osdir.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] [python-committers] [RELEASED] Python 3.4.9 and Python 3.5.6 are now available


----- Original Message -----

> From: "Michael" <aixtools at felt.demon.nl>
> To: "Larry Hastings" <larry at hastings.org>, python-dev at python.org
> Sent: Sunday, August 5, 2018 8:57:40 PM
> Subject: Re: [Python-Dev] [python-committers] [RELEASED] Python 3.4.9 and
> Python 3.5.6 are now available

> On 03/08/2018 03:22, Larry Hastings wrote:

> > On 08/02/2018 07:17 AM, Victor Stinner wrote:
> 

> > > 3.4.9 and 3.5.6 have no more known security vulnerabilities :-)
> > 
> 

> > Well, not to be a complete pill, but...
> 

> > https://bugs.python.org/issue17180
> 
> > https://bugs.python.org/issue17239
> 
> > https://bugs.python.org/issue19050
> 

> > Sadly, just because they're languishing on bpo doesn't mean they aren't
> > valid
> > security vulnerabilities.
> 

> +1 - Sadly, not fixed after 5 years - Why? Because it isn't sexy, or fear for
> breaking things?

> Breaking things could be valid - when it is a feature/design change, but the
> whole point of security fixes is because we believe the security
> vulnerability is breakage. Not fixing it keeps everything that depends on it
> (intentional or not) also broken. Any app that depends on 'broken' behavior
> needs to be fixed - rather than let a known vulnerability go from 0-day to
> 1825-day vulnerability (or is it 2000 already?)

> Only read the discussion for 17180 - but it seems anything old does not get
> fixed because it did not get fixed years ago.

> my two cents!

> On a side note: I have been trying to test python on different "enterprise"
> distros of linux and am amazed to see Python2-2.7.5 as the 'standard'.
> Rather disheartening for the all the good work that gets done. i.e., I am
> amazed that CVE's like the ones fixed in 3.4.9 and 3.5.6 (and maybe
> already/later in 2.7.X) do not motivate distributions to update to current
> levels.

A side note on your side note. Different distro's have different standards, use/customer cases to address etc. In enterprise distributions the usual scheme is that the version that you see is the minimum one and many fixes coming from upstream or the redistributor 
are incorporated on top of that version. Just check the package changelogs. :) CVE's do get fixed and there is actually cooperation with upstream on different levels in regards to those. And speaking here as one of the people doing that for one of the enterprise 
distros. 

> oh my - up to 4 cents! :)

> Thanks for the work - I'll get to packaging them for AIX.

> > //arry/
> 

> > _______________________________________________
> 
> > Python-Dev mailing list Python-Dev at python.org
> > https://mail.python.org/mailman/listinfo/python-dev Unsubscribe:
> > https://mail.python.org/mailman/options/python-dev/aixtools%40felt.demon.nl
> 

> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/cstratak%40redhat.com

-- 
Regards, 

Charalampos Stratakis 
Software Engineer 
Python Maintenance Team, Red Hat 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20180806/a9a1a75f/attachment.html>