On 21/05/2019 20.35, Guido van Rossum wrote:
> On Tue, May 21, 2019 at 11:17 AM Christian Heimes <[email protected]> wrote:
>
>     I'm already facing opposition for modules that are less controversial and
>     useful than http.server, too.
>
> There's another argument here. This is an "omnibus" PEP, meaning it proposes
> many unrelated changes. In order to get a consensus to pass the PEP, it may
> be necessary to compromise. IOW I would recommend removing modules from the
> PEP that bring up strong opposition, *even* if you yourself feel strongly
> that those modules should be removed.
>
> The vast majority of modules on the list hasn't elicited any kind of feedback
> at all -- those are clearly safe to remove (many people are probably, like
> myself, hard-pressed to remember what they do). I'm not saying drop anything
> from the list that elicits any pushback, but once the debate has gone back
> and forth twice, it may be a hint that a module still has fans. Threatening
> to open a CVE is more likely to reduce support for the PEP than it is to
> convince anyone.
It was not a threat, but an illustration of how critical the flaw with spwd + crypt is. The approach performs only authentication and completely bypasses any authorization. It does not take any login restrictions into account, like the account enabled flag, host/service based access control, IP restriction, credential strength, and so on. I would give the issue a CVSS rating between 8.3 (high) and 9.6 (critical), perhaps CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

By the way, Giampaolo and I have known each other for many years. I know that he'll address the issue and file a CVE himself.

_______________________________________________
Python-Dev mailing list
https://mail.python.org/mailman/listinfo/python-dev
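The authentication-without-authorization gap described above, as an added example that is not code from the thread or from CPython: a bare `crypt`-style hash comparison is preceded by the account-state checks a login daemon derives from the shadow fields (locked password, account expiry, password expired past the inactivity period). Because `spwd` needs root and was removed in Python 3.13, the entries are constructed strings in `/etc/shadow` field order, `TODAY` is a constructed date, and `fake_verify` is a placeholder standing in for `crypt.crypt(pw, stored) == stored`; the host/IP restrictions the mail also names live outside the shadow file and are not shown.

```python
# Added example, not code from the thread: the account-state checks that a bare
# spwd + crypt comparison skips.  spwd needs root (and is gone in 3.13), so the
# entries are constructed /etc/shadow-format strings; fake_verify stands in for
# crypt.crypt(pw, stored) == stored.
import hashlib
import hmac
from dataclasses import dataclass

TODAY = 18500  # constructed "today" in days since the epoch, like sp_lstchg

@dataclass
class ShadowEntry:
    name: str
    pwd: str      # hash; a "!" or "*" prefix means the password is locked
    lastchg: int  # day of last change (-1 when the field is empty)
    maxdays: int  # days a password stays valid
    inact: int    # grace days after that before the account is disabled
    expire: int   # day the account itself expires

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")  # name:pwd:lastchg:min:max:warn:inact:expire
    n = lambda s: int(s) if s else -1
    return ShadowEntry(f[0], f[1], n(f[2]), n(f[4]), n(f[6]), n(f[7]))

def denied_reason(e: ShadowEntry, today: int = TODAY):
    """Why the account may not log in regardless of the password, or None."""
    if e.pwd[:1] in ("!", "*"):
        return "password locked"
    if e.expire >= 0 and today >= e.expire:
        return "account expired"
    if min(e.lastchg, e.maxdays, e.inact) >= 0 and today > e.lastchg + e.maxdays + e.inact:
        return "password expired past inactivity period"
    return None

def fake_verify(pw: str, stored: str) -> bool:  # stand-in, not a real crypt scheme
    return hmac.compare_digest("$x$" + hashlib.sha256(pw.encode()).hexdigest(), stored)

def check_login(line: str, pw: str, today: int = TODAY):
    # Authorization (account state) first, then authentication (hash compare).
    e = parse_shadow_line(line)
    reason = denied_reason(e, today)
    if reason:
        return (False, reason)
    return (True, "ok") if fake_verify(pw, e.pwd) else (False, "bad password")

# Constructed sample entries (hashes are fake_verify values, not real crypt output)
H = "$x$" + hashlib.sha256(b"correct-horse").hexdigest()
ACTIVE = f"alice:{H}:18000:0:99999:7:::"
LOCKED = f"bob:!{H}:18000:0:99999:7:::"
EXPIRED = f"carol:{H}:18000:0:99999:7::18100:"
STALE = f"dave:{H}:17000:0:90:7:30::"
```

With only the hash compare, `carol` and `dave` would authenticate successfully even though a real login would refuse them.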
