[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

Łukasz Langa report at bugs.python.org
Sun May 2 06:01:01 EDT 2021


Łukasz Langa <lukasz at langa.pl> added the comment:

Due to the relative obscurity of the bug and potential disruption of the fix, I decided not to include it in 3.8.

However, Michał's argument about 3.10 not being released for another five months is resonating with me and so we will be backporting the change to 3.9.5, to be released tomorrow. Victor's argument about opt-ins being a bad way to fix security also makes sense, although let me point out that we've made decisions the other way in the past as well, for instance with hash randomization.

In any case, the issue will be solved in Python 3.10.0 Beta 1 and Python 3.9.5. Having the fixed behavior "in 3.9.5 and newer" makes for easy mechanical checks whether a given version is affected.

----------
assignee: docs at python -> 

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36384>
_______________________________________
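The "easy mechanical checks" in the comment above are a version comparison, which is only as reliable as the release history it encodes. The following is an added example, not code from the tracker thread or from CPython, that puts three things side by side: the version rule as stated in the thread (3.9.5 and 3.10.0 beta 1, with 3.8 left out), a runtime probe of whichever interpreter is actually running, and a strict dotted-quad validator that rejects leading zeros regardless of interpreter version. It also shows the ambiguity the title refers to: an octet such as "010" reads as 10 under the decimal rule the old `ipaddress` used and as 8 under the octal rule C's `inet_aton` applies. All function names (`version_says_fixed`, `runtime_accepts_leading_zeros`, `decimal_vs_octal`, `strict_ipv4`) are hypothetical, and the version table is an assumption drawn only from the releases named in this message.

```python
"""Added example (not from the tracker thread or CPython): checks for
the leading-zero ambiguity in IPv4 strings behind CVE-2021-29921."""
import ipaddress
import re
import sys

# Assumption: only the releases named in the thread are encoded here
# (fixed in 3.9.5 and 3.10.0 beta 1; 3.8 left out). The runtime probe
# below, not this table, is the authoritative answer on a given host.
FIXED_IN = (3, 9, 5)


def version_says_fixed(major, minor, micro, releaselevel="final"):
    """The 'mechanical check' from the thread: fixed in 3.9.5 and newer."""
    release = (major, minor, micro)
    if release < FIXED_IN:
        return False
    # A plain tuple comparison calls 3.10.0a7 "newer" than 3.9.5, but only
    # 3.10.0 beta 1 and later ship the change.
    if release == (3, 10, 0) and releaselevel == "alpha":
        return False
    return True


def runtime_accepts_leading_zeros():
    """Probe the interpreter you are actually running on."""
    try:
        ipaddress.IPv4Address("010.0.0.1")
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def decimal_vs_octal(text):
    """Two readings of a dotted quad containing leading-zero octets.

    Decimal is what pre-fix ipaddress did; octal is what C inet_aton does
    for an octet beginning with '0'. Octal is None when an octet contains
    an 8 or 9, which is not a valid octal digit. (inet_aton's '0x' hex
    prefix is not modelled here.)
    """
    octets = text.split(".")
    decimal = ".".join(str(int(o, 10)) for o in octets)
    try:
        octal = ".".join(
            str(int(o, 8)) if len(o) > 1 and o.startswith("0") else str(int(o, 10))
            for o in octets
        )
    except ValueError:
        octal = None
    return decimal, octal


# Strict dotted quad: four octets 0-255 with no leading zeros, so the string
# has exactly one reading whichever parser sees it downstream.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])"
_STRICT_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def strict_ipv4(text):
    """Return an ipaddress.IPv4Address, or raise ValueError, on any interpreter."""
    if not _STRICT_IPV4.fullmatch(text):
        raise ValueError(f"ambiguous or malformed IPv4 address: {text!r}")
    return ipaddress.IPv4Address(text)


def is_strict_ipv4(text):
    """Boolean wrapper around strict_ipv4 for use in filters and tests."""
    try:
        strict_ipv4(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    v = sys.version_info
    print("version table says fixed:",
          version_says_fixed(v.major, v.minor, v.micro, v.releaselevel))
    print("runtime accepts leading zeros:", runtime_accepts_leading_zeros())
    for s in ("010.0.0.1", "0127.0.0.1", "09.0.0.1", "10.0.0.1"):
        print(s, "->", decimal_vs_octal(s), "strict:", is_strict_ipv4(s))
```

If the version table and the runtime probe disagree on a host, trust the probe: it reflects the code that is actually loaded, while the table only reflects the releases this message names. Code that hands an IPv4 string to a second parser (a libc resolver, a firewall rule, a URL allow-list) should run it through the strict validator first, so that "0127.0.0.1" is rejected outright instead of being loopback to one component and 87.0.0.1 to another.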