On Wed, 12 Aug 2020 at 12:03, Ned Deily firstname.lastname@example.org wrote:
Core developers: if you know of any additional security issues that should be addressed in these releases, please mark the relevant bpo issues as "release blocker" and, if possible, submit PRs for review prior to the end of 2020-08-13 AOE. Thanks!
The vulnerabilities that I'm tracking are all fixed in the 3.7 branch: good!
I'm maintaining the https://python-security.readthedocs.io/vulnerabilities.html list manually. It's a list of known Python vulnerabilities. I'm using it to ensure that known vulnerabilities are fixed in all branches which still accept security fixes (3.5, 3.6, 3.7, 3.8, 3.9, master). It's common that the oldest branches are forgotten.
Right now, Python 3.7 is considered vulnerable to these 4 vulnerabilities:

- https://python-security.readthedocs.io/vuln/ipaddress-hash-collisions.html
- https://python-security.readthedocs.io/vuln/http-header-injection-method.htm...
- https://python-security.readthedocs.io/vuln/tarfile-pax-dos.html
- https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html
All of them have "Python 3.7 (need release)" status: a fix is already merged in the 3.7 branch, but there is no release including it yet.
Again, I'm maintaining the list manually, so there are maybe a few other security fixes that I failed to track in this list.
By the way, I'm also maintaining the https://pypi.org/project/check-python-vuln/ project: it checks Python for known vulnerabilities. The list of tested vulnerabilities is even shorter :-(
If you would like to help, visit: