On 12/02/2006, at 10:39 PM, Alan Kennedy wrote:

> Note the security hole uncovered in the standard library xml-rpc lib
> last year.
>
> PSF-2005-001 - SimpleXMLRPCServer.py allows unrestricted traversal
> http://www.python.org/security/PSF-2005-001/
>
> This particular security hole is the very reason why the Python Security
> response team had to be founded, and required point-releases of the
> entire python distribution to fix, i.e. python 2.3.5 and python 2.4.1
> were released simply to fix this bug.

FWIW, that isn't entirely true. Python 2.3.5 was about to be released at
that time anyway for other reasons. Because of this issue it was though
delayed a little bit to add the change. As to Python 2.4.1 I can't find the
exact details. There was going to be a 2.4.1 release a few weeks later,
again for other reasons, so I think the fix got rolled into the first release
candidate.

Anyway, not that it matters, but the security fix was not the only thing
in those releases.

Graham

_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig