Python 2.5.3: call for patches
Michael Ströder
michael at stroeder.com
Fri Oct 10 15:17:36 EDT 2008
troelswh at gmail.com wrote:
> On Oct 7, 9:27 am, "Martin v. Löwis" <mar... at v.loewis.de> wrote:
>> In principle, the release will include all changes that are already on
>> the release25-maint branch in subversion [1]. If you think that specific
>> changes should be considered, please create an issue in the bug tracker
>> [2], and label it with the 2.5.3 version. Backports of changes that
>> are already released in Python 2.6 but may apply to 2.5 are of
>> particular interest.
>
> There are a number of Python 2.5.2 security vulnerabilities registered
> with CVE. It would be great if the 2.5.3 release included fixes for
> all of these!
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
Yes!
> For some reason none of these have made it into Python security
> advisories (http://www.python.org/news/security/), but many vendors
> who ship Python have released patched versions already.
Yes, this is strange. I asked for this a couple of weeks ago. That the
upstream release is behind the packages shipped by vendors regarding
security patches is pretty poor.
Ciao, Michael.