On 9/10/20 1:45 PM, Michał Górny wrote:
> So far I and the Fedora maintainer were able to independently backport
> one vulnerability that clearly applied (the tarfile one) but we weren't
> able to get a clear match of any other Python 3.x fixes to 2.7 codebase.
> Well, until today when thanks to you I've noticed that http.request
> code has a vulnerable match in httplib.
> But this all is lots of work, and I'm really supposed to be doing
> something else right now. I'm trying my best but I'm not sure if I can
> manage to fix several months of negligence in two days.

Thanks for all you are doing. The release deadline is only a motivator
for now since we could do another much smaller release next month if needed.
I want to move toward python3.7 as soon as possible since the scientific
python stack's stated python version policy means 3.6 will no longer be
expressly supported especially after 3.9 comes out.
Matti
_______________________________________________
pypy-dev mailing list
pypy-dev@python.org
https://mail.python.org/mailman/listinfo/pypy-dev