On 2/25/14, Victor Stinner wrote:
> Hi,
>
> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>> I've checked these, and noted the relevant hg.python.org links on the
>> tracker issue at http://bugs.python.org/issue20246
>
> Would it be possible to have a table with all known Python security
> vulnerabilit
Donald Stufft writes:
> Instead of pre-generating one set of values that can be used to
> DoS things you have to pre-generate 256 sets of values and try them
> until you get the right one. It’s like putting on armor made of
> paper and saying it’s harder to stab you now.
You obviously don'
On 26 Feb 2014 04:51, "Antoine Pitrou" wrote:
>
> On Tue, 25 Feb 2014 20:38:46 +0200
> Maciej Fijalkowski wrote:
> >
> > My impression is that a lot of discussion went into hash
> > randomization, because it was a high profile issue. It got "fixed",
> > then later someone discovered that the fix
On 2/25/2014 8:32 AM, Chris Angelico wrote:
> On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft wrote:
>> Instead of pre-generating one set of values that can be used to DoS things
>> you have to pre-generate 256 sets of values and try them until you get the
>> right one. It’s like putting on armor made
On Tue, 25 Feb 2014 20:38:46 +0200
Maciej Fijalkowski wrote:
>
> My impression is that a lot of discussion went into hash
> randomization, because it was a high profile issue. It got "fixed",
> then later someone discovered that the fix is completely broken and
> was left at that without much dis
On Tue, Feb 25, 2014 at 5:22 PM, Barry Warsaw wrote:
> On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>
>>Oh, I thought security fixes go to all python releases.
>
> Well, not the EOL'd ones of course.
yes of course sorry.
>
> Where's the analysis on backporting SIPHash to older Python
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 25.02.2014 15:41, Benjamin Peterson wrote:
> I'm not sure why you think it wasn't sent to security@
> https://mail.python.org/mailman/private/psrt/2014-January/001297.html
Because
>
I can't find the mail in my inbox. Perhaps it fell victim to
p
On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>Oh, I thought security fixes go to all python releases.
Well, not the EOL'd ones of course.
Where's the analysis on backporting SIPHash to older Python versions? Would
such a backport break backward compatibility? What other impacts woul
On Mon, Feb 24, 2014, at 11:39 PM, Christian Heimes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> this looks pretty serious -- and it caught me off guard, too. :(
>
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
>
> Next
On Feb 25, 2014, at 8:33 AM, Nick Coghlan wrote:
>
> On 25 Feb 2014 23:09, "Maciej Fijalkowski" wrote:
> >
> > On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
> > > On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski
> > > wrote:
> > >>> Last issues:
> > >>> - hash DoS
> > >>
> > >>
On 25 Feb 2014 23:23, "Donald Stufft" wrote:
>
>
> On Feb 25, 2014, at 8:17 AM, Antoine Pitrou wrote:
>
> > On Tue, 25 Feb 2014 08:08:09 -0500
> > Donald Stufft wrote:
> >>
> >> Hash randomization is broken and doesn't fix anything.
> >
> > Not sure what you mean with "doesn't fix anything". Has
On 25 Feb 2014 23:09, "Maciej Fijalkowski" wrote:
>
> On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
> > On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski
> >> wrote:
> >>> Last issues:
> >>> - hash DoS
> >>
> >> is this fixed?
> >
> > Yes, hash randomization was added as an option in 2.7.
On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft wrote:
> Instead of pre-generating one set of values that can be used to DoS things
> you have to pre-generate 256 sets of values and try them until you get the
> right one. It’s like putting on armor made of paper and saying it’s harder to
> stab
On Feb 25, 2014, at 8:17 AM, Antoine Pitrou wrote:
> On Tue, 25 Feb 2014 08:08:09 -0500
> Donald Stufft wrote:
>>
>> Hash randomization is broken and doesn’t fix anything.
>
> Not sure what you mean with "doesn't fix anything". Hash collisions were
> easy to exploit pre-hash randomization, th
On Tue, 25 Feb 2014 08:08:09 -0500
Donald Stufft wrote:
>
> Hash randomization is broken and doesn’t fix anything.
Not sure what you mean with "doesn't fix anything". Hash collisions were
easy to exploit pre-hash randomization; they don't seem as easy to
exploit with it.
Regards
Antoine.
On Wed, Feb 26, 2014 at 12:07 AM, Maciej Fijalkowski wrote:
> No, the hash randomization is broken, it does not provide enough
> randomness (without changing the hash function which only happened in
> 3.4+)
Hmm, I don't remember reading about that - got a link to more info? Or
was that report kep
On Feb 25, 2014, at 8:07 AM, Maciej Fijalkowski wrote:
> On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
>> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski
>> wrote:
>>>> Last issues:
>>>> - hash DoS
>>>
>>> is this fixed?
>>
>> Yes, hash randomization was added as an option in
On Feb 25, 2014, at 8:06 AM, Chris Angelico wrote:
> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski wrote:
>>> Last issues:
>>> - hash DoS
>>
>> is this fixed?
>
> Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
> thereabouts, and is on by default in 3.3+. You do hav
On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski wrote:
>>> Last issues:
>>> - hash DoS
>>
>> is this fixed?
>
> Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
> thereabouts, and is on by default in 3.3+. You do hav
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski wrote:
>> Last issues:
>> - hash DoS
>
> is this fixed?
Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
thereabouts, and is on by default in 3.3+. You do have to set an
environment variable for 2.7 (and I think 2.6 got that
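Whether randomization is actually in effect, and what a fixed seed does to it, is something you can check on the interpreter in front of you. The following is an added example for this thread, not code from python-dev or from CPython itself; it assumes CPython 3.4 or later (so `sys.hash_info` exists and the algorithm is SipHash) and that `sys.executable` can be launched as a child process. The probe string and the helper names are my own.

```python
"""Check whether this CPython's str hashing is randomized, and show what
PYTHONHASHSEED does to hash('...') across separate interpreter runs.

Added example for the python-dev thread above; not CPython's own code.
Assumes CPython 3.4+ (sys.hash_info since 3.2, SipHash since 3.4).
"""
import os
import subprocess
import sys

# Constructed probe string; any str works, the point is that its hash
# changes from process to process only when randomization is on.
PROBE = "python-dev"


def interpreter_hash_config():
    """Report the hash algorithm and the randomization flag for *this* process.

    sys.hash_info.algorithm is 'siphash24' on 3.4-3.10 and 'siphash13' on
    3.11+; on 3.3 it would be 'fnv', the function the thread calls too weak.
    """
    return {
        "algorithm": sys.hash_info.algorithm,
        "hash_bits": sys.hash_info.hash_bits,
        "randomized": bool(sys.flags.hash_randomization),
    }


def probe_hash(seed_setting):
    """Start a fresh interpreter with PYTHONHASHSEED=seed_setting and return
    (hash(PROBE), sys.flags.hash_randomization) as seen in that child.

    seed_setting is the text the env var accepts: 'random', or an integer
    written as a string; '0' disables randomization entirely.
    """
    env = dict(os.environ, PYTHONHASHSEED=seed_setting)
    code = "import sys; print(hash(%r), sys.flags.hash_randomization)" % PROBE
    out = subprocess.check_output([sys.executable, "-c", code], env=env, timeout=30)
    h, flag = out.split()
    return int(h), int(flag)


def hash_is_randomized_across_runs(seed_setting, runs=3):
    """True if hash(PROBE) differs between separate interpreter launches.

    With 'random' each process draws a fresh key, so any two of `runs`
    launches are expected to differ.  With a fixed seed every run returns
    the same value, which is exactly what an attacker needs in order to
    precompute a set of colliding keys for the target process.
    """
    seen = {probe_hash(seed_setting)[0] for _ in range(runs)}
    return len(seen) > 1


if __name__ == "__main__":
    print(interpreter_hash_config())
    print("PYTHONHASHSEED=0      varies across runs:", hash_is_randomized_across_runs("0"))
    print("PYTHONHASHSEED=random varies across runs:", hash_is_randomized_across_runs("random"))
```

Two caveats worth keeping in mind when reading the output: a fixed seed (as used for reproducible builds or test suites) hands an attacker the same predictability as no randomization at all, so it should never reach a service that hashes attacker-controlled strings; and randomization only covers str, bytes and datetime objects, while ints still hash to themselves, so a dict keyed by attacker-chosen integers gets no protection from this mechanism.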
On Tue, Feb 25, 2014 at 3:01 PM, Donald Stufft wrote:
>
> On Feb 25, 2014, at 7:59 AM, Maciej Fijalkowski wrote:
>
>> On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
>> wrote:
>>> Hi,
>>>
>>> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>>>> I've checked these, and noted the relevant hg.python.org
On Feb 25, 2014, at 7:59 AM, Maciej Fijalkowski wrote:
> On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
> wrote:
>> Hi,
>>
>> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>>> I've checked these, and noted the relevant hg.python.org links on the
>>> tracker issue at http://bugs.python.org/issue20
On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
wrote:
> Hi,
>
> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>> I've checked these, and noted the relevant hg.python.org links on the
>> tracker issue at http://bugs.python.org/issue20246
>
> Would it be possible to have a table with all known Python s
On Tue, 25 Feb 2014 08:39:40 +0100
Christian Heimes wrote:
>
> this looks pretty serious -- and it caught me off guard, too. :(
>
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
>
> Next time please inform the Python Security Response Team about any
Hi,
2014-02-25 8:39 GMT+01:00 Christian Heimes :
> this looks pretty serious -- and it caught me off guard, too. :(
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
I don't think that the issue is critical.
Extract of the article "Diving into SocketSe
Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan :
> I've checked these, and noted the relevant hg.python.org links on the
> tracker issue at http://bugs.python.org/issue20246
Would it be possible to have a table with all known Python security
vulnerabilities and the Python versions which are fixed? Bo
On 25 February 2014 17:39, Christian Heimes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> this looks pretty serious -- and it caught me off guard, too. :(
>
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
>
> Next time please i
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
this looks pretty serious -- and it caught me off guard, too. :(
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Next time please inform the Python Security Response Team about any
and all issues tha