[Stackless] Stackless to address multiple buffer overflow vulnerability?
David E. Sallis
David.Sallis at noaa.gov
Fri Aug 15 23:02:57 CEST 2008
Guy Hulbert said the following on 8/15/2008 3:11 PM:
> If you want the "Not Vulnerable" versions, I think you'd need to
> build Stackless from the gentoo sources.
That would be great if I were a Gentoo user, but I'm not. And I build Stackless from source anyway. Right now Stackless Python source code from stackless.com is unpatched, including Stackless 2.5.2.
> You did not reference this CVE although the link you posted does mention it (with 4 other ones).
I apologize for not including each specific link to the CVEs encompassed by the SecurityFocus bulletin, because I assumed that a reader of my OP would be able to look them up to see WTF. I certainly learned MY lesson.
> The only reference to a fix I could find was on the downloads page:
> http://www.python.org/download/
> Note: there's a security fix for Python 2.2, 2.3 and 2.4. Of the
> releases below, only 2.4.4 and 2.5 and later include the fix.
Right. A two-year-old security release. So you read this and brushed me off with "This is an old problem."
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
If you read the Mitre link carefully, you will notice in the 'References' section that several Linux vendors have patched or have begun patching their package-managed Python implementations, to include Gentoo, Ubuntu, Mandriva and others. Great for them, but I'm a RedHat user, and, again, I build all of my Python interpreters from source.
Can anyone else chime in? For some reason I have developed a headache of inordinate size and scope.
--
David E. Sallis, Software Architect
General Dynamics Information Technology
NOAA Coastal Data Development Center
Stennis Space Center, Mississippi
228.688.3805
david.sallis at gdit.com
david.sallis at noaa.gov
--------------------------------------------
"Better Living Through Software Engineering"
--------------------------------------------