On Wed, Jan 4, 2012 at 12:02 AM, Bill Janssen wrote:
> Christian Heimes wrote:
>
>> On 29.12.2011 12:13, Mark Shannon wrote:
>> > The attack relies on being able to predict the hash value for a given
>> > string. Randomising the string hash function is quite straightforward.
>> > There is no ne
> Well what if /dev/urandom is unavailable because the program is run
> e.g. in a chroot?
If the system ought to have /dev/urandom (as e.g. determined during
configure), I propose that Python fails fast, unless the command line
option is given that disables random hash seeds.
For the security fix
On Wed, 4 Jan 2012 09:59:15 +0200
Maciej Fijalkowski wrote:
>
> Is it *really* a security issue? We knew all along that dicts are
> O(n^2) in worst case scenario, how is this suddenly a security
> problem?
Because it has been shown to be exploitable for malicious purposes?
Regards
Antoine.
On 04.01.2012 08:59, Maciej Fijalkowski wrote:
> Is it *really* a security issue? We knew all along that dicts are
> O(n^2) in worst case scenario, how is this suddenly a security
> problem?
For example Microsoft has released an extraordinary and unscheduled
security patch for the issue between
> (or is /dev/urandom still available in a chroot?)
Last time that I played with chroot, I "binded" /dev and /proc. Many
programs rely on specific devices like /dev/null.
Python should not refuse to start if /dev/urandom (or CryptoGen) is
missing or cannot be used, but should use a weak fallback.
Oops, it's a typo in the doc (copy/paste failure). It's now fixed, thanks.
Victor
2012/1/4 Antoine Pitrou :
>
>> +.. c:function:: int PyUnicode_Fill(PyObject *unicode, Py_ssize_t start, \
>> + Py_ssize_t length, Py_UCS4 fill_char)
>> +
>> + Fill a string with a character:
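Review bot: the PyUnicode_Fill entry declares an int return and takes start and length, but the quoted lines stop at "Fill a string with a character:" without saying what the return value means or what happens when start and length fall outside the string. If the rest of the entry does not already cover this, add one sentence for the return value and error case and one for how out-of-range start/length are handled, since callers of a C API that writes into a buffer need both.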
On Wed, Jan 4, 2012 at 00:30, Stephen J. Turnbull wrote:
> Benjamin Peterson writes:
>
> > My goodness, I was trying to make a ridiculous-sounding proposition.
>
> In this kind of discussion, that's in the same class as "be careful
> what you wish for -- because you might just get it."
I wish we
(I've added back python-ideas, because I think that is still the
appropriate forum.)
> A new
> suite type - the ``transaction`` will be added to the language. The
> suite will have the semantics discussed above: modifying an object in
> the suite will trigger creation of a thread-local shallow
On Jan 04, 2012, at 02:59 AM, Antoine Pitrou wrote:
>Well what if /dev/urandom is unavailable because the program is run
>e.g. in a chroot?
>(or is /dev/urandom still available in a chroot?)
It is (apparently) in an schroot in Ubuntu, so I'd guess it's also available
in Debian (untested).
-Barry
On Wed, Jan 4, 2012 at 12:59 AM, Maciej Fijalkowski wrote:
> On Wed, Jan 4, 2012 at 12:02 AM, Bill Janssen wrote:
>> Christian Heimes wrote:
>>
>>> On 29.12.2011 12:13, Mark Shannon wrote:
>>> > The attack relies on being able to predict the hash value for a given
>>> > string. Randomising the
On Wed, Jan 04, 2012 at 11:55:13AM +0100, Antoine Pitrou wrote:
> On Wed, 4 Jan 2012 09:59:15 +0200
> Maciej Fijalkowski wrote:
> >
> > Is it *really* a security issue? We knew all along that dicts are
> > O(n^2) in worst case scenario, how is this suddenly a security
> > problem?
>
> Because it