Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3 security release
The Python project has released updated versions of Python 2.6, 2.7, 3.1,
and 3.2; in each case, the objective is to close the hash collision denial of service
vulnerability. It's worth noting, though, that the fix needs to be
enabled explicitly: "Historically, dict iteration order has not changed very often across
releases and has always remained consistent between successive executions of
Python. Thus, some existing applications may be relying on dict or set ordering.
Because of this and the fact that many Python applications which don't accept
untrusted input are not vulnerable to this attack, in all stable Python releases
mentioned here, HASH RANDOMIZATION IS DISABLED BY DEFAULT." It can
be enabled with a command-line option or through an environment variable.
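
Before turning randomization on, it helps to know whether an application depends on the ordering the quote mentions. The following check is an added example, not code from the Python project: it runs a snippet in child interpreters that differ only in hash seed and reports whether the output changes. It assumes the `PYTHONHASHSEED` environment variable and `sys.flags.hash_randomization`, which the text above does not name; the helper names and sample snippets are constructed for illustration.

```python
import os
import subprocess
import sys


def run_with_seed(snippet, seed):
    """Run `snippet` in a child interpreter with PYTHONHASHSEED set to `seed`."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output([sys.executable, "-c", snippet], env=env)
    return out.decode().strip()


def randomization_enabled(seed):
    """True if the child interpreter reports hash randomization as active."""
    flag = run_with_seed("import sys; print(sys.flags.hash_randomization)", seed)
    return flag != "0"


def depends_on_hash_order(snippet, seeds=range(1, 9)):
    """True if the snippet's output changes when only the hash seed changes."""
    return len({run_with_seed(snippet, s) for s in seeds}) > 1


# Constructed sample code under audit: one snippet leaks set iteration order
# into its output, the other imposes an explicit order first.
KEYS = "['alpha', 'bravo', 'charlie', 'delta', 'echo', 'foxtrot', 'golf', 'hotel']"
FRAGILE = "print(list(set(%s)))" % KEYS
ROBUST = "print(sorted(set(%s)))" % KEYS

if __name__ == "__main__":
    # Seed 0 means "no randomization"; "random" picks a fresh seed per process.
    for seed in ("0", "random"):
        print("PYTHONHASHSEED=%s -> randomized: %s" % (seed, randomization_enabled(seed)))
    for name, snippet in (("fragile", FRAGILE), ("robust", ROBUST)):
        print("%s snippet depends on hash order: %s" % (name, depends_on_hash_order(snippet)))
```

A snippet flagged as order-dependent is the kind of code that can change behaviour once randomization is enabled, so it is worth fixing (for example by sorting) before flipping the switch in production.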