[Python-Dev] XML DoS vulnerabilities and exploits in Python

Barry Warsaw barry at python.org
Thu Feb 21 05:53:50 CET 2013


On Feb 20, 2013, at 11:35 PM, Tres Seaver wrote:

>I believe that the same rationale should apply as that for adding hash
>randomization in 2.6.8:  this is at least as bad a vulnerability, with
>many more vectors of attack.

Except that I really want to EOL 2.6 in October as per schedule, and I really
don't want a 2.6.10.  So if we get the API changes wrong in 2.6.9 there won't
be much of an opportunity to correct it.  Also, in 2.6, hash randomization is
opt-in so the default didn't change.

Cheers,
-Barry

