I’m looking for help understanding how Python will release fixes related to the 
SHA3 critical security vulnerability (CVE-2022-37454).  I’ve tried to figure 
this out myself, but I’m far from a Python expert and I’m not sure where else I 
should look.

Apologies in advance if this is the wrong place to ask - if it is, a redirect 
to the correct place would be most appreciated.

Here’s what I’ve found so far:

* Python versions 3.6 through 3.10 appear to be affected
   * 3.6 is end of life, so no fix is expected
   * A code fix appears to have been applied to 3.7 through 3.10: 
https://github.com/python/cpython/issues/98517
   * 3.9 and 3.10 by default use OpenSSL 1.1.1+ if it’s available, appearing to 
default to the builtin, vulnerable SHA3 implementation if OpenSSL is not found 
(if there’s an exception)
      * 3.9 introduced this change via bpo-37630 in release 3.9.0 beta1
      * 3.10 appears to have had this functionality since it was originally 
released
* 3.11 uses tiny_sha3 and AFAICT was never affected by the CVE

But what I’m having trouble figuring out is when/how these fixes will become 
generally available and ready for users of Python to download.

* When will patched releases for Python 3.7-3.10 be released?
* If pending releases are not in the release pipeline, what other patching 
opportunities exist?

Ultimately I’m trying to set patching expectations for my company’s engineering 
teams who are still running vulnerable versions of Python.

More notes around what I’ve found, in case it helps clarify my questions:  From 
the Python project GitHub I can see gh-98517 to fix the buffer overflow in 
Python’s internal _sha3 module (CVE-2022-37454) has been committed to the 
Python 3.7 - 3.10 branches.  I understand that for Python releases 3.9 and 3.10 
if one is using the OpenSSL 1.1.1+ sha3 modules instead of the internal _sha3 
module that is already a mitigation.  I also understand that Python 3.11 and 
later has switched to using tiny_sha3, and no longer relies on the vulnerable 
_sha3 module.

Any information you could point me at would be most helpful.  If there is a 
more ideal forum to raise this question, please redirect me there.

Thank you in advance
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/K7IYZUGOOLCGKZOLCZ27RSWZ7OWIP575/
Code of Conduct: http://python.org/psf/codeofconduct/
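A practical check that follows from the question above, added here as an example and not part of the original post or of CPython itself: an inventory script that reports whether a given interpreter's hashlib routes SHA3 to OpenSSL (objects come from the `_hashlib` module) or to the interpreter's bundled implementation (objects come from the `_sha3` module), verifies the selected backend against the FIPS 202 SHA3-256("abc") test vector, and maps the result onto the version/backend summary the post gives. The `classify` categories only restate that summary; the script tells you which implementation is in use, not whether a given build already carries the gh-98517 fix, so a "bundled _sha3 in use" result on 3.7-3.10 still needs to be checked against the patch level of the release.

```python
"""Report which SHA3 implementation this interpreter's hashlib uses and
relate it to the post's summary of CVE-2022-37454 exposure.

Added example; not code from the original post or from CPython."""
import hashlib
import sys

# FIPS 202 known-answer vector for SHA3-256("abc"), used only to confirm
# that the backend hashlib selected actually produces correct digests.
SHA3_256_ABC = "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532"


def sha3_backend():
    """Return the C module that implements hashlib.sha3_256 objects:
    '_hashlib' when hashlib hands SHA3 to OpenSSL, '_sha3' when it uses
    the bundled implementation (XKCP-derived before 3.11, tiny_sha3 after)."""
    return type(hashlib.sha3_256()).__module__


def classify(version, backend):
    """Map (major, minor[, micro]) and a backend module name onto the
    categories stated in the post. This is a restatement of the post, not
    an independent assessment, and it says nothing about patch level."""
    major, minor = version[:2]
    if (major, minor) >= (3, 11):
        return "not affected: 3.11+ uses tiny_sha3"
    if (major, minor) < (3, 7):
        return "affected and end of life: no fix expected"
    if backend == "_hashlib":
        return "mitigated: SHA3 provided by OpenSSL, bundled _sha3 not in use"
    return "affected: bundled _sha3 in use, check for a patched release"


def self_check():
    """True when the active backend reproduces the SHA3-256('abc') vector."""
    return hashlib.sha3_256(b"abc").hexdigest() == SHA3_256_ABC


if __name__ == "__main__":
    ver = sys.version_info[:3]
    backend = sha3_backend()
    print(f"Python {'.'.join(map(str, ver))}, sha3 backend module: {backend}")
    print("digest self-check:", "ok" if self_check() else "FAILED")
    print("status per the post's summary:", classify(ver, backend))
```

Run it under each interpreter in your fleet (for example from a configuration-management job) and collect the last line; hosts reporting "bundled _sha3 in use" on 3.7 through 3.10 are the ones whose upgrade timing depends on the release questions raised in the post.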
