[Python-Dev] Proposed dates for Python 3.4.10 and Python 3.5.7

Victor Stinner vstinner at redhat.com
Fri Feb 15 06:28:45 EST 2019


Hi,

On Fri, 15 Feb 2019 at 12:07, Miro Hrončok <mhroncok at redhat.com> wrote:
> I've checked Fedora CVE bugs against python 3.4 and 3.5. Here is one missing I
> found:
>
> CVE-2018-20406 https://bugs.python.org/issue34656
> memory exhaustion in Modules/_pickle.c:1393
> Marked as resolved, but I don't see it fixed on 3.5 or 3.4.
>
> Should we get it fixed? openSUSE AFAIK has backported the patch.

I'm working on fixes :-) I had a draft email but you were faster than
me to post yours.

On Fri, 15 Feb 2019 at 03:29, Larry Hastings <larry at hastings.org> wrote:
> What's going in these releases?  Not much.  I have two outstanding PRs against 3.5:
>
> bpo-33127 GH-10994: Compatibility patch for LibreSSL 2.7.0
> bpo-34623 GH-9933: XML_SetHashSalt in _elementtree

According to my tool tracking security fixes, 3.5 lacks fixes for:

https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html
https://python-security.readthedocs.io/vuln/pickle-load-dos.html
https://python-security.readthedocs.io/vuln/xml-pakage-ignore-environment.html

> and one PR against 3.4:
>
> bpo-34623 GH-9953: Use XML_SetHashSalt in _elementtree

and 3.4 lacks fixes for:

https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html
https://python-security.readthedocs.io/vuln/pickle-load-dos.html =>
Matej Cepl backported the change to 3.4, but the patch should be
converted into a PR
https://python-security.readthedocs.io/vuln/xml-pakage-ignore-environment.html

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.

