In the ipaddress library there exists two classes IPv4Interface, and IPv6Interface. These classes' hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects then are put in a dictionary, on for example a server storing IPs, this will cause hash collisions, which in turn can lead to DOS.

The root of this is on line 1421 and 2095. On both lines, self._ip and self.network.network_address will both be same, and when xor is applied they will cancel eachother out, leaving return self._prefixlen .
Since self._prefixlen is a constant, 32 and 64 respectively, this will lead to a constant hash.

The fix is trivial, on line 1421, change to:
return hash((self._ip, self._prefixlen, int(self.network.network_address)))

and on line 2095, change to:
return hash((self._ip, self._prefixlen, int(self.network.network_address)))

Good catch. Your approach seems like a good one.

Forgot to add, this applies to all versions, 3.10, 3.9, 3.8, 3.7, 3.6, 3.5

Can I make a PR for this?

Absolutely, go ahead Amir

Changing versions to where the fix would be applied.

Hi
I have raised a PR for this. But my PLA is yet to be updated (I have singed it).

But add the fix to the existing versions (3.8, 3.9 and 3.10), do I need to raise PR for each of those branches?

No @rvteja92, you don't need open multiple PRs, only make your changes on master branch. for more informations read this:
https://devguide.python.org/

And for the CLA sign it will take a while to be updated.

Hi

My CLA has been approved. Can someone review the PR.

New changeset b30ee26 by Ravi Teja P in branch 'master':
bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033)
b30ee26

New changeset dc8ce8e by Miss Islington (bot) in branch '3.8':
bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033)
dc8ce8e

New changeset 9a646aa by Miss Islington (bot) in branch '3.9':
bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033)
9a646aa

Ned: what are your thoughts on backporting this as a security issue?

https://nvd.nist.gov/vuln/detail?vulnId=CVE-2020-14422

https://nvd.nist.gov/vuln/detail?vulnId=CVE-2020-14422

As Eric said, this issue is assigned a CVE-2020-14422.
I re-open PRs for 3.5 - 3.7 and waiting for other core developers guide.

I am +1 on merge this PRs as the security patch.

A legitimate CVE should certainly be backported to all applicable releases, so, yes. However, I think that it is important for the CVE to be mentioned in the NEWS blurbs for each commit. So please update the NEWS items in each open PR to include the CVE. For master and 3.9 (if you hurry), you can update the original blurb file. For 3.8, the blurb file is in the process of being merged into the blurb for the release; for it, wait until the v3.8.4rc1 has been merged back into the main cpython repo and then update the merged the blob, please. Thanks!

New changeset b98e779 by Tapas Kundu in branch '3.7':
[3.7] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21231)
b98e779

New changeset cfc7ff8 by Tapas Kundu in branch '3.6':
[3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
cfc7ff8

New changeset 11d258c by Tapas Kundu in branch '3.5':
[3.5] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (bpo-21233)
11d258c