Re: Python rexec and Bastion flaws
On Tue, Jan 21, 2003 at 07:47:11AM +0100, Martin Schulze wrote:
> > I suggest disabling the above two modules in python2.2 (which is in
> > woody), even if existing applications can break. What do you think?
> I'd rather know about the vulnerability (and maybe doko is able to
> implement a fix) than to blindly castrate software. Theo d.R. already
> taught us that blindly releasing updates is not good.

Yup, ok. I will see if I can identify packages using rexec or Bastion and
provide patches for them instead of disabling modules.

Cheers, Bastian
-- 
Bastian Kleineidam
Atombombe Plutonium Fat Man Do it Yourself Tim Taylor
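The triage Bastian describes above, finding which packages actually import rexec or Bastion before patching them, is easy to automate. The following is an added example, not code from this thread or from Debian: it uses Python 3's `ast` module, assumes the scanned sources parse under the running interpreter's grammar (Python 2-only syntax would need a Python 2 parser), and runs over constructed sample files.

```python
import ast

# Modules the thread proposes disabling in python2.2; any import of either
# is what the per-package triage needs to find.
UNSAFE_MODULES = frozenset({"rexec", "Bastion"})


def find_unsafe_imports(source, filename="<string>"):
    """Return (lineno, statement) pairs for every import of rexec or Bastion.

    Walking the AST catches imports nested in functions or try/except blocks
    and 'from X import Y' forms, while ignoring comments and strings that a
    plain grep for 'rexec' would also match. The source must parse under the
    running interpreter's grammar (assumed here).
    """
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in UNSAFE_MODULES:
                    hits.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in UNSAFE_MODULES:
                names = ", ".join(a.name for a in node.names)
                hits.append((node.lineno, f"from {node.module} import {names}"))
    return hits


def scan_sources(files):
    """Scan a mapping of filename -> source text; return only the files with hits."""
    report = {}
    for name, src in files.items():
        hits = find_unsafe_imports(src, name)
        if hits:
            report[name] = hits
    return report


# Constructed sample sources standing in for one package's files.
SAMPLE_FILES = {
    "plugin_loader.py": "import os\ntry:\n    import rexec\nexcept ImportError:\n    rexec = None\n",
    "wrapper.py": "from Bastion import Bastion\n\ndef guard(obj):\n    return Bastion(obj)\n",
    "clean.py": "# rexec appears only in this comment\nimport sys\n",
}

if __name__ == "__main__":
    for fname, hits in scan_sources(SAMPLE_FILES).items():
        for lineno, stmt in hits:
            print(f"{fname}:{lineno}: {stmt}")
```

A guarded `try: import rexec` still counts as a hit, since the package would pick the module up wherever it is installed; those are exactly the places that need a patch rather than a silently broken import.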
Re: Python rexec and Bastion flaws
Martin Schulze wrote:
> I'd rather know about the vulnerability (and maybe doko is able to
> implement a fix) than to blindly castrate software. Theo d.R. already
> taught us that blindly releasing updates is not good.

Here are some relevant links for the bugs:

Deleting __builtins__:
http://python.org/sf/577530

Modifying new-style classes:
http://mail.python.org/pipermail/python-dev/2002-December/031160.html

Final thread about dropping rexec:
http://mail.python.org/pipermail/python-dev/2003-January/031842.html

Please note that the two bugs described above are only the two *known*
bugs - nobody knows how many other bugs there are in rexec.

-- 
Hanging is too good for a man who makes puns; he should be drawn and
quoted. -- Fred Allen
Re: Python rexec and Bastion flaws
Martin Schulze wrote:
> Ouch. It's very sad that upstream says that they don't have the
> resources to fix security bugs in widely used software.

AFAIK, rexec and Bastion are not widely used.

Neil
Python rexec and Bastion flaws
Hi,

I just read this post from Guido van Rossum[1] that the rexec.py and
Bastion.py modules have severe security flaws. These modules will be
disabled in the next 2.2 and 2.3 releases to avoid security risks.

[1] http://groups.google.com/groups?selm=mailman.1041875417.12807.clpa-moderators%40python.org

I suggest disabling the above two modules in python2.2 (which is in
woody), even if existing applications can break. What do you think?

Cheers, Bastian
-- 
Bastian Kleineidam
Atombombe Plutonium Fat Man Do it Yourself Tim Taylor
Re: Python rexec and Bastion flaws
Bastian Kleineidam writes:
> Hi,
>
> I just read this post from Guido van Rossum[1] that the rexec.py and
> Bastion.py modules have severe security flaws. These modules will be
> disabled in the next 2.2 and 2.3 releases to avoid security risks.
>
> [1] http://groups.google.com/groups?selm=mailman.1041875417.12807.clpa-moderators%40python.org
>
> I suggest disabling the above two modules in python2.2 (which is in
> woody), even if existing applications can break. What do you think?

As long as the upgrade situation is not resolved (new versions in security
and woody-proposed-updates), an upload does not make any sense.

What about providing a patch to _ask_ the user if the two modules should be
installed? (No, I don't write it.)