[Zope] Re: [Fwd: [USN-359-1] Python vulnerability]

2006-10-09 Thread Chris Withers

Tres Seaver wrote:
> Chris Withers wrote:
>> ouch... I'd imagine Zope is vulnerable to this?
>>
>> What source version(s) of python have these problems fixed?
>
> I think the issue only surfaces if you compile Python for UCS4, which
> the desktop-centric versions shipped by the distros do.  If you build
> Python using the default config, it uses UCS2 (which is a better choice
> for long-running appservers, anyway).
>
> I just verified this by running the example code from the SF bug[1]:  it
> aborts when run with Ubuntu's own python2.4, but not with the one I run
> Zope with.

Right. Same here. System python barfs on the 2nd example,
source-compiled python doesn't for me...

> Python 2.4.4 will have this fix, when released.
>
> [1]
> http://sourceforge.net/tracker/index.php?func=detail&aid=1541585&group_id=5470&atid=305470

I do think it's worth stressing that if you're running Zope, you should
at least check that the two examples don't barf on your machine.

I'm sure there are lots of people out there using system builds of
python, and it looks like at least the stable debian and ubuntu builds
are vulnerable...


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )
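The thread's practical advice is to find out which Python each Zope instance actually runs on and whether that build is a UCS4 one older than the fixed release. The script below is an added example, not code from the thread, the Zope project or the USN: it probes a list of interpreter paths and classifies each one using only the two claims made in the thread (the abort surfaces in UCS4 builds, i.e. `sys.maxunicode == 0x10FFFF`, and Python 2.4.4 carries the fix; SF bug 1541585). The candidate paths are assumptions to adjust for your host.

```python
"""Audit which Python interpreters on a host are UCS4 builds older than 2.4.4,
the combination the thread describes as affected (SF bug 1541585 / USN-359-1).

Added example, not code from the thread. It encodes only what the thread
states; the interpreter paths in __main__ are assumptions.
"""
import subprocess
import sys

# Release the thread names as carrying the fix.
FIXED_VERSION = (2, 4, 4)

# One-liner that prints the same four integers on Python 2.4 and on Python 3.
PROBE = ("import sys; print('%d %d %d %d' % "
         "((sys.maxunicode,) + tuple(sys.version_info[:3])))")


def unicode_build(maxunicode):
    """Classify a build from sys.maxunicode: 0xFFFF is UCS2, 0x10FFFF is UCS4."""
    if maxunicode == 0xFFFF:
        return "UCS2"
    if maxunicode == 0x10FFFF:
        return "UCS4"
    return "unknown"


def assess(version, maxunicode):
    """Return (affected, reason) for a (major, minor, micro) tuple and maxunicode.

    A build is flagged only when it is UCS4 *and* older than 2.4.4, which is
    the conjunction of the two claims made in the thread.
    """
    build = unicode_build(maxunicode)
    if build != "UCS4":
        return False, "%s build: the reported abort is UCS4-specific" % build
    if tuple(version[:3]) >= FIXED_VERSION:
        return False, "UCS4 build but %d.%d.%d >= 2.4.4" % tuple(version[:3])
    return True, "UCS4 build older than 2.4.4"


def probe_interpreter(path):
    """Run `path` with PROBE; return (version, maxunicode), or None on failure."""
    try:
        out = subprocess.check_output([path, "-c", PROBE],
                                      stderr=subprocess.STDOUT, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    fields = out.decode("ascii", "replace").split()
    if len(fields) != 4:
        return None
    maxunicode, major, minor, micro = (int(f) for f in fields)
    return (major, minor, micro), maxunicode


def audit(paths):
    """Probe each path; map it to (version, build, affected, reason) or None."""
    results = {}
    for path in paths:
        probed = probe_interpreter(path)
        if probed is None:
            results[path] = None
            continue
        version, maxunicode = probed
        affected, reason = assess(version, maxunicode)
        results[path] = (version, unicode_build(maxunicode), affected, reason)
    return results


if __name__ == "__main__":
    # Assumed candidates: the interpreter running this script, the distro's
    # python2.4, and a source-built one at a typical /usr/local location.
    candidates = [sys.executable, "/usr/bin/python2.4", "/usr/local/bin/python2.4"]
    for path, result in audit(candidates).items():
        if result is None:
            print("%-30s not found / could not probe" % path)
        else:
            version, build, affected, reason = result
            flag = "AFFECTED" if affected else "ok"
            print("%-30s %d.%d.%d %-5s %-8s %s"
                  % ((path,) + version + (build, flag, reason)))
```

Two caveats on the version test. It is only an upper bound: a distro package that backports the fix (which is what a USN update does) still reports 2.4.3 and will be flagged, so the script tells you where to look, not that a patched system python is unsafe. And the thread's definitive check remains running the two reproducer examples from the SF bug against each interpreter, which this script does not include; it only narrows the list of interpreters worth testing to the UCS4 ones.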


[Zope] Re: [Fwd: [USN-359-1] Python vulnerability]

2006-10-09 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chris Withers wrote:
> Tres Seaver wrote:
>> Chris Withers wrote:
>>> ouch... I'd imagine Zope is vulnerable to this?
>>>
>>> What source version(s) of python have these problems fixed?
>>
>> I think the issue only surfaces if you compile Python for UCS4, which
>> the desktop-centric versions shipped by the distros do.  If you build
>> Python using the default config, it uses UCS2 (which is a better choice
>> for long-running appservers, anyway).
>>
>> I just verified this by running the example code from the SF bug[1]:  it
>> aborts when run with Ubuntu's own python2.4, but not with the one I run
>> Zope with.
>
> Right. Same here. System python barfs on the 2nd example,
> source-compiled python doesn't for me...
>
>> Python 2.4.4 will have this fix, when released.
>>
>> [1]
>> http://sourceforge.net/tracker/index.php?func=detail&aid=1541585&group_id=5470&atid=305470
>
> I do think it's worth stressing that if you're running Zope, you should
> at least check that the two examples don't barf on your machine.
>
> I'm sure there are lots of people out there using system builds of
> python, and it looks like at least the stable debian and ubuntu builds
> are vulnerable...

Anybody running Zope in production with the system-supplied Python
should be aware of the USN (or equivalent Debian) updates, and apply
them as soon as possible.  (The fact that they are crazy doesn't imply
that they must be stupid. ;)


Tres.
- --
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   Excellence by Design   http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFKlUs+gerLs4ltQ4RAusGAJ9dPHJH9D9+iW5uuu6Ql0uax9D33ACbBdsj
/dW8i2obB3ubd3bPxYC1TC8=
=63Xc
-END PGP SIGNATURE-


Re: [Zope] Re: [Fwd: [USN-359-1] Python vulnerability]

2006-10-07 Thread Andreas Jung



--On 6 October 2006 12:32:51 -0400 Tres Seaver [EMAIL PROTECTED]
wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Chris Withers wrote:
>> ouch... I'd imagine Zope is vulnerable to this?
>>
>> What source version(s) of python have these problems fixed?
>
> If you build
> Python using the default config, it uses UCS2 (which is a better choice
> for long-running appservers, anyway).

Why should UCS2 be the better choice (except for the reduced memory usage)?

-aj





Re: [Zope] Re: [Fwd: [USN-359-1] Python vulnerability]

2006-10-07 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Andreas Jung wrote:
> --On 6 October 2006 12:32:51 -0400 Tres Seaver [EMAIL PROTECTED]
> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Chris Withers wrote:
>>> ouch... I'd imagine Zope is vulnerable to this?
>>>
>>> What source version(s) of python have these problems fixed?
>>
>> If you build
>> Python using the default config, it uses UCS2 (which is a better choice
>> for long-running appservers, anyway).
>
> Why should UCS2 be the better choice (except for the reduced memory usage)?

That *is* the reason -- doubling the storage required for Unicode
strings provides no benefit, unless most of the strings you use are in
codepoint ranges which require escaping in UCS2 (which won't be true for
sites using Western languages, anyway).

Zope is RAM-hungry enough, without that overhead.


Tres.
- --
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   Excellence by Design   http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFKDMv+gerLs4ltQ4RAjSeAKCi8wwEVg5ZLD93OC3/IuQVkx6auQCeOPKw
5NF4/ffEGbKEh50RKvY6fFY=
=WGr4
-END PGP SIGNATURE-


[Zope] Re: [Fwd: [USN-359-1] Python vulnerability]

2006-10-06 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chris Withers wrote:
> ouch... I'd imagine Zope is vulnerable to this?
>
> What source version(s) of python have these problems fixed?

I think the issue only surfaces if you compile Python for UCS4, which
the desktop-centric versions shipped by the distros do.  If you build
Python using the default config, it uses UCS2 (which is a better choice
for long-running appservers, anyway).

I just verified this by running the example code from the SF bug[1]:  it
aborts when run with Ubuntu's own python2.4, but not with the one I run
Zope with.

Python 2.4.4 will have this fix, when released.

[1]
http://sourceforge.net/tracker/index.php?func=detail&aid=1541585&group_id=5470&atid=305470


Tres.
- --
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   Excellence by Design   http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJoUz+gerLs4ltQ4RAgSkAKCnUJxf0Rlv9EzBN/w3FkbTT3B2AgCgk4ag
j2smGvS6oNy+G0JR/AhyPRI=
=m8i0
-END PGP SIGNATURE-
