Di, since we're not getting any response, have you tried these support resources?

Resources
Information on installation, FAQ, troubleshooting, debugging, and projects using pythonnet can be found in the Wiki: https://github.com/pythonnet/pythonnet/wiki
Chat https://gitter.im/pythonnet/pythonnet

Surely someone else using PythonNet has encountered and figured out a way to resolve this Python Security issue:

Python Buffer Overflow/Web Cache Poisoning Vulnerability

CVE-2021-3177: A vulnerability in Python 3 may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Affected Versions:
Python Versions 3.X up to 3.6.12
Python Versions 3.7.0 up to 3.7.9
Python Versions 3.8.0 up to 3.8.7
Python Versions 3.9.0 up to 3.9.1

CVE-2021-23336: A vulnerability in python may lead to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking.

Affected Versions:
Python Versions 0.X up to 3.6.12
Python Versions 3.7.0 up to 3.7.9
Python Versions 3.8.0 up to 3.8.7
Python Versions 3.9.0 up to 3.9.1

Thanks,
Doug Wyant (Aptly Technology Corporation), GSEC, GCIH
Service Engineer 2
C & AI | CEO | Data, Insights, and Tools
Compliance Management & Operations Team

From: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>
Sent: Thursday, July 15, 2021 10:42 AM
To: Vince Luff <vinceluff@hotmail.com>; A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com>
Subject: RE: [Python.NET] Re: Support for Python v3.9

Hi Vince/Pythonnet,

Is there any update on this?

Thanks,
Di

From: Di Yang (PACTERA TECHNOLOGIES INC)
Sent: Monday, July 12, 2021 10:55 AM
To: 'Vince Luff' <vinceluff@hotmail.com>; 'A list for users and developers of Python.NET' <pythonnet@python.org>
Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com>
Subject: RE: [Python.NET] Re: Support for Python v3.9

Hi Vince/Pythonnet,

Is there any update on this?

Thanks,
Di

From: Di Yang (PACTERA TECHNOLOGIES INC)
Sent: Thursday, July 8, 2021 11:11 AM
To: Vince Luff <vinceluff@hotmail.com>; A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com>
Subject: RE: [Python.NET] Re: Support for Python v3.9

Hi Vince/Pythonnet,

I tested again with Python 3.9.6, which was released on 6/28, and still got an error when running "pip install pythonnet". I got the same error on two machines. How could we solve it?

Thanks,
Di

From: Vince Luff <vinceluff@hotmail.com>
Sent: Saturday, May 15, 2021 4:19 AM
To: A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>
Subject: [EXTERNAL] Re: [Python.NET] Re: Support for Python v3.9

Hi guys,

Am I missing something here, because Python.Net v2.5.2 already supports Python 3.9:

https://github.com/pythonnet/pythonnet/releases

"Additionally, includes support for Python 3.9"

Regards,
Vince

________________________________
From: Mark Visser <markv@unity3d.com>
Sent: 13 May 2021 17:14
To: A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>
Subject: [Python.NET] Re: Support for Python v3.9

Hi Douglas,

It looks to me like this was fixed in Python 3.6, 3.7, 3.8 and 3.9:

From https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html:

Fixed In

* Python 3.6.13 (2021-02-16) fixed by commit e912e94 (branch 3.6) <https://github.com/python/cpython/commit/e912e945f2960029d039d3390ea08835ad39374b> (2020-10-20)
* Python 3.7.10 (2021-02-16) fixed by commit 43e5231 (branch 3.7) <https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9> (2020-10-20)
* Python 3.8.7 (2020-12-21) fixed by commit 6c6c256 (branch 3.8) <https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33> (2020-10-06)
* Python 3.9.1 (2020-12-07) fixed by commit b664a1d (branch 3.9) <https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794> (2020-10-06)

So you should be able to address the CVE by upgrading to one of these patch versions.

AFAIK we don't have a timeline for 3.9 support in Python for .NET yet.

cheers,
-Mark

Mark Visser
Senior Dev Manager, M&E
Unity Technologies - www.unity3d.com

On May 12, 2021, at 12:43 PM, Douglas Wyant (Aptly Technology Corporation) via PythonNet <pythonnet@python.org> wrote:

PythonNet,

Hi folks, I have no idea if this is the correct way to engage support / ask questions, so please redirect me.

We need to deploy Python v3.9 to resolve a known Security issue in older versions.
I'm told we're blocked on deploying until PythonNet is updated to support v3.9. So the question is when might that be?

https://bugs.python.org/issue41944

CVE-2020-27619: Windows Python versions 3.0.0 through 3.9.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Affected Versions
Python versions 3.0.0 through 3.9.0

Thanks,
Doug Wyant (Aptly Technology Corporation), GSEC, GCIH
Service Engineer 2
Microsoft

_______________________________________________
PythonNet mailing list -- pythonnet@python.org
To unsubscribe send an email to pythonnet-leave@python.org
https://mail.python.org/mailman3/lists/pythonnet.python.org/
Member address: markv@unity3d.com
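
Added example, not part of the thread and not Python.NET code: a check that maps an interpreter version to the CVEs named in this thread, using the affected ranges and "Fixed In" releases quoted above, plus a behavioural probe for the `;` separator handling behind CVE-2021-23336. The function names, the treatment of branches older than 3.6 as unfixed, and the treatment of 3.10 and later as unaffected are assumptions of this example.

```python
import sys
from urllib.parse import parse_qsl

# First fixed micro release per 3.x branch, derived from the affected ranges
# and the "Fixed In" list quoted in the thread (CVE-2020-27619 follows the
# per-branch list rather than the broader "3.0.0 through 3.9.0" summary).
FIRST_FIXED = {
    "CVE-2020-27619": {6: 13, 7: 10, 8: 7, 9: 1},
    "CVE-2021-23336": {6: 13, 7: 10, 8: 8, 9: 2},
    "CVE-2021-3177": {6: 13, 7: 10, 8: 8, 9: 2},
}


def affected(version):
    """Return the CVE ids from the thread whose range covers `version`."""
    major, minor, micro = version[:3]
    hits = []
    for cve, fixed in FIRST_FIXED.items():
        if major < 3:
            # Only CVE-2021-23336 is quoted with a range starting below 3.x.
            vulnerable = cve == "CVE-2021-23336"
        elif major > 3 or minor > 9:
            vulnerable = False  # assumption: ranges in the thread stop at 3.9
        elif minor < 6:
            vulnerable = True   # assumption: no fixed release listed for branch
        else:
            vulnerable = micro < fixed[minor]
        if vulnerable:
            hits.append(cve)
    return hits


def semicolon_is_separator():
    """Behavioural probe for CVE-2021-23336: does parse_qsl split on ';'?"""
    # Patched interpreters split only on '&', giving one pair: ('a', '1;b=2').
    return len(parse_qsl("a=1;b=2")) == 2


if __name__ == "__main__":
    running = tuple(sys.version_info[:3])
    print("interpreter", running, "->", affected(running) or "none listed")
    print("parse_qsl splits on ';':", semicolon_is_separator())
    for sample in [(3, 9, 6), (3, 9, 0), (3, 8, 7)]:  # constructed samples
        print(sample, "->", affected(sample) or "none listed")
```

The behavioural probe is the more reliable of the two checks on distribution builds, where a fix may have been backported without changing the reported version number.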