Python updates for hash collision DoS problems - Update
The Python developers have released updates for Python 2.7 and 3.2 with changes that address several security issues. These include two fixes for hash collision problems which were brought into the spotlight at the Chaos Communications Congress (28C3) in December 2011.
The flaw allows attackers to craft key/value data so that the hashes of the keys are much more likely to collide. Building a hash table from such keys takes far longer than normal, which can be exploited in a denial of service attack. The issue is avoided by using a randomised hash function, which has now been implemented in the four currently supported versions of Python. One fix corrects Python's own hashing, while another corrects the same issue in the C-based Expat XML parsing library embedded in Python.
An unrelated denial of service issue in Python's SimpleXMLRPCServer, where excessive CPU could be consumed if a request was begun but the connection was closed before the request body had been completely sent, has also been fixed. Finally, a countermeasure against the CBC IV attacks on SSL 3.0 and TLS 1.0, which is incorporated into OpenSSL, has been turned back on in Python after it was found that the developers had inadvertently disabled it when setting SSL options.
Further details on the fixes in Python 2.7.3, the current stable Python 2.x version, and Python 3.2.3, the current stable Python 3.x version, are available. Windows and Mac OS X installers and source code for both these versions are available for download. The fixes are also available for Python 2.6.8 which is in source-code-only security-fix-only mode ahead of its retirement in October 2013, and Python 3.1.5, which is in the same mode and due for retirement in 2014.
Update - The Python developers have pointed out that, to avoid breaking applications which rely on the order of dictionary iteration, they have left hash randomisation disabled by default. Although the Python language makes no guarantees about the iteration order of dictionaries and sets, the developers say that the order has not changed for some time and that a number of applications may depend on it. To enable hash randomisation, users must add -R to the python command line or set the environment variable PYTHONHASHSEED to "random". The Expat XML parsing library is hash randomised by default.
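Whether randomisation is actually in effect can be checked directly: the hash of the same string stays constant across interpreter runs when randomisation is off (or pinned by an integer seed) and changes almost every run when it is on. The following is an added example, not code from the article or from the Python project; it assumes a Python 3 interpreter reachable as sys.executable and uses the PYTHONHASHSEED values described above (current Python 3 releases enable randomisation by default, so "random" is their default state).

```python
"""Probe str hash randomisation by launching child interpreters.

Added example, not from the original article. Each probe starts the
current interpreter with PYTHONHASHSEED set to a chosen value and
reports the hash of a test string plus sys.flags.hash_randomization.
Comparing hashes across several runs tells you whether the hash is
reproducible (attackable collisions are precomputable) or randomised.
"""
import os
import subprocess
import sys


def hash_in_child(value, seed):
    """Return (hash(value), sys.flags.hash_randomization) as computed by a
    child interpreter running with PYTHONHASHSEED=seed."""
    env = {**os.environ, "PYTHONHASHSEED": seed}
    code = "import sys; print(hash(%r)); print(sys.flags.hash_randomization)" % value
    result = subprocess.run(
        [sys.executable, "-c", code],
        env=env, capture_output=True, text=True, check=True,
    )
    hash_value, flag = result.stdout.split()
    return int(hash_value), int(flag)


def randomisation_active(seed, probe="abc", runs=3):
    """True if the hash of `probe` differs between interpreter runs.

    "0" disables randomisation, a fixed integer seed makes it reproducible
    (the flag is set but hashes repeat), and "random" gives fresh hashes.
    """
    hashes = {hash_in_child(probe, seed)[0] for _ in range(runs)}
    return len(hashes) > 1


if __name__ == "__main__":
    for seed in ("0", "42", "random"):
        h, flag = hash_in_child("abc", seed)
        print(f"PYTHONHASHSEED={seed:<6} flag={flag} hash={h:>21} "
              f"changes between runs: {randomisation_active(seed)}")
```

A fixed integer seed reports the randomisation flag as set yet produces identical hashes on every run, so a monitoring check should compare hashes across runs rather than trust the flag alone.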