[Python-Dev] Python 2.5.3: call for patches

Matthias Klose doko at ubuntu.com
Wed Nov 12 08:31:03 CET 2008


Martin v. Löwis schrieb:
>> I would like to apply fixes for some CVE's which are addressed in 2.5 but not
>> yet in 2.4. this would include
>>
>> CVE-2007-4965
>> CVE-2008-1679
>> CVE-2008-1721
>> CVE-2008-2315
>> CVE-2008-3144
>> CVE-2008-1887
>> CVE-2008-4864
> 
> Can you identify the revisions that would need backporting?
> 
> I could only find (trunk revisions)
>   CVE-2007-4965: r65880
>   CVE-2008-1721: r62235, issue2586
>   CVE-2008-3144: issue2588, issue2589, r63734, r63728.
>   CVE-2008-1887: issue2587, r62261, r62271
>   CVE-2008-4864: r66689
> 
> So what about
> 
>   CVE-2008-1679: claimed to be issue1179 in the CVE, but
>                  that says it fixes CVE-2007-4965 only?

the original fix for CVE-2007-4965 did miss two chunks, which are included in
r65878 on the 2.5 branch.

>   CVE-2008-2315

this is r65334 on the 2.5 branch and r65335 on the trunk:
Security patches from Apple:  prevent int overflow when allocating memory
this was already checked in, with an added NEWS item in 2.4.5. Moved this
to 2.4.6.

> In principle, this is fine with me, so go ahead.

Done.


More information about the Python-Dev mailing list