From: Adam B. <ada...@gm...> - 2019-06-21 11:26:31

Going from the bug report, I didn’t work on it, and a core dev could correct me, but it’s specifically about deserializing Python objects.

https://hg.python.org/jython/rev/d06e29d100c0

It would depend on whether your app had an exposed endpoint that accepted Python objects. All the usual caveats about eg web form data hygiene apply.

Without knowing your exact organizational or technical constraint, I would mention that security bugs can be excellent sticks for pushing through needed, but delayed, upgrades to current versions of infrastructure and libraries, like upgrading to Jython 2.7.1. Priorities can suddenly realign.

Cheers
Adam

> On 21 June 2019, at 9:19 PM, Adam Burke <ada...@gm...> wrote:
>
> Going from the bug report, it’s specifically about deserializing Python objects.
>
> https://hg.python.org/jython/rev/d06e29d100c0
>
> It would depend on whether your app had an exposed endpoint that accepted Python objects. All the usual caveats about eg web form data hygiene apply.
>
> Without knowing your exact organizational or technical constraint, I would say that security bugs can be excellent sticks for pushing through needed, but delayed, upgrades to current versions of infrastructure and libraries, like upgrading to Jython 2.7.1. Priorities can suddenly realign.
>
> Cheers
> Adam
>
>> On 21 June 2019, at 8:57 PM, Samuel Schober <sam...@we...> wrote:
>>
>> Hello,
>>
>> I am using the jython package for a project and have a question about an issue you had.
>>
>> The used version is 2.5.3 and unfortunately it can not be updated to 2.7.1. Now I found the following issue:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
>>
>> It notices that jython allows attackers to execute arbitrary code and I wanted to ask what kind of code could be executed?
>>
>> Is it only python code which could be executed or is it possible to execute any kind of binary code?
>>
>> And is it possible to have influence on the server outside of the application or does it just affect my application?
>>
>> I hope you can help me with that question.
>>
>> Best regards,
>>
>> Samuel Schober
>>
>> _______________________________________________
>> Jython-users mailing list
>> Jyt...@li...
>> https://lists.sourceforge.net/lists/listinfo/jython-users
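As an added illustration of the point above about endpoints that accept serialized Python objects (example code, not from the thread or from Jython itself): the CPython 3 snippet below assumes the objects arrive as pickle data, which the thread does not state, and shows two defensive checks an application can put in front of such an endpoint: a pre-scan of the opcode stream for anything that can look up or call code, and an Unpickler that refuses every global reference so that only plain data round-trips.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that make the unpickler look up or call code instead of
# building plain data (names as pickletools reports them).
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE", "NEWOBJ",
                "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}


def unsafe_opcodes(data):
    """Pre-scan: names of code-invoking opcodes in a pickle, without loading it."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                   if op.name in CODE_OPCODES})


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so no class or function can be reconstructed."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError("refused global %s.%s" % (module, name))


def safe_loads(data):
    """Load only plain data (dicts, lists, strings, numbers, ...)."""
    if unsafe_opcodes(data):
        raise pickle.UnpicklingError("pickle contains code-invoking opcodes")
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def is_accepted(data):
    """True if the payload passes the data-only policy, False if it is refused."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample payloads: a plain record, and an object whose pickle
# needs a global lookup to rebuild (harmless here, but it exercises the same
# mechanism that any code-executing pickle relies on).
PLAIN_RECORD = pickle.dumps({"user": "alice", "ids": [1, 2, 3]}, protocol=2)
NEEDS_GLOBAL = pickle.dumps(OrderedDict(a=1), protocol=2)

if __name__ == "__main__":
    print(unsafe_opcodes(PLAIN_RECORD), safe_loads(PLAIN_RECORD))
    print(unsafe_opcodes(NEEDS_GLOBAL), is_accepted(NEEDS_GLOBAL))
```

The pre-scan is the cheaper check to log on (it never executes the payload), while the refusing Unpickler is the backstop if a scan is ever bypassed.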