On Sun, Mar 17, 2013 at 12:00 PM, Stefan Behnel <stefan_ml at behnel.de> wrote: > Eli Bendersky, 17.03.2013 19:25: > > IMHO Benjamin is right, given that this attack has been known to exist > > since 2003. Moreover, as it appears that no changes whatsoever are going > to > > make it into 2.7, I don't see why patching of 3.1, 3.2 and 3.3 is needed. > > As for 3.4, it can't hurt to add an opt-in option for a safe mode to the > > affected libraries. > > Why keep the libraries vulnerable for another year (3.4 final is expected > for early 2014), if there is something we can do about them now? The fact > that the attacks have been known for a decade doesn't mean an attacker will > need another ten years to exploit them. > I'm using a conditional argument here. *If* we don't deem the changes important enough to go into 2.7, *then* they aren't important enough to go into 3.1 and 3.2; 3.3 is a question. That's because 2.7 is arguably more important in this respect, having no direct upgrade path, whereas for 3.x users the fix will be available with 3.4 anyway. Eli -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20130317/b8dc63e6/attachment.html>
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4