Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan ncogh...@gmail.com:
I've checked these, and noted the relevant hg.python.org links on the
tracker issue at http://bugs.python.org/issue20246
Would it be possible to have a table with all known Python security
vulnerabilities and the Python versions
Hi,
2014-02-25 8:39 GMT+01:00 Christian Heimes christ...@python.org:
this looks pretty serious -- and it caught me off guard, too. :(
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
I don't think that the issue is critical.
Extract of the article
On Tue, 25 Feb 2014 08:39:40 +0100
Christian Heimes christ...@python.org wrote:
this looks pretty serious -- and it caught me off guard, too. :(
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Next time please inform the Python Security Response
On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
victor.stin...@gmail.com wrote:
Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan ncogh...@gmail.com:
I've checked these, and noted the relevant hg.python.org links on the
tracker issue at http://bugs.python.org/issue20246
Would it be possible to
On Feb 25, 2014, at 7:59 AM, Maciej Fijalkowski fij...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
victor.stin...@gmail.com wrote:
Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan ncogh...@gmail.com:
I've checked these, and noted the relevant hg.python.org links on the
On Tue, Feb 25, 2014 at 3:01 PM, Donald Stufft don...@stufft.io wrote:
On Feb 25, 2014, at 7:59 AM, Maciej Fijalkowski fij...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
victor.stin...@gmail.com wrote:
Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan ncogh...@gmail.com:
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski fij...@gmail.com wrote:
Last issues:
- hash DoS
is this fixed?
Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
thereabouts, and is on by default in 3.3+. You do have to set an
environment variable for 2.7 (and I think
On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico ros...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski fij...@gmail.com wrote:
Last issues:
- hash DoS
is this fixed?
Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
thereabouts, and is on by default
On Feb 25, 2014, at 8:06 AM, Chris Angelico ros...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski fij...@gmail.com wrote:
Last issues:
- hash DoS
is this fixed?
Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
thereabouts, and is on by default
On Feb 25, 2014, at 8:07 AM, Maciej Fijalkowski fij...@gmail.com wrote:
On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico ros...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski fij...@gmail.com
wrote:
Last issues:
- hash DoS
is this fixed?
Yes, hash randomization
On Wed, Feb 26, 2014 at 12:07 AM, Maciej Fijalkowski fij...@gmail.com wrote:
No, the hash randomization is broken, it does not provide enough
randomness (without changing the hash function which only happened in
3.4+)
Hmm, I don't remember reading about that - got a link to more info? Or
was
On Tue, 25 Feb 2014 08:08:09 -0500
Donald Stufft don...@stufft.io wrote:
Hash randomization is broken and doesn’t fix anything.
Not sure what you mean with doesn't fix anything. Hash collisions were
easy to exploit pre-hash randomization, they don't seem as easy to
exploit with it.
Regards
On Feb 25, 2014, at 8:17 AM, Antoine Pitrou solip...@pitrou.net wrote:
On Tue, 25 Feb 2014 08:08:09 -0500
Donald Stufft don...@stufft.io wrote:
Hash randomization is broken and doesn’t fix anything.
Not sure what you mean with doesn't fix anything. Hash collisions were
easy to exploit
On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft don...@stufft.io wrote:
Instead of pre-generating one set of values that can be used to DoS things
you have to pre-generate 256 sets of values and try them until you get the
right one. It’s like putting on armor made of paper and saying it’s
On 25 Feb 2014 23:09, Maciej Fijalkowski fij...@gmail.com wrote:
On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico ros...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski fij...@gmail.com
wrote:
Last issues:
- hash DoS
is this fixed?
Yes, hash randomization was
On 25 Feb 2014 23:23, Donald Stufft don...@stufft.io wrote:
On Feb 25, 2014, at 8:17 AM, Antoine Pitrou solip...@pitrou.net wrote:
On Tue, 25 Feb 2014 08:08:09 -0500
Donald Stufft don...@stufft.io wrote:
Hash randomization is broken and doesn't fix anything.
Not sure what you mean
On Feb 25, 2014, at 8:33 AM, Nick Coghlan ncogh...@gmail.com wrote:
On 25 Feb 2014 23:09, Maciej Fijalkowski fij...@gmail.com wrote:
On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico ros...@gmail.com wrote:
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski fij...@gmail.com
wrote:
On Mon, Feb 24, 2014, at 11:39 PM, Christian Heimes wrote:
Hi,
this looks pretty serious -- and it caught me off guard, too. :(
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Next time
On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
Oh, I thought security fixes go to all python releases.
Well, not the EOL'd ones of course.
Where's the analysis on backporting SIPHash to older Python versions? Would
such a backport break backward compatibility? What other impacts
On 25.02.2014 15:41, Benjamin Peterson wrote:
I'm not sure why you think it wasn't sent to security@
https://mail.python.org/mailman/private/psrt/2014-January/001297.html
Because
I can't find the mail in my inbox. Perhaps it fell victim to
On Tue, Feb 25, 2014 at 5:22 PM, Barry Warsaw ba...@python.org wrote:
On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
Oh, I thought security fixes go to all python releases.
Well, not the EOL'd ones of course.
yes of course sorry.
Where's the analysis on backporting SIPHash to
On Tue, 25 Feb 2014 20:38:46 +0200
Maciej Fijalkowski fij...@gmail.com wrote:
My impression is that a lot of discussion went into hash
randomization, because it was a high profile issue. It got fixed,
then later someone discovered that the fix is completely broken and
was left at that
On 2/25/2014 8:32 AM, Chris Angelico wrote:
On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft don...@stufft.io wrote:
Instead of pre-generating one set of values that can be used to DoS things
you have to pre-generate 256 sets of values and try them until you get the
right one. It’s like
On 26 Feb 2014 04:51, Antoine Pitrou solip...@pitrou.net wrote:
On Tue, 25 Feb 2014 20:38:46 +0200
Maciej Fijalkowski fij...@gmail.com wrote:
My impression is that a lot of discussion went into hash
randomization, because it was a high profile issue. It got fixed,
then later someone
Donald Stufft writes:
Instead of pre-generating one set of values that can be used to
DoS things you have to pre-generate 256 sets of values and try them
until you get the right one. It’s like putting on armor made of
paper and saying it’s harder to stab you now.
You obviously don't
On 2/25/14, Victor Stinner victor.stin...@gmail.com wrote:
Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan ncogh...@gmail.com:
I've checked these, and noted the relevant hg.python.org links on the
tracker issue at http://bugs.python.org/issue20246
Would it be possible to have a table with all
Hi,
this looks pretty serious -- and it caught me off guard, too. :(
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Next time please inform the Python Security Response Team about any
and all issues
On 25 February 2014 17:39, Christian Heimes christ...@python.org wrote:
Hi,
this looks pretty serious -- and it caught me off guard, too. :(
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Next