[RELEASED] Python 3.4.9 and Python 3.5.6 are now available

On behalf of the Python development community, I'm happy to announce the availability of Python 3.4.9 and Python 3.5.6.

Both Python 3.4 and 3.5 are in "security fixes only" mode. Both versions only accept security fixes, not conventional bug fixes, and both releases are source-only.

You can find Python 3.4.9 here:
https://www.python.org/downloads/release/python-349/

And you can find Python 3.5.6 here:
https://www.python.org/downloads/release/python-356/

We now return you to your pitched debate already in progress,

//arry/

Hi,

2018-08-02 16:00 GMT+02:00 Larry Hastings <larry@hastings.org>:
On behalf of the Python development community, I'm happy to announce the availability of Python 3.4.9 and Python 3.5.6.
Great! FYI these versions fix two security vulnerabilities:

(*) CVE-2018-1000117: Buffer overflow vulnerability in os.symlink on Windows
http://python-security.readthedocs.io/vuln/cve-2018-1000117_buffer_overflow_...

(*) CVE-2018-1060: difflib and poplib catastrophic backtracking
http://python-security.readthedocs.io/vuln/cve-2018-1060_difflib_and_poplib_...

3.4.9 and 3.5.6 have no more known security vulnerabilities :-)

Victor

On 08/02/2018 07:17 AM, Victor Stinner wrote:
3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
Well, not to be a complete pill, but...

https://bugs.python.org/issue17180
https://bugs.python.org/issue17239
https://bugs.python.org/issue19050

Sadly, just because they're languishing on bpo doesn't mean they aren't valid security vulnerabilities.

//arry/

On 03/08/2018 03:22, Larry Hastings wrote:
On 08/02/2018 07:17 AM, Victor Stinner wrote:
3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
Well, not to be a complete pill, but...
https://bugs.python.org/issue17180
https://bugs.python.org/issue17239
https://bugs.python.org/issue19050
Sadly, just because they're languishing on bpo doesn't mean they aren't valid security vulnerabilities.
+1 - Sadly, not fixed after 5 years - Why? Because it isn't sexy, or fear of breaking things?

Breaking things could be valid - when it is a feature/design change, but the whole point of security fixes is because we believe the security vulnerability is breakage. Not fixing it keeps everything that depends on it (intentional or not) also broken. Any app that depends on 'broken' behavior needs to be fixed - rather than let a known vulnerability go from 0-day to 1825-day vulnerability (or is it 2000 already?)

Only read the discussion for 17180 - but it seems anything old does not get fixed because it did not get fixed years ago.

my two cents!

On a side note: I have been trying to test python on different "enterprise" distros of linux and am amazed to see Python2-2.7.5 as the 'standard'. Rather disheartening for all the good work that gets done. i.e., I am amazed that CVEs like the ones fixed in 3.4.9 and 3.5.6 (and maybe already/later in 2.7.X) do not motivate distributions to update to current levels.

oh my - up to 4 cents! :)

Thanks for the work - I'll get to packaging them for AIX.
//arry/
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/aixtools%40felt.demon.nl

On 2018-08-05 19:57, Michael wrote:
On 03/08/2018 03:22, Larry Hastings wrote:
On 08/02/2018 07:17 AM, Victor Stinner wrote:
3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
Well, not to be a complete pill, but...
https://bugs.python.org/issue17180
https://bugs.python.org/issue17239
https://bugs.python.org/issue19050
Sadly, just because they're languishing on bpo doesn't mean they aren't valid security vulnerabilities.
+1 - Sadly, not fixed after 5 years - Why? Because it isn't sexy, or fear of breaking things?
[snip]

Re https://bugs.python.org/issue19050, on Windows 10, Python 3.6 and Python 3.7 both work OK and Python 3.5 complains about a bad file descriptor.

