On Tue, 2020-09-08 at 23:15 +0300, Matti Picus wrote:
> I have uploaded rc1 of pypy v7.3.2 to https://buildbot.pypy.org/pypy/ (note
> the trailing slash) which should be mirrored soon to
> https://downloads.python.org/pypy/
>
> The hashes are here
> https://foss.heptapod.net/pypy/pypy.org/-/blob/branch/default/pages/download_advanced.rst#L465
>
> The release note is here https://doc.pypy.org/en/latest/release-v7.3.2.html
>
> This release does include a 3.7 alpha.
>
> Please try them out, especially on windows (extra points for non-english
> interfaces and install paths) and macos (extra points for machines that run
> without homebrew stuff installed), to make sure you can run your project with
> them.
>
> Any comments are welcome.
>

What's the vulnerability status of stdlib?

I've tested pypy2.7 and pypy3.6 so far and neither seems to contain the
CVE-2019-20907 fix (it was never backported to py2.7), the patch from [1]
seems to apply cleanly to both.

pypy3.6 seems to be missing bpo-39603, and the patch from [2] doesn't apply
cleanly (does pypy3 contain outdated version or modified?). CVE-2020-14422
is also unresolved.

Could you please either update stdlib of pypy3.6 or look through CPython
changes and backport the security fixes? For pypy2.7, please backport [1]
directly since upstream is no longer maintaining that branch.

[1] https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8
[2] https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae

--
Best regards,
Michał Górny
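
As an added example (not part of the original message, nor PyPy or CPython code), this Python 3 script probes the running interpreter's stdlib behaviourally for two of the fixes named above, bpo-39603 and CVE-2020-14422; CVE-2019-20907 is not probed. It assumes that bpo-39603 is the http.client change that rejects control characters in the request method and that the pre-fix interface hash was the XOR of address, prefix length and network address; the host name and function names are constructed for the example.

```python
"""Behavioural probe for stdlib security fixes (added example, Python 3 only)."""
import http.client
import ipaddress
import sys


def has_bpo_39603_fix():
    """True if http.client rejects control characters in the request method.

    putrequest() only buffers the request line: no socket is opened and
    nothing is sent to the constructed host name below.
    """
    conn = http.client.HTTPConnection("stdlib-probe.invalid")  # constructed name
    try:
        conn.putrequest("GET\r\nX-Probe: 1", "/")
    except ValueError:
        return True   # method validation is present
    return False      # request line was accepted with CR/LF in the method


def has_cve_2020_14422_fix():
    """True if interface hashes are no longer the XOR of address, prefix, network.

    Assumption: the pre-fix __hash__ returned ip ^ prefixlen ^ network_address,
    which makes many distinct interfaces collide in dicts and sets.
    """
    for text in ("192.0.2.1/24", "2001:db8::1/64"):  # documentation ranges
        iface = ipaddress.ip_interface(text)
        legacy = (int(iface.ip)
                  ^ iface.network.prefixlen
                  ^ int(iface.network.network_address))
        if hash(iface) == hash(legacy):
            return False
    return True


def stdlib_fix_report():
    """Map each probed identifier to True (fix present) or False (missing)."""
    return {
        "bpo-39603": has_bpo_39603_fix(),
        "CVE-2020-14422": has_cve_2020_14422_fix(),
    }


if __name__ == "__main__":
    print(sys.version)
    for name, fixed in stdlib_fix_report().items():
        print("{}: {}".format(name, "fixed" if fixed else "MISSING"))
```

Run it with each interpreter under test (for example the pypy3 binary from the release candidate) and compare the output against a patched CPython of the same minor version.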