[Python-Dev] [python-committers] [RELEASED] Python 3.4.9 and Python 3.5.6 are now available

Michael aixtools at felt.demon.nl
Sun Aug 5 14:57:40 EDT 2018


On 03/08/2018 03:22, Larry Hastings wrote:
>
>
> On 08/02/2018 07:17 AM, Victor Stinner wrote:
>> 3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
>
> Well, not to be a complete pill, but...
>
>    https://bugs.python.org/issue17180
>    https://bugs.python.org/issue17239
>    https://bugs.python.org/issue19050
>
> Sadly, just because they're languishing on bpo doesn't mean they 
> aren't valid security vulnerabilities.
>
+1 - Sadly, not fixed after 5 years - Why? Because it isn't sexy, or 
fear of breaking things?

Breaking things could be valid - when it is a feature/design change, but 
the whole point of security fixes is because we believe the security 
vulnerability is breakage. Not fixing it keeps everything that depends 
on it (intentional or not) also broken. Any app that depends on 'broken' 
behavior needs to be fixed - rather than let a known vulnerability go 
from 0-day to 1825-day vulnerability (or is it 2000 already?)

Only read the discussion for 17180 - but it seems anything old does not 
get fixed because it did not get fixed years ago.

my two cents!

On a side note: I have been trying to test python on different 
"enterprise" distros of Linux and am amazed to see Python2-2.7.5 as the 
'standard'. Rather disheartening for all the good work that gets 
done. i.e., I am amazed that CVEs like the ones fixed in 3.4.9 and 
3.5.6 (and maybe already/later in 2.7.X) do not motivate distributions 
to update to current levels.

oh my - up to 4 cents! :)

Thanks for the work - I'll get to packaging them for AIX.

>
> //arry/
>
>
>