Upcoming 3.7.9 and 3.6.12 Security Releases
We are planning to produce security-fix rollup releases for Python 3.7.x and 3.6.x on 2020-08-14. The most recent releases for these versions were on 2020-06-27 and 3.7.8 was the final bugfix release for 3.7. Shortly after those releases, several security issues affecting them were fixed. Because one of those fixes addresses a potential security vulnerability when using Python on Windows (https://bugs.python.org/issue29778), we are making an exception and providing updated binary installers for 3.7.9 since this first 3.7.x security release follows so soon after the final 3.7.x bugfix release.

Also, starting with these releases, we plan to no longer produce release candidates for 3.7.x and 3.6.x security releases, and instead simply provide final releases, as we receive little to no feedback from security release candidates and the number of changes in each security release is small.

Core developers: if you know of any additional security issues that should be addressed in these releases, please mark the relevant bpo issues as "release blocker" and, if possible, submit PRs for review prior to the end of 2020-08-13 AOE. Thanks!

--
Ned Deily
nad@python.org
On Wed, 12 Aug 2020 at 12:03, Ned Deily <nad@python.org> wrote:
Core developers: if you know of any additional security issues that should be addressed in these releases, please mark the relevant bpo issues as "release blocker" and, if possible, submit PRs for review prior to the end of 2020-08-13 AOE. Thanks!
The vulnerabilities that I'm tracking are all fixed in the 3.7 branch: good!

I'm maintaining https://python-security.readthedocs.io/vulnerabilities.html list manually. It's a list of known Python vulnerabilities. I'm using it to ensure that known vulnerabilities are fixed in all branches which still accept security fixes (3.5, 3.6, 3.7, 3.8, 3.9, master). It's common that the oldest branches are forgotten.

Right now, Python 3.7 is considered as vulnerable to these 4 vulnerabilities:

- https://python-security.readthedocs.io/vuln/ipaddress-hash-collisions.html
- https://python-security.readthedocs.io/vuln/http-header-injection-method.htm...
- https://python-security.readthedocs.io/vuln/tarfile-pax-dos.html
- https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html

All of them have "Python 3.7 (need release)" status: a fix is already merged in the 3.7 branch, but there is no release including it yet.

Again, I'm maintaining the list manually, so there are maybe a few other security fixes that I failed to track in this list.

By the way, I'm also maintaining https://pypi.org/project/check-python-vuln/ project: it checks Python for known vulnerabilities. The list of tested vulnerabilities is even shorter :-(

If you would like to help, visit:

* https://github.com/vstinner/python-security/
* https://github.com/vstinner/check_python_vuln

Victor

--
Night gathers, and now my watch begins. It shall not end until my death.
Hi, I am sorry to intrude in this thread. But I think there is a vulnerability in macOS caused by ftruncate. For instance running the following code abruptly crashed macOS (Mojave and Catalina).

```
from multiprocessing.shared_memory import SharedMemory
shm = SharedMemory(name='test-crash', create=True, size=1000000000000000000)
```

This is being tracked at https://bugs.python.org/issue39584. Could you please comment whether this should be fixed by Python, or we should wait for a macOS fix.
On 12-Aug-2020, at 4:38 PM, Victor Stinner <vstinner@python.org> wrote:
https://pypi.org/project/check-python-vuln/
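The report above hands a 10**18-byte request straight to ftruncate(2) through SharedMemory. The following guard, an added example that is not code from the thread or from CPython, validates the requested size against physical RAM before the segment is created, which is the workaround the thread points at; the 8 GB fallback and the 50% cap are assumptions of this example.

```python
"""Reject oversized SharedMemory requests before they reach ftruncate()."""
import os
from multiprocessing.shared_memory import SharedMemory

# Assumed fallback when the OS does not report physical memory (example value).
FALLBACK_PHYS_BYTES = 8 * 1024 ** 3


def physical_memory_bytes():
    """Best-effort physical RAM size in bytes; falls back to the assumed 8 GB."""
    try:
        return os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE")
    except (ValueError, OSError, AttributeError):
        return FALLBACK_PHYS_BYTES


def validate_shm_size(size, phys_bytes, fraction=0.5):
    """Return `size` if it is a positive int no larger than fraction * phys_bytes.

    Raises TypeError or ValueError otherwise, so a request the machine cannot
    possibly back (such as the 1 PB request from the thread) never reaches
    the underlying ftruncate() call.
    """
    if isinstance(size, bool) or not isinstance(size, int):
        raise TypeError(f"size must be an int, got {type(size).__name__}")
    if size <= 0:
        raise ValueError("size must be positive")
    cap = int(phys_bytes * fraction)
    if size > cap:
        raise ValueError(f"requested {size} bytes exceeds cap of {cap} bytes")
    return size


def create_bounded_shared_memory(size, name=None, fraction=0.5):
    """Create a SharedMemory segment only after the size passes validation."""
    checked = validate_shm_size(size, physical_memory_bytes(), fraction)
    return SharedMemory(name=name, create=True, size=checked)


if __name__ == "__main__":
    # The request from the bug report is rejected here instead of being
    # passed on to the operating system.
    try:
        create_bounded_shared_memory(1000000000000000000, name="test-crash")
    except ValueError as exc:
        print("rejected:", exc)
    # A sane request still works; clean up the segment afterwards.
    shm = create_bounded_shared_memory(4096)
    shm.close()
    shm.unlink()
```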
On Wed, 12 Aug 2020 at 14:09, Vinay Sharma <vinay04sharma@icloud.com> wrote:
This is being tracked at https://bugs.python.org/issue39584. Could please comment whether this should be fixed by python, or we should wait for a macos fix.
This issue looks like a regular bug. I suggest not holding a security release for it. It's more important that fixes for security vulnerabilities are released as soon as possible.

Also, it seems easy to work around the issue: don't attempt to allocate 1 PB if you only have 8 GB of memory :-)

Victor

--
Night gathers, and now my watch begins. It shall not end until my death.