[Python-Dev] Status of XML fixes

Eli Bendersky eliben at gmail.com
Sun Mar 17 21:03:21 CET 2013


On Sun, Mar 17, 2013 at 12:00 PM, Stefan Behnel <stefan_ml at behnel.de> wrote:

> Eli Bendersky, 17.03.2013 19:25:
>> IMHO Benjamin is right, given that this attack has been known to exist
>> since 2003. Moreover, as it appears that no changes whatsoever are going to
>> make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed.
>> As for 3.4, it can't hurt to add an opt-in option for a safe mode to the
>> affected libraries.
>
> Why keep the libraries vulnerable for another year (3.4 final is expected
> for early 2014), if there is something we can do about them now? The fact
> that the attacks have been known for a decade doesn't mean an attacker will
> need another ten years to exploit them.

I'm using a conditional argument here. If we don't deem the changes important enough to go into 2.7, then they aren't important enough to go into 3.1 and 3.2; 3.3 is a question. That's because 2.7 is arguably more important in this respect, having no direct upgrade path, whereas for 3.x users the fix will be available with 3.4 anyway.

Eli


