Issue2454
Created on 2016-01-19.13:46:46 by cschneider4711, last changed 2016-04-12.19:57:45 by cschneider4711.
msg10659
Author: Christian Schneider (cschneider4711)
Date: 2016-01-19.13:46:44
We - Alvaro Munoz (alvaro@pwntester.com) and Christian Schneider (mail@Christian-Schneider.net) - have found a security issue related to Jython.
Please let us know what the best way to report this issue is: direct disclosure in this public bug tracker, or prior to that a private disclosure (via email etc.)?

msg10660
Author: Jim Baker (zyasoft)
Date: 2016-01-19.18:30:55
Alvaro/Christian, please send us email first. Let's restrict this to the most active Jython committers, which I will arbitrarily define as those who have worked on 2.7.1 since beta 2 (see our commit log at https://hg.python.org/jython, but filtering out non committers):
Darjus Loktevic <darjus@gmail.com>
Jim Baker <jim.baker@rackspace.com>
Jeff Allen <ja.py@farowl.co.uk>
Stefan Richthofer <stefan.richthofer@gmx.de>
Frank Wierzbicki <fwierzbicki@gmail.com>
Other Jython committers may also request access if they are interested; please contact me or Frank so we can coordinate with the OP.

msg10661
Author: Christian Schneider (cschneider4711)
Date: 2016-01-19.18:34:47
Thanks, we'll send the details of the ticket to the email addresses you provided. We created this ticket here after two mails we sent on 2016-01-12 and 2016-01-15 to a mail address of the Jython community remained unanswered.

msg10662
Author: Jim Baker (zyasoft)
Date: 2016-01-19.18:41:32
Christian, I appreciate that you contacted us through the second channel. Feel free to contact me directly at jim.baker@rackspace.com (or equivalently jim.baker@python.org, it doesn't matter) with details of that initial attempt, including the email address. I don't know about others, but I did not receive any email from you prior to this bug report. I suspect we have outdated/wrong information floating around the internet!

msg10663
Author: Frank Wierzbicki (fwierzbicki)
Date: 2016-01-19.19:00:37
Looking through my email (fwierzbicki@gmail.com), it looks like I did get some emails on this, sorry to have dropped the ball. I should put some kind of filter in my email for this sort of thing so that it jumps out better.

msg10664
Author: Alvaro Munoz (alvaro)
Date: 2016-01-19.20:39:54
No problem :) We will send the details to the emails listed above.

msg10678
Author: Jim Baker (zyasoft)
Date: 2016-02-02.03:37:45
Fixed as of https://hg.python.org/jython/rev/d06e29d100c0

msg10832
Author: Christian Schneider (cschneider4711)
Date: 2016-04-12.19:57:45
BTW: MITRE has assigned CVE-2016-4000 for this.

Date                | User           | Action | Args
2016-04-12 19:57:45 | cschneider4711 | set    | messages: + msg10832
2016-02-09 23:50:00 | zyasoft        | set    | status: pending -> closed
2016-02-02 03:37:45 | zyasoft        | set    | status: open -> pending; resolution: fixed; messages: + msg10678
2016-01-19 20:39:54 | alvaro         | set    | nosy: + alvaro; messages: + msg10664
2016-01-19 19:00:38 | fwierzbicki    | set    | messages: + msg10663
2016-01-19 18:41:33 | zyasoft        | set    | messages: + msg10662
2016-01-19 18:34:48 | cschneider4711 | set    | messages: + msg10661
2016-01-19 18:32:51 | zyasoft        | set    | nosy: + fwierzbicki, jeff.allen, darjus, stefan.richthofer
2016-01-19 18:30:55 | zyasoft        | set    | nosy: + zyasoft; messages: + msg10660
2016-01-19 13:46:46 | cschneider4711 | create |