[Python-Dev] Re: RHSA-2002:202-25

Skip Montanaro skip@pobox.com
Wed, 29 Jan 2003 21:20:59 -0600


I'm taking this thread across the great divide to the python-dev mailing
list.  The point Yasushi makes is that the security hole found and fixed by
Zack Weinberg back in August 2002 (os.py 1.59) should be available as a patch
for versions of Python "out there" which might be affected.  The versions
he's concerned with are 1.5.2 and 2.1.3.  I don't think we have to worry
about 2.2.1 because those users can (and should) upgrade to 2.2.2 if the
patch is important to them.

To see the original thread, go here:

    http://mail.python.org/pipermail/python-list/2003-January/142352.html

    Yasushi> Thank you. But I think this patch or patched version of Python
    Yasushi> should be placed on ftp.python.org.

    Yasushi> Zope doesn't work with Python 2.2 yet. So many new Zope users
    Yasushi> will install Python 2.1.3. But there is no patch on
    Yasushi> ftp.python.org and no security alert on www.python.org.

Zope ships with its own version of Python, often in binary (for Windows).
The Zope folks probably need to provide their own patch.

    Yasushi> How do they know that Python 2.1.3 has a security problem?

Who are "they"?

You have to realize that the people who develop Python don't know all the
people who bundle Python in applications.  It's open source and most of the
people who work on Python are volunteers.

Can someone on python-dev more in-the-know about these things respond?

Skip