[Python-Dev] PEP 594: Removing dead batteries from the standard library
On 21/05/2019 20.35, Guido van Rossum wrote:
> On Tue, May 21, 2019 at 11:17 AM Christian Heimes <christian at python.org> wrote:
> I'm already facing opposition for modules that are less controversial and useful than http.server, too.
> There's another argument here. This is an "omnibus" PEP, meaning it proposes many unrelated changes. In order to get a consensus to pass the PEP, it may be necessary to compromise. IOW I would recommend removing modules from the PEP that bring up strong opposition, *even* if you yourself feel strongly that those modules should be removed.
> The vast majority of modules on the list hasn't elicited any kind of feedback at all -- those are clearly safe to remove (many people are probably, like myself, hard-pressed to remember what they do). I'm not saying drop anything from the list that elicits any pushback, but once the debate has gone back and forth twice, it may be a hint that a module still has fans. Threatening to open a CVE is more likely to reduce support for the PEP than it is to convince anyone.
It was not a threat, but an illustration of how critical the flaw with spwd + crypt is. The approach performs only authentication and completely bypasses any authorization. It does not take any login restrictions into account, such as the account enabled flag, host/service based access control, IP restriction, credential strength, and so on. I would give the issue a CVSS rating between 8.3 (high) and 9.6 (critical), perhaps CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
By the way, Giampaolo and I have known each other for many years. I know that he'll address the issue and file a CVE himself.
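A defender-side illustration of the authentication/authorization gap described above, added here and not part of the thread or of any project's code. Field names follow spwd.struct_spwd and shadow(5); the entries, the dates and the plaintext `verify` callback are constructed stand-ins (a real check would use crypt or a PAM conversation), and the aging rules are an assumed reading of shadow(5).

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Tuple

@dataclass  # same fields as spwd.struct_spwd / shadow(5); values here are constructed
class ShadowEntry:
    sp_namp: str    # login name
    sp_pwdp: str    # password hash; a leading "!" or "*" means no password login
    sp_lstchg: int  # day of last password change (days since 1970-01-01); 0 = must change
    sp_min: int
    sp_max: int     # days a password stays valid; -1 = no aging
    sp_warn: int
    sp_inact: int   # grace days after sp_max before the login is disabled; -1 = off
    sp_expire: int  # day the whole account expires; -1 = never
    sp_flag: int

def days_since_epoch(d: date) -> int:
    return (d - date(1970, 1, 1)).days

def account_restrictions(e: ShadowEntry, today: int) -> List[str]:
    """Reasons shadow(5) says to refuse this login even when the password matches.
    Host/IP/service restrictions are not in shadow at all; they live in PAM."""
    reasons = []
    if e.sp_pwdp.startswith(("!", "*")):
        reasons.append("password locked")
    if e.sp_expire != -1 and today >= e.sp_expire:
        reasons.append("account expired")
    if e.sp_lstchg == 0:
        reasons.append("password change required")
    elif e.sp_max != -1 and today > e.sp_lstchg + e.sp_max:
        if e.sp_inact != -1 and today > e.sp_lstchg + e.sp_max + e.sp_inact:
            reasons.append("password inactive")  # disabled, not merely expired
        else:
            reasons.append("password expired")
    return reasons

# verify(password, stored_hash) -> bool, e.g. hmac.compare_digest(crypt.crypt(pw, h), h)
Verify = Callable[[str, str], bool]

def naive_login(e: ShadowEntry, password: str, verify: Verify) -> bool:
    """The spwd+crypt pattern from the thread: authentication only."""
    return verify(password, e.sp_pwdp)

def checked_login(e: ShadowEntry, password: str, today: int, verify: Verify) -> Tuple[bool, List[str]]:
    """Authorization first, then authentication; returns (ok, refusal reasons)."""
    reasons = account_restrictions(e, today)
    if reasons:
        return False, reasons
    return verify(password, e.sp_pwdp), []
```

An expired or inactive account with a still-valid hash passes `naive_login` and is refused by `checked_login`, which is the gap the message points at.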