On 9/9/20 9:55 AM, Michał Górny wrote:
On Tue, 2020-09-08 at 23:15 +0300, Matti Picus wrote:
I have uploaded rc1 of pypy v7.3.2 to https://buildbot.pypy.org/pypy/ (note the 
trailing slash) which should be mirrored soon to 
https://downloads.python.org/pypy/

The hashes are here 
https://foss.heptapod.net/pypy/pypy.org/-/blob/branch/default/pages/download_advanced.rst#L465

The release note is here https://doc.pypy.org/en/latest/release-v7.3.2.html

This release does include a 3.7 alpha.

Please try them out, especially on windows (extra points for non-english 
interfaces and install paths) and macos (extra points for machines that run 
without homebrew stuff installed), to make sure you can run your project with 
them.

Any comments are welcome.

What's the vulnerability status of stdlib?

I've tested pypy2.7 and pypy3.6 so far and neither seems to contain the
CVE-2019-20907 fix (it was never backported to py2.7); the patch from [1]
seems to apply cleanly to both.

pypy3.6 seems to be missing bpo-39603, and the patch from [2] doesn't
apply cleanly (does pypy3 contain outdated version or modified?).

CVE-2020-14422 is also unresolved.

Could you please either update stdlib of pypy3.6 or look through CPython
changes and backport the security fixes?  For pypy2.7, please backport
[1] directly since upstream is no longer maintaining that branch.

[1] https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8
[2] https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae


Thanks for looking at this. We ship stdlib 2.7.13, 3.6.9, 3.7.4 with some slight modifications, including backporting some fixes.


I fixed CVE-2019-20907 for pypy2.7, pypy3.6, and CVE-2020-14422 for py3.6, 3.7.

bpo-39603 is part of 3.6.12, 3.7.9 which were shipped 25 days ago, and that 
file has changed significantly since the versions we ship.

Updating the stdlib is a large undertaking, help welcome for py2.7 and py3.7. I don't think it is worth the effort for py3.6.

There are directions in lib-python/stdlib-upgrade.txt.


Matti
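A quick way to verify whether a given interpreter (CPython or a PyPy build such as the rc1 above) actually carries two of the stdlib fixes discussed in this thread is to probe the patched behaviour directly rather than trusting the stdlib version string. The script below is an added example written for this page; it is not code from the thread, from PyPy or from CPython. It only exercises behaviour that is safe to run in-process: the http.client request-method validation added for bpo-39603 (a method containing CR/LF must be rejected, and putrequest() only buffers the request line, so nothing is sent), and the ipaddress interface hash from CVE-2020-14422 (before the fix, every IPv4Interface or IPv6Interface with the same host part and prefix length hashed to the same value regardless of network). The tarfile fix for CVE-2019-20907 is deliberately not probed, because on an unfixed interpreter the failure mode is an infinite loop, which would hang the probe. The sample addresses are constructed values chosen so that the pre-fix hash would collide.

```python
"""Probe the running interpreter for two of the stdlib security fixes
discussed on pypy-dev for the 7.3.2 release.

Added example, not part of the thread. Run it with the interpreter under
test, e.g.:  pypy3 stdlib_fix_probe.py
"""
import http.client
import ipaddress
import sys


def http_method_is_validated():
    """bpo-39603: putrequest() must reject a method containing CR or LF.

    putrequest() only appends the request line to an internal buffer; the
    connection is never opened, so this runs fully offline. A fixed
    http.client raises ValueError before anything is buffered.
    """
    conn = http.client.HTTPConnection("localhost")  # constructed; never connected
    try:
        conn.putrequest("GET\r\nX-Injected: 1", "/")
    except ValueError:
        return True
    return False


def interface_hash_is_fixed():
    """CVE-2020-14422: IPv4Interface/IPv6Interface.__hash__ used to be
    ip ^ prefixlen ^ network_address, so two interfaces with the same host
    part (here .5 / ::5) and prefix length collided whatever the network.
    After the fix the hash covers the full address, prefix and network.
    """
    # Constructed sample pairs: identical host part and prefix length,
    # different networks, so the pre-fix hash is identical for each pair.
    v4_a = ipaddress.ip_interface("10.0.0.5/24")
    v4_b = ipaddress.ip_interface("192.168.1.5/24")
    v6_a = ipaddress.ip_interface("2001:db8::5/64")
    v6_b = ipaddress.ip_interface("2001:db8:1::5/64")
    return hash(v4_a) != hash(v4_b) and hash(v6_a) != hash(v6_b)


def stdlib_fix_report():
    """Map each probed fix to True (present) or False (missing)."""
    return {
        "bpo-39603 (http.client CR/LF in request method)": http_method_is_validated(),
        "CVE-2020-14422 (ipaddress interface hash collisions)": interface_hash_is_fixed(),
    }


if __name__ == "__main__":
    print(sys.version)
    for name, present in stdlib_fix_report().items():
        print(f"{'FIXED  ' if present else 'MISSING'}  {name}")
    # Non-zero exit if any probed fix is absent, so the script can gate a CI job.
    sys.exit(0 if all(stdlib_fix_report().values()) else 1)
```

Run it under each interpreter you ship or test against; a MISSING line points at the stdlib module that still needs the corresponding CPython commit backported, independent of which stdlib version the build reports.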


_______________________________________________
pypy-dev mailing list
pypy-dev@python.org
https://mail.python.org/mailman/listinfo/pypy-dev