[Python-Dev] Security fixes in 2.5 and 2.4
"Martin v. Löwis"
martin at v.loewis.de
Thu Mar 19 10:04:11 CET 2009
I just got a few questions on how to apply security fixes.
To clarify, I recommend the following guidelines:
- whether something constitutes a security bug is sometimes
debatable - in case of doubt, discussion is needed. I would
be in favor of fixing it if the patch is small and obviously
correct, and opposed if the patch looks tricky. Double check
that the routine behavior (the "good" cases) stays completely
unchanged (in particular, be aware of not allowing new
exceptions to occur).
- if you want to backport a security bug fix to 2.5, ALWAYS
consider 2.4 as well. They are in the same state, and should
get the same care (2.3 is closed for good). Of course, it
might be that the bug doesn't exist in 2.4.
- ALWAYS notify security at python.org. For one thing, they might
offer advice on how to proceed, but also, they might consider
publishing an advisory, and/or notifying some CERT. Notification
is in particular necessary if you are unfamiliar with security
issues, how they get classified, and so on - so do ask the
experts. (and no, I'm not one of them :-)
Regards,
Martin