[Security-sig] Python Vulnerabilities: Vulnerable Python versions added
Victor Stinner
victor.stinner at gmail.com
Thu Mar 23 08:32:57 EDT 2017
Hi,
I just added the list of vulnerable Python versions to my report:
http://python-security.readthedocs.io/vulnerabilities.html
So I checked the status of backports, and I identified one last
vulnerability not fixed in Python 3.4 yet: HTTP directory traversal on
Windows. I proposed a cherry-pick:
https://github.com/python/cpython/pull/782
Python 3.2 and 3.3 lack a lot of fixes, but their last release was in
2014. Fixes were backported in the meantime, but no new security
release has been made since then.
gettext:
  FIXME 3.2
  3.3 fixed: no release yet

Sweet32:
  3.4 fixed: no release yet

HTTPoxy attack: 3.2 and 3.3
  FIXME 3.2
  3.3 fixed: no release yet

smtplib TLS stripping:
  FIXME 3.2
  3.3 fixed: no release yet

HTTP directory traversal:
  FIXME 3.2
  FIXME 3.3
  FIXME 3.4
  => https://github.com/python/cpython/pull/782

Expat 2.1.1:
  FIXME 3.2
  FIXME 3.3

zipimporter overflow:
  FIXME 3.2
  3.3 fixed: no release yet

HTTP Header injection:
  FIXME 3.2
  FIXME 3.3

Validate TLS certificate:
  3.2 and 3.3 vulnerable: no plan to backport the feature

SSL: NULL byte:
  3.3 fixed: no release yet

match_hostname IDNA:
  FIXME 3.2

xmlrpc gzip decode:
  3.2 fixed in 2014: no release yet
  3.3 fixed: no release yet
Victor
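The "HTTP directory traversal" entry in the report above names the bug class but does not describe it. The following is an added illustration, not code from CPython's http.server and not the change in the linked pull request: a request-path-to-filesystem mapping that treats both '/' and '\' as separators before checking that the result stays under the document root. A check that only splits on '/' misses backslash components, which the Windows filesystem honours, and that is the general shape of a Windows-only traversal in an otherwise portable server. The function name translate_path, the document root '/srv/www' and the sample request paths are all constructed for the example.

```python
import os
import urllib.parse
from typing import Optional

# Added example; not code from CPython's http.server or from the linked PR.
# translate_path, the root and the sample requests below are constructed.


def translate_path(url_path: str, root: str) -> Optional[str]:
    """Map a request path onto a file under root, or return None if it escapes.

    Both '/' and '\\' are treated as separators, so a traversal written with
    backslashes (which Windows honours) is caught the same way as one written
    with slashes. Any '..' component is rejected outright rather than normalised.
    """
    # Strip query string and fragment before percent-decoding, as a server would.
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    path = urllib.parse.unquote(path)
    # An embedded NUL can truncate the path at the OS boundary: refuse it.
    if "\x00" in path:
        return None
    # Normalise separators first, then split. This is the step a '/'-only
    # check misses: '..\\..\\x' would otherwise look like a single component.
    parts = [p for p in path.replace("\\", "/").split("/") if p and p != "."]
    for part in parts:
        # '..' escapes; a drive spec such as 'c:' would re-root the path on Windows.
        if part == ".." or os.path.splitdrive(part)[0]:
            return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, *parts))
    # Symlinks under root may still point outside it, so check the resolved path.
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


# Constructed sample requests, not taken from any real log.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/%73tyle.css?v=1",
    "/../../etc/passwd",
    "/..\\..\\windows\\win.ini",
    "/%2e%2e%5c%2e%2e/etc/passwd",
    "/a%00.txt",
]


def classify(requests, root="/srv/www"):
    """Return {request: resolved path or None} for a batch of request paths."""
    return {r: translate_path(r, root) for r in requests}


if __name__ == "__main__":
    for req, resolved in classify(SAMPLE_REQUESTS).items():
        print(f"{req!r:40} -> {resolved if resolved else 'REJECTED'}")
```

Rejecting any '..' component instead of collapsing it is a deliberately conservative choice; a server that prefers to normalise should still keep the final realpath-plus-commonpath check, since that is what catches symlinks and any separator handling the normaliser got wrong.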