[Python-Dev] Security Advisory for unicode repr() bug?
g.brandl at gmx.net
Sat Oct 7 14:27:09 CEST 2006
skip at pobox.com wrote:
> Georg> [ Bug http://python.org/sf/1541585 ]
> Georg> This seems to be handled like a security issue by Linux
> Georg> distributors, it's also a news item on security-related pages.
> Georg> Should a security advisory be written and official patches be
> Georg> provided?
> I asked about this a few weeks ago. I got no direct response. Secunia sent
> mail to webmaster and the SF project admins asking about how this could be
> exploited. (Isn't figuring that stuff out their job?)

Perhaps, judging from the name :)

> This was corrected before 2.5 was released and the 2.4 source has (I think)
> already been patched, with 2.4.4 right around the corner. The bulk of the
> Python installations in the field are probably running on Windows (most of
> them provided by HP/Compaq), and it seems the Linux vendors are all over it.
> I don't know if Apple has picked up on it (or if the version they currently
> distribute is affected - 2.3.5 built Oct 5 2005). Would you provide a patch
> of some sort for Windows or just refer people to corrected installers?
> Given the apparently miserable results trying to get Windows users to
> install security fixes manually, I doubt a new 2.4.3 Windows installer would
> get much exercise.

Even if the patch / corrected installer is used by only 1% of all installations,
reacting quickly and providing it in the first place is going to make a much
better impression than saying "well, nobody is going to apply it and the next
release is due in a few weeks".

[CC'ing security at python.org]