A CVE has been assigned for a security issue in Python: http://openwall.com/lists/oss-security/2013/12/09/13 The issue is similar to the previous hash table collision DoS CVE-2012-1150 that we fixed in Bug 5843.
CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO
That's a big patch: http://hg.python.org/cpython/rev/adb471b9cba1 It will be in Python 3.4 (3.4.0 final: February 23, 2014), and I don't think that it will be backported to Python 2. I don't know what to do.
If I understand the discussion in that oss-security thread correctly, Python 3.4 is changing to an entirely new implementation for the dictionary backend. I think the Debian patch and other discussion on the oss-security thread is about how to make the existing implementation better. For now it might be better to wait and see if upstream tries to do any kind of fix for older Pythons, and also to see what other distros ultimately do about this.
Upstream, I doubt they will backport anything, if I read the thread here correctly: http://bugs.python.org/issue14621 (see last message). I put here the Red Hat tracking bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1039918 https://bugzilla.redhat.com/show_bug.cgi?id=1039917 I will watch.
I mixed this up with another issue, so there's no proposed solution yet. I dunno if there will be. Here's the main RH bug for this: https://bugzilla.redhat.com/show_bug.cgi?id=1039915
For the record: Python 3.4 is not affected (due to PEP 456 http://legacy.python.org/dev/peps/pep-0456/), so it will be fixed for us in mga5, but 3.3 and 2.7 are still affected. And the Python project declares this "WONTFIX" for versions older than 3.4, cf. http://bugs.python.org/issue14621
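The mechanism behind this class of bug, as an added example that is not part of the bug thread and not code from the Python project: when an attacker can make many keys hash to the same value, every dict insert has to walk the whole probe chain and compare with each stored key, so n inserts cost n(n-1)/2 comparisons instead of about n. The `CollidingKey`/`DistinctKey` classes, the `eq_calls` counter and the `hash_posture()` helper are hypothetical names introduced here; the colliding strings that trigger the real issue under the pre-3.4 hash are deliberately not reproduced, a constant `__hash__` stands in for them. `hash_posture()` reports whether the interpreter you are on already has the PEP 456 keyed hash (`sys.hash_info.algorithm` exists from 3.4 on) and whether per-process hash randomization is enabled.

```python
"""Added example: why colliding hashes make dict insertion quadratic, and
how to check the running interpreter's hash posture (PEP 456 / SipHash)."""
import sys


class CollidingKey:
    """Key whose hash is attacker-controlled: every instance hashes to 0.

    Stand-in for a batch of strings crafted to collide under a weak hash;
    the colliding inputs themselves are not reproduced here (hypothetical
    class, not from the page)."""
    eq_calls = 0  # class-wide counter of __eq__ invocations made by the dict

    def __init__(self, label):
        self.label = label

    def __hash__(self):
        return 0  # all keys collide: same probe chain for every insert

    def __eq__(self, other):
        CollidingKey.eq_calls += 1
        return self is other


class DistinctKey(CollidingKey):
    """Same key type, but with a distinct hash per instance (the healthy case)."""

    def __init__(self, label, h):
        super().__init__(label)
        self._h = h

    def __hash__(self):
        return self._h


def count_eq_calls(keys):
    """Insert keys into a fresh dict and return how many __eq__ calls the
    dict needed. CPython compares stored hash first and only calls __eq__
    on a hash match, so with distinct hashes the count is 0; with all
    hashes equal, the k-th insert compares against the k-1 keys already
    in the chain, for a total of n(n-1)/2: the DoS an attacker exploits."""
    CollidingKey.eq_calls = 0
    d = {}
    for k in keys:
        d[k] = True
    return CollidingKey.eq_calls


def quadratic_cost(n):
    """Comparison counts for n colliding keys vs n distinct keys."""
    colliding = count_eq_calls([CollidingKey(i) for i in range(n)])
    distinct = count_eq_calls([DistinctKey(i, i) for i in range(n)])
    return colliding, distinct


def hash_posture():
    """Report what this interpreter does about hash-collision DoS.

    `algorithm` is 'siphash24' or 'siphash13' on CPython 3.4+ (PEP 456);
    older interpreters lack the attribute. Randomization is per process
    unless PYTHONHASHSEED pins the seed (which disables the defence)."""
    algo = getattr(sys.hash_info, "algorithm", "unknown")  # added in 3.4
    return {
        "algorithm": algo,
        "randomized": bool(sys.flags.hash_randomization),
        "keyed_hash": algo.startswith("siphash"),
    }


if __name__ == "__main__":
    n = 200
    colliding, distinct = quadratic_cost(n)
    print(f"{n} colliding keys: {colliding} __eq__ calls "
          f"(expected n(n-1)/2 = {n * (n - 1) // 2})")
    print(f"{n} distinct keys:  {distinct} __eq__ calls")
    print("hash posture:", hash_posture())
```

Run it with `PYTHONHASHSEED=0` to see `randomized` flip to `False`: even a SipHash-based interpreter loses the protection if the seed is pinned in a service's environment, which is the configuration check worth adding to a deployment review.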
Red Hat has marked their bug WONTFIX as well. I'll do the same. Thanks Philippe.
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX