Markus added the comment:

I beg your pardon for being pedantic.
The issue is not MFC, but CRT.

The related safety bulletin (https://technet.microsoft.com/library/security/ms11-025) says

    Your application may be an attack vector if all of the following conditions are true:

     - Your application makes use of the Microsoft Foundation Class (MFC) Library
     - Your application allows the loading of dynamic link libraries from untrusted locations, such as WebDAV shares

This is clearly **not** the case for Python.
So far so good.

I am concerned that the security update contains an updated vc90.crt 
9.0.30729.6161.
If Python finds the 6161 update, it will use it.

I found no information on the change between the 4940 version (from Python 
2.7.13) and the 6161 update (from the security update).

But as Python uses the 6161 update (if it is installed) I would like to raise 
the question if Python should ship it.

I am not a security expert, so this issue is based completely on the above 
observations and a crumb of logic.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29740>
_______________________________________