I have good news: I checked and all known security vulnerabilities
have been fixed in the 6 maintained Python branches: 2.7, 3.3, 3.4,
3.5, 3.6 and master.
While the YAML file of my python-security tool contains all commits,
the webpage still shows vulnerable branches since we are now waiting
for releases. My tool only cares about public releases.
The other good news is that many releases are scheduled in the next weeks:
* 3.3.7, 3.4.7 and 3.5.4 final: August 7, 2017
* 2.7.14 around mid-September (after the CPython sprint)
After the 2.7.14 release, the last vulnerable Python version will be 3.6.2,
with the "urllib FTP protocol stream injection" vulnerability:
While this bug has been public since 2017-02-20, I'm still not sure about
its severity. It doesn't seem to be an important one.
Note: 3.3.7 will be the last release before the 3.3 end of life. 3.5.4
will be the last binary release of the 3.5 branch.
I updated my vulnerability table for the Python 3.6.2 release:
I also added bpo-30730: "Environment variables injection in subprocess
Sadly, we missed fixing the "urllib FTP protocol stream injection"