On Mon, Nov 01, 2010 at 02:26:28PM +0100, Matthias Klose wrote:
> tag 601690 + moreinfo help
> thanks
>
> On 28.10.2010 16:26, Moritz Muehlenhoff wrote:
>> Package: python2.6
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Dear Python maintainers,
>> please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
>> for details.
>>
>> A patch is available here:
>> http://svn.python.org/view/python/branches/release26-maint/Lib/smtpd.py?r1=73770&r2=82406&view=patch
>>
>> Python 3.1 is already fixed.
>
> and 2.6.6 too ... at least the svn version you mention.

You're right. Python 2.6 is fixed as well. I must've mixed that up
with Python 2.5, which is still unfixed. 

(I still need to review more open issues for python2.5 and will file a
separate bug for it)

> however the issue6706 and issue9129 don't seem to be fixed?
>
> issue6706 again references CVE-2010-3492 which you don't mention at all.

CVE-2010-3492 is a design limitation of the existing asyncore API; we
could backport the fixes mentioned in msg120132 (r86084 for 2.7),
but this is still something people need to fix in their apps using
the interface.

issue9129 is CVE-2010-3493.

Cheers,
        Moritz




