[Python-Dev] Hash collision security issue (now public)

Georg Brandl g.brandl at gmx.net
Thu Jan 5 21:52:40 CET 2012


On 01/05/2012 09:45 PM, Barry Warsaw wrote:
> On Jan 05, 2012, at 02:33 PM, David Malcolm wrote:
> 
>>We have similar issues in RHEL, with the Python versions going much
>>further back (e.g. 2.3)
>>
>>When backporting the fix to ancient python versions, I'm inclined to
>>turn the change *off* by default, requiring the change to be enabled via
>>an environment variable: I want to avoid breaking existing code, even if
>>such code is technically relying on non-guaranteed behavior.  But we
>>could potentially tweak mod_python/mod_wsgi so that it defaults to *on*.
>>That way /usr/bin/python would default to the old behavior, but web apps
>>would have some protection.
> 
> This sounds like a reasonable compromise for all stable Python releases.  It
> can be turned on by default for Python 3.3.  If you also make the default
> setting easy to change (i.e. parameterized in one place), then distros can
> make their own decision about the default, although I'd argue for the above
> default approach for Debian/Ubuntu.

Agreed.

Georg
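The opt-in scheme David Malcolm describes above (randomized hashing off by default in the backport, enabled through an environment variable, with the default parameterized in one place as Barry asks), as an added example that is not part of this thread or of the RHEL/Debian patches. The opt-in variable name `PYTHON_HASH_RANDOMIZATION_OPTIN` is an assumption; the child-process check relies on modern CPython's `PYTHONHASHSEED` switch, which postdates the 2012 patch and stands in for whatever knob a given backport used.

```python
import os
import subprocess
import sys

# Hypothetical opt-in variable (assumption; not the name any distro used).
OPT_IN_VAR = "PYTHON_HASH_RANDOMIZATION_OPTIN"
# The single place a distro would flip the default. False mirrors the
# off-by-default backport; a web-app wrapper would pass default_on=True.
DEFAULT_ON = False


def randomization_requested(env, default_on=DEFAULT_ON):
    """Decide whether hash randomization should be on for this process.

    The opt-in variable, if present and well-formed, wins; otherwise the
    packaged default applies. 1/yes/on/true enable, 0/no/off/false disable,
    anything else falls back to the default rather than guessing.
    """
    raw = env.get(OPT_IN_VAR)
    if raw is None:
        return default_on
    value = raw.strip().lower()
    if value in ("1", "yes", "on", "true"):
        return True
    if value in ("0", "no", "off", "false"):
        return False
    return default_on


def child_hash_of(text, randomize):
    """Run a fresh interpreter and return hash(text) as computed there.

    PYTHONHASHSEED='random' enables per-process randomization and '0'
    disables it (CPython 3.x behaviour, used here as the stand-in switch).
    """
    env = dict(os.environ)
    env["PYTHONHASHSEED"] = "random" if randomize else "0"
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", text],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(result.stdout.strip())


def hashes_vary_across_runs(text="collision-test", randomize=True, runs=3):
    """Deployment check: True if hash(text) changes between interpreter runs.

    With randomization off the value is stable across runs, so a web app that
    expected the protection but inherited the old default is caught by this
    returning False.
    """
    seen = {child_hash_of(text, randomize) for _ in range(runs)}
    return len(seen) > 1


if __name__ == "__main__":
    wanted = randomization_requested(os.environ)
    print("randomization requested:", wanted)
    print("hash(str) varies across runs:", hashes_vary_across_runs(randomize=wanted))
```

`randomization_requested` is the only policy code; a `/usr/bin/python` wrapper and a mod_wsgi startup hook would call it with different `default_on` values and otherwise share everything, which is what keeps the distro-level decision in one place.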
