[Stackless] Stackless to address multiple buffer overflow vulnerability?

Guy Hulbert gwhulbert at eol.ca
Fri Aug 15 22:02:07 CEST 2008


On Fri, 2008-15-08 at 11:52 -0500, David E. Sallis wrote:
> Guy Hulbert said the following on 8/15/2008 11:36 AM:
>  > This is an old problem.
>  >
>  > http://www.python.org/files/news/security/PSF-2006-001/PSF-2006-001.txt
> 
> I must respectfully disagree.  Did you read the bulletin I
> referenced?  

Nope.  I read the link you posted:
http://www.securityfocus.com/bid/30491

and I followed this:
http://www.securityfocus.com/bid/30491/solution

        Solution:
        The vendor has released fixes to address the issues. Please see
        the references for more information.

to:
http://www.securityfocus.com/bid/30491/references

and to:
http://www.python.org/

The only reference to a fix I could find was on the downloads page:
http://www.python.org/download/

        Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
        releases below, only 2.4.4 and 2.5 and later include the fix.


> CVE-2008-2315, for one, was published in late July 2008.  It 
> states in part:

You did not reference this CVE although the link you posted does mention
it (with 4 other ones).

[snip]
> This is *not* an old problem.

You seem to be correct here.  The Python pages seem to know nothing
about this one.  Google brings up:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315

However:

        This CVE Identifier has "Candidate" status and must be reviewed
        and accepted by the CVE Editorial Board before it can be updated
        to official "Entry" status on the CVE List. It may be modified
        or even rejected in the future.

pointing to:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2315

Which has 3 links to Gentoo.  The first one is more informative than
anything else I've found so far:
http://www.gentoo.org/security/en/glsa/glsa-200807-16.xml


>  
-- 
--gh





