From: Ruslan Mahmatkhanov
Date: Wed, 15 Feb 2012 13:29:16 +0400
To: Doug Barton
Cc: python@FreeBSD.org, FreeBSD ports list
Subject: Re: Python upgrade to address vulnerability?
Message-ID: <4F3B7AEC.5090905@yandex.ru>
In-Reply-To: <4F3ADE3D.706@FreeBSD.org>

Doug Barton wrote on 15.02.2012 02:20:
> So apparently we have a python vulnerability according to
> http://portaudit.FreeBSD.org/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html,
> but I'm not seeing an upgrade to address it yet. Any idea when that will
> happen?
>
>
> Thanks,
>
> Doug
>

Patch is there:
http://people.freebsd.org/~rm/python-CVE-2012-0845.diff.txt

Patch for 3.2 is taken there directly:
http://bugs.python.org/file24522/xmlrpc_loop-1.diff

Patch for 2.5, 2.6, 2.7, 3.1 is adopted from this patch:
http://bugs.python.org/file24513/xmlrpc_loop.diff

SimpleXMLRPCServer.py in 2.4 is too different and it is going to die
anyway so I didn't mess with it.

If no one objects, I can commit it. Please tell me what I should do.

--
Regards,
Ruslan

Tinderboxing kills... the drives.