[Python-Dev] 2.3.6 for the unicode buffer overrun
Terry Reedy
tjreedy at udel.edu
Thu Oct 12 19:34:09 CEST 2006
"Barry Warsaw" <barry at python.org> wrote in message
news:2514DA1C-F5A1-4144-9068-006A933C516C at python.org...
> I've offered in the past to dust off my release manager cap and do a
> 2.3.6 release. Having not done one in a long while, the most
> daunting part for me is getting the website updated, since I have
> none of those tools installed.
>
> I'm still willing to do a 2.3.6, though the last time this came up
> the response was too underwhelming to care. I'm not sure this
> advisory is enough to change people's minds about that -- I'm sure
> any affected downstream distro is fully capable of patching and re-
> releasing their own packages. Since this doesn't affect the
> binaries /we/ release, I'm not sure I care enough either.
Perhaps all that is needed from both a practical and public relations
viewpoint is the release of a 2.3.5U4 security patch as a separate file
listed just after 2.3.5 on the source downloads page (if this has not been
done already).
Add a note (or link to a note) to the effect that it should be applied if
one has or is going to compile a wide Unicode build for use in an
environment exposed to untrusted Unicode text.
tjr