[ubuntu-hardened] Python 2.7.9 security update?
Tyler Hicks
tyhicks at canonical.com
Mon Jan 25 15:54:46 UTC 2016
On 2016-01-23 16:25:06, Dario Bertini wrote:
> Hi, I hope that this is the correct venue for this inquiry.
Hello Dario - This is a perfectly fine way of discussing Ubuntu security
topics.
> I want to attract a bit of attention over
>
> https://bugs.launchpad.net/ubuntu/+source/python-defaults/+bug/1401322
>
> It has been opened by one of Python core developers, and has a CVE reference.
>
> I guess that backporting huge changes might not be easy, so that might
> be the rationale for why this hasn't been done yet, but I'd like to
> know it for certain from someone who has experience with the security
> updates process in Ubuntu.
At first glance, it would seem like the fix for CVE-2014-9365 is
something we'd want to backport to all stable Ubuntu releases so that we
get proper certificate verification everywhere.
However, we feel like it was mostly known that applications were meant
to handle certificate verification themselves at the time of the Ubuntu
releases that shipped versions of Python that did not do full
certificate verification. Changing this behavior underneath applications
could cause regressions so we've opted to fix individual applications
that are found to not perform proper verification rather than backport
the fix for CVE-2014-9365.
This is documented in the Ubuntu CVE tracker:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9365.html
Thanks!
Tyler
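The reply above explains that, on the affected Ubuntu releases, the Python `ssl` module did not verify server certificates by default and applications were expected to do that verification themselves. As an added illustration (not code from the thread, Ubuntu, or Python), the block below builds the two client configurations side by side: a verifying `SSLContext` of the kind an application should use, and a permissive one that mirrors the pre-fix default so the difference is visible. The function names (`make_verifying_context`, `make_legacy_context`, `describe`, `url_verifies`) are assumptions for this example.

```python
"""Per-application TLS certificate verification with the standard-library ssl module.

Constructed example: contrasts a context that enforces CA validation and
hostname matching with one that mirrors the historical 'no verification'
default that CVE-2014-9365 addressed.
"""
import ssl
import urllib.request


def make_verifying_context(cafile=None):
    """Context a client application should use.

    create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True and loads the system CA store (or `cafile`).
    The minimum protocol version is raised so legacy TLS is refused.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_context():
    """Context that behaves like the old default: no CA check, no hostname check.

    Kept only to make the weak setting visible next to the corrected one;
    an application relying on this accepts any certificate from any server.
    Note the order: check_hostname must be cleared before verify_mode can be
    set to CERT_NONE, otherwise SSLContext raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context as plain values."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def url_verifies(url, cafile=None, timeout=10):
    """Fetch `url` with a verifying context; report whether the chain and hostname validated.

    Returns True on a successful handshake, False on a certificate failure,
    and re-raises anything else (DNS, connection refused, HTTP errors) so a
    caller does not mistake an unrelated fault for a passed verification.
    """
    ctx = make_verifying_context(cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    print("verifying:", describe(make_verifying_context()))
    print("legacy:   ", describe(make_legacy_context()))
```

Running the module prints the two setting summaries; `url_verifies` needs network access and is the shape of check an application (or a test suite auditing one) would use to confirm that it fails closed on an invalid chain or mismatched hostname rather than silently connecting.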