
[Monotone-devel] ViewMTN affected by Python security issue


From: Grahame Bowland
Subject: [Monotone-devel] ViewMTN affected by Python security issue
Date: Mon, 23 Oct 2006 14:38:45 +0800

Hey all

ViewMTN is written in the Python programming language. There was
recently a security advisory for Python which I believe affects
ViewMTN installs:
http://www.python.org/news/security/PSF-2006-001/

All versions of ViewMTN may call repr() on untrusted strings as part
of debugging tracebacks; as a result, they might be vulnerable to this
issue. It's also true that malicious strings in data stored within
Monotone databases could be used to attack the install.

Note that ViewMTN does go to some lengths to properly escape strings
before output into HTML. This vulnerability is still a problem, as it
occurs at a lower level in the programming language.

I'd recommend upgrading Python on all ViewMTN servers.

Cheers
Grahame



