Who should security issues be reported to?

In article <11************ *********@f14g2 000cwb.googlegr oups.com>,
<gr*****@dscpl. com.au> wrote:

Who are the appropriate people to report security problems to in
respect of a module included with the Python distribution? I don't
feel it appropriate to be reporting it on general mailing lists.

There is no generally appropriate non-public mechanism for reporting
security issues. If you really think this needs to be handled
privately, do some research to find out which core developer is most
likely to be familiar with it. Even before you do that, check
SourceForge to find out whether anyone else has reported it as a bug.
--
Aahz (aa**@pythoncra ft.com) <*> http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing." --Alan Perlis

Aahz wrote:

In article <11************ *********@f14g2 000cwb.googlegr oups.com>,
<gr*****@dscpl. com.au> wrote:

Who are the appropriate people to report security problems to in
respect of a module included with the Python distribution? I don't
feel it appropriate to be reporting it on general mailing lists.

There is no generally appropriate non-public mechanism for reporting
security issues. If you really think this needs to be handled
privately, do some research to find out which core developer is most
likely to be familiar with it. Even before you do that, check
SourceForge to find out whether anyone else has reported it as a bug.

I find this response a bit dissappointing frankly. Open Source people
make
such a big deal about having lots of people being able to look at
source
code and from that discover security problems, thus making it somehow
making it better than proprietary source code. From what I can see, if
an
Open Source project is quite large with lots of people involved, it
makes it
very hard to try and identify who you should report something to when
there is no clearly identifiable single point of contact for security
related
issues. Why should I have to go through hoops to try and track down who
is appropriate to send it to? All you need is a single advertised email
address
for security issues which is forwarded onto a small group of developers
who can then evaluate the issue and forward it on to the appropriate
person.
Such developers could probably do such evaluation in minutes, yet I
have
to spend a lot longer trying to research who to send it to and then
potentially
wait days for some obscure person mentioned in the source code who has
not touched it in years to respond, if at all. Meanwhile you have a
potentially
severe security hole sitting there wating for someone to expliot, with
the
only saving grace being the low relative numbers of users who may be
using
it in the insecure manner and that it would be hard to identify the
actual web
sites which suffer the problem.

I'm sorry, but this isn't really good enough. If Open Source wants to
say that
they are better than these proprietary companies, they need to deal
with these
sorts of things more professionally and establish decent channels of
communications for dealing with it.

And yes I have tried mailing the only people mentioned in the module in
question and am still waiting for a response.

gr*****@dscpl.c om.au wrote:

I'm sorry, but this isn't really good enough. If Open Source wants to
say that
they are better than these proprietary companies, they need to deal
with these
sorts of things more professionally and establish decent channels of
communications for dealing with it.

Is that the sound of a volunteer I hear?

All you have to do is put your hand up, and the problem will be solved. If not
you, who?

Cheers,
Nick.

--
Nick Coghlan | nc******@email. com | Brisbane, Australia
---------------------------------------------------------------
http://boredomandlaziness.skystorm.net

Nick Coghlan <nc******@iinet .net.au> writes:

Is that the sound of a volunteer I hear?

All you have to do is put your hand up, and the problem will be
solved. If not you, who?

Tell me about it. See the "rotor replacement" thread.

gr*****@dscpl.c om.au wrote:

I find this response a bit dissappointing frankly. Open Source people
make
such a big deal about having lots of people being able to look at
source
code and from that discover security problems, thus making it somehow
making it better than proprietary source code.

I think part of the problem you are having is that Python doesn't make any
representations about security, so it is pretty hard to come up with issues
which really are security related. Products which are based on Python (e.g.
Zope) and which do aim to provide some kind of secure environment probably
will have some clear mechanism for reporting security related issues.

The only part of Python which used to claim to offer security was rexec and
the bastion module, but they had so many security issues that they were
removed from the distribution.

In other words, I'm intrigued how you managed to come up with something you
consider to be a security issue with Python since Python offers no
security. Perhaps, without revealing the actual issue in question, you
could give an example of some other situation which, if it came up in
Python you would consider to be a security issue?

Nick Coghlan wrote:

I'm sorry, but this isn't really good enough. If Open Source wants to
say that they are better than these proprietary companies, they need
to deal with these sorts of things more professionally and establish
decent channels of communications for dealing with it.

Is that the sound of a volunteer I hear?

All you have to do is put your hand up, and the problem will be solved. If not you, who?

oh, please. this is a security issue. it needs a little more coordination
than an ordinary bug report.

</F>

Duncan Booth <du**********@i nvalid.invalid> writes:

In other words, I'm intrigued how you managed to come up with something you
consider to be a security issue with Python since Python offers no
security. Perhaps, without revealing the actual issue in question, you
could give an example of some other situation which, if it came up in
Python you would consider to be a security issue?

Until fairly recently, the pickle module was insufficiently documented
as being unsafe to use with hostile data, so people used it that way.
As a result, the Cookie module's default settings allowed remote
attackers to take over Python web apps. See SF bug 467384.

[Duncan]

I'm intrigued how you managed to come up with something you
consider to be a security issue with Python since Python offers no
security. Perhaps, without revealing the actual issue in question, you
could give an example of some other situation which, if it came up in
Python you would consider to be a security issue?

I can't speak for the OP, but one hypothetical example might be a buffer
overrun vulnerability in the socket module.

--
Richie Hindle
ri****@entrian. com

Duncan Booth wrote:

I think part of the problem you are having is that Python doesn't make any
representations about security, so it is pretty hard to come up with issues
which really are security related. Products which are based on Python (e.g.
Zope) and which do aim to provide some kind of secure environment probably
will have some clear mechanism for reporting security related issues.

security issues occur when code that claims to do something can be used to do
something entirely different, by malevolent application users.

(wxPython doesn't make any security claims either, but if it turned out that you
could gain root access, modify the underlying database, modify variables in the
program, execute arbitrary code, or some other similar thing simply by typing the
right things into a password entry field, wouldn't you consider that a security
issue?)

(no, this issue isn't related to wxPython)

</F>