[Python-Dev] Security Advisory for unicode repr() bug?
mal at egenix.com
Sat Oct 7 16:36:00 CEST 2006
Georg Brandl wrote:
> skip at pobox.com wrote:
>> Georg> [ Bug http://python.org/sf/1541585 ]
>> Georg> This seems to be handled like a security issue by linux
>> Georg> distributors, it's also a news item on security related pages.
>> Georg> Should a security advisory be written and official patches be
>> Georg> provided?
>> I asked about this a few weeks ago. I got no direct response. Secunia sent
>> mail to webmaster and the SF project admins asking about how this could be
>> exploited. (Isn't figuring that stuff out their job?)
> Perhaps, judging from the name :)
>> This was corrected before 2.5 was released and the 2.4 source has (I think)
>> already been patched, with 2.4.4 right around the corner. The bulk of the
>> Python installations in the field are probably running on Windows (most of
>> them provided by HP/Compaq), and it seems the Linux vendors are all over it.
>> I don't know if Apple has picked up on it (or if the version they currently
>> distribute is affected - 2.3.5 built Oct 5 2005). Would you provide a patch
>> of some sort for Windows or just refer people to corrected installers?
>> Given the apparently miserable results trying to get Windows users to
>> install security fixes manually, I doubt a new 2.4.3 Windows installer would
>> get much exercise.
> Even if the patch / corrected installer is used by only 1% of all installations,
> reacting quickly and providing it in the first place is going to make a much
> better impression than saying "well, nobody is going to apply it and the next
> release is due in a few weeks".
Note that the bug refers to a UCS4 Python build. Most Linux
distros ship UCS4 builds nowadays, so they care. The Windows
builds are UCS2 (except maybe the ones for Win64 - don't know)
which doesn't seem to be affected.
+1 on publishing the patch for 2.4. It's always better to react
quickly in such cases, even if it just gives users a fuzzy warm
feeling of being cared for :-) Whether such patches get installed
or not is not really a question to ask, since it's not within
Professional Python Services directly from the Source (#1, Oct 07 2006)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::
More information about the Python-Dev