[Zope] Re: [Fwd: [USN-359-1] Python vulnerability]

Tres Seaver tseaver at palladion.com
Mon Oct 9 09:57:00 EDT 2006



Chris Withers wrote:
> Tres Seaver wrote:
>> Chris Withers wrote:
>>> ouch... I'd imagine Zope is vulnerable to this?
>>>
>>> What source version(s) of python have these problems fixed?
>>
>> I think the issue only surfaces if you compile Python for UCS4, which
>> the desktop-centric versions shipped by the distros do.  If you build
>> Python using the default config, it uses UCS2 (which is a better choice
>> for long-running appservers, anyway).
>>
>> I just verified this by running the example code from the SF bug[1]:  it
>> aborts when run with Ubuntu's own python2.4, but not with the one I run
>> Zope with.
> 
> Right. Same here. System python barfs on the 2nd example,
> source-compiled python doesn't for me...
> 
>> Python 2.4.4 will have this fix, when released.
>>
>> [1]
>> http://sourceforge.net/tracker/index.php?func=detail&aid=1541585&group_id=5470&atid=305470
>>
> 
> I do think it's worth stressing that if you're running Zope, you should
> at least check that the two examples don't barf on your machine.
> 
> I'm sure there are lots of people out there using system builds of
> python, and it looks like at least the stable debian and ubuntu builds
> are vulnerable...

Anybody running Zope in production with the system-supplied Python
should be aware of the USN (or equivalent Debian) updates, and apply
them as soon as possible.  (The fact that they are crazy doesn't imply
that they must be stupid. ;)


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

