Hi,
I have good news: I checked and all known security vulnerabilities
have been fixed in the 6 maintained Python branches: 2.7, 3.3, 3.4,
3.5, 3.6 and master.
While the YAML file of my python-security tool contains all commits,
the webpage still shows vulnerable branches since we are now waiting
for releases. My tool only cares about public releases.
http://python-security.readthedocs.io/vulnerabilities.html
The other good news is that many releases are scheduled in the next weeks:
* 3.3.7, 3.4.7 and 3.5.4 final: August 7, 2017
* 2.7.14 around mid-September (after the CPython sprint)
After 2.7.14 release, the last vulnerable Python version will be 3.6.2
with the "urllib FTP protocol stream injection" vulnerability:
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injec…
While this bug has been public since 2017-02-20, I'm still not sure about
its severity. It doesn't seem to be an important one.
Note: 3.3.7 will be the last release before 3.3 end of life. 3.5.4
will be the last binary release of the 3.5 branch.
Victor
Hi,
I updated my vulnerability table for the Python 3.6.2 release:
http://python-security.readthedocs.io/vulnerabilities.html
I also added bpo-30730: "Environment variables injection in subprocess
on Windows".
Sadly, we failed to fix the "urllib FTP protocol stream injection"
vulnerability.
Victor