[Security-sig] All known security vunerabilities have been fixed in all branches
Victor Stinner
victor.stinner at gmail.com
Fri Jul 28 07:44:35 EDT 2017
Hi,
I have a good news: I checked and all known security vunerabilities
have been fixed in the 6 maintained Python branches: 2.7, 3.3, 3.4,
3.5, 3.6 and master.
While the YAML file of my python-security tool contains all commits,
the webpage still shows vulnerable branches since we are now waiting
for releases. My tool only cares of public releases.
http://python-security.readthedocs.io/vulnerabilities.html
The other good news is that many releases are scheduled in next weeks:
* 3.3.7, 3.4.7 and 3.5.4 final: August 7, 2017
* 2.7.14 around mi-september (after the CPython sprint)
After 2.7.14 release, the last vulnerable Python version will be 3.6.2
with the "urllib FTP protocol stream injection" vulnerability:
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
While this bug is public since 2017-02-20, I'm still not sure about
its severity. It doesn't seem to be an important one.
Note: 3.3.7 will be the last release before 3.3 end of life. 3.5.4
will be the last binary release of the 3.5 branch.
Victor
More information about the Security-SIG
mailing list