[Stackless] Stackless to address multiple buffer overflow vulnerability?
Guy Hulbert
gwhulbert at eol.ca
Fri Aug 15 22:02:07 CEST 2008
On Fri, 2008-15-08 at 11:52 -0500, David E. Sallis wrote:
> Guy Hulbert said the following on 8/15/2008 11:36 AM:
> > This is an old problem.
> >
> > http://www.python.org/files/news/security/PSF-2006-001/PSF-2006-001.txt
>
> I must respectfully disagree. Did you read the bulletin I
> referenced?
Nope. I read the link you posted:
http://www.securityfocus.com/bid/30491
and I followed this:
http://www.securityfocus.com/bid/30491/solution
    Solution:
    The vendor has released fixes to address the issues. Please see
    the references for more information.
to:
http://www.securityfocus.com/bid/30491/references
and to:
http://www.python.org/
The only reference to a fix I could find was on the downloads page:
http://www.python.org/download/
    Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
    releases below, only 2.4.4 and 2.5 and later include the fix.
> CVE-2008-2315, for one, was published in late July 2008. It
> states in part:
You did not reference this CVE although the link you posted does mention
it (with 4 other ones).
[snip]
> This is *not* an old problem.
You seem to be correct here. The python pages seem to know nothing
about this one. Google brings up:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
However:
    This CVE Identifier has "Candidate" status and must be reviewed
    and accepted by the CVE Editorial Board before it can be updated
    to official "Entry" status on the CVE List. It may be modified
    or even rejected in the future.
pointing to:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2315
Which has 3 links to gentoo. The first one is more informative than
anything else I've found so far:
http://www.gentoo.org/security/en/glsa/glsa-200807-16.xml
>
--
--gh