[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

Victor Stinner victor.stinner at gmail.com
Tue Jun 20 19:57:41 EDT 2017


Thank you. Now you can admire the beautiful timeline :-)
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#timeline

Timeline using the disclosure date 2017-02-20 as reference:

2016-01-15 (-402 days): Reported (email sent to the PSRT list)
2017-02-20: Disclosure date (blog post, mail to oss-security)
2017-02-20 (+0 days): Python issue #29606 reported by ecbftw

2017-06-21 1:06 GMT+02:00 Guido van Rossum <guido at python.org>:
> I think that the first email about this was received from Timothy D. Morgan
> on 1/15/16. You should be able to get confirmation of this from Christian
> Heimes. I think that was a dark year for the PSRT.
>
> On Tue, Jun 20, 2017 at 3:35 PM, Victor Stinner <victor.stinner at gmail.com>
> wrote:
>>
>> Hi,
>>
>> Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass
>> (oss-security advisory)"
>>
>> 2017-02-24 5:36 GMT+01:00 Steven D'Aprano <steve at pearwood.info>:
>> > I am not qualified to judge the merits of this, but it does seem
>> > worrying that (alledgedly) the Python security team hasn't responded for
>> > over 12 months.
>> >
>> > Is anyone able to comment?
>>
>> I don't have the archives of the PSRT mailing list and I'm not sure
>> that I was subscribed when "the" email was sent. Does someone have the
>> date of this email? It's to complete the new entry in my doc:
>>
>> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
>>
>> I don't want to blame anyone, I just want to collect data to help us
>> to enhance our process to handle security vulnerabilities.
>>
>> FYI I tried to take care of a few security vulnerabilities recently,
>> and as expected, each issue is more tricky than expected :-)
>>
>> While fixing http://bugs.python.org/issue30500 I noticed that urllib
>> accepts newline characters in URLs. I don't know if it's deliberate or
>> not... So I created a new issue http://bugs.python.org/issue30713
>>
>> I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in
>> 2.7 on Windows with Visual Studio 2008. And just when I was done,
>> expat 2.2.1 was released. I have to do the same job again :-)
>>
>> Victor
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe:
>> https://mail.python.org/mailman/options/python-dev/guido%40python.org
>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)


More information about the Python-Dev mailing list