Open frenzymadness opened 4 years ago
Sorry that it took so long, but I'm currently working on updating to the current cpython version of ipaddress. Unfortunately, there's a high number of merge conflicts. I'll look at them, and if I don't get it done soon, will merge this quickfix.
No worries. I've also made a mistake because this commit is not marked as released on GitHub but it actually is released in 3.8.4.
So, an update to the latest cpython version should be enough, or you can release just this fix if the update would take too long.
Hi @phihag! Just a friendly note that I too would like to see this issue resolved. If there is anything I can do to help it along, let me know!
Hello. Could we please move this forward? We can either help you to update the package to the latest cpython version or you can just merge and release this fix. After all, it's a moderate severity CVE and this package is a dependency of many very popular libraries.
Hi! Can you make a release with this fix?
I'm gonna try to update this package from the upstream Python. If you want to help, follow my progress in #59
@frenzymadness @shadchin We (ActiveState) forked it and fixed it here: https://github.com/ActiveState/ipaddress. Obviously not ideal as it would be best if this project was the canonical source but the CVE has been addressed.
@zoofood Thanks for the info. I can also maintain this patch downstream (on RPM level) but I'd rather fix this project.
A PR with an update to CPython 3.8 is available at #60
Is this going to be merged? Is there anything we can do to help that happen soon?
The hash() methods of classes IPv4Interface and IPv6Interface had the issue of generating constant hash values of 32 and 128 respectively, causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of the XOR operation.
Fixes: https://github.com/phihag/ipaddress/issues/55
Backported from: https://github.com/python/cpython/pull/21221/commits/bd32b1fc950e6633d237855ceddd84ea83904238
If you prefer to wait for the next Python 3.8 release, please let me know.
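A regression check for the behaviour described in this PR, added here as an example and not taken from the PR or from CPython's test suite. `xor_hash` and `tuple_hash` are hypothetical helpers that model the pre-fix and post-fix formulas on top of whatever `ipaddress` module is importable, and the sample addresses are constructed.

```python
import ipaddress


def xor_hash(iface):
    # Pre-fix formula (assumed from the CPython code this PR replaces):
    # XOR of address, prefix length and network address.
    return (int(iface.ip) ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def tuple_hash(iface):
    # Post-fix formula: hash() over the same three integers as a tuple.
    return hash((int(iface.ip), iface.network.prefixlen,
                 int(iface.network.network_address)))


def sample_interfaces(n, version=4):
    # Constructed sample: n consecutive host interfaces (no prefix given,
    # so /32 or /128), the case where address == network address.
    if version == 4:
        base, cls = int(ipaddress.IPv4Address("198.51.100.0")), ipaddress.IPv4Interface
    else:
        base, cls = int(ipaddress.IPv6Address("2001:db8::")), ipaddress.IPv6Interface
    return [cls(base + i) for i in range(n)]


def distinct_hashes(n=1000):
    # Count distinct hash values per formula; "installed" is the __hash__
    # of the ipaddress module actually in use, i.e. the thing to verify.
    result = {}
    for version in (4, 6):
        ifaces = sample_interfaces(n, version)
        result[version] = {
            "xor": len({xor_hash(i) for i in ifaces}),
            "tuple": len({tuple_hash(i) for i in ifaces}),
            "installed": len({hash(i) for i in ifaces}),
        }
    return result


if __name__ == "__main__":
    for version, counts in distinct_hashes().items():
        print("IPv%d" % version, counts)
        if counts["installed"] == 1:
            print("  installed ipaddress still has the constant-hash bug")
```

With the XOR formula the address and network address cancel for host interfaces, leaving only the prefix length, which is why every object lands in the same dict or set bucket. An "installed" count of 1 means the module in use does not yet contain the fix.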