Le Thu, 21 Feb 2013 00:30:56 +0100,
Christian Heimes christ...@python.org a écrit :
Am 21.02.2013 00:08, schrieb Antoine Pitrou:
Not everyone is a security nut.
But, but, but ... it's fun to be paranoid! You get so many new
potential enemies. :)
If you like being paranoid, there are other
Am 21.02.2013 10:23, schrieb Antoine Pitrou:
If you like being paranoid, there are other things than security to
be paranoid about: reference cycles, performance on micro-benchmarks,
memory consumption of docstrings, etc. :-)
snappy(__doc__)?
http://code.google.com/p/snappy/
Christian
Am 21.02.2013 08:42, schrieb Antoine Pitrou:
Sure, but in many instances, rebooting a machine is not
business-threatening. You will have a couple of minutes' downtime and
that's all. Which is why the attack must be repeated many times to be a
major annoyance.
Is this business-threatening
Le Thu, 21 Feb 2013 11:18:35 +0100,
Christian Heimes christ...@python.org a écrit :
Am 21.02.2013 08:42, schrieb Antoine Pitrou:
Sure, but in many instances, rebooting a machine is not
business-threatening. You will have a couple of minutes' downtime
and that's all. Which is why the attack
On Feb 21, 2013, at 5:32 AM, Antoine Pitrou solip...@pitrou.net wrote:
Le Thu, 21 Feb 2013 11:18:35 +0100,
Christian Heimes christ...@python.org a écrit :
Am 21.02.2013 08:42, schrieb Antoine Pitrou:
Sure, but in many instances, rebooting a machine is not
business-threatening. You will
Le Thu, 21 Feb 2013 06:05:52 -0500,
Jesse Noller jnol...@gmail.com a écrit :
On Feb 21, 2013, at 5:32 AM, Antoine Pitrou solip...@pitrou.net
wrote:
Le Thu, 21 Feb 2013 11:18:35 +0100,
Christian Heimes christ...@python.org a écrit :
Am 21.02.2013 08:42, schrieb Antoine Pitrou:
Sure, but
Am 21.02.2013 11:32, schrieb Antoine Pitrou:
You haven't proved that these were actual threats, nor how they
actually worked. I'm gonna remain skeptical if there isn't anything
more precise than It highly depends on the parser and the application
what kind of exploit is possible.
Am 21.02.2013 12:16, schrieb Antoine Pitrou:
I don't know whether you are trying to be ironic but, for the record,
proof of concepts needn't be released into the wild as long as they
exist.
Fun fact:
In fact the abbreviation 'ap' doesn't stand for 'Antoine Pitrou' but for
'antipole'. I'm a
Le Thu, 21 Feb 2013 13:19:54 +0100,
Christian Heimes christ...@python.org a écrit :
Am 21.02.2013 12:16, schrieb Antoine Pitrou:
I don't know whether you are trying to be ironic but, for the
record, proof of concepts needn't be released into the wild as
long as they exist.
Fun fact:
Le Thu, 21 Feb 2013 13:04:59 +0100,
Christian Heimes christ...@python.org a écrit :
Am 21.02.2013 11:32, schrieb Antoine Pitrou:
You haven't proved that these were actual threats, nor how they
actually worked. I'm gonna remain skeptical if there isn't anything
more precise than It highly
On Thu, Feb 21, 2013 at 6:35 AM, Tres Seaver tsea...@palladion.com wrote:
On 02/20/2013 09:08 PM, Barry Warsaw wrote:
On Feb 21, 2013, at 10:38 AM, Nick Coghlan wrote:
- make it possible to enable safer behaviour globally in at least
2.7 and
On Thu, Feb 21, 2013 at 9:29 AM, Tres Seaver tsea...@palladion.com wrote:
On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
On Thu, 21 Feb 2013 11:37:47 +1100 Steven D'Aprano
st...@pearwood.info wrote:
It's easy to forget that malware existed long
Jesse Noller writes:
I guess someone needs to write a proof of concept exploit for you
and release it into the wild.
This is a bit ridiculous. This stuff looks easy enough that surely
Christian's post informed any malicious body who didn't already know
how to do it. If the exploit matters,
On Thu, Feb 21, 2013 at 9:23 AM, Stephen J. Turnbull step...@xemacs.org wrote:
Jesse Noller writes:
I guess someone needs to write a proof of concept exploit for you
and release it into the wild.
This is a bit ridiculous. This stuff looks easy enough that surely
Christian's post
Am 21.02.2013 19:39, schrieb Eli Bendersky:
Just to clarify for my own curiosity. These attacks (e.g.
http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
since 2003?
Correct, see https://pypi.python.org/pypi/defusedxml#synopsis third
paragraph. All XML attacks in my
On Thu, Feb 21, 2013 at 11:12 AM, Christian Heimes christ...@python.org wrote:
Am 21.02.2013 19:39, schrieb Eli Bendersky:
Just to clarify for my own curiosity. These attacks (e.g.
http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
since 2003?
Correct, see
Perhaps related to the discussion of denial-of-service vulnerabilities is the
matter of controlling access to remote resources. I suppose that after the
following bug was closed, no improvements were made to the standard library:
http://bugs.python.org/issue2124
Do Python programs still visit
Am 22.02.2013 00:47, schrieb Paul Boddie:
Perhaps related to the discussion of denial-of-service vulnerabilities is the
matter of controlling access to remote resources. I suppose that after the
following bug was closed, no improvements were made to the standard library:
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via setup.py upload.
I changed my password during the grace period, and have reset it, but
it's still rejected:
Upload failed (401): Incorrect password
I can login to PyPI with the password.
Can anyone suggest
This is probably better suited to Catalog-sig but you have to edit
your credentials in $HOME/.pypirc
On Thu, Feb 21, 2013 at 9:02 PM, MRAB pyt...@mrabarnett.plus.com wrote:
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via setup.py upload.
I changed my
On 2013-02-22 02:09, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:02 PM, MRAB pyt...@mrabarnett.plus.com wrote:
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via setup.py upload.
I changed my password during the grace period, and have reset it, but
it's still
On Thu, Feb 21, 2013 at 9:27 PM, MRAB pyt...@mrabarnett.plus.com wrote:
On 2013-02-22 02:09, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:02 PM, MRAB pyt...@mrabarnett.plus.com wrote:
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via setup.py upload.
I
On 2013-02-22 02:37, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:27 PM, MRAB pyt...@mrabarnett.plus.com wrote:
On 2013-02-22 02:09, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:02 PM, MRAB pyt...@mrabarnett.plus.com wrote:
Since the PyPI security notice of 2013-02-15 I've been unable to