[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
Hello,

I have just noticed that an FTP injection advisory has been made public on the oss-security list. The author says that an exploit exists, but it won't be published until the code is patched. You may already be aware, but it would be good to understand what the position of the core developers is about this.

The advisory is linked below (with some excerpts in this message):

http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

> Protocol injection flaws like this have been an area of research of mine for the past couple of years and as it turns out, this FTP protocol injection allows one to fool a victim's firewall into allowing TCP connections from the Internet to the vulnerable host's system on any "high" port (1024-65535). A nearly identical vulnerability exists in Python's urllib2 and urllib libraries. In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled.
>
> As of 2017-02-20, the vulnerabilities discussed here have not been patched by the associated vendors, despite advance warning and ample time to do so.

[...]

> Python's built-in URL fetching library (urllib2 in Python 2 and urllib in Python 3) is vulnerable to a nearly identical protocol stream injection, but this injection appears to be limited to attacks via directory names specified in the URL.

[...]

> The Python security team was notified in January 2016. Information provided included an outline of the possibility of FTP/firewall attacks. Despite repeated follow-ups, there has been no apparent action on their part.

Best regards,
-- Stefano

P.S. I am posting from gmane, I hope that this is OK.

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
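A defensive input check for the case the advisory describes, added here as an example (it is not code from the advisory, from CPython, or from the poster): it rejects ftp:// URLs whose path segments carry control characters or bytes outside the RFC 3986 path character set before the URL ever reaches urllib. The function name, the character set and the sample URLs are assumptions of this example.

```python
"""Added example: validate an ftp:// URL before handing it to urllib.

Assumption (hypothetical scenario): the application builds ftp:// URLs from
untrusted input. Checking the path here is a defensive layer that does not
depend on a library fix being present.
"""
from urllib.parse import urlsplit, unquote

# RFC 3986 "pchar": unreserved / pct-encoded / sub-delims / ":" / "@"
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_SUB_DELIMS = set("!$&'()*+,;=")
_ALLOWED = _UNRESERVED | _SUB_DELIMS | {":", "@", "%"}


def ftp_url_is_safe(url: str) -> bool:
    """Return True only for an ftp:// URL with a host whose path segments,
    both raw and percent-decoded, contain no control characters."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp" or not parts.hostname:
        return False
    for segment in parts.path.split("/"):
        # Raw form: only RFC 3986 pchar characters (and '%' escapes) may appear.
        if any(ch not in _ALLOWED for ch in segment):
            return False
        # Decoded form: a control character (CR, LF, ...) would end the FTP
        # command line early, which is the "protocol stream injection" the
        # advisory refers to, so it is rejected outright.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in unquote(segment)):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the advisory.
    for sample in (
        "ftp://example.com/pub/file.txt",
        "ftp://example.com/pub%0Adir/file.txt",
        "ftp://example.com/pub dir/file.txt",
        "http://example.com/pub/file.txt",
    ):
        print(f"{'ok     ' if ftp_url_is_safe(sample) else 'reject '}{sample}")
```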
[Python-Dev] 3.3 release plans
Hi all,

now that the final PEP scheduled for 3.3 is final, we're entering the next round of the 3.3 cycle.

I've decided to make Tuesday 26th the big release day. That means:

- Saturday: last feature-level changes that should be done before beta, e.g. removal of packaging
- Sunday: final feature freeze, bug fixing
- Monday: focus on stability of the buildbots, even unstable ones
- Tuesday: forking of the 3.3.0b1 release clone, tagging, start of binary building

cheers,
Georg

--
NEW: FreePhone triple flat rate with a free smartphone! Find out more: http://mobile.1und1.de/?ac=OM.PW.PW003K20328T7073a
[Python-Dev] 3.3 release plans
Hi all,

I've checked in the (hopefully final) update of PEP 398: all PEP scale changes are now final or deferred to 3.4.

I also adjusted the release day to be the 26th of June, which leaves us with the following rough plan:

- Saturday: last large changes, such as removal of packaging
- Sunday: final feature freeze for 3.3; resolve last blockers from bugs.python.org
- Monday: ensure build stability for stable buildbots, and as many unstable buildbots as possible
- Tuesday: release clone forked off the main repo; tagging and start of binary building

cheers,
Georg
Re: [Python-Dev] 3.3 release plans
Original message
> Date: Sat, 23 Jun 2012 21:55:55 +0200
> From: Christian Heimes
> To: python-dev@python.org
> Subject: Re: [Python-Dev] 3.3 release plans
>
> On 23.06.2012 12:54, g.brandl-nos...@gmx.net wrote:
> > Hi all,
> >
> > now that the final PEP scheduled for 3.3 is final, we're entering
> > the next round of the 3.3 cycle.
> >
> > I've decided to make Tuesday 26th the big release day. That means:
> >
> > - Saturday: last feature-level changes that should be done before beta,
> > e.g. removal of packaging
> > - Sunday: final feature freeze, bug fixing
> > - Monday: focus on stability of the buildbots, even unstable ones
> > - Tuesday: forking of the 3.3.0b1 release clone, tagging, start
> > of binary building
>
> I'd like to get the C implementation of the timing safe compare_digest
> into 3.3. http://bugs.python.org/issue15061
>
> The patch went through several incarnations and I implemented input from
> Antoine, Serhiy and others. The function finally ended up as a private
> function in the operator module because the _hashlib module isn't
> available without openssl and a new module for a single function is
> kinda overkill.

Fine with me. You have time until tomorrow to push it.

Georg
[Python-Dev] 3.3 feature freeze
Hi all,

please consider the default branch frozen for new features as of now. As you know, this also includes changes like large cleanups that cannot be considered bug fixes.

Contact me directly (IRC or mail) with urgent questions regarding the release.

I hope that we will see the branch (and the buildbots) calm down and stabilize a bit tomorrow, so that everything is ready for Tuesday.

cheers,
Georg