[Python-Dev] Hash collision security issue (now public)
Georg Brandl g.brandl at gmx.net
Thu Jan 5 21:52:40 CET 2012
- Previous message: [Python-Dev] Hash collision security issue (now public)
- Next message: [Python-Dev] Hash collision security issue (now public)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 01/05/2012 09:45 PM, Barry Warsaw wrote:
> On Jan 05, 2012, at 02:33 PM, David Malcolm wrote:
>
>> We have similar issues in RHEL, with the Python versions going much further back (e.g. 2.3).
>>
>> When backporting the fix to ancient python versions, I'm inclined to turn the change off by default, requiring the change to be enabled via an environment variable: I want to avoid breaking existing code, even if such code is technically relying on non-guaranteed behavior. But we could potentially tweak modpython/modwsgi so that it defaults to on. That way /usr/bin/python would default to the old behavior, but web apps would have some protection.
>
> This sounds like a reasonable compromise for all stable Python releases. It can be turned on by default for Python 3.3.
>
> If you also make the default setting easy to change (i.e. parameterized in one place), then distros can make their own decision about the default, although I'd argue for the above default approach for Debian/Ubuntu.
Agreed.
Georg
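As an added check, not code from this thread, the following Python 3 script verifies whether the hash-randomization switch discussed above is actually in effect for a given environment setting, which is what a distro or web-app deployer would want to confirm after choosing a default. It assumes the PYTHONHASHSEED variable that CPython later adopted for this switch (the message itself does not name the variable) and a Python 3.3+ interpreter.

```python
"""Probe whether hash randomization is active under a given PYTHONHASHSEED.

Each probe starts a fresh interpreter, because the seed is fixed at startup;
if the same string hashes differently across runs, randomization is on.
"""
import os
import subprocess
import sys

# Constructed probe: prints the hash of a fixed string from a child interpreter.
PROBE = "print(hash('probe-string'))"


def child_hash(seed_setting=None):
    """Return hash('probe-string') as computed by a freshly started interpreter.

    seed_setting: None leaves PYTHONHASHSEED unset (the interpreter's own
    default); otherwise the string is exported as PYTHONHASHSEED ("0" disables
    randomization, "random" forces it, a decimal integer fixes the seed).
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)  # start from a clean slate
    if seed_setting is not None:
        env["PYTHONHASHSEED"] = seed_setting
    out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                         capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def randomization_active(seed_setting=None, runs=3):
    """True if hash('probe-string') differs between interpreter runs."""
    return len({child_hash(seed_setting) for _ in range(runs)}) > 1


def current_process_status():
    """Flag of the interpreter running this script (sys.flags, 3.2.3+)."""
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    print("this process:", current_process_status())
    for setting in (None, "0", "123", "random"):
        print(f"PYTHONHASHSEED={setting!r}:", randomization_active(setting))
```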