Support for Python v3.9
PythonNet,

Hi folks,

I have no idea if this is the correct way to engage support / ask questions, so please redirect me.

We need to deploy Python v3.9 to resolve a known Security issue in older versions. I'm told we're blocked on deploying until PythonNet is updated to support v3.9. So the question is when might that be?

https://bugs.python.org/issue41944

CVE-2020-27619: Windows Python versions 3.0.0 through 3.9.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Affected Versions
Python versions 3.0.0 through 3.9.0

Thanks,
Doug Wyant (Aptly Technology Corporation), GSEC, GCIH
Service Engineer 2
Microsoft
From: Mark Visser <markv@unity3d.com>
Sent: 13 May 2021 17:14
To: A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>
Subject: [Python.NET] Re: Support for Python v3.9

Hi Douglas,

It looks to me like this was fixed in Python 3.6, 3.7, 3.8 and 3.9:

From https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html:

Fixed In <https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html#fixed-in>

* Python 3.6.13 (2021-02-16) fixed by commit e912e94 (branch 3.6) <https://github.com/python/cpython/commit/e912e945f2960029d039d3390ea08835ad39374b> (2020-10-20)
* Python 3.7.10 (2021-02-16) fixed by commit 43e5231 (branch 3.7) <https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9> (2020-10-20)
* Python 3.8.7 (2020-12-21) fixed by commit 6c6c256 (branch 3.8) <https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33> (2020-10-06)
* Python 3.9.1 (2020-12-07) fixed by commit b664a1d (branch 3.9) <https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794> (2020-10-06)

So you should be able to address the CVE by upgrading to one of these patch versions.

AFAIK we don't have a timeline for 3.9 support in Python for .NET yet.

cheers,
-Mark

Mark Visser
Senior Dev Manager, M&E
Unity Technologies - www.unity3d.com
On May 12, 2021, at 12:43 PM, Douglas Wyant (Aptly Technology Corporation) via PythonNet <pythonnet@python.org> wrote:
PythonNet, Hi folks, I have no idea if this is the correct way to engage support / ask questions, so please redirect me. We need to deploy Python v3.9 to resolve a known Security issue in older versions. I’m told we’re blocked on deploying until PythonNet is updated to support v3.9. So the question is when might that be?
https://bugs.python.org/issue41944

CVE-2020-27619: Windows Python versions 3.0.0 through 3.9.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Affected Versions
Python versions 3.0.0 through 3.9.0
Thanks,
Doug Wyant (Aptly Technology Corporation), GSEC, GCIH
Service Engineer 2
Microsoft
_______________________________________________
PythonNet mailing list -- pythonnet@python.org
To unsubscribe send an email to pythonnet-leave@python.org
https://mail.python.org/mailman3/lists/pythonnet.python.org/
Member address: markv@unity3d.com
From: Vince Luff <vinceluff@hotmail.com>
Sent: Saturday, May 15, 2021 4:19 AM
To: A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>
Subject: [EXTERNAL] Re: [Python.NET] Re: Support for Python v3.9

Hi guys,

Am I missing something here, because Python.Net v2.5.2 already supports Python 3.9:

https://github.com/pythonnet/pythonnet/releases

"Additionally, includes support for Python 3.9"

Regards,
Vince
Hi,

Indeed, we back-ported support as such in Python.NET 2.5.2, but we ran into some ominous crashes in CI. That's why we don't claim support on PyPI and don't provide wheels for 3.9. You can either build 2.5.2 yourself or try to use the current master instead.

We'll try to come up with a concrete roadmap for the 3.0 release in one of the next biweekly meetings.

Regards
Benedikt
From: Di Yang (PACTERA TECHNOLOGIES INC)
Sent: Thursday, July 8, 2021 11:11 AM
To: Vince Luff <vinceluff@hotmail.com>; A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com>
Subject: RE: [Python.NET] Re: Support for Python v3.9

Hi Vince/Pythonnet,

I tested again with Python 3.9.6, which was released on 6/28, and still got an error when running "pip install pythonnet". I got the same error on two machines. How could we solve it?

[attached image: image001.png]

Thanks,
Di
From: Di Yang (PACTERA TECHNOLOGIES INC)
Sent: Monday, July 12, 2021 10:55 AM
To: 'Vince Luff' <vinceluff@hotmail.com>; 'A list for users and developers of Python.NET' <pythonnet@python.org>
Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com>
Subject: RE: [Python.NET] Re: Support for Python v3.9

Hi Vince/Pythonnet,

Is there any update on this?

Thanks,
Di
From: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>
Sent: Thursday, July 15, 2021 10:42 AM
To: Vince Luff <vinceluff@hotmail.com>; A list for users and developers of Python.NET <pythonnet@python.org>
Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com>
Subject: RE: [Python.NET] Re: Support for Python v3.9

Hi Vince/Pythonnet,

Is there any update on this?

Thanks,
Di
Di, since we're not getting any response, have you tried these support resources? Resources Information on installation, FAQ, troubleshooting, debugging, and projects using pythonnet can be found in the Wiki: https://github.com/pythonnet/pythonnet/wiki Chat https://gitter.im/pythonnet/pythonnet Surely someone else using PythonNet has encountered and figured out a way to resolve this Python Security issue: Python Buffer Overflow/Web Cache Poisoning Vulnerability CVE-2021-3177 : A vulnerability in Python 3 may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.<P> Affected Versions: <BR> Python Versions 3.X up to 3.6.12<BR> Python Versions 3.7.0 up to 3.7.9<BR> Python Versions 3.8.0 up to 3.8.7<BR> Python Versions 3.9.0 up to 3.9.1<P> CVE-2021-23336 : A vulnerability in python may lead to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. Affected Versions: <BR> Python Versions 0.X up to 3.6.12<BR> Python Versions 3.7.0 up to 3.7.9<BR> Python Versions 3.8.0 up to 3.8.7<BR> Python Versions 3.9.0 up to 3.9.1<P> Thanks, Doug Wyant (Aptly Technology Corporation), GSEC, GCIH Service Engineer 2 C & AI | CEO | Data, Insights, and Tools Compliance Management & Operations Team From: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com> Sent: Thursday, July 15, 2021 10:42 AM To: Vince Luff <vinceluff@hotmail.com>; A list for users and developers of Python.NET <pythonnet@python.org> Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com>; Fan Yang (COMMERCE) <fay@microsoft.com> Subject: RE: [Python.NET] Re: Support for Python v3.9 Hi Vince/Pythonnet, Is there any update on this? 
Thanks, Di From: Di Yang (PACTERA TECHNOLOGIES INC) Sent: Monday, July 12, 2021 10:55 AM To: 'Vince Luff' <vinceluff@hotmail.com<mailto:vinceluff@hotmail.com>>; 'A list for users and developers of Python.NET' <pythonnet@python.org<mailto:pythonnet@python.org>> Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com<mailto:v-douglw@microsoft.com>>; Fan Yang (COMMERCE) <fay@microsoft.com<mailto:fay@microsoft.com>> Subject: RE: [Python.NET] Re: Support for Python v3.9 Hi Vince/Pythonnet, Is there any update on this? Thanks, Di From: Di Yang (PACTERA TECHNOLOGIES INC) Sent: Thursday, July 8, 2021 11:11 AM To: Vince Luff <vinceluff@hotmail.com<mailto:vinceluff@hotmail.com>>; A list for users and developers of Python.NET <pythonnet@python.org<mailto:pythonnet@python.org>> Cc: Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com<mailto:v-douglw@microsoft.com>>; Fan Yang (COMMERCE) <fay@microsoft.com<mailto:fay@microsoft.com>> Subject: RE: [Python.NET] Re: Support for Python v3.9 Hi Vince/Pythonnet, I tested again with Python 3.9.6 which is released on 6/28, still got error when running "pip install pythonnet". I got the same error on two machines. How could we solve it? 
[image001.png]
Thanks, Di
From: Vince Luff <vinceluff@hotmail.com> Sent: Saturday, May 15, 2021 4:19 AM To: A list for users and developers of Python.NET <pythonnet@python.org> Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com> Subject: [EXTERNAL] Re: [Python.NET] Re: Support for Python v3.9
Hi guys,
Am I missing something here, because Python.Net v2.5.2 already supports Python 3.9:
https://github.com/pythonnet/pythonnet/releases
"Additionally, includes support for Python 3.9"
Regards, Vince
From: Mark Visser <markv@unity3d.com> Sent: 13 May 2021 17:14 To: A list for users and developers of Python.NET <pythonnet@python.org> Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com> Subject: [Python.NET] Re: Support for Python v3.9
Hi Douglas,
It looks to me like this was fixed in Python 3.6, 3.7, 3.8 and 3.9:
From https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html:
Fixed In
* Python 3.6.13 (2021-02-16) fixed by commit e912e94 (branch 3.6) <https://github.com/python/cpython/commit/e912e945f2960029d039d3390ea08835ad39374b> (2020-10-20)
* Python 3.7.10 (2021-02-16) fixed by commit 43e5231 (branch 3.7) <https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9> (2020-10-20)
* Python 3.8.7 (2020-12-21) fixed by commit 6c6c256 (branch 3.8) <https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33> (2020-10-06)
* Python 3.9.1 (2020-12-07) fixed by commit b664a1d (branch 3.9) <https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794> (2020-10-06)
So you should be able to address the CVE by upgrading to one of these patch versions. AFAIK we don't have a timeline for 3.9 support in Python for .NET yet.
cheers, -Mark
Mark Visser Senior Dev Manager, M&E Unity Technologies - www.unity3d.com
On May 12, 2021, at 12:43 PM, Douglas Wyant (Aptly Technology Corporation) via PythonNet <pythonnet@python.org> wrote:
PythonNet, Hi folks, I have no idea if this is the correct way to engage support / ask questions, so please redirect me. We need to deploy Python v3.9 to resolve a known Security issue in older versions. I'm told we're blocked on deploying until PythonNet is updated to support v3.9. So the question is when might that be?
https://bugs.python.org/issue41944
CVE-2020-27619: Windows Python versions 3.0.0 through 3.9.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Affected Versions Python versions 3.0.0 through 3.9.0
Thanks, Doug Wyant (Aptly Technology Corporation), GSEC, GCIH Service Engineer 2 Microsoft
_______________________________________________
PythonNet mailing list -- pythonnet@python.org
To unsubscribe send an email to pythonnet-leave@python.org
https://mail.python.org/mailman3/lists/pythonnet.python.org/
Member address: markv@unity3d.com
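An added example, not part of any message in this thread: a Python check of an interpreter version against the affected ranges quoted above for CVE-2020-27619, CVE-2021-3177 and CVE-2021-23336, plus a behavioural probe for the last one. The function names are hypothetical, branches newer than 3.9 are assumed unaffected because the thread lists none, and the probe relies on the upstream CVE-2021-23336 fix having made `&` the only default separator in `urllib.parse.parse_qsl`.

```python
import re
import sys
import urllib.parse

# Last affected patch release per branch, transcribed from the messages above.
# CVE-2020-27619 values sit one below the "Fixed In" releases Mark quotes.
LAST_AFFECTED = {
    "CVE-2020-27619": {(3, 6): 12, (3, 7): 9, (3, 8): 6, (3, 9): 0},
    "CVE-2021-3177": {(3, 6): 12, (3, 7): 9, (3, 8): 7, (3, 9): 1},
    "CVE-2021-23336": {(3, 6): 12, (3, 7): 9, (3, 8): 7, (3, 9): 1},
}
# Lowest major version each advisory names ("3.0.0", "3.X", "0.X").
FIRST_AFFECTED_MAJOR = {"CVE-2020-27619": 3, "CVE-2021-3177": 3, "CVE-2021-23336": 0}
OLDEST_FIXED_BRANCH = (3, 6)  # no fixed release is listed for older branches


def parse_version(text):
    """Turn 'X.Y.Z' into an (X, Y, Z) tuple of ints; reject anything else."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"not an X.Y.Z release number: {text!r}")
    return tuple(int(part) for part in match.groups())


def affected_by(version):
    """Return the CVEs from the thread whose quoted ranges cover `version`."""
    major, minor, patch = version
    branch = (major, minor)
    hits = []
    for cve, last_affected in LAST_AFFECTED.items():
        if major < FIRST_AFFECTED_MAJOR[cve]:
            continue
        if branch < OLDEST_FIXED_BRANCH:
            hits.append(cve)  # end-of-life branch, no fix to upgrade to
        elif branch in last_affected and patch <= last_affected[branch]:
            hits.append(cve)
        # Assumption: branches newer than 3.9 are treated as unaffected.
    return hits


def semicolon_is_separator():
    """True if parse_qsl still splits on ';' (pre-fix CVE-2021-23336 behaviour)."""
    return ("b", "2") in urllib.parse.parse_qsl("a=1;b=2")


if __name__ == "__main__":
    running = tuple(sys.version_info[:3])
    print(running, affected_by(running), semicolon_is_separator())
```

Going by the ranges quoted in the thread, 3.8.7 clears CVE-2020-27619 but is still listed as affected by the two 2021 CVEs, while the 3.9.6 release Di tested falls outside all three ranges.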
Hi Di & other folks, Just quoting Benedikt from earlier in the thread in case it was missed:
Hi,
Indeed, we back-ported support as such in Python.NET 2.5.2, but we ran into some ominous crashes in CI. That's why we don't claim support on PyPI and don't provide wheels for 3.9. You can either build 2.5.2 yourself or try to use the current master instead. We'll try to come up with a concrete roadmap for the 3.0 release in one of the next biweekly meetings.
Regards Benedikt
To summarize, Python.NET does NOT support Python 3.9.x at this time. Python.NET is an open-source project with a very small number of part-time volunteer maintainers, so any investigation you're able to do on Python 3.9 is appreciated. If you're able to reproduce crashes, please log them as issues at https://github.com/pythonnet/pythonnet/issues. If you're able to commit development resources to fixing crashes, even better! Pull requests are always welcome!
cheers, -Mark
On Jul 8, 2021, at 2:10 PM, Di Yang (PACTERA TECHNOLOGIES INC) via PythonNet <pythonnet@python.org> wrote:
Hi Vince/Pythonnet,
I tested again with Python 3.9.6 which is released on 6/28, still got error when running “pip install pythonnet”. I got the same error on two machines. How could we solve it? <image001.png>
Thanks, Di
From: Vince Luff <vinceluff@hotmail.com> Sent: Saturday, May 15, 2021 4:19 AM To: A list for users and developers of Python.NET <pythonnet@python.org> Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com> Subject: [EXTERNAL] Re: [Python.NET] Re: Support for Python v3.9
Hi guys,
Am I missing something here, because Python.Net v2.5.2 already supports Python 3.9:
https://github.com/pythonnet/pythonnet/releases
"Additionally, includes support for Python 3.9"
Regards, Vince
From: Mark Visser <markv@unity3d.com> Sent: 13 May 2021 17:14 To: A list for users and developers of Python.NET <pythonnet@python.org> Cc: Di Yang (PACTERA TECHNOLOGIES INC) <v-diyan@microsoft.com>; Douglas Wyant (Aptly Technology Corporation) <v-douglw@microsoft.com> Subject: [Python.NET] Re: Support for Python v3.9
Hi Douglas,
It looks to me like this was fixed in Python 3.6, 3.7, 3.8 and 3.9:
From https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html:
Fixed In
· Python 3.6.13 (2021-02-16) fixed by commit e912e94 (branch 3.6) <https://github.com/python/cpython/commit/e912e945f2960029d039d3390ea08835ad39374b> (2020-10-20)
· Python 3.7.10 (2021-02-16) fixed by commit 43e5231 (branch 3.7) <https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9> (2020-10-20)
· Python 3.8.7 (2020-12-21) fixed by commit 6c6c256 (branch 3.8) <https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33> (2020-10-06)
· Python 3.9.1 (2020-12-07) fixed by commit b664a1d (branch 3.9) <https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794> (2020-10-06)
So you should be able to address the CVE by upgrading to one of these patch versions. AFAIK we don't have a timeline for 3.9 support in Python for .NET yet.
cheers, -Mark
Mark Visser Senior Dev Manager, M&E Unity Technologies - www.unity3d.com
On May 12, 2021, at 12:43 PM, Douglas Wyant (Aptly Technology Corporation) via PythonNet <pythonnet@python.org> wrote:
PythonNet, Hi folks, I have no idea if this is the correct way to engage support / ask questions, so please redirect me. We need to deploy Python v3.9 to resolve a known Security issue in older versions. I’m told we’re blocked on deploying until PythonNet is updated to support v3.9. So the question is when might that be?
https://bugs.python.org/issue41944
CVE-2020-27619: Windows Python versions 3.0.0 through 3.9.0 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Affected Versions Python versions 3.0.0 through 3.9.0
Thanks,
Doug Wyant (Aptly Technology Corporation), GSEC, GCIH Service Engineer 2 Microsoft
participants (5)
- Benedikt Reinartz
- Di Yang (PACTERA TECHNOLOGIES INC)
- Douglas Wyant (Aptly Technology Corporation)
- Mark Visser
- Vince Luff