[Python-Dev] Releases for recent security vulnerability

Senthil Kumaran orsenthil at gmail.com
Fri Apr 15 11:07:17 CEST 2011


On Fri, Apr 15, 2011 at 09:35:06AM +0100, Gustavo Narea wrote:
> 
> How come a description of how to exploit a security vulnerability
> comes before a release for said vulnerability? I'm talking about this:
> http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html
> 
> My understanding is that the whole point of asking people not to
> report security vulnerability publicly was to allow time to release a
> fix.

Yes, I agree with you. I am surprised that it made it to the blog and is
just catching more attention (via responses/retweets) than it is
worth.

FWIW, if we analyze the technical details more carefully,
urllib/urllib2 as a library could have redirected to a file:// URL, but
it is a library and not a web server, and the person who wrote the server
could catch the redirection and handle it at a higher level too. This may
sound less drastic than what it appears in the post.

Anyway, it was an issue and it is fixed.

-- 
Senthil

<calc> Knghtbrd: irc doesn't compile c code very well ;)
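Senthil's point about catching the redirection at a higher level, as an added Python 3 example that is not from the thread or the python.org blog post: an application-level redirect handler for urllib.request (the Python 3 successor of urllib2) that refuses any Location: target whose scheme is not http or https. The names SchemeRestrictingRedirectHandler and redirect_allowed_by_handler, and the example.invalid host, are assumptions of this example.

```python
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Schemes an HTTP client is willing to be redirected to. Anything else
# (file://, ftp://, ...) is refused before a request is ever issued.
ALLOWED_REDIRECT_SCHEMES = ("http", "https")


class SchemeRestrictingRedirectHandler(HTTPRedirectHandler):
    """Redirect handler that only follows http(s) targets.

    The stock handler decides *whether* to follow a redirect based on the
    status code and method; this subclass adds a check on the target URL's
    scheme so a Location: header cannot steer the client to a local file.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        scheme = urlsplit(newurl).scheme.lower()
        if scheme not in ALLOWED_REDIRECT_SCHEMES:
            # Surface the refusal as an HTTPError so callers see it like
            # any other failed redirect instead of silently reading a file.
            raise HTTPError(req.full_url, code,
                            "refusing redirect to %r URL" % scheme,
                            headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_safe_opener():
    """Opener whose redirect handling is restricted to http(s) targets."""
    return build_opener(SchemeRestrictingRedirectHandler())


def redirect_allowed_by_handler(newurl, code=302):
    """Offline check: what would the handler do for this Location: value?

    Returns the URL of the follow-up request, or None if the redirect is
    refused. No network traffic is generated; the original request is a
    constructed placeholder.
    """
    handler = SchemeRestrictingRedirectHandler()
    req = Request("http://example.invalid/start")
    try:
        new_req = handler.redirect_request(req, None, code, "Found", None, newurl)
    except HTTPError:
        return None
    return new_req.full_url


if __name__ == "__main__":
    for target in ("https://example.invalid/next", "file:///tmp/not-for-http"):
        print(target, "->", redirect_allowed_by_handler(target))
```

Pass build_safe_opener() to urllib.request.install_opener, or call its open() directly, to apply the check to real requests.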