[Mageia-dev] Freeze push: python and python3
Antoine Pitrou
solipsis at pitrou.net
Thu Apr 19 14:52:44 CEST 2012
On Thu, 19 Apr 2012 09:13:12 +0800
Funda Wang <fundawang at gmail.com> wrote:
> Hello,
>
> Could somebody push python-2.7.3 and python3-3.2.3 into cauldron? They
> fixed CVE-2012-0876, oCERT-2011-003, CVE-2012-0845, CVE-2011-3389,
> and a lot of other minor bugs.
Note that oCERT-2011-003 is not plugged by default, because of
backwards compatibility issues (**). You need to either use the new "-R"
command-line option or set the PYTHONHASHSEED environment variable
to "random" (*). Perhaps that could be done for select Python
applications, especially Web applications (where malicious data can be
sent by anyone on the Internet).
(*) http://docs.python.org/using/cmdline.html#cmdoption-R
(**) “Changing hash values affects the order in which keys are
retrieved from a dict. Although Python has never made guarantees about
this ordering (and it typically varies between 32-bit and 64-bit
builds), enough real-world code implicitly relies on this
non-guaranteed behavior that the randomization is disabled by default.”
Regards
Antoine.
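A deployment-side check for the opt-in described above, added here as an example and not taken from the mail or from Mageia's packaging: it spawns child interpreters under different PYTHONHASHSEED settings (the environment-variable form of the "-R" switch) and reports whether hash randomization is actually in effect and whether str hashes stay stable across processes. It assumes a Python 3 interpreter is on the path; on 2.7.3/3.2.3 the same code runs, but the "unset" case reads as disabled there.

```python
"""Check whether a Python interpreter runs with hash randomization.

Constructed example for this thread.  Each probe starts a fresh child
interpreter so the effect of PYTHONHASHSEED can be observed from the
outside, which is what a service health check would do.
"""
import os
import subprocess
import sys

# Child-side snippet: print the interpreter's randomization flag and the
# hash of a fixed string on one line, e.g. "1 -4925380318391723495".
_PROBE = ("import sys; "
          "print('%d %d' % (sys.flags.hash_randomization, hash('spam')))")


def _probe(seed_setting):
    """Run a child with PYTHONHASHSEED=seed_setting (unset when None) and
    return (hash_randomization_flag, hash_of_spam) as reported by it."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed_setting is not None:
        env["PYTHONHASHSEED"] = seed_setting
    out = subprocess.check_output([sys.executable, "-c", _PROBE], env=env)
    flag, digest = out.decode().split()
    return int(flag), int(digest)


def child_hash_randomization(seed_setting):
    """sys.flags.hash_randomization seen by a child started with the given
    PYTHONHASHSEED setting: 1 when randomization is on, 0 when it is off."""
    return _probe(seed_setting)[0]


def same_hash_across_runs(seed_setting, runs=3):
    """True if hash('spam') is identical in several fresh interpreters.
    Stable hashes are the precondition for the oCERT-2011-003 collision
    DoS; with PYTHONHASHSEED=random every process picks its own seed."""
    hashes = {_probe(seed_setting)[1] for _ in range(runs)}
    return len(hashes) == 1


if __name__ == "__main__":
    for setting in ("0", "random", None):
        print("PYTHONHASHSEED=%r: flag=%d stable=%s" % (
            setting, child_hash_randomization(setting),
            same_hash_across_runs(setting)))
```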