[Python-Dev] Security Advisory for unicode repr() bug?

M.-A. Lemburg mal at egenix.com
Sat Oct 7 16:36:00 CEST 2006


Georg Brandl wrote:
> skip at pobox.com wrote:
>> Georg> [ Bug http://python.org/sf/1541585 ]
>>
>> Georg> This seems to be handled like a security issue by linux
>> Georg> distributors, it's also a news item on security related pages.
>> Georg> Should a security advisory be written and official patches be
>> Georg> provided?
>>
>> I asked about this a few weeks ago. I got no direct response. Secunia sent mail to webmaster and the SF project admins asking about how this could be exploited. (Isn't figuring that stuff out their job?)
>
> Perhaps, judging from the name :)
>
>> This was corrected before 2.5 was released and the 2.4 source has (I think) already been patched, with 2.4.4 right around the corner. The bulk of the Python installations in the field are probably running on Windows (most of them provided by HP/Compaq), and it seems the Linux vendors are all over it. I don't know if Apple has picked up on it (or if the version they currently distribute is affected - 2.3.5 built Oct 5 2005). Would you provide a patch of some sort for Windows or just refer people to corrected installers? Given the apparently miserable results trying to get Windows users to install security fixes manually, I doubt a new 2.4.3 Windows installer would get much exercise.
>
> Even if the patch / corrected installer is used by only 1% of all installations, reacting quickly and providing it in the first place is going to make a much better impression than saying "well, nobody is going to apply it and the next release is due in a few weeks".

Note that the bug refers to a UCS4 Python build. Most Linux distros ship UCS4 builds nowadays, so they care. The Windows builds are UCS2 (except maybe the ones for Win64 - don't know) which doesn't seem to be affected.

+1 on publishing the patch for 2.4. It's always better to react quickly in such cases, even if it just gives users a fuzzy warm feeling of being cared for :-) Whether such patches get installed or not is not really a question to ask, since it's not within our responsibility.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Oct 07 2006)

Python/Zope Consulting and Support ... http://www.egenix.com/
mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/




