[Python-Dev] Security fixes in 2.5 and 2.4

Brett Cannon brett at python.org
Thu Mar 19 22:15:22 CET 2009


On Thu, Mar 19, 2009 at 02:04, "Martin v. Löwis" <martin at v.loewis.de> wrote:

> I just got a few questions on how to apply security fixes.
> To clarify, I recommend the following guidelines:
>
> - whether something constitutes a security bug is sometimes
>  debatable - in case of doubt, discussion is needed. I would
>  be in favor of fixing it if the patch is small and obviously
>  correct, and opposed if the patch looks tricky. Double check
>  that the routine behavior (the "good" cases) stays completely
>  unchanged (in particular, be careful not to allow new
>  exceptions to occur).
> - if you want to backport a security bug fix to 2.5, ALWAYS
>  consider 2.4 as well. They are in the same state, and should
>  get the same care (2.3 is closed for good). Of course, it
>  might be that the bug doesn't exist in 2.4.
> - ALWAYS notify security at python.org. For one thing, they might
>  offer advice on how to proceed, but also, they might consider
>  publishing an advisory, and/or notifying some CERT. Notification
>  is in particular necessary if you are unfamiliar with security
>  issues, how they get classified, and so on - so do ask the
>  experts. (and no, I'm not one of them :-)


All sounds reasonable, although getting those of us on security@ to get an
announcement out has not gone so well as of late. =)

-Brett