CVE-2012-1150
Published: 9 March 2012
Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Notes
| Author | Note |
|---|---|
| jdstrand | patch does not change the default, so the risk of backporting to python2.5 and python2.4 outweighs the benefit of adding the patch. Ubuntu 8.04 LTS who require this patch should upgrade to Ubuntu 10.04 LTS or another supported release. the patch for 3.2 on oneiric is somewhere between the upstream 3.1 and 3.2 patches. Specifically, need the Modules/_datetimemodule.c changes |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.4 Launchpad, Ubuntu, Debian |
hardy |
Ignored
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
python2.5 Launchpad, Ubuntu, Debian |
hardy |
Ignored
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
python2.6 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(2.6.5-1ubuntu6.1)
|
|
| maverick |
Ignored
(end of life)
|
|
| natty |
Released
(2.6.6-6ubuntu7.1)
|
|
| oneiric |
Released
(2.6.7-4ubuntu1.1)
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Released
(2.6.8)
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/6b7704fe1be1 |
||
|
python2.7 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Ignored
(end of life)
|
|
| natty |
Released
(2.7.1-5ubuntu2.2)
|
|
| oneiric |
Released
(2.7.2-5ubuntu1.1)
|
|
| precise |
Not vulnerable
(2.7.3~rc1-1ubuntu2)
|
|
| quantal |
Not vulnerable
(2.7.3~rc1-1ubuntu2)
|
|
| upstream |
Released
(2.7.3~rc1-1)
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/a0f43f4481e0 |
||
|
python3.1 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(3.1.2-0ubuntu3.2)
|
|
| maverick |
Ignored
(end of life)
|
|
| natty |
Released
(3.1.3-1ubuntu1.2)
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/f4b7ecf8a5f8 upstream: http://hg.python.org/cpython/rev/ab1886e7fc19 |
||
|
python3.2 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Released
(3.2-1ubuntu1.2)
|
|
| oneiric |
Released
(3.2.2-0ubuntu1.1)
|
|
| precise |
Not vulnerable
(3.2.3~rc1-1)
|
|
| quantal |
Not vulnerable
(3.2.3~rc1-1)
|
|
| upstream |
Released
(3.2.3~rc1-1)
|
|
|
Patches: upstream: http://hg.python.org/cpython/rev/ed76dc34b39d |
||