Message-ID: <aXPKOvcPCd_ARqpQ@symphytum.spacehopper.org>
Date: Fri, 23 Jan 2026 19:21:30 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter
On 2026/01/23 11:06, Alan Coopersmith wrote:
> Of note, https://github.com/dabeaz/ply now bears a banner:
> "This repository was archived by the owner on Dec 21, 2025. It is now read-only."
And the most recent commit added to the readme:
"After 25 years, I've decided to abandon the PLY project. No further
maintenance is expected. At this point, there are many high-quality
parsing libraries that you might consider using instead. Or you could
continue to use PLY by copying it into your project. Or you could write
a hand-rolled recursive descent parser. I don't really have a
specific recommendation (although writing a parser by hand can be
a fun challenge)."