> I'm taking this thread across the great divide to the python-dev mailing
> list. The point Yasushi makes is that the security hole found and fixed by
> Zack Weinberg back in August 2002 (os.py 1.59) should be available as a patch
> for versions of Python "out there" which might be affected. The versions
> he's concerned with are 1.5.2 and 2.1.3. I don't think we have to worry
> about 2.2.1 because those users can (and should) upgrade to 2.2.2 if the
> patch is important to them.
>
> To see the original thread, go here:
>
> http://mail.python.org/pipermail/python-list/2003-January/142352.html
>
> Yasushi> Thank you. But I think this patch or patched version of Python
> Yasushi> should be placed on ftp.python.org.
>
> Yasushi> Zope doesn't work with Python 2.2 yet. So many new Zope users
> Yasushi> will install Python 2.1.3. But there is no patch on
> Yasushi> ftp.python.org and no security alert on www.python.org.
>
> Zope ships with its own version of Python, often in binary (for Windows).
> The Zope folks probably need to provide their own patch.
>
> Yasushi> How do they know that Python 2.1.3 has a security problem?
>
> Who are "they"?
>
> You have to realize that the people who develop Python don't know all the
> people who bundle Python in applications. It's open source and most of the
> people who work on Python are volunteers.
>
> Can someone on python-dev more in-the-know about these things respond?

For Python 2.1.3, the fix is in fact in CVS. It would not take much to release 2.1.4. For Python versions before that, I don't see there's much point in doing another release; those versions are widely deployed but it is unlikely that publishing a patch will make much of a difference (the very fact that people are still using those versions suggests that they don't keep their systems up-to-date). For people using e.g. Red Hat's distribution, Red Hat has done the right thing already.
I checked the Zope source code, and it doesn't use os.execvp or any other os.exec*p variant. There's one call to os.execv, which isn't vulnerable. Since the attack is based on a symlink, Python on Windows is not vulnerable.

--Guido van Rossum (home page: http://www.python.org/~guido/)
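The check Guido describes (does the code base call os.execvp or any other os.exec*p variant, as opposed to the direct os.execv family?) can be repeated mechanically over any Python source tree. The following scanner is an added example written for this archive page; it is not code from the thread, from Zope or from the Python project. It walks the AST of a source file, resolves `import os`, `import os as ...` and `from os import ... as ...` bindings, and reports each exec call with a verdict. The function names, the `SAMPLE` source and the verdict strings are constructed for illustration.

```python
# Added example (not from the thread): scan Python source for calls to the
# PATH-searching os.exec*p variants that the os.py 1.59 fix concerned, and
# report explicit-path os.execv-style calls separately as not affected.
import ast
from typing import Dict, List, Set, Tuple

# Variants that search PATH (the ones Guido checked Zope for).
PATH_SEARCHING = {"execvp", "execvpe", "execlp", "execlpe"}
# Variants that take an explicit path and do not go through the PATH search.
DIRECT = {"execv", "execve", "execl", "execle"}

AFFECTED = "exec*p variant (affected before os.py 1.59)"
NOT_AFFECTED = "direct exec (not affected)"


def find_exec_calls(source: str, filename: str = "<string>") -> List[Tuple[str, int, str]]:
    """Return (os function name, line number, verdict) for every os.exec* call,
    in source order.  Handles `os.execvp(...)`, `import os as o; o.execvp(...)`
    and `from os import execlp as run; run(...)`."""
    tree = ast.parse(source, filename)

    module_aliases: Set[str] = {"os"}   # names under which the os module is bound
    func_aliases: Dict[str, str] = {}   # local name -> os function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "os":
                    module_aliases.add(alias.asname or "os")
        elif isinstance(node, ast.ImportFrom) and node.module == "os":
            for alias in node.names:
                func_aliases[alias.asname or alias.name] = alias.name

    findings: List[Tuple[str, int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = None
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases):
            name = func.attr                      # os.execvp(...)
        elif isinstance(func, ast.Name):
            name = func_aliases.get(func.id)      # run(...) after `from os import execlp as run`
        if name in PATH_SEARCHING:
            findings.append((name, node.lineno, AFFECTED))
        elif name in DIRECT:
            findings.append((name, node.lineno, NOT_AFFECTED))

    findings.sort(key=lambda f: f[1])   # ast.walk is breadth-first; restore source order
    return findings


def uses_path_searching_exec(source: str) -> bool:
    """True if the source calls any os.exec*p variant."""
    return any(verdict == AFFECTED for _, _, verdict in find_exec_calls(source))


# Constructed sample input: one direct exec and two PATH-searching ones.
SAMPLE = """import os
from os import execlp as run

def start(cmd):
    os.execv("/bin/sh", ["sh", "-c", cmd])  # explicit path: not affected
    os.execvp("zope", ["zope"])             # searches PATH: affected
    run("ls", "ls")                         # aliased execlp: affected
"""

if __name__ == "__main__":
    for name, line, verdict in find_exec_calls(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: os.{name}: {verdict}")
    print("needs the os.py 1.59 fix:", uses_path_searching_exec(SAMPLE))
```

Run it against a real tree with `find . -name '*.py' | xargs` and a loop over `find_exec_calls(open(p).read(), p)`; a clean result is the same "no os.exec*p, one os.execv" answer Guido reports for Zope. Code that reaches exec through a wrapper it defines itself (not a direct `os` binding) is outside what this scanner resolves.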