This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author dmalcolm
Recipients dmalcolm
Date 2012-03-09.00:56:27
SpamBayes Score 0.0177331
Marked as misclassified No
Message-id <>
Expat 2.1.0 Beta was recently announced:
which contains (among other things) a fix for a hash-collision denial-of-service attack (CVE-2012-0876)

I'm attaching a patch which minimally backports the hash-collision fix part of expat 2.1.0 to the embedded copy of expat in the CPython source tree, and which adds a call to XML_SetHashSalt() to pyexpat when creating parsers.  It reuses part of the hash secret from Py_HashSecret.
Date User Action Args
2012-03-09 00:56:34dmalcolmsetrecipients: + dmalcolm
2012-03-09 00:56:31dmalcolmsetmessageid: <>
2012-03-09 00:56:30dmalcolmlinkissue14234 messages
2012-03-09 00:56:30dmalcolmcreate