Velocity Reviews > Newsgroups > Programming > Python > Who should security issues be reported to?

Who should security issues be reported to?

 
 
grahamd@dscpl.com.au
01-27-2005
Who are the appropriate people to report security problems to
in respect of a module included with the Python distribution?
I don't feel it appropriate to be reporting it on general mailing
lists.

 
Aahz
01-28-2005
In article <(E-Mail Removed). com>,
<(E-Mail Removed)> wrote:
>
>Who are the appropriate people to report security problems to in
>respect of a module included with the Python distribution? I don't
>feel it appropriate to be reporting it on general mailing lists.


There is no generally appropriate non-public mechanism for reporting
security issues. If you really think this needs to be handled
privately, do some research to find out which core developer is most
likely to be familiar with it. Even before you do that, check
SourceForge to find out whether anyone else has reported it as a bug.
--
Aahz ((E-Mail Removed)) <*> http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing." --Alan Perlis
 
grahamd@dscpl.com.au
01-28-2005

Aahz wrote:
> In article <(E-Mail Removed). com>,
> <(E-Mail Removed)> wrote:
> >
> >Who are the appropriate people to report security problems to in
> >respect of a module included with the Python distribution? I don't
> >feel it appropriate to be reporting it on general mailing lists.

>
> There is no generally appropriate non-public mechanism for reporting
> security issues. If you really think this needs to be handled
> privately, do some research to find out which core developer is most
> likely to be familiar with it. Even before you do that, check
> SourceForge to find out whether anyone else has reported it as a bug.


I find this response a bit disappointing frankly. Open Source people make
such a big deal about having lots of people being able to look at source
code and from that discover security problems, thus somehow making it
better than proprietary source code. From what I can see, if an Open
Source project is quite large with lots of people involved, it makes it
very hard to try and identify who you should report something to when
there is no clearly identifiable single point of contact for security
related issues. Why should I have to go through hoops to try and track
down who is appropriate to send it to? All you need is a single
advertised email address for security issues which is forwarded onto a
small group of developers who can then evaluate the issue and forward it
on to the appropriate person. Such developers could probably do such
evaluation in minutes, yet I have to spend a lot longer trying to
research who to send it to and then potentially wait days for some
obscure person mentioned in the source code who has not touched it in
years to respond, if at all. Meanwhile you have a potentially severe
security hole sitting there waiting for someone to exploit, with the only
saving grace being the low relative numbers of users who may be using it
in the insecure manner and that it would be hard to identify the actual
web sites which suffer the problem.

I'm sorry, but this isn't really good enough. If Open Source wants to say
that they are better than these proprietary companies, they need to deal
with these sorts of things more professionally and establish decent
channels of communications for dealing with it.

And yes I have tried mailing the only people mentioned in the module in
question and am still waiting for a response.

 
Nick Coghlan
01-28-2005
(E-Mail Removed) wrote:
> I'm sorry, but this isn't really good enough. If Open Source wants to
> say that
> they are better than these proprietary companies, they need to deal
> with these
> sorts of things more professionally and establish decent channels of
> communications for dealing with it.


Is that the sound of a volunteer I hear?

All you have to do is put your hand up, and the problem will be solved. If not
you, who?

Cheers,
Nick.

--
Nick Coghlan | (E-Mail Removed) | Brisbane, Australia
---------------------------------------------------------------
http://boredomandlaziness.skystorm.net
 
phr@localhost.localdomain
01-28-2005
Nick Coghlan <(E-Mail Removed)> writes:
> Is that the sound of a volunteer I hear?
>
> All you have to do is put your hand up, and the problem will be
> solved. If not you, who?


Tell me about it. See the "rotor replacement" thread.
 
Fredrik Lundh
01-28-2005
Nick Coghlan wrote:

>> I'm sorry, but this isn't really good enough. If Open Source wants to
>> say that they are better than these proprietary companies, they need
>> to deal with these sorts of things more professionally and establish
>> decent channels of communications for dealing with it.

>
> Is that the sound of a volunteer I hear?
>
> All you have to do is put your hand up, and the problem will be solved. If not you, who?


oh, please. this is a security issue. it needs a little more coordination
than an ordinary bug report.

</F>



 
Duncan Booth
01-28-2005
(E-Mail Removed) wrote:

> I find this response a bit dissappointing frankly. Open Source people
> make
> such a big deal about having lots of people being able to look at
> source
> code and from that discover security problems, thus making it somehow
> making it better than proprietary source code.


I think part of the problem you are having is that Python doesn't make any
representations about security, so it is pretty hard to come up with issues
which really are security related. Products which are based on Python (e.g.
Zope) and which do aim to provide some kind of secure environment probably
will have some clear mechanism for reporting security related issues.

The only part of Python which used to claim to offer security was rexec and
the bastion module, but they had so many security issues that they were
removed from the distribution.

In other words, I'm intrigued how you managed to come up with something you
consider to be a security issue with Python since Python offers no
security. Perhaps, without revealing the actual issue in question, you
could give an example of some other situation which, if it came up in
Python you would consider to be a security issue?

 
Paul Rubin
01-28-2005
Duncan Booth <(E-Mail Removed)> writes:
> In other words, I'm intrigued how you managed to come up with something you
> consider to be a security issue with Python since Python offers no
> security. Perhaps, without revealing the actual issue in question, you
> could give an example of some other situation which, if it came up in
> Python you would consider to be a security issue?


Until fairly recently, the pickle module was insufficiently documented
as being unsafe to use with hostile data, so people used it that way.
As a result, the Cookie module's default settings allowed remote
attackers to take over Python web apps. See SF bug 467384.
 
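The class of bug Paul Rubin describes above, shown as an added example that is
not code from this thread, from the old Cookie module, or from the Python
standard library. It is a constructed scheme in which a cookie value is
base64(pickle(obj)) and the server unpickles whatever the client sends back;
the old Cookie module's pickle-based cookie classes had that shape, but their
code is not reproduced here. The hostile value's `__reduce__` makes
`pickle.loads` call a function of the attacker's choosing (`attacker_payload`
is a constructed stand-in for `os.system`), and the two hardenings shown are
the ones a practitioner would reach for: carry JSON and authenticate it with an
HMAC, or, if pickle must stay, subclass `pickle.Unpickler` and refuse to
resolve any global. `DEMO_KEY` is made up for the demo.

```python
# Added example, not code from the thread or the Python standard library.
# Constructed scheme: a cookie value is base64(pickle(obj)).  DEMO_KEY and
# attacker_payload are invented for the demo; a real payload would name
# os.system or similar instead.
import base64
import hashlib
import hmac
import io
import json
import pickle

CALLS = []  # records whatever the hostile pickle manages to execute


def attacker_payload(tag):
    """Stand-in for os.system("..."): records that it ran, returns its argument."""
    CALLS.append(tag)
    return tag


class Exploit:
    """Its pickle stream says: look up attacker_payload and call it with this tuple."""

    def __reduce__(self):
        return (attacker_payload, ("ran inside pickle.loads",))


# --- Vulnerable scheme: the server unpickles whatever the client sends back ---

def unsafe_encode(obj):
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def unsafe_decode(value):
    # Calling pickle.loads on client-controlled bytes is the bug.
    return pickle.loads(base64.b64decode(value))


def build_hostile_cookie():
    """What an attacker would send in a Cookie header, built with the same encoder."""
    return unsafe_encode(Exploit())


# --- Hardening 1: do not unpickle at all; carry JSON and authenticate it ---

DEMO_KEY = b"constructed demo key, not a real secret"


def safe_encode(obj, key):
    body = base64.urlsafe_b64encode(
        json.dumps(obj, separators=(",", ":")).encode("utf-8")
    ).decode("ascii")
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def safe_decode(value, key):
    body, _, mac = value.rpartition(".")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("cookie signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


# --- Hardening 2: if pickle must stay, refuse to resolve any global at all ---

class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every callable named in a pickle stream (attacker_payload, os.system,
        # builtins.eval, ...) is fetched through find_class.  Refusing all of
        # them leaves only plain data: str, bytes, numbers, tuples, lists, dicts.
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_decode(value):
    """Returns ("ok", obj) for data-only pickles, ("refused", why) otherwise."""
    try:
        return ("ok", NoGlobalsUnpickler(io.BytesIO(base64.b64decode(value))).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    cookie = build_hostile_cookie()
    print("restricted:", restricted_decode(cookie))  # refused; CALLS untouched
    print("signed:", safe_decode(safe_encode({"user": "bob"}, DEMO_KEY), DEMO_KEY))
    print("unsafe:", unsafe_decode(cookie), "-> CALLS =", CALLS)  # payload ran
```

The refusal in `find_class` happens before the REDUCE opcode runs, so the
payload never executes; the signed-JSON route is the better default because
it removes the deserialiser from the attack surface entirely rather than
fencing it.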
 
Richie Hindle
01-28-2005

[Duncan]
> I'm intrigued how you managed to come up with something you
> consider to be a security issue with Python since Python offers no
> security. Perhaps, without revealing the actual issue in question, you
> could give an example of some other situation which, if it came up in
> Python you would consider to be a security issue?


I can't speak for the OP, but one hypothetical example might be a buffer
overrun vulnerability in the socket module.

--
Richie Hindle
(E-Mail Removed)

 
Fredrik Lundh
01-28-2005
Duncan Booth wrote:

> I think part of the problem you are having is that Python doesn't make any
> representations about security, so it is pretty hard to come up with issues
> which really are security related. Products which are based on Python (e.g.
> Zope) and which do aim to provide some kind of secure environment probably
> will have some clear mechanism for reporting security related issues.


security issues occur when code that claims to do something can be used to do
something entirely different, by malevolent application users.

(wxPython doesn't make any security claims either, but if it turned out that you
could gain root access, modify the underlying database, modify variables in the
program, execute arbitrary code, or some other similar thing simply by typing the
right things into a password entry field, wouldn't you consider that a security
issue?)

(no, this issue isn't related to wxPython)

</F>



 