All known security vunerabilities have been fixed in all branches
Hi, I have a good news: I checked and all known security vunerabilities have been fixed in the 6 maintained Python branches: 2.7, 3.3, 3.4, 3.5, 3.6 and master. While the YAML file of my python-security tool contains all commits, the webpage still shows vulnerable branches since we are now waiting for releases. My tool only cares of public releases. http://python-security.readthedocs.io/vulnerabilities.html The other good news is that many releases are scheduled in next weeks: * 3.3.7, 3.4.7 and 3.5.4 final: August 7, 2017 * 2.7.14 around mi-september (after the CPython sprint) After 2.7.14 release, the last vulnerable Python version will be 3.6.2 with the "urllib FTP protocol stream injection" vulnerability: http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_inject... While this bug is public since 2017-02-20, I'm still not sure about its severity. It doesn't seem to be an important one. Note: 3.3.7 will be the last release before 3.3 end of life. 3.5.4 will be the last binary release of the 3.5 branch. Victor
participants (1)
-
Victor Stinner