From victor.stinner at gmail.com Tue Jul 18 06:48:23 2017
From: victor.stinner at gmail.com (Victor Stinner)
Date: Tue, 18 Jul 2017 12:48:23 +0200
Subject: [Security-sig] Vulnerability table updated for Python 3.6.2
Message-ID:

Hi,

I updated my vulnerability table for the Python 3.6.2 release:
http://python-security.readthedocs.io/vulnerabilities.html

I also added bpo-30730: "Environment variables injection in subprocess on Windows".

Sadly, we failed to fix the "urllib FTP protocol stream injection" vulnerability.

Victor


From victor.stinner at gmail.com Fri Jul 28 07:44:35 2017
From: victor.stinner at gmail.com (Victor Stinner)
Date: Fri, 28 Jul 2017 13:44:35 +0200
Subject: [Security-sig] All known security vulnerabilities have been fixed in all branches
Message-ID:

Hi,

I have good news: I checked, and all known security vulnerabilities have been fixed in the 6 maintained Python branches: 2.7, 3.3, 3.4, 3.5, 3.6 and master.

While the YAML file of my python-security tool contains all commits, the webpage still shows vulnerable branches since we are now waiting for releases. My tool only cares about public releases.
http://python-security.readthedocs.io/vulnerabilities.html

The other good news is that many releases are scheduled in the next weeks:

* 3.3.7, 3.4.7 and 3.5.4 final: August 7, 2017
* 2.7.14 around mid-September (after the CPython sprint)

After the 2.7.14 release, the last vulnerable Python version will be 3.6.2 with the "urllib FTP protocol stream injection" vulnerability:
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection

While this bug has been public since 2017-02-20, I'm still not sure about its severity. It doesn't seem to be an important one.

Note: 3.3.7 will be the last release before 3.3 end of life. 3.5.4 will be the last binary release of the 3.5 branch.

Victor
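The second message draws a distinction that is easy to get wrong when tracking fixes: a vulnerability counts as closed for a branch only once the fix ships in a public release, not when the commit lands. The script below is an added illustration of that rule and is not the python-security tool's own code or YAML format; the release numbers and the `SAMPLE_VULN` record are constructed for the example, and the `fixed_in` field is an assumed shape, not the real file layout.

```python
"""Added example (not Victor Stinner's python-security code): decide which
maintained branches still ship a vulnerability in a public release.

A branch whose fix has been merged but not yet released is still reported as
vulnerable, which is why a table keyed on releases lags behind the commit log.
All data below is constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.5.4' -> (3, 5, 4); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def branch_of(version: Version) -> str:
    """(3, 5, 4) -> '3.5'."""
    return f"{version[0]}.{version[1]}"


# Constructed: latest *public* release per maintained branch (master has no
# public release, so it is not tracked here).
LATEST_RELEASE: Dict[str, str] = {
    "2.7": "2.7.13",
    "3.3": "3.3.6",
    "3.4": "3.4.6",
    "3.5": "3.5.3",
    "3.6": "3.6.2",
}

# Constructed vulnerability record. The 'fixed_in' list is an assumed shape:
# the first version of each branch that contains the fix commit.
SAMPLE_VULN = {
    "name": "example vulnerability (constructed)",
    "fixed_in": ["2.7.14", "3.3.7", "3.4.7", "3.5.4", "3.6.3"],
}


def fixed_version_for(branch: str, fixed_in: List[str]) -> Optional[Version]:
    """Return the version in which the given branch received the fix, if any."""
    for text in fixed_in:
        version = parse_version(text)
        if branch_of(version) == branch:
            return version
    return None


def vulnerable_branches(vuln: dict, latest_release: Dict[str, str]) -> List[str]:
    """Branches whose latest public release predates the fix (or has no fix)."""
    result = []
    for branch, latest in latest_release.items():
        fix = fixed_version_for(branch, vuln["fixed_in"])
        if fix is None or parse_version(latest) < fix:
            result.append(branch)
    return result


def releases_needed(vuln: dict, latest_release: Dict[str, str]) -> Dict[str, str]:
    """Map each still-vulnerable branch to the release that would close it."""
    needed = {}
    for branch in vulnerable_branches(vuln, latest_release):
        fix = fixed_version_for(branch, vuln["fixed_in"])
        needed[branch] = ".".join(map(str, fix)) if fix else "no fix recorded"
    return needed


if __name__ == "__main__":
    print("vulnerable now:", vulnerable_branches(SAMPLE_VULN, LATEST_RELEASE))
    print("waiting on:", releases_needed(SAMPLE_VULN, LATEST_RELEASE))
    # Simulate the August releases named in the message landing.
    after_august = {**LATEST_RELEASE, "3.3": "3.3.7", "3.4": "3.4.7", "3.5": "3.5.4"}
    print("after 3.3.7/3.4.7/3.5.4:", vulnerable_branches(SAMPLE_VULN, after_august))
```

Feeding the script the release schedule from the message reproduces its conclusion: once 3.3.7, 3.4.7 and 3.5.4 ship, only 2.7 and 3.6 remain listed, and after 2.7.14 only the 3.6 branch is left waiting for a release.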