[Monotone-devel] ViewMTN affected by Python security issue
From: Grahame Bowland
Subject: [Monotone-devel] ViewMTN affected by Python security issue
Date: Mon, 23 Oct 2006 14:38:45 +0800

Hey all

ViewMTN is written in the Python programming language. There was
recently a security advisory for Python which I believe affects
ViewMTN installs:

http://www.python.org/news/security/PSF-2006-001/

All versions of ViewMTN may call repr() on untrusted strings as part
of debugging tracebacks; as a result, they might be vulnerable to this
issue. It's also true that malicious strings in data stored within
Monotone databases could be used to attack the install.

Note that ViewMTN does go to some lengths to properly escape strings
before output into HTML. This vulnerability is still a problem, as it
occurs at a lower level in the programming language.

I'd recommend upgrading Python on all ViewMTN servers.

Cheers
Grahame
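
The ordering described in the message, where a debugging traceback calls repr() on an untrusted string before any HTML escaping is applied, is shown in the added example below. It is not part of the original post or of ViewMTN's code: it uses the Python 3 standard library's traceback module as a stand-in for ViewMTN's debugging traceback, and `CountingStr`, `parse_revision`, `render_debug_page` and the sample string are hypothetical names constructed for the illustration.

```python
import html
import traceback


class CountingStr(str):
    """str subclass that records how often repr() is applied to it."""
    repr_calls = 0

    def __repr__(self):
        CountingStr.repr_calls += 1
        return super().__repr__()


def parse_revision(untrusted):
    # The untrusted value is a local variable when the error is raised,
    # so a traceback that dumps locals will call repr() on it.
    raise ValueError("cannot parse revision")


def render_debug_page(untrusted):
    """Return (page, repr_calls_before_escape) for a failed request."""
    CountingStr.repr_calls = 0
    try:
        parse_revision(CountingStr(untrusted))
    except ValueError as exc:
        # capture_locals=True makes the traceback module repr() each local.
        tb = traceback.TracebackException.from_exception(
            exc, capture_locals=True)
        text = "".join(tb.format())
    calls_before_escape = CountingStr.repr_calls
    # Escaping only ever sees the text that repr() has already produced.
    page = "<pre>" + html.escape(text) + "</pre>"
    return page, calls_before_escape


# Constructed sample standing in for a string read from a database.
SAMPLE = "<b>cert value</b>\x01"

if __name__ == "__main__":
    page, calls = render_debug_page(SAMPLE)
    print("repr() calls before escaping:", calls)
    print(page)
```

The output escaping works as intended here, yet repr() has already processed the raw string by the time it runs, which is why the remedy in the message is an interpreter upgrade rather than a change to the escaping code.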