[Python-Dev] Tracking fixes of security vulnerabilities: we are good!

Victor Stinner victor.stinner at gmail.com
Wed Oct 18 05:55:26 EDT 2017


Since the beginning of the year, I'm working on a tool to track if all
security vulnerabilities are fixed in all Python maintained versions
(versions still accepting security fixes):


Currently, five branches are maintained: 2.7, 3.4, 3.5, 3.6 and master.


Thanks to Ned Deily and Georg Brandl, Python 3.3 reached its
end-of-life (EOL) last month, after 5 years of good service (as
expected). It reduced the number of maintained branches from six to
five :-) Python 3.3.7 released last month contains the last security

The good news is that we got releases in the last months with fixes for
almost all security vulnerabilities. Only Python 3.4 and Python 3.5
have two known vulnerabilities, but I consider that their severity is
not high hopefully.

"Expat 2.2.3" is not fixed yet in Python 3.4 and 3.5, but I'm not sure
that Python is really affected by fixed Expat vulnerabilities, since
Python uses its own code to generate a secret key for the Expat "hash
secret". Our embedded expat copy is used on Windows and macOS, but not
on Linux.

"update zlib to 1.2.11" was fixed in the Python 3.4 branch, but no
release was made yet. This issue only impacts Windows. Linux and macOS
use the system zlib.
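A minimal model of the per-branch tracking the post describes, added here as an example and not the author's tool: each vulnerability records, per maintained branch, the release that carries the fix (or none), and the status distinguishes "still vulnerable" from "fixed in the branch but no release ships it yet" (the zlib case). Branch names follow the post; the release tags and fix versions below are constructed sample data.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'3.4.8' -> (3, 4, 8), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def fix_status(latest_release: Optional[str], fix_version: Optional[str]) -> str:
    """Classify one vulnerability on one branch.

    latest_release: last tagged release of the branch (None for master).
    fix_version: release that contains or will contain the fix; None if unpatched.
    """
    if fix_version is None:
        return "vulnerable"
    if latest_release is None or parse_version(fix_version) > parse_version(latest_release):
        # The commit is in the branch but no tag ships it: anyone installing
        # the latest release is still exposed. This is the zlib case above.
        return "fixed, release pending"
    return "released"

# Constructed sample data (not the tracker's real records): branch -> latest
# release tag, and vulnerability -> branch -> release carrying the fix.
BRANCHES: Dict[str, Optional[str]] = {
    "2.7": "2.7.14", "3.4": "3.4.7", "3.5": "3.5.4", "3.6": "3.6.3", "master": None,
}
VULNERABILITIES: Dict[str, Dict[str, Optional[str]]] = {
    "Expat 2.2.3": {"2.7": "2.7.14", "3.4": None, "3.5": None, "3.6": "3.6.3", "master": "3.7.0"},
    "update zlib to 1.2.11": {"2.7": "2.7.14", "3.4": "3.4.8", "3.5": "3.5.4", "3.6": "3.6.3", "master": "3.7.0"},
}

def report(branches=BRANCHES, vulnerabilities=VULNERABILITIES) -> Dict[str, Dict[str, str]]:
    """Return {vulnerability: {branch: status}} over every maintained branch."""
    return {
        title: {branch: fix_status(branches[branch], fixes.get(branch)) for branch in branches}
        for title, fixes in vulnerabilities.items()
    }

def open_items(branches=BRANCHES, vulnerabilities=VULNERABILITIES):
    """List (vulnerability, branch, status) triples that still need a release."""
    return [(title, branch, status)
            for title, per_branch in report(branches, vulnerabilities).items()
            for branch, status in per_branch.items() if status != "released"]

if __name__ == "__main__":
    for title, branch, status in open_items():
        print(f"{title:<24} {branch:<7} {status}")
```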

