On 2/25/14, Victor Stinner wrote:
> Hi,
>
> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>> I've checked these, and noted the relevant hg.python.org links on the
>> tracker issue at http://bugs.python.org/issue20246
>
> Would it be possible to have a table with all known Python security
> vulnerabilit
On 26 February 2014 13:57, Stephen J. Turnbull wrote:
> Nick Coghlan writes that b'%a' is
>
> > the obvious way to interpolate representations of arbitrary objects
> > into binary formats that contain ASCII compatible segments.
>
> The only argument that I have sympathy for is
>
> > %a *should*
Donald Stufft writes:
> Instead of pre-generating one set of values that can be used to
> DoS things you have to pre-generate 256 sets of values and try them
> until you get the right one. It’s like putting on armor made of
> paper and saying it’s harder to stab you now.
You obviously don'
Nick Coghlan writes that b'%a' is
> the obvious way to interpolate representations of arbitrary objects
> into binary formats that contain ASCII compatible segments.
The only argument that I have sympathy for is
> %a *should* be allowed for consistency with text interpolation
although introd
On 2/25/2014 8:56 PM, Surya wrote:
Hey there,
I am Surya, studying final year of Engineering. I have looked into Core
Python's ideas list and got interested in Email module.
I've been working on Django over the past few years, and now like to
work on slightly a different layer of protocols and
Hey there,
I am Surya, studying final year of Engineering. I have looked into Core
Python's ideas list and got interested in Email module.
I've been working on Django over the past few years, and now like to work
on slightly a different layer of protocols and this idea happened to be it.
That s
On 26 Feb 2014 07:04, "r.david.murray" wrote:
>
> http://hg.python.org/cpython/rev/4cd620d8c3f6
> changeset: 89392:4cd620d8c3f6
> user:R David Murray
> date:Tue Feb 25 16:03:14 2014 -0500
> summary:
> whatsnew: DynanicClassAttribute (#19030), Py_SetStandardStreamEncoding
(#161
On 26 Feb 2014 04:51, "Antoine Pitrou" wrote:
>
> On Tue, 25 Feb 2014 20:38:46 +0200
> Maciej Fijalkowski wrote:
> >
> > My impression is that a lot of discussion went into hash
> > randomization, because it was a high profile issue. It got "fixed",
> > then later someone discovered that the fix
On 02/25/2014 12:13 PM, Terry Reedy wrote:
On 2/25/2014 8:32 AM, Chris Angelico wrote:
On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft wrote:
Instead of pre-generating one set of values that can be used to DoS things
you have to pre-generate 256 sets of values and try them until you get the
On 2/25/2014 8:32 AM, Chris Angelico wrote:
On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft wrote:
Instead of pre-generating one set of values that can be used to DoS things
you have to pre-generate 256 sets of values and try them until you get the
right one. It’s like putting on armor made
On 2/25/2014 6:25 AM, Rik wrote:
I want to try to submit a patch for 2.7, but I don't know how to run the
tests for the 2.7 branch. `./configure` doesn't seem to create a
`python.exe` file on the 2.7 branch on OS X Mavericks, and I do need
this file according to this guide:
http://docs.python.org
17.02.14 01:27, Nick Coghlan wrote:
This change doesn't fix any of the known crashers in Lib/test/crashers,
though - I applied the patch locally and checked.
It fixes other crasher (http://bugs.python.org/issue20440#msg209713).
The point is that people already know what Py_CLEAR does. T
On Tue, 25 Feb 2014 20:38:46 +0200
Maciej Fijalkowski wrote:
>
> My impression is that a lot of discussion went into hash
> randomization, because it was a high profile issue. It got "fixed",
> then later someone discovered that the fix is completely broken and
> was left at that without much dis
On Tue, Feb 25, 2014 at 5:22 PM, Barry Warsaw wrote:
> On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>
>>Oh, I thought security fixes go to all python releases.
>
> Well, not the EOL'd ones of course.
yes of course sorry.
>
> Where's the analysis on backporting SIPHash to older Python
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 25.02.2014 15:41, Benjamin Peterson wrote:
> I'm not sure why you think it wasn't sent to security@
> https://mail.python.org/mailman/private/psrt/2014-January/001297.html
Because
>
I can't find the mail in my inbox. Perhaps it fell victim to
p
23.02.14 18:42, r.david.murray wrote:
http://hg.python.org/cpython/rev/4d615ab37804
changeset: 89337:4d615ab37804
user:R David Murray
date:Sun Feb 23 10:22:07 2014 -0500
summary:
whatsnew: textwrap.shorten.
Also add the missing TextWrapper.shorten method doc.
There
Hi,
Saimadhav Heblikar here. I would like to express my interest in working on
IDLE improvement project as a part of Google Summer of Code 2014 for Python
Core projects under the Python Software Foundation. I am currently a
freshman Computer Science undergraduate student at PESIT, Bangalore.
Simi
On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>Oh, I thought security fixes go to all python releases.
Well, not the EOL'd ones of course.
Where's the analysis on backporting SIPHash to older Python versions? Would
such a backport break backward compatibility? What other impacts woul
On Mon, Feb 24, 2014, at 11:39 PM, Christian Heimes wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hi,
>
> this looks pretty serious -- and it caught me off guard, too. :(
>
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
>
> Next
On Feb 25, 2014, at 8:33 AM, Nick Coghlan wrote:
>
> On 25 Feb 2014 23:09, "Maciej Fijalkowski" wrote:
> >
> > On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
> > > On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski
> > > wrote:
> > >>> Last issues:
> > >>> - hash DoS
> > >>
> > >>
On 25 Feb 2014 23:23, "Donald Stufft" wrote:
>
>
> On Feb 25, 2014, at 8:17 AM, Antoine Pitrou wrote:
>
> > On Tue, 25 Feb 2014 08:08:09 -0500
> > Donald Stufft wrote:
> >>
> >> Hash randomization is broken and doesn't fix anything.
