On Wed, Jan 4, 2012 at 12:02 AM, Bill Janssen jans...@parc.com wrote:
Christian Heimes li...@cheimes.de wrote:
On 29.12.2011 12:13, Mark Shannon wrote:
The attack relies on being able to predict the hash value for a given
string. Randomising the string hash function is quite
Well what if /dev/urandom is unavailable because the program is run
e.g. in a chroot?
If the system ought to have /dev/urandom (as e.g. determined during
configure), I propose that Python fails fast, unless the command line
option is given that disables random hash seeds.
For the security
On Wed, 4 Jan 2012 09:59:15 +0200
Maciej Fijalkowski fij...@gmail.com wrote:
Is it *really* a security issue? We knew all along that dicts are
O(n^2) in worst case scenario, how is this suddenly a security
problem?
Because it has been shown to be exploitable for malicious purposes?
Regards
On 04.01.2012 08:59, Maciej Fijalkowski wrote:
Is it *really* a security issue? We knew all along that dicts are
O(n^2) in worst case scenario, how is this suddenly a security
problem?
For example Microsoft has released an extraordinary and unscheduled
security patch for the issue between
(or is /dev/urandom still available in a chroot?)
Last time that I played with chroot, I bound /dev and /proc. Many
programs rely on specific devices like /dev/null.
Python should not refuse to start if /dev/urandom (or CryptoGen) is
missing or cannot be used, but should use a weak fallback.
Oops, it's a typo in the doc (copy/paste failure). It's now fixed, thanks.
Victor
2012/1/4 Antoine Pitrou solip...@pitrou.net:
+.. c:function:: int PyUnicode_Fill(PyObject *unicode, Py_ssize_t start, \
+ Py_ssize_t length, Py_UCS4 fill_char)
+
+ Fill a string with a
On Wed, Jan 4, 2012 at 00:30, Stephen J. Turnbull step...@xemacs.org wrote:
Benjamin Peterson writes:
My goodness, I was trying to make a ridiculous-sounding proposition.
In this kind of discussion, that's in the same class as be careful
what you wish for -- because you might just get it.
(I've added back python-ideas, because I think that is still the
appropriate forum.)
A new
suite type - the ``transaction`` will be added to the language. The
suite will have the semantics discussed above: modifying an object in
the suite will trigger creation of a thread-local shallow
On Jan 04, 2012, at 02:59 AM, Antoine Pitrou wrote:
Well what if /dev/urandom is unavailable because the program is run
e.g. in a chroot?
(or is /dev/urandom still available in a chroot?)
It is (apparently) in an schroot in Ubuntu, so I'd guess it's also available
in Debian (untested).
-Barry
On Wed, Jan 4, 2012 at 12:59 AM, Maciej Fijalkowski fij...@gmail.com wrote:
On Wed, Jan 4, 2012 at 12:02 AM, Bill Janssen jans...@parc.com wrote:
Christian Heimes li...@cheimes.de wrote:
On 29.12.2011 12:13, Mark Shannon wrote:
The attack relies on being able to predict the hash value for
On Wed, Jan 04, 2012 at 11:55:13AM +0100, Antoine Pitrou wrote:
On Wed, 4 Jan 2012 09:59:15 +0200
Maciej Fijalkowski fij...@gmail.com wrote:
Is it *really* a security issue? We knew all along that dicts are
O(n^2) in worst case scenario, how is this suddenly a security
problem?