On 10/04/2013 11:15 AM, Victor Stinner wrote:
> 2013/10/4 Armin Rigo <ar...@tunes.org>:
>> The current hash randomization is
>> simply not preventing anything; someone posted long ago a way to
>> recover bit-by-bit the hash randomized used by a remote web program in
>> Python running on a server.
>
> Oh interesting, is it public?

http://events.ccc.de/congress/2012/Fahrplan/events/5152.en.html

Quoting the synopsis:

   We also describe a vulnerability of Python's new randomized hash,
   allowing an attacker to easily recover the 128-bit secret seed.


I found all that while reading this interesting, yet moribund, bug report:

   http://bugs.python.org/issue14621

I guess there was enough bike shedding that people ran out of steam, or something. It happens.


//arry/