From: Gregory P. Smith
Date: Wed, 14 Mar 2012 22:00:39 +0000 (-0700)
Subject: Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes
X-Git-Tag: v3.3.0a2~192
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=70c9c4dca6bcb9b304c48915b32af74d133c01cc;p=python

Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.
---

70c9c4dca6bcb9b304c48915b32af74d133c01cc
diff --cc Misc/NEWS index 8dace0c759,1b4e09fcea..a9f33a23d9 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -24,17 -22,8 +24,22 @@@ Core and Builtin Library ------- -- Issue #14062: Header objects now correctly respect the 'linesep' setting - when processed by BytesParser (which smtplib.SMTP.send_message uses). ++- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash ++ table internal to the pyexpat module's copy of the expat library to avoid a ++ denial of service due to hash collisions. Patch by David Malcolm with some ++ modifications by the expat project. ++ +- Issue #14200: Idle shell crash on printing non-BMP unicode character. + +- Issue #12818: format address no longer needlessly \ escapes ()s in names when + the name ends up being quoted. + +- Issue #14062: BytesGenerator now correctly folds Header objects, + including using linesep when folding. + +- Issue #13839: When invoked on the command-line, the pstats module now + accepts several filenames of profile stat files and merges them all. + Patch by Matt Joiner. - Issue #14291: Email now defaults to utf-8 for non-ASCII unicode headers instead of raising an error. This fixes a regression relative to 2.7.
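Review bot: the new Library entry in Misc/NEWS (the `++` lines for Issue #14234) scopes the fix to "the pyexpat module's copy of the expat library" but does not say what applies to builds that link pyexpat against an expat other than that copy, nor how the hash randomization is seeded; one added sentence covering both would let packagers judge their exposure to CVE-2012-0876 from the NEWS file alone. Separately, this is a combined diff (`diff --cc`, `@@@` header) that touches only Misc/NEWS, so the expat change the entry describes is not visible here and has to be reviewed in the commits being merged.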