[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

Michał Górny report at bugs.python.org
Sat May 1 03:36:51 EDT 2021


Michał Górny <mgorny at gentoo.org> added the comment:

> If it takes years for users to get to 3.10, we should reevaluate our 
> release cycle, not whether we aggressively break maintenance releases.

I don't really understand how that would help.  The problem is that users have major inertia for switching to newer Python versions.  A part of it is that a lot of people just don't care about deprecation warnings, and don't fix stuff until it's actually broken.  In the end, your projects are blocked from using new major Python version by broken dependencies with long release cycles.

I can't imagine deliberately leaving 3.8 and 3.9 vulnerable when 3.10 isn't going to reach final release in the next half year.  Gentoo stable is only switching to 3.9 next month.  I'm pretty sure some of our (few) corporate users are still on 3.7 or earlier.  Then, there are projects that literally include a vulnerable copy of Python 2.7 to get around distributions removing it.

I dare say this has less breakage potential than the &/; change.  It should be fixed on all affected versions.  If you don't do that, distributions will have to patch it anyway, and this will only lead to incompatibility between different Python package vendors.

----------
nosy: +mgorny

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue36384>
_______________________________________
