[Python-Dev] Status of XML fixes
Stefan Behnel
stefan_ml at behnel.de
Sun Mar 17 20:00:19 CET 2013
Eli Bendersky, 17.03.2013 19:25:
> IMHO Benjamin is right, given that this attack has been known to exist
> since 2003. Moreover, as it appears that no changes whatsoever are going to
> make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed.
> As for 3.4, it can't hurt to add an opt-in option for a safe mode to the
> affected libraries.
Why keep the libraries vulnerable for another year (3.4 final is expected
for early 2014), if there is something we can do about them now? The fact
that the attacks have been known for a decade doesn't mean an attacker will
need another ten years to exploit them.
Stefan
More information about the Python-Dev
mailing list