[Python-Dev] FWD: Python execvpe symlink race condition.

Guido van Rossum guido@python.org
Sun, 16 Feb 2003 16:50:23 -0500


> Shouldn't there be at least some notification to the community at large?
> Something that requires the least amount of work possible short of doing
> nothing at all.  Like a notice that 2.1.3 has known security
> vulnerabilities, and the recommended fix is to upgrade to 2.2.2 posted
> on http://www.python.org/2.1/ , http://www.python.org/2.1.3/ and
> python-announce.  And possibly a python-security list for the future
> that security-minded people can subscribe to.

I don't think that would send the right message.  There's no need to
panic -- it's pretty tough to imagine how this vulnerability could be
exploited, but a message recommending that everyone upgrade would
not make this clear.

--Guido van Rossum (home page: http://www.python.org/~guido/)