Issue2454

classification
Title: Security Vulnerability in Jython
Type: security
Severity: major
Components: Core
Versions:
Milestone:
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: alvaro, cschneider4711, darjus, fwierzbicki, jeff.allen, stefan.richthofer, zyasoft
Priority:
Keywords:

Created on 2016-01-19.13:46:46 by cschneider4711, last changed 2016-04-12.19:57:45 by cschneider4711.

Messages
msg10659 Author: Christian Schneider (cschneider4711) Date: 2016-01-19.13:46:44
We - Alvaro Munoz (alvaro@pwntester.com) and Christian Schneider (mail@Christian-Schneider.net) - have found a security issue related to Jython.

Please let us know the best way to report this issue: direct disclosure in this public bug tracker, or private disclosure (via email etc.) prior to that?
msg10660 Author: Jim Baker (zyasoft) Date: 2016-01-19.18:30:55
Alvaro/Christian, please send us email first. Let's restrict this to the most active Jython committers, which I will arbitrarily define as those who have worked on 2.7.1 since beta 2 (see our commit log at https://hg.python.org/jython, but filtering out non committers):

Darjus Loktevic <darjus@gmail.com>
Jim Baker <jim.baker@rackspace.com>
Jeff Allen <ja.py@farowl.co.uk>
Stefan Richthofer <stefan.richthofer@gmx.de>
Frank Wierzbicki <fwierzbicki@gmail.com>

Other Jython committers may also request access if they are interested; please contact me or Frank so we can coordinate with the OP.
msg10661 Author: Christian Schneider (cschneider4711) Date: 2016-01-19.18:34:47
Thanks, we'll send the details of the ticket to the email addresses you provided. We've created this ticket here after two mails we sent on 2016-01-12 and 2016-01-15 to a mail address of the jython community remained unanswered.
msg10662 Author: Jim Baker (zyasoft) Date: 2016-01-19.18:41:32
Christian, I appreciate that you contacted us through the second channel. Feel free to contact me directly at jim.baker@rackspace.com (or equivalently jim.baker@python.org, it doesn't matter) with details of that initial attempt, including the email address. I don't know about others, but I did not receive any email from you prior to this bug report. I suspect we have outdated/wrong information floating around the internet!
msg10663 Author: Frank Wierzbicki (fwierzbicki) Date: 2016-01-19.19:00:37
Looking through my email (fwierzbicki@gmail.com), it looks like I did get some emails on this, sorry to have dropped the ball. I should put some kind of filter in my email for this sort of thing so that it jumps out better.
msg10664 Author: Alvaro Munoz (alvaro) Date: 2016-01-19.20:39:54
No problem :) We will send you the details at the emails listed above.
msg10678 Author: Jim Baker (zyasoft) Date: 2016-02-02.03:37:45
Fixed as of https://hg.python.org/jython/rev/d06e29d100c0
msg10832 Author: Christian Schneider (cschneider4711) Date: 2016-04-12.19:57:45
BTW: MITRE has assigned CVE-2016-4000 for this.
History
Date                 User            Action  Args
2016-04-12 19:57:45  cschneider4711  set     messages: + msg10832
2016-02-09 23:50:00  zyasoft         set     status: pending -> closed
2016-02-02 03:37:45  zyasoft         set     status: open -> pending
                                             resolution: fixed
                                             messages: + msg10678
2016-01-19 20:39:54  alvaro          set     nosy: + alvaro
                                             messages: + msg10664
2016-01-19 19:00:38  fwierzbicki     set     messages: + msg10663
2016-01-19 18:41:33  zyasoft         set     messages: + msg10662
2016-01-19 18:34:48  cschneider4711  set     messages: + msg10661
2016-01-19 18:32:51  zyasoft         set     nosy: + fwierzbicki, jeff.allen, darjus, stefan.richthofer
2016-01-19 18:30:55  zyasoft         set     nosy: + zyasoft
                                             messages: + msg10660
2016-01-19 13:46:46  cschneider4711  create