Issue2454

We - Alvaro Munoz (alvaro@pwntester.com) and Christian Schneider (mail@Christian-Schneider.net) - have found a security issue related with Jython. 

Please let us know what is the best way to report this issue: Direct disclosure in this public bug tracker, or prior to that private disclosure (via email etc.)?

Alvaro/Christian, please send us email first. Let's restrict this to the most active Jython committers, which I will arbitrarily define as those who have worked on 2.7.1 since beta 2 (see our commit log at https://hg.python.org/jython, but filtering out non committers):

Darjus Loktevic <darjus@gmail.com>
Jim Baker <jim.baker@rackspace.com>
Jeff Allen <ja.py@farowl.co.uk>
Stefan Richthofer <stefan.richthofer@gmx.de>
Frank Wierzbicki <fwierzbicki@gmail.com>

Other Jython committers may also request access if they are interested; please contact me or Frank so we can coordinate with the OP.

Thanks, we'll send the details of the ticket to the email addresses you provided. We've created this ticket here after two mails we sent on 2016-01-12 and 2016-01-15 to a mail address of the jython community remained unanswered.

Christian, I appreciate you contacted us through the second channel. Feel free to contact me directly jim.baker@rackspace.com (or equivalently jim.baker@python.org, doesn't matter) for details of that initial attempt, including email address. I don't know about others, but I did not receive any email from you prior to this bug report. I suspect we have outdated/wrong information floating around the internet!

Looking through my email (fwierzbicki@gmail.com), it looks like I did get some emails on this, sorry to have dropped the ball. I should put some kind of filter in my email for this sort of thing so that it jumps out better.

No problem :) we will send you the details to the emails listed above

Fixed as of https://hg.python.org/jython/rev/d06e29d100c0

BTW: MITRE has assigned CVE-2016-4000 for this