Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://python-security.readthedocs.io/vuln/hash-dos.html below:

Hash DoS — Python Security 0.0 documentation

Hash collision denial of service.

Python 2.7 and older and Python 3.2 and older require the -R command line option to enable the enable hash function randomization. Randomization is enabled by default since Python 3.3 (the -R option is ignored).

“Effective Denial of Service attacks against web application platforms” talk at the CCC: 2011-12-28

See also the PEP 456: Secure and interchangeable hash algorithm: Python 3.4 switched to SipHash.

• Ruby: CRuby 1.9 fixed the vulnerability in 2008 with randomized hash function; JRuby has also been fixed.

• Perl: Perl 5.8.1 fixed the vulnerability in 2003 using a random “PERL_HASH_SEED”.

Dates:

• Disclosure date: 2011-12-28 (CCC talk)

• Reported by: Alexander “alech” Klink and Julian “zeri” Wälde

• Python 2.6.8 (2012-04-10) fixed by commit 1e13eb0 (branch 2.6) (2012-02-21)

• Python 2.7.3 (2012-04-09) fixed by commit 1e13eb0 (branch 2.6) (2012-02-21)

• Python 3.1.5 (2012-04-06) fixed by commit 2daf6ae (branch 2.7) (2012-02-20)

• Python 3.2.3 (2012-04-10) fixed by commit 2daf6ae (branch 2.7) (2012-02-20)

• Python 3.3.0 (2012-09-29) fixed by commit 2daf6ae (branch 2.7) (2012-02-20)

Hash collision security issue.

• Python issue: bpo-13703

• Creation date: 2012-01-03

• Reporter: Barry A. Warsaw

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

• CVE ID: CVE-2012-1150

• Published: 2012-10-05

• CVSS Score: 5.0

Timeline using the disclosure date 2011-12-28 as reference:

• 2011-12-28: Disclosure date (CCC talk)

• 2012-01-03 (+6 days): Python issue bpo-13703 reported by Barry A. Warsaw

• 2012-02-20 (+54 days): commit 2daf6ae (branch 2.7)

• 2012-02-21 (+55 days): commit 1e13eb0 (branch 2.6)

• 2012-04-06 (+100 days): Python 3.1.5 released

• 2012-04-09 (+103 days): Python 2.7.3 released

• 2012-04-10 (+104 days): Python 2.6.8 released

• 2012-04-10 (+104 days): Python 3.2.3 released

• 2012-09-29: Python 3.3.0 released

• 2012-10-05 (+282 days): CVE-2012-1150 published

• https://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html

• http://www.ocert.org/advisories/ocert-2011-003.html

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4