On Feb 21, 2013, at 5:32 AM, Antoine Pitrou <solip...@pitrou.net> wrote:

> On Thu, 21 Feb 2013 11:18:35 +0100,
> Christian Heimes <christ...@python.org> wrote:
>> On 21.02.2013 08:42, Antoine Pitrou wrote:
>>> Sure, but in many instances, rebooting a machine is not
>>> business-threatening. You will have a couple of minutes' downtime
>>> and that's all. Which is why the attack must be repeated many times
>>> to be a major annoyance.
>> 
>> Is this business-threatening enough?
>> 
>> https://pypi.python.org/pypi/defusedxml#external-entity-expansion-remote
> 
> You haven't proved that these were actual threats, nor how they
> actually worked. I'm gonna remain skeptical if there isn't anything
> more precise than "It highly depends on the parser and the application
> what kind of exploit is possible".
> 
> Regards
> 
> Antoine.
> 

I guess someone needs to write a proof of concept exploit for you and release it
into the wild.

Ok


> 
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> http://mail.python.org/mailman/options/python-dev/jnoller%40gmail.com