[ubuntu-hardened] Python 2.7.9 security update?

Dario Bertini berdario at gmail.com
Wed Jan 27 22:26:24 UTC 2016


On Mon, Jan 25, 2016 at 3:54 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> At first glance, it would seem like the fix for CVE-2014-9365 is
> something we'd want to backport to all stable Ubuntu releases so that we
> get proper certificate verification everywhere.
>
> However, we feel like it was mostly known that applications were meant
> to handle certificate verification themselves at the time of the Ubuntu
> releases that shipped versions of Python that did not do full
> certificate verification. Changing this behavior underneath applications
> could cause regressions so we've opted to fix individual applications
> that are found to not perform proper verification rather than backport
> the fix for CVE-2014-9365.
>
> This is documented in the Ubuntu CVE tracker:
>
>   http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9365.html
>

Thank you,

Indeed, I was not aware of ~ubuntu-security/cve.

I'm obviously a bit disappointed that the choice went in the direction
of not backporting, but I understand the rationale, and at least now I
have a confirmation; if I stumble on a 12.04 machine I'll know
to pay attention.
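The practical consequence of the thread above is that on a Python older than 2.7.9 (the interpreter shipped with Ubuntu 12.04 and 14.04) an application cannot rely on urllib/httplib to verify the server certificate and must set up verification itself. The following helper is an added example, not code from the thread or from Ubuntu's packages: it builds a context that enforces chain validation and hostname matching regardless of the interpreter's default, and it reports whether the running interpreter's default HTTPS context verifies at all (using the PEP 476 override hook `ssl._create_default_https_context`, which is the documented opt-out that sitecustomize files sometimes flip back to unverified). The function and variable names are my own.

```python
import ssl
import sys


def verifying_context(cafile=None):
    """Return an SSLContext that does what Python >= 2.7.9 / 3.4.3 do by default:
    validate the chain against the trust store and check the hostname.

    On an older interpreter this is what an application has to do itself
    before handing the context to httplib/urllib or wrapping a socket.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both of these; restating them makes the
    # intent explicit and fails loudly if a platform patch changed the defaults.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_safe(ctx):
    """True only if the context both validates the chain and matches the hostname.
    Either one alone leaves a man-in-the-middle undetected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def legacy_like_context():
    """A context with the pre-2.7.9 behaviour (no verification at all), built
    with the PEP 476 escape hatch. Used here only so the audit has something
    unsafe to recognise."""
    return ssl._create_unverified_context()


def default_https_verifies():
    """True if urllib/httplib HTTPS connections verify certificates by default.

    Before 2.7.9 create_default_context does not exist, so the answer is no.
    From 2.7.9 on, the module-level hook _create_default_https_context decides;
    PEP 476 documents reassigning it to _create_unverified_context as the
    opt-out, and that is exactly what this check detects.
    """
    if not hasattr(ssl, "create_default_context"):
        return False
    hook = getattr(ssl, "_create_default_https_context", None)
    return hook is ssl.create_default_context


def audit_interpreter():
    """Summarise the interpreter's TLS posture as a dict (constructed example)."""
    return {
        "python": sys.version.split()[0],
        "default_https_verifies": default_https_verifies(),
        "explicit_context_safe": context_is_safe(verifying_context()),
        "unverified_context_flagged": not context_is_safe(legacy_like_context()),
    }


if __name__ == "__main__":
    for key, value in sorted(audit_interpreter().items()):
        print("%-28s %s" % (key, value))
```

Running the script on a patched interpreter prints `default_https_verifies True`; on a 12.04 system's Python 2.7.3 it prints `False`, which is the signal that every HTTPS client in that environment needs its own verification. The `legacy_like_context` entry is there only to show that `context_is_safe` rejects a non-verifying context, so the same check can be dropped into an application's startup path.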
