[issue29740] Visual C++ CRT security update from 14 June 2011

2017-03-07 Thread Steve Dower

Steve Dower added the comment:

There will be no changes to the CRT in the update. It's been released as a 
major upgrade package rather than a patch, which is why it contains all the 
files, but the last version field typically (and in this case definitely) 
indicates no change to the API or implementation beyond that described in the 
associated KB article.

So thanks for being thorough and bringing it to our attention, but it's not 
necessary to change anything here on our side, and it's probably riskier to 
make any change than to not make it.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue29740] Visual C++ CRT security update from 14 June 2011

2017-03-07 Thread Markus

Markus added the comment:

I beg your pardon for being pedantic.
The issue is not MFC, but CRT.

The related safety bulletin 
(https://technet.microsoft.com/library/security/ms11-025) says

Your application may be an attack vector if all of the following conditions 
are true:

 - Your application makes use of the Microsoft Foundation Class (MFC) 
Library
 - Your application allows the loading of dynamic link libraries from 
untrusted locations, such as WebDAV shares

This is clearly **not** the case for Python.
So far so good.

I am concerned that the security update contains an updated vc90.crt 
9.0.30729.6161. 
If Python finds the 6161 update, it will use it.

I found no information on the change between the 4940 version (from Python 
2.7.13) and the 6161 update (from the security update).

But as Python uses the 6161 update (if it is installed) I would like to raise 
the question if Python should ship it.

I am not a security expert, so this issue is based completely on the above 
observations and a crumb of logic.




[issue29740] Visual C++ CRT security update from 14 June 2011

2017-03-07 Thread Steve Dower

Steve Dower added the comment:

We don't use MFC in Python, so we are not affected.

--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed




[issue29740] Visual C++ CRT security update from 14 June 2011

2017-03-06 Thread Markus

New submission from Markus:

On 14 June 2011 Microsoft released the Visual C++ 2008 runtime MFC Security Update 
https://www.microsoft.com/en-us/download/details.aspx?id=26368

The Security Update also updates the CRT runtime (used by Python 2.7)

Without the security update, Python 2.7.13 uses vc90.crt 9.0.30729.4940
With the security update, Python 2.7.13 uses vc90.crt 9.0.30729.6161
(Use e.g. Sysinternals procexp to see)

Why does Python not install the vc90.crt of the security update?

--
components: Build, Windows
messages: 289135
nosy: markuskramerIgitt, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Visual C++ CRT security update from 14 June 2011
type: security
versions: Python 2.7

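
Added example, not part of the original thread and not CPython code: a scripted alternative to the procexp check mentioned in the original submission, reporting which vc90.crt build the running interpreter has actually loaded. The DLL name msvcr90.dll and all function names are assumptions of this example; the two version strings are the ones quoted in the thread.

```python
import ctypes
import struct
import sys

CRT_DLL = u"msvcr90.dll"          # assumption: DLL name of the vc90.crt runtime
SHIPPED = "9.0.30729.4940"        # from the thread: used by Python 2.7.13
UPDATED = "9.0.30729.6161"        # from the thread: security update
VS_FFI_SIGNATURE = 0xFEEF04BD     # dwSignature of VS_FIXEDFILEINFO

def decode_fixed_file_info(blob):
    """Return the file version 'a.b.c.d' from a VS_FIXEDFILEINFO byte string."""
    sig, _struc, ms, ls = struct.unpack_from("<4I", blob)
    if sig != VS_FFI_SIGNATURE:
        raise ValueError("not a VS_FIXEDFILEINFO block")
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def loaded_crt_version(dll=CRT_DLL):
    """Version of the CRT mapped into this process, or None if unavailable."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes
    k32, ver = ctypes.WinDLL("kernel32"), ctypes.WinDLL("version")
    k32.GetModuleHandleW.restype = wintypes.HMODULE
    k32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
    k32.GetModuleFileNameW.argtypes = [wintypes.HMODULE, wintypes.LPWSTR,
                                       wintypes.DWORD]
    handle = k32.GetModuleHandleW(dll)
    if not handle:
        return None                      # this build does not load the VC90 CRT
    path = ctypes.create_unicode_buffer(260)
    if not k32.GetModuleFileNameW(handle, path, 260):
        return None
    size = ver.GetFileVersionInfoSizeW(path.value, None)
    if not size:
        return None
    data = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path.value, 0, size, data):
        return None
    ptr, length = ctypes.c_void_p(), wintypes.UINT()
    if not ver.VerQueryValueW(data, u"\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    return decode_fixed_file_info(ctypes.string_at(ptr.value, length.value))

if __name__ == "__main__":
    found = loaded_crt_version()
    label = {SHIPPED: "bundled CRT", UPDATED: "security-update CRT"}
    print("%s: %s %s" % (CRT_DLL, found or "not loaded", label.get(found, "")))
```

Run it with the Python 2.7 interpreter being inspected; an interpreter that does not load the VC90 CRT reports "not loaded".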