Re: Python rexec and Bastion flaws

2003-05-14 Thread Bastian Kleineidam
On Tue, May 13, 2003 at 11:40:45PM -0400, Matt Zimmerman wrote:
> > Yup, ok. I will see if I can identify packages using rexec or Bastion
> > and provide patches for them instead of disabling modules.
>
> Were you able to make any progress with this?

Re: Python rexec and Bastion flaws

2003-05-13 Thread Matt Zimmerman
On Thu, Jan 23, 2003 at 05:35:26PM +0100, Bastian Kleineidam wrote:
> On Tue, Jan 21, 2003 at 07:47:11AM +0100, Martin Schulze wrote:
> > > I suggest to disable the above two modules in python2.2 (which is in
> > > woody), even if existing applications can break. What do you think?
> >
> > I'd ra

Re: Python rexec and Bastion flaws

2003-01-25 Thread Martin Schulze
Bastian Kleineidam wrote:
> > > I suggest to disable the above two modules in python2.2 (which is in
> > > woody), even if existing applications can break. What do you think?
> >
> > I'd rather know about the vulnerability (and maybe doko is able to
> > implement a fix) than to blindly castrate so

Re: Python rexec and Bastion flaws

2003-01-23 Thread Bastian Kleineidam
On Tue, Jan 21, 2003 at 07:47:11AM +0100, Martin Schulze wrote:
> > I suggest to disable the above two modules in python2.2 (which is in
> > woody), even if existing applications can break. What do you think?
>
> I'd rather know about the vulnerabilit

Re: Python rexec and Bastion flaws

2003-01-21 Thread Neil Schemenauer
Martin Schulze wrote:
> Ouch. It's very sad that upstream says that they don't have the resources
> to fix security bugs in a widely used software.

AFAIK, rexec and Bastion are not widely used.

Neil

Re: Python rexec and Bastion flaws

2003-01-21 Thread Carey Evans
Martin Schulze wrote: I'd rather know about the vulnerability (and maybe doko is able to implement a fix) than to blindly castrate software. Theo d.R. already taught us that blindly releasing updates are not good. Here's some relevant links for the bugs: Deleting __builtins__: http://python.org/

Re: Python rexec and Bastion flaws

2003-01-21 Thread Martin Schulze
Bastian Kleineidam wrote:
> Hi,
>
> I just read this Post from Guido van Rossum[1] that the rexec.py and
> Bastian.py modules have severe security flaws. These modules will be
> disabled in the next 2.2 and 2.3 releases to avoid security risks.
> [1]
> http://groups.google.com/groups?selm=mailman

Re: Python rexec and Bastion flaws

2003-01-20 Thread Matthias Klose
Bastian Kleineidam writes:
> Hi,
>
> I just read this Post from Guido van Rossum[1] that the rexec.py and
> Bastian.py modules have severe security flaws. These modules will be
> disabled in the next 2.2 and 2.3 releases to avoid security risks.