|From:||Benjamin Peterson <benjamin-AT-python.org>|
|To:||Python Dev <python-dev-AT-python.org>, python-announce-list-AT-python.org, python-list-AT-python.org|
|Subject:||[RELEASED] Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3|
|Date:||Wed, 11 Apr 2012 15:37:49 -0400|
We're bursting with enthusiasm to announce the immediate availability of Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3. These releases included several security fixes. Note: Virtualenvs created with older releases in the 2.6, 2.7, 3.1, or 3.2 series may not work with these bugfix releases. Specifically, the os module may not appear to have a urandom function. This is a virtualenv bug, which can be solved by recreating the broken virtualenvs with the newer Python versions. The main impetus for these releases is fixing a security issue in Python's hash based types, dict and set, as described below. Python 2.7.3 and 3.2.3 include the security patch and the normal set of bug fixes. Since Python 2.6 and 3.1 are maintained only for security issues, 2.6.8 and 3.1.5 contain only various security patches. The security issue exploits Python's dict and set implementations. Carefully crafted input can lead to extremely long computation times and denials of service.  Python dict and set types use hash tables to provide amortized constant time operations. Hash tables require a well-distributed hash function to spread data evenly across the hash table. The security issue is that an attacker could compute thousands of keys with colliding hashes; this causes quadratic algorithmic complexity when the hash table is constructed. To alleviate the problem, the new releases add randomization to the hashing of Python's string types (bytes/str in Python 3 and str/unicode in Python 2), datetime.date, and datetime.datetime. This prevents an attacker from computing colliding keys of these types without access to the Python process. Hash randomization causes the iteration order of dicts and sets to be unpredictable and differ across Python runs. Python has never guaranteed iteration order of keys in a dict or set, and applications are advised to never rely on it. Historically, dict iteration order has not changed very often across releases and has always remained consistent between successive executions of Python. Thus, some existing applications may be relying on dict or set ordering. Because of this and the fact that many Python applications which don't accept untrusted input are not vulnerable to this attack, in all stable Python releases mentioned here, HASH RANDOMIZATION IS DISABLED BY DEFAULT. There are two ways to enable it. The -R commandline option can be passed to the python executable. It can also be enabled by setting an environmental variable PYTHONHASHSEED to "random". (Other values are accepted, too; pass -h to python for complete description.) More details about the issue and the patch can be found in the oCERT advisory  and the Python bug tracker . Another related security issue fixed in these releases is in the expat XML parsing library. expat had the same hash security issue detailed above as Python's core types. The hashing algorithm used in the expat library is now randomized. A few other security issues were fixed. They are described on the release pages below. These releases are production releases. Downloads are at http://python.org/download/releases/2.6.8/ http://python.org/download/releases/2.7.3/ http://python.org/download/releases/3.1.5/ http://python.org/download/releases/3.2.3/ As always, please report bugs to http://bugs.python.org/ Happy-to-put-hash-attack-issues-behind-them-ly yours, The Python release team Barry Warsaw (2.6), Georg Brandl (3.2), and Benjamin Peterson (2.7 and 3.1)  http://www.ocert.org/advisories/ocert-2011-003.html  http://bugs.python.org/issue13703
Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds