On Thu, 19 Apr 2012 09:13:12 +0800 Funda Wang <[email protected]> wrote:
> Hello,
>
> Could somebody push python-2.7.3 and python3-3.2.3 into cauldron? They
> fixed CVE-2012-0876, oCERT-2011-003, CVE-2012-0845, CVE-2011-3389,
> and a lot of other minor bugs.
Note that oCERT-2011-003 is not plugged by default, because of backwards compatibility issues (**). You need to use either the new "-R" command-line option, or to set the PYTHONHASHSEED environment variable to "random" (*). Perhaps that could be done for select Python applications, especially Web applications (where malicious data can be sent by anyone on the Internet).

(*) http://docs.python.org/using/cmdline.html#cmdoption-R

(**) "Changing hash values affects the order in which keys are retrieved from a dict. Although Python has never made guarantees about this ordering (and it typically varies between 32-bit and 64-bit builds), enough real-world code implicitly relies on this non-guaranteed behavior that the randomization is disabled by default."

Regards

Antoine.
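As an added illustration (not part of the thread above, and not code from the Python project), the following script checks whether the hash randomization Antoine describes is actually in effect for a given PYTHONHASHSEED setting. It launches fresh child interpreters, reads sys.flags.hash_randomization, and compares the hash of a constructed key ("cauldron") across runs: with PYTHONHASHSEED=0 the hash is stable from run to run (the state that the oCERT-2011-003 report concerns), while with PYTHONHASHSEED=random it changes on every start. It assumes a Python 3 interpreter where the environment variable still carries these semantics ("0" disables, "random" or unset enables; fixed integers give a repeatable seed), which is useful when a packager wants to verify that a deployment of a web application really runs with randomization enabled rather than relying on the default.

```python
import os
import subprocess
import sys

# Probe executed in a child interpreter: print the randomization flag and the
# hash of a constructed key. hash() of str is seeded per process, so the only
# way to observe the seed's effect is to start separate interpreters.
_PROBE = "import sys; print(sys.flags.hash_randomization, hash('cauldron'))"


def probe(seed):
    """Start a fresh interpreter with PYTHONHASHSEED=seed (None = unset).

    Returns (hash_randomization_flag, hash_of_key) as reported by the child.
    """
    # Drop any inherited PYTHONHASHSEED so the test is controlled by `seed` alone.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONHASHSEED"}
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    out = subprocess.check_output([sys.executable, "-c", _PROBE], env=env, text=True)
    flag, key_hash = out.split()
    return int(flag), int(key_hash)


def hash_is_stable_across_runs(seed, runs=4):
    """True if the key hashes identically in `runs` separate interpreters.

    A stable hash across processes means an attacker who can predict it could
    craft colliding keys; this is the condition the mitigation removes.
    """
    return len({probe(seed)[1] for _ in range(runs)}) == 1


def randomization_enabled(seed):
    """Report whether the interpreter itself says randomization is on."""
    return probe(seed)[0] == 1


if __name__ == "__main__":
    for seed in ("0", "random"):
        print(
            f"PYTHONHASHSEED={seed}: enabled={randomization_enabled(seed)}, "
            f"stable across runs={hash_is_stable_across_runs(seed)}"
        )
```

Run it with no arguments; a deployment that prints enabled=True and stable across runs=False for its chosen setting is the one Antoine recommends for Internet-facing services. The same probe can be pointed at a service's actual start-up environment by copying the relevant environment block instead of os.environ.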
