[Python-Dev] 2.3.6 for the unicode buffer overrun

Terry Reedy tjreedy at udel.edu
Thu Oct 12 19:34:09 CEST 2006


"Barry Warsaw" <barry at python.org> wrote in message 
news:2514DA1C-F5A1-4144-9068-006A933C516C at python.org...
> I've offered in the past to dust off my release manager cap and do a
> 2.3.6 release.  Having not done one in a long while, the most
> daunting part for me is getting the website updated, since I have
> none of those tools installed.
>
> I'm still willing to do a 2.3.6, though the last time this came up
> the response was too underwhelming to care.  I'm not sure this
> advisory is enough to change people's minds about that -- I'm sure
> any affected downstream distro is fully capable of patching and re-
> releasing their own packages.  Since this doesn't affect the
> binaries /we/ release, I'm not sure I care enough either.

Perhaps all that is needed from both a practical and public relations 
viewpoint is the release of a 2.3.5U4 security patch as a separate file 
listed just after 2.3.5 on the source downloads page (if this has not been 
done already).

Add a note (or link to a note) to the effect that it should be applied if 
one has or is going to compile a wide Unicode build for use in an 
environment exposed to untrusted Unicode text.

tjr




