Python 2.5.3: call for patches

Terry Reedy tjreedy at udel.edu
Fri Oct 10 17:32:15 EDT 2008


troelswh at gmail.com wrote:
> On Oct 7, 9:27 am, "Martin v. Löwis" <mar... at v.loewis.de> wrote:
>> In principle, the release will include all changes that are already on
>> the release25-maint branch in subversion [1]. If you think that specific
>> changes should be considered, please create an issue in the bug tracker
>> [2], and label it with the 2.5.3 version. Backports of changes that
>> are already released in Python 2.6 but may apply to 2.5 are of
>> particular interest.
> 
> There are a number of Python 2.5.2 security vulnerabilities registered
> with CVE. It would be great if the 2.5.3 release included fixes for
> all of these!
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144

This references
http://bugs.python.org/issue2588
http://bugs.python.org/issue2589
both of which report fixes backported to 2.5.3.
I will let you investigate whether the same is true of the rest, or
whether someone should be nudged to either report or submit a patch
or help review a patch.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
> 
> For some reason none of these have made it into Python security
> advisories (http://www.python.org/news/security/), but many vendors
> who ship Python have released patched versions already.

Presumably, none were considered really critical, or the volunteer core 
developers were busy doing something else.  Also, release schedules differ.
