[Python-Dev] 2.3.6 for the unicode buffer overrun

Nick Craig-Wood nick at craig-wood.com
Thu Oct 12 13:35:31 CEST 2006

On Thu, Oct 12, 2006 at 06:08:46PM +1000, Anthony Baxter wrote:
> I've had a couple of queries about whether PSF-2006-001 merits a 2.3.6. 
> Personally, I lean towards "no" - 2.4 was nearly two years ago now. But I'm 
> open to other opinions - I guess people see the phrase "buffer overrun" and 
> they get scared.

As a data point: python 2.3 is the shipped version of python in
current stable Debian release (sarge).  It is also vulnerable by
default (sys.maxunicode == 1114111).

I'm sure the debian maintainers are capable of picking up the patch
and sending out a security update themselves, but by releasing a fixed
2.3 you'll send a stronger message to all the distributions hopefully!

> Plus once 2.4.4 final is out next week, I'll have cut 12 releases
> since March. Assuming a 2.5.1 before March (very likely) that'll be
> 14 releases in 12 months. 16 releases in 12 months would just about
> make me go crazy.

I sympathise!  I do released for my current workplace and it is time
consuming and exacting work.
Nick Craig-Wood <nick at craig-wood.com> -- http://www.craig-wood.com/nick

More information about the Python-Dev mailing list