Bug 755383

Summary: VUL-0: python: hash collision DoS
Product: [openSUSE] openSUSE 12.1
Reporter: Michal Vyskocil <mvyskocil>
Component: Other
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: lnussel, security-team
Version: Final
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3.1:SUSE:CVE-2012-1150:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 751718    
Bug Blocks:    

Description Michal Vyskocil 2012-04-03 07:35:13 UTC
+++ This bug was initially created as a clone of Bug #751718 +++

Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2012-1150

Python dictionaries are prone to hash table collision attacks. Web services, for example, might store parameters of a GET or POST request in a dictionary. An attacker may use this to cause high CPU load.

http://bugs.python.org/issue13703
http://seclists.org/fulldisclosure/2011/Dec/477
http://www.ocert.org/advisories/ocert-2011-003.html
https://bugzilla.redhat.com/show_bug.cgi?id=750555

---------------------------

This one is for python3 for openSUSE 12.1 only.

Comment 1 Jan Matejek 2012-04-06 17:28:50 UTC
python3 is fixed in SR #112896

reassigning to security

Comment 2 Ludwig Nussel 2012-06-06 08:12:07 UTC
already released