"shutil copy* unsafe on POSIX - they preserve setuid/setgit bits" https://bugs.python.org/issue17180
There is no fix. A fix may break the backward compatibility. Is it really worth it for the last 3.4 release?
"XML vulnerabilities in Python" https://bugs.python.org/issue17239
Bug inactive since 2015. I don't expect that anyone will step in next weeks with a wonderful solution to all XML issues. I suggest to ignore this one as well, this issue is as old as XML support in Python and I am not aware of any victim of these issues.
Obviously, it would be "nice" to see a fix for these issues but it seems like core devs are more interested to work on other topics and other security issues.
"fflush called on pointer to potentially closed file" (Windows only) https://bugs.python.org/issue19050
It seems like two core devs are opposed to fix this issue.
--
There are open security issues on the HTTP server and urllib. I am more concerned by these issues, but it's hard to fix them, there is a risk of introducing regressions.
Victor