Georg Brandl wrote:
> [EMAIL PROTECTED] wrote:
>>     Georg> [ Bug http://python.org/sf/1541585 ]
>>
>>     Georg> This seems to be handled like a security issue by linux
>>     Georg> distributors, it's also a news item on security related pages.
>>
>>     Georg> Should a security advisory be written and official patches be
>>     Georg> provided?
>>
>> I asked about this a few weeks ago. I got no direct response. Secunia sent
>> mail to webmaster and the SF project admins asking about how this could be
>> exploited. (Isn't figuring that stuff out their job?)
>
> Perhaps, judging from the name :)
>
>> This was corrected before 2.5 was released and the 2.4 source has (I think)
>> already been patched, with 2.4.4 right around the corner. The bulk of the
>> Python installations in the field are probably running on Windows (most of
>> them provided by HP/Compaq), and it seems the Linux vendors are all over it.
>> I don't know if Apple has picked up on it (or if the version they currently
>> distribute is affected - 2.3.5 built Oct 5 2005). Would you provide a patch
>> of some sort for Windows or just refer people to corrected installers?
>> Given the apparently miserable results trying to get Windows users to
>> install security fixes manually, I doubt a new 2.4.3 Windows installer would
>> get much exercise.
>
> Even if the patch / corrected installer is used by only 1% of all
> installations, reacting quickly and providing it in the first place is going
> to make a much better impression than saying "well, nobody is going to apply
> it and the next release is due in a few weeks".

Note that the bug refers to a UCS4 Python build. Most Linux distros ship UCS4 builds nowadays, so they care. The Windows builds are UCS2 (except maybe the ones for Win64 - don't know) which doesn't seem to be affected.

+1 on publishing the patch for 2.4. It's always better to react quickly in such cases, even if it just gives users a fuzzy warm feeling of being cared for :-)

Whether such patches get installed or not is not really a question to ask, since it's not within our responsibility.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Oct 07 2006)