Int/str conversions broken in latest Python bugfix releases

Thanks @oscarbenjamin for raising this issue on Discuss.

RedHat is a global company valued at USD $34 billion (with a B) when IBM purchased them three years ago. Let’s not blame overworked volunteers here.

If this were a high priority, or even a medium priority, for RedHat, the CVE details would have been populated less tardily.

This vulnerability is in a class of attack that has been public knowledge for over a decade: pass a huge chunk of data to the application and try to DoS it or overflow a buffer. The specific vulnerability (quadratic behaviour of str ↔ int conversions) has been public for at least four years. RedHat reserved the CVE 30 months ago, and the Python security team has known about it for two years.

I don’t buy the need to push out a fix to this without public discussion. This class of vulnerability was already public, and has been for years.

Even if it turns out that the chosen solution is the best, or only, solution, the secrecy and “trust us, we know best” from the security team was IMO not justified.

I feel that string hashing attacks are much more serious. Applications can, if they choose, perform length checks on data much more easily than they can recognise hash collisions. And yet we discussed hash randomization publicly in 2011 and 2012 before pushing it out. If we could discuss that publicly, why couldn’t we discuss this?

It seems that the threat here was in no way severe and urgent enough to justify the lack of community discussion.

22 Likes
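The two defences the post contrasts, an application-level length check on untrusted input versus the interpreter-wide digit limit shipped in the bugfix releases, as an added example that is not part of the original thread. It assumes the limit is exposed through `sys.set_int_max_str_digits` / `sys.get_int_max_str_digits` (present in 3.11 and the patched 3.7 to 3.10 releases) and degrades gracefully on an interpreter without them; the 4300-digit default, the sample payloads and the helper names are constructed for the example.

```python
import sys
import time

# Added example (not from the original thread). Shows an application-level
# digit-count check applied before int(), and probes/measures the
# interpreter-level limit assumed to exist as sys.set_int_max_str_digits.

DEFAULT_MAX_DIGITS = 4300  # default limit used by the bugfix releases


def safe_int(text: str, max_digits: int = DEFAULT_MAX_DIGITS) -> int:
    """Parse a decimal string only after bounding its digit count.

    The check is O(len) and runs before the O(len**2) conversion, so an
    oversized input is rejected without paying for the expensive work.
    Accepts the same surrounding whitespace, sign and '_' separators as int().
    """
    digits = text.strip().lstrip("+-").replace("_", "")
    if not digits.isdecimal():
        raise ValueError("not a decimal integer literal")
    if len(digits) > max_digits:
        raise ValueError(
            f"refusing to convert {len(digits)} digits (limit {max_digits})"
        )
    return int(text)


def interpreter_limit_active() -> bool:
    """True if this interpreter refuses str->int beyond its configured limit."""
    if not hasattr(sys, "get_int_max_str_digits"):
        return False  # unpatched interpreter: no limit exists
    limit = sys.get_int_max_str_digits()
    if limit == 0:
        return False  # limit explicitly disabled
    try:
        int("1" * (limit + 1))
    except ValueError:
        return True
    return False


def conversion_seconds(n_digits: int) -> float:
    """Time one str->int conversion of an n_digits-digit string.

    The interpreter limit is lifted for the measurement (0 disables it) and
    restored afterwards, so the quadratic cost is observable even on a
    patched interpreter.
    """
    previous = None
    if hasattr(sys, "set_int_max_str_digits"):
        previous = sys.get_int_max_str_digits()
        sys.set_int_max_str_digits(0)
    try:
        payload = "7" * n_digits  # constructed oversized input
        start = time.perf_counter()
        int(payload)
        return time.perf_counter() - start
    finally:
        if previous is not None:
            sys.set_int_max_str_digits(previous)


if __name__ == "__main__":
    print("interpreter limit active:", interpreter_limit_active())
    # Each doubling of the input should cost roughly four times as long.
    for n in (50_000, 100_000, 200_000):
        print(f"{n:>7} digits: {conversion_seconds(n):.3f}s")
    try:
        safe_int("9" * 10_000)
    except ValueError as exc:
        print("rejected:", exc)
```

The length check is the mitigation an application can apply on its own regardless of interpreter version; the interpreter limit is the global safety net the bugfix releases added, which is why code that legitimately handles very long integers now has to raise or disable it explicitly.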