
On 9/10/20 1:45 PM, Michał Górny wrote:
> So far the Fedora maintainer and I were able to independently backport one vulnerability that clearly applied (the tarfile one), but we weren't able to get a clear match of any other Python 3.x fixes to the 2.7 codebase. Well, until today, when thanks to you I've noticed that the http.request code has a vulnerable match in httplib.
> But this is all a lot of work, and I'm really supposed to be doing something else right now. I'm trying my best, but I'm not sure I can manage to fix several months of negligence in two days.
Thanks for all you are doing. The release deadline is only a motivator for now, since we could do another, much smaller release next month if needed. I want to move toward python3.7 as soon as possible, since the scientific Python stack's stated Python version policy means 3.6 will no longer be expressly supported, especially after 3.9 comes out.

Matti