Your submission was sent successfully! Close

CVE-2012-1150

Published: 9 March 2012

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Notes

AuthorNote
jdstrand
patch does not change the default, so the risk of backporting to
python2.5 and python2.4 outweighs the benefit of adding the patch. Ubuntu
8.04 LTS who require this patch should upgrade to Ubuntu 10.04 LTS or
another supported release.
the patch for 3.2 on oneiric is somewhere between the upstream 3.1
and 3.2 patches. Specifically, need the Modules/_datetimemodule.c changes
Priority

Medium

Status

Package Release Status
python2.4
Launchpad, Ubuntu, Debian
hardy Ignored

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

precise Does not exist

quantal Does not exist

upstream Needs triage

python2.5
Launchpad, Ubuntu, Debian
hardy Ignored

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

precise Does not exist

quantal Does not exist

upstream Needs triage

python2.6
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (2.6.5-1ubuntu6.1)
maverick Ignored
(reached end-of-life)
natty
Released (2.6.6-6ubuntu7.1)
oneiric
Released (2.6.7-4ubuntu1.1)
precise Does not exist

quantal Does not exist

upstream
Released (2.6.8)
Patches:
upstream: http://hg.python.org/cpython/rev/6b7704fe1be1




python2.7
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Ignored
(reached end-of-life)
natty
Released (2.7.1-5ubuntu2.2)
oneiric
Released (2.7.2-5ubuntu1.1)
precise Not vulnerable
(2.7.3~rc1-1ubuntu2)
quantal Not vulnerable
(2.7.3~rc1-1ubuntu2)
upstream
Released (2.7.3~rc1-1)
Patches:

upstream: http://hg.python.org/cpython/rev/a0f43f4481e0



python3.1
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (3.1.2-0ubuntu3.2)
maverick Ignored
(reached end-of-life)
natty
Released (3.1.3-1ubuntu1.2)
oneiric Does not exist

precise Does not exist

quantal Does not exist

upstream Needs triage

Patches:


upstream: http://hg.python.org/cpython/rev/f4b7ecf8a5f8 (pt1)
upstream: http://hg.python.org/cpython/rev/ab1886e7fc19 (pt2)

python3.2
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Does not exist

natty
Released (3.2-1ubuntu1.2)
oneiric
Released (3.2.2-0ubuntu1.1)
precise Not vulnerable
(3.2.3~rc1-1)
quantal Not vulnerable
(3.2.3~rc1-1)
upstream
Released (3.2.3~rc1-1)
Patches:




upstream: http://hg.python.org/cpython/rev/ed76dc34b39d