Sean Whitton wrote:

> I was thinking that it would be appropriate to issue DLA-..-2 and
> ELA-..-2 advisories, but the problem is that buster was under Security
> Team support at the time of the previous update, and stretch was under
> LTS, not ELTS. Another option would be to roll the information into my
> advisories for CVE-2023-50447, the fixes for which I'll upload at the
> same time. What would be preferable?
As a user of LTS/ELTS, I think I would probably prefer the clarity that a new, 1-based DLA might confer — and especially if it outlined the situation in brief and, for instance, included the potential confusion surrounding buster not being LTS at the time of the previous fix and so on (i.e. essentially your paragraph above).

> Based on my understanding of the vulnerability I think that this
> [eval/exec] modification to the tests is okay, but it would be best
> if someone with more knowledge of Python's evaluation model thinks
> it through.

I think it is okay to make this change. :)

As it happens, I've had this StackOverflow answer bookmarked for a little while on the differences:

  https://stackoverflow.com/a/29456463

… which also has a lot of details that expose just enough info about Python's evaluation model to be interesting. Curiously, it also demonstrates how to use compile(…) in pretty much the same way that the patch for CVE-2022-22817 performs its check.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] 🍥 chris-lamb.co.uk
       `-
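The "compile first, then check" pattern mentioned at the end of the reply, as an added illustration that is not part of the thread and not the Pillow patch itself: the expression is compiled with compile(…, "eval") and every name it references (co_names, walked recursively through nested code objects in co_consts so that a lambda or comprehension cannot hide a name) is compared against an allow-list before eval ever runs. The allow-list, the function names and the sample expressions are constructed for this example.

```python
import builtins
import types

# Builtins an expression may call in addition to the variables the caller
# supplies. Constructed allow-list for this example, not Pillow's.
ALLOWED_BUILTINS = {"abs", "min", "max"}


def referenced_names(code):
    """Yield every global and attribute name a code object references,
    descending into nested code objects (lambdas, comprehensions) that
    live in co_consts and would otherwise escape a top-level co_names check."""
    yield from code.co_names
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from referenced_names(const)


def disallowed_names(expression, environment):
    """Compile the expression without running it and return the set of names
    that are neither allowed builtins nor caller-supplied variables."""
    code = compile(expression, "<string>", "eval")
    allowed = ALLOWED_BUILTINS | set(environment)
    return {name for name in referenced_names(code) if name not in allowed}


def expression_is_allowed(expression, environment):
    """True when the compiled expression references only permitted names."""
    return not disallowed_names(expression, environment)


def safe_eval(expression, environment):
    """Check the compiled expression, then evaluate it with a minimal
    __builtins__ so that nothing outside the allow-list is reachable."""
    bad = disallowed_names(expression, environment)
    if bad:
        raise ValueError(f"names not allowed in expression: {sorted(bad)}")
    safe_builtins = {name: getattr(builtins, name) for name in ALLOWED_BUILTINS}
    return eval(expression, {"__builtins__": safe_builtins}, dict(environment))


if __name__ == "__main__":
    env = {"a": 3, "b": 10}
    print(safe_eval("abs(a - b)", env))                         # 7
    print(expression_is_allowed("(lambda: open('x'))()", env))  # False
```

The name check happens on the compiled code object rather than on the source string, so spelling tricks in the text do not matter: whatever the expression would actually look up at run time is what gets compared against the allow-list. Restricting `__builtins__` at eval time is the second line of defence in case the check and the evaluation ever disagree.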
