On 03/08/2018 03:22, Larry Hastings wrote:


> On 08/02/2018 07:17 AM, Victor Stinner wrote:
> > 3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
>
> Well, not to be a complete pill, but...
>
>    https://bugs.python.org/issue17180
>    https://bugs.python.org/issue17239
>    https://bugs.python.org/issue19050
>
> Sadly, just because they're languishing on bpo doesn't mean they aren't valid security vulnerabilities.

+1 - Sadly, not fixed after 5 years - Why? Because it isn't sexy, or fear for breaking things?

Breaking things could be valid - when it is a feature/design change, but the whole point of security fixes is because we believe the security vulnerability is breakage. Not fixing it keeps everything that depends on it (intentional or not) also broken. Any app that depends on 'broken' behavior needs to be fixed - rather than let a known vulnerability go from 0-day to 1825-day vulnerability (or is it 2000 already?)

Only read the discussion for 17180 - but it seems anything old does not get fixed because it did not get fixed years ago.

my two cents!

On a side note: I have been trying to test python on different "enterprise" distros of Linux and am amazed to see Python2-2.7.5 as the 'standard'. Rather disheartening for all the good work that gets done. i.e., I am amazed that CVEs like the ones fixed in 3.4.9 and 3.5.6 (and maybe already/later in 2.7.X) do not motivate distributions to update to current levels.

oh my - up to 4 cents! :)

Thanks for the work - I'll get to packaging them for AIX.


> //arry/



_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/aixtools%40felt.demon.nl

