On 2013-02-22 02:37, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:27 PM, MRAB wrote:
On 2013-02-22 02:09, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:02 PM, MRAB wrote:
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via "setup.py upload".
I changed my p
On Thu, Feb 21, 2013 at 9:27 PM, MRAB wrote:
> On 2013-02-22 02:09, Ian Cordasco wrote:
>>
>> On Thu, Feb 21, 2013 at 9:02 PM, MRAB wrote:
>>>
>>> Since the PyPI security notice of 2013-02-15 I've been unable to upload
>>> to PyPI via "setup.py upload".
>>>
>>> I changed my password during the gr
On 2013-02-22 02:09, Ian Cordasco wrote:
On Thu, Feb 21, 2013 at 9:02 PM, MRAB wrote:
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via "setup.py upload".
I changed my password during the grace period, and have reset it, but
it's still rejected:
Upload failed
This is probably better suited to Catalog-sig but you have to edit
your credentials in $HOME/.pypirc
On Thu, Feb 21, 2013 at 9:02 PM, MRAB wrote:
> Since the PyPI security notice of 2013-02-15 I've been unable to upload
> to PyPI via "setup.py upload".
>
> I changed my password during the grace p
Since the PyPI security notice of 2013-02-15 I've been unable to upload
to PyPI via "setup.py upload".
I changed my password during the grace period, and have reset it, but
it's still rejected:
Upload failed (401): Incorrect password
I can login to PyPI with the password.
Can anyone suggest wh
On 22.02.2013 00:47, Paul Boddie wrote:
> Perhaps related to the discussion of denial-of-service vulnerabilities is the
> matter of controlling access to remote resources. I suppose that after the
> following bug was closed, no improvements were made to the standard library:
>
> http://bugs.py
Perhaps related to the discussion of denial-of-service vulnerabilities is the
matter of controlling access to remote resources. I suppose that after the
following bug was closed, no improvements were made to the standard library:
http://bugs.python.org/issue2124
Do Python programs still visit t
On Thu, Feb 21, 2013 at 11:12 AM, Christian Heimes wrote:
> On 21.02.2013 19:39, Eli Bendersky wrote:
> > Just to clarify for my own curiosity. These attacks (e.g.
> > http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
> > since 2003?
>
> Correct, see https://pypi.python.org
On 21.02.2013 19:39, Eli Bendersky wrote:
> Just to clarify for my own curiosity. These attacks (e.g.
> http://en.wikipedia.org/wiki/Billion_laughs) have been known and public
> since 2003?
Correct, see https://pypi.python.org/pypi/defusedxml#synopsis third
paragraph. All XML attacks in my analy
On Thu, Feb 21, 2013 at 9:23 AM, Stephen J. Turnbull wrote:
> Jesse Noller writes:
>
> > I guess someone needs to write a proof of concept exploit for you
> > and release it into the wild.
>
> This is a bit ridiculous. This stuff looks easy enough that surely
> Christian's post informed any mali
Jesse Noller writes:
> I guess someone needs to write a proof of concept exploit for you
> and release it into the wild.
This is a bit ridiculous. This stuff looks easy enough that surely
Christian's post informed any malicious body who didn't already know
how to do it. If the exploit matters,
On Thu, Feb 21, 2013 at 9:29 AM, Tres Seaver wrote:
>
> On 02/21/2013 01:53 AM, Antoine Pitrou wrote:
>> On Thu, 21 Feb 2013 11:37:47 +1100 Steven D'Aprano
>> wrote:
>>>
>>> It's easy to forget that malware existed long before the Internet.
>>> Th
On Thu, Feb 21, 2013 at 6:35 AM, Tres Seaver wrote:
>
> On 02/20/2013 09:08 PM, Barry Warsaw wrote:
>> On Feb 21, 2013, at 10:38 AM, Nick Coghlan wrote:
>>
>>> - make it possible to enable safer behaviour globally in at least
>>> 2.7 and 3.3 (and p
On Thu, 21 Feb 2013 13:04:59 +0100,
Christian Heimes wrote:
> On 21.02.2013 11:32, Antoine Pitrou wrote:
> > You haven't proved that these were actual threats, nor how they
> > actually worked. I'm gonna remain skeptical if there isn't anything
> > more precise than "It highly depends on the
On Thu, 21 Feb 2013 13:19:54 +0100,
Christian Heimes wrote:
> On 21.02.2013 12:16, Antoine Pitrou wrote:
> > I don't know whether you are trying to be ironic but, for the
> > record, proof of concepts needn't be "released into the wild" as
> > long as they exist.
>
> Fun fact:
>
> In fact t
On 21.02.2013 12:16, Antoine Pitrou wrote:
> I don't know whether you are trying to be ironic but, for the record,
> proof of concepts needn't be "released into the wild" as long as they
> exist.
Fun fact:
In fact the abbreviation 'ap' doesn't stand for 'Antoine Pitrou' but for
'antipole'. I'm
On 21.02.2013 11:32, Antoine Pitrou wrote:
> You haven't proved that these were actual threats, nor how they
> actually worked. I'm gonna remain skeptical if there isn't anything
> more precise than "It highly depends on the parser and the application
> what kind of exploit is possible".
https:/
On Thu, 21 Feb 2013 06:05:52 -0500,
Jesse Noller wrote:
> On Feb 21, 2013, at 5:32 AM, Antoine Pitrou
> wrote:
>
> > On Thu, 21 Feb 2013 11:18:35 +0100,
> > Christian Heimes wrote:
> >> On 21.02.2013 08:42, Antoine Pitrou wrote:
> >>> Sure, but in many instances, rebooting a machine is
On Feb 21, 2013, at 5:32 AM, Antoine Pitrou wrote:
> On Thu, 21 Feb 2013 11:18:35 +0100,
> Christian Heimes wrote:
>> On 21.02.2013 08:42, Antoine Pitrou wrote:
>>> Sure, but in many instances, rebooting a machine is not
>>> business-threatening. You will have a couple of minutes' downtim
On Thu, 21 Feb 2013 11:18:35 +0100,
Christian Heimes wrote:
> On 21.02.2013 08:42, Antoine Pitrou wrote:
> > Sure, but in many instances, rebooting a machine is not
> > business-threatening. You will have a couple of minutes' downtime
> > and that's all. Which is why the attack must be repeat
On 21.02.2013 08:42, Antoine Pitrou wrote:
> Sure, but in many instances, rebooting a machine is not
> business-threatening. You will have a couple of minutes' downtime and
> that's all. Which is why the attack must be repeated many times to be a
> major annoyance.
Is this business-threatening e
On 21.02.2013 10:23, Antoine Pitrou wrote:
> If you like being paranoid, there are other things than security to
> be paranoid about: reference cycles, performance on micro-benchmarks,
> memory consumption of docstrings, etc. :-)
snappy(__doc__)?
http://code.google.com/p/snappy/
Christian
On Thu, 21 Feb 2013 00:30:56 +0100,
Christian Heimes wrote:
> On 21.02.2013 00:08, Antoine Pitrou wrote:
> > Not everyone is a security nut.
>
> But, but, but ... it's fun to be paranoid! You get so many new
> potential enemies. :)
If you like being paranoid, there are other things than se