See here, 2.5.2 and all versions below probably affected: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1721
+*python-2.5.2 (18 Apr 2008)
+*python-2.4.4-r10 (18 Apr 2008)
+*python-2.3.6-r5 (18 Apr 2008)
+
+  18 Apr 2008; Ali Polatel <hawking@gentoo.org> +python-2.3.6-r5.ebuild,
+  +python-2.4.4-r10.ebuild, +python-2.5.2.ebuild:
+  Version bumps. Updated patchsets to fix buffer overflow in zlib extension
+  (CVE-2008-1721) bug 217221 and unsafe PyString_FromStringAndSize(). Added
+  patch by Mark Peloquin for distutils to respect CXXFLAGS, bug 145206. Add
+  wininst USE flag to conditionally install MS Windows executables, bug
+  198021. Use EAPI=1, rename nothreads and nocxx USE flags to threads and
+  cxx.

Updated versions have the fix included. A note for testers: please check if the PoCs attached on the upstream bug raise ValueError instead of dumping core :)
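An added regression check for the tester note above (this is not code from the bug, the upstream PoCs, or Gentoo's patchset); it assumes only the standard-library zlib module and the behaviour the CVE-2008-1721 fix introduced, namely that decompressobj().flush() rejects a non-positive length with ValueError instead of using it as an unsigned buffer size. The compressed sample payload is constructed for the check.

```python
import zlib

# Constructed sample: compress a known payload so the decompressor has
# real state behind it before flush() is called.
SAMPLE = zlib.compress(b"gentoo bug 217221 " * 64)


def flush_outcome(length):
    """Feed SAMPLE to a fresh decompressobj, then call flush(length).

    Returns "ValueError" when flush() rejects the length, or "ok" when it
    succeeds. On a fixed interpreter a non-positive length is rejected;
    the pre-fix code (CVE-2008-1721) took the signed value as a buffer
    size and overflowed, which is the core dump the tester note mentions.
    """
    d = zlib.decompressobj()
    d.decompress(SAMPLE)
    try:
        d.flush(length)
    except ValueError:
        return "ValueError"
    return "ok"


def fix_present():
    """True when -1 and 0 are both rejected and a normal length still
    flushes cleanly, i.e. the patch is in place and did not break the
    ordinary path."""
    return (flush_outcome(-1) == "ValueError"
            and flush_outcome(0) == "ValueError"
            and flush_outcome(zlib.DEF_BUF_SIZE) == "ok")


if __name__ == "__main__":
    print("CVE-2008-1721 fix present:", fix_present())
```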
The "PyString_FromStringAndSize()" is CVE-2008-1887. Ali, can you also address bug 216673 before we stable?
hawking, I read your comment about dropping python 2.3. When exactly do you plan to do that?
GLSA 200807-01