> >
> > Not sure what you mean with "doesn't fix anything". Has
On 25 Feb 2014 23:09, "Maciej Fijalkowski" wrote:
>
> On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
> > On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski
wrote:
> >>> Last issues:
> >>> - hash DoS
> >>
> >> is this fixed?
> >
> > Yes, hash randomization was added as an option in 2.7.
On Wed, Feb 26, 2014 at 12:21 AM, Donald Stufft wrote:
> Instead of pre-generating one set of values that can be used to DoS things
> you have to pre-generate 256 sets of values and try them until you get the
> right one. It’s like putting on armor made of paper and saying it’s harder to
> stab
On Feb 25, 2014, at 8:17 AM, Antoine Pitrou wrote:
> On Tue, 25 Feb 2014 08:08:09 -0500
> Donald Stufft wrote:
>>
>> Hash randomization is broken and doesn’t fix anything.
>
> Not sure what you mean with "doesn't fix anything". Hash collisions were
> easy to exploit pre-hash randomization, th
On Tue, 25 Feb 2014 08:08:09 -0500
Donald Stufft wrote:
>
> Hash randomization is broken and doesn’t fix anything.
Not sure what you mean with "doesn't fix anything". Hash collisions were
easy to exploit pre-hash randomization, they don't seem as easy to
exploit with it.
Regards
Antoine.
_
On Wed, Feb 26, 2014 at 12:07 AM, Maciej Fijalkowski wrote:
> No, the hash randomization is broken, it does not provide enough
> randomness (without changing the hash function which only happened in
> 3.4+)
Hmm, I don't remember reading about that - got a link to more info? Or
was that report kep
On Feb 25, 2014, at 8:07 AM, Maciej Fijalkowski wrote:
> On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
>> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski
>> wrote:
Last issues:
- hash DoS
>>>
>>> is this fixed?
>>
>> Yes, hash randomization was added as an option in
On Feb 25, 2014, at 8:06 AM, Chris Angelico wrote:
> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski wrote:
>>> Last issues:
>>> - hash DoS
>>
>> is this fixed?
>
> Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
> thereabouts, and is on by default in 3.3+. You do hav
On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico wrote:
> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski wrote:
>>> Last issues:
>>> - hash DoS
>>
>> is this fixed?
>
> Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
> thereabouts, and is on by default in 3.3+. You do hav
On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski wrote:
>> Last issues:
>> - hash DoS
>
> is this fixed?
Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
thereabouts, and is on by default in 3.3+. You do have to set an
environment variable for 2.7 (and I think 2.6 got that
On Tue, Feb 25, 2014 at 3:01 PM, Donald Stufft wrote:
>
> On Feb 25, 2014, at 7:59 AM, Maciej Fijalkowski wrote:
>
>> On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
>> wrote:
>>> Hi,
>>>
>>> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
I've checked these, and noted the relevant hg.python.org
On Feb 25, 2014, at 7:59 AM, Maciej Fijalkowski wrote:
> On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
> wrote:
>> Hi,
>>
>> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>>> I've checked these, and noted the relevant hg.python.org links on the
>>> tracker issue at http://bugs.python.org/issue20
On Tue, Feb 25, 2014 at 11:13 AM, Victor Stinner
wrote:
> Hi,
>
> 2014-02-25 8:53 GMT+01:00 Nick Coghlan :
>> I've checked these, and noted the relevant hg.python.org links on the
>> tracker issue at http://bugs.python.org/issue20246
>
> Would it be possible to have a table with all known Python s
Hi Rik,
On Tue, 25 Feb 2014 12:25:27 +0100
Rik wrote:
> I want to try to submit a patch for 2.7, but I don't know how to run the
> tests for the 2.7 branch. `./configure` doesn't seem to create a
> `python.exe` file on the 2.7 branch on OS X Mavericks, and I do need this
> file according to this
On Tue, 25 Feb 2014 08:39:40 +0100
Christian Heimes wrote:
>
> this looks pretty serious -- and it caught me off guard, too. :(
>
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
>
> Next time please inform the Python Security Response Team about any
I want to try to submit a patch for 2.7, but I don't know how to run the
tests for the 2.7 branch. `./configure` doesn't seem to create a
`python.exe` file on the 2.7 branch on OS X Mavericks, and I do need this
file according to this guide:
http://docs.python.org/devguide/
Anybody know how I shou
Hi,
2014-02-25 8:39 GMT+01:00 Christian Heimes :
> this looks pretty serious -- and it caught me off guard, too. :(
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
I don't think that the issue is critical.
Extract of the article "Diving into SocketSe
Hi,
2014-02-25 8:53 GMT+01:00 Nick Coghlan :
> I've checked these, and noted the relevant hg.python.org links on the
> tracker issue at http://bugs.python.org/issue20246
Would it be possible to have a table with all known Python security
vulnerabilities and the Python versions which are fixed? Bo
On 25 February 2014 17:43, Stuart Bishop wrote:
> On 23 February 2014 08:56, Ethan Furman wrote:
>
>> ``%a`` will call :func:``ascii()`` on the interpolated value's
>> :func:``repr()``.
>> This is intended as a debugging aid, rather than something that should be
>> used
>> in production. Non-asc