----- Original Message -----
From: "Michael" <aixtools@felt.demon.nl>
To: "Larry Hastings" <larry@hastings.org>, python-dev@python.org
Sent: Sunday, August 5, 2018 8:57:40 PM
Subject: Re: [Python-Dev] [python-committers] [RELEASED] Python 3.4.9 and Python 3.5.6 are now available
On 03/08/2018 03:22, Larry Hastings wrote:
On 08/02/2018 07:17 AM, Victor Stinner wrote:
3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
Well, not to be a complete pill, but...
Sadly, just because they're languishing on bpo doesn't mean they aren't valid security vulnerabilities.
+1 - Sadly, not fixed after 5 years - Why? Because it isn't sexy, or fear of breaking things?
Breaking things could be valid - when it is a feature/design change, but the whole point of security fixes is because we believe the security vulnerability is breakage. Not fixing it keeps everything that depends on it (intentional or not) also broken. Any app that depends on 'broken' behavior needs to be fixed - rather than let a known vulnerability go from 0-day to 1825-day vulnerability (or is it 2000 already?)
Only read the discussion for 17180 - but it seems anything old does not get fixed because it did not get fixed years ago.
my two cents!
On a side note: I have been trying to test python on different "enterprise" distros of linux and am amazed to see Python2-2.7.5 as the 'standard'. Rather disheartening for all the good work that gets done. i.e., I am amazed that CVEs like the ones fixed in 3.4.9 and 3.5.6 (and maybe already/later in 2.7.X) do not motivate distributions to update to current levels.
A side note on your side note. Different distros have different standards, use/customer cases to address etc. In enterprise distributions the usual scheme is that the version that you see is the minimum one, and many fixes coming from upstream or the redistributor are incorporated on top of that version. Just check the package changelogs. :) CVEs do get fixed, and there is actually cooperation with upstream on different levels in regards to those. And speaking here as one of the people doing that for one of the enterprise distros.
oh my - up to 4 cents! :)
Thanks for the work - I'll get to packaging them for AIX.
//arry/
--
Regards,

Charalampos Stratakis
Software Engineer
Python Maintenance Team, Red Hat

On 8/6/2018 11:38 AM, Charalampos Stratakis wrote:
A side note on your side note. Different distros have different standards, use/customer cases to address etc. In enterprise distributions the usual scheme is that the version that you see is the minimum one, and many fixes coming from upstream or the redistributor are incorporated on top of that version. Just check the package changelogs. :) CVEs do get fixed, and there is actually cooperation with upstream on different levels in regards to those. And speaking here as one of the people doing that for one of the enterprise distros.
a) good to hear

b) On AIX they stayed with ssh at version 6.0 for so long that, even with all the CVE fixes et al included, it was still extremely weak compared to 6.7 and later, when they tightened the default ciphers. And yes, I fell over the change - but was glad, in the end, to be rid of weak ssh clients.

c) read package changelogs. The :) is because they are hard to read or non-existent.

I do not mean to criticize any "enterprise" methods. My "enterprise" of choice is AIX, and when it comes to OSS I dare say everyone else does a better job (which is why I got started with packaging in the first place - but only what I need and/or someone requests).

However, I do find it very very hard to know what python 2.7.5 has or has not, that 2.7.15 now has. There are, iirc, quite a few important changes. The "hard" freeze seems to have come at roughly 2.7.8 or 2.7.9 (just a guess).

Also, as I am trying to test on other platforms, it gets a bit frustrating when the latest python3 I can find is a v3.4.X.

Might be good for project developers (in general, not meant as specific to python) to understand that version number changes are not followed - blindly - by enterprise patch management, and being too quick with version number changes will make it more difficult for users to know what they have.

p.s. I do not do this (packaging/patch management) for any "distro". In that sense I am "just a consumer" who "rolls his own" when/if needed.
participants (6)

- Charalampos Stratakis
- Larry Hastings
- Michael
- Michael Felt
- MRAB
- Victor Stinner