[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

Christian Heimes christian at python.org
Fri Feb 24 06:55:33 EST 2017


On 2017-02-24 11:01, Antoine Pitrou wrote:
> On Thu, 23 Feb 2017 23:51:45 -0800
> Benjamin Peterson <benjamin at python.org> wrote:
>>
>> Like all CPython developers, the Python security team are all
>> volunteers. That combined with the fact that dealing with security
>> issues is one of the least fun programming tasks means issues are
>> sometimes dropped.
>>
>> Perhaps some organization with a stake Python security would like to
>> financially support Python security team members.
>>
>> As for this, particular issue, we should determine if there's a tracker
>> issue yet and continue discussion there.
> 
> Just for the record, I find the mailing-list scheme used by PSRT quite
> difficult to deal with.  For many people it's easy to lose track of
> e-mails received more than one week ago, so the necessary followup to
> security issues received by e-mail suffers.
> 
> It's a bit sad that regular issues benefit from a full-fledged
> Roundup instance to allow for easy tracking of open issues (including
> comments and proposed fixes), but security issues are restricted to such
> a primitive communication setup which makes it so difficult to get work
> done.
> 
> AFAIK, other projects have full-fledged private bug trackers for their
> security issues (or access-restricted sections in the main bug tracker,
> where the software supports it).

Amen!

Antoine's and Benjamin's replies are the gist of my security talk at the
last language summit, https://lwn.net/Articles/691308/ . A dedicated bug
tracker or embargoed tickets would help the most. It would also make it
much easier to track and measure our response time.

A paid position would also help with the organizational overhead.
Personally, I'm good at finding and fixing security issues. The actual
communication, reporting and press releases are not my strength.

Victor's incredible work on
http://python-security.readthedocs.io/vulnerabilities.html is going to
help, too.

Christian
