On Thu, Feb 21, 2013 at 11:12 AM, Christian Heimes <christian@python.org> wrote:

Am 21.02.2013 19:39, schrieb Eli Bendersky:

> Just to clarify for my own curiosity. These attacks (e.g.
> http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
> since 2003?

Correct, see https://pypi.python.org/pypi/defusedxml#synopsis third
paragraph. All XML attacks in my analysis are well known for years,
billion laughs for about a decade.

As far as I know it's the first time somebody has compiled and published
a detailed list of vulnerabilities in Python's XML libraries. However
I'm not the only one. OpenStack and Django were contacted by several
people in the past few weeks, too.

Thanks, Christian. I think this should put the urgency of the fix into context. While I agree that we should work on making future versions resilient by default, I have doubts about the urgency of back-patching existing, in-mainteinance-mode stable versions with something that's not opt-in.

Eli