[Security-sig] 3.3 and 3.4 branches not well maintained

Ned Deily nad at python.org
Tue Feb 21 16:05:23 EST 2017


On Feb 21, 2017, at 13:07, Victor Stinner <victor.stinner at gmail.com> wrote:
> I completed my list of vulnerabilities. It helps to track if a
> vulnerability has been fixed in all security maintained branches.
> http://python-security.readthedocs.io/vulnerabilities.html
> 
> Currently, the following branches are maintained for security: 2.7,
> 3.3, 3.4, 3.4, 3.5 and 3.6
> https://docs.python.org/devguide/#status-of-python-branches
> 
> I looked at the 5 latest vulnerabilities, and we didn't backport fixes
> to all maintained branches:
> 
> Issue #28563:
>  3.3 backported, no release yet
> CVE-2016-2183:
>  3.3 and 3.4 not fixed yet <====
>  https://bugs.python.org/issue27850#msg275073
> CVE-2016-1000110
>  3.3 backported, no release yet
> CVE-2016-0772
>  3.3 needs backport <====
> Issue #26657
>  3.3 and 3.4 need backport <====
> 
> Maybe a 3.3 release may be needed as well.

Have you contacted the 3.3 and 3.4 release managers about this?

--
  Ned Deily
  nad at python.org


