[Python-Dev] [python-committers] Winding down 3.4

Victor Stinner vstinner at redhat.com
Mon Aug 20 08:52:28 EDT 2018


> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180

There is no fix. A fix may break the backward compatibility. Is it really
worth it for the last 3.4 release?

> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239

Bug inactive since 2015. I don't expect that anyone will step in next weeks
with a wonderful solution to all XML issues. I suggest to ignore this one
as well, this issue is as old as XML support in Python and I am not aware
of any victim of these issues.

Obviously, it would be "nice" to see a fix for these issues but it seems
like core devs are more interested to work on other topics and other
security issues.


> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050

It seems like two core devs are opposed to fix this issue.

--

There are open security issues on the HTTP server and urllib. I am more
concerned by these issues, but it's hard to fix them, there is a risk of
introducing regressions.

Victor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20180820/581125e3/attachment.html>


More information about the Python-Dev mailing list