[Python-Dev] 2.3.6 for the unicode buffer overrun

Nick Craig-Wood nick at craig-wood.com
Thu Oct 12 13:35:31 CEST 2006


On Thu, Oct 12, 2006 at 06:08:46PM +1000, Anthony Baxter wrote:
> I've had a couple of queries about whether PSF-2006-001 merits a 2.3.6. 
> Personally, I lean towards "no" - 2.4 was nearly two years ago now. But I'm 
> open to other opinions - I guess people see the phrase "buffer overrun" and 
> they get scared.

As a data point: Python 2.3 is the shipped version of Python in the
current stable Debian release (sarge).  It is also vulnerable by
default (sys.maxunicode == 1114111).

I'm sure the Debian maintainers are capable of picking up the patch
and sending out a security update themselves, but by releasing a fixed
2.3 you'll send a stronger message to all the distributions hopefully!

> Plus once 2.4.4 final is out next week, I'll have cut 12 releases
> since March. Assuming a 2.5.1 before March (very likely) that'll be
> 14 releases in 12 months. 16 releases in 12 months would just about
> make me go crazy.

I sympathise!  I do releases for my current workplace and it is
time-consuming and exacting work.
-- 
Nick Craig-Wood <nick at craig-wood.com> -- http://www.craig-wood.com/nick
