[issue29740] Visual C++ CRT security update from 14 June 2011

Markus report at bugs.python.org
Tue Mar 7 16:12:25 EST 2017


Markus added the comment:

I beg your pardon for being pedantic.
The issue is not MFC, but CRT.

The related safety bulletin (https://technet.microsoft.com/library/security/ms11-025) says

    Your application may be an attack vector if all of the following conditions are true:

     - Your application makes use of the Microsoft Foundation Class (MFC) Library
     - Your application allows the loading of dynamic link libraries from untrusted locations, such as WebDAV shares

This is clearly **not** the case for Python.
So far so good.

I am concerned that the security update contains an updated vc90.crt 9.0.30729.6161.
If Python finds the 6161 update, it will use it.

I found no information on the change between the 4940 version (from Python 2.7.13) and the 6161 update (from the security update).

But as Python uses the 6161 update (if it is installed), I would like to raise the question of whether Python should ship it.

I am not a security expert, so this issue is based completely on the above observations and a crumb of logic.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29740>
_______________________________________

