[issue41072] Python 3.8.3 passively introduced open source software contains CVE vulnerability

2020-06-23 Thread Steve Dower


Steve Dower  added the comment:

It depends on your application. Almost all of these are exposed directly, so 
you will be vulnerable if your application uses them in the way described by 
the CVE.

I'm not familiar enough with the vulnerabilities in question to tell you for 
sure, and I doubt any of the other volunteers here are either. 

I do seem to recall that one of the OpenSSL vulnerabilities only applied if you 
were serving a particular TLS version, which won't impact most Python apps. And 
the wininst*.exe files are only used with bdist_wininst packages, which nobody 
should be using anymore.

If you're not able to evaluate them yourself, you might look for a paid company 
or consultant who can help you out. We've already updated the dependencies that 
need to be updated for upcoming releases.

--
resolution:  -> not a bug
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41072] Python 3.8.3 passively introduced open source software contains CVE vulnerability

2020-06-22 Thread SilentGhost


Change by SilentGhost:


--
components: +Windows
nosy: +paul.moore, steve.dower, tim.golden, zach.ware




[issue41072] Python 3.8.3 passively introduced open source software contains CVE vulnerability

2020-06-22 Thread xcl


Change by xcl <1318683...@qq.com>:


--
versions: +Python 3.8




[issue41072] Python 3.8.3 passively introduced open source software contains CVE vulnerability

2020-06-22 Thread xcl

New submission from xcl <1318683...@qq.com>:

Open source software introduced passively in Python 3.8.3:
sqlite3 (documents involved: sqlite3.dll), involving CVE-2020-11656, CVE-2020-11655, CVE-2020-13630, CVE-2020-13871, CVE-2020-9327, CVE-2020-13434, CVE-2020-13435, CVE-2020-13631, CVE-2020-13632
zlib 1.2.3 (documents involved: wininst-7.1.exe, wininst-6.0.exe, wininst-9.0.exe, wininst-8.0.exe, wininst-9.0-amd64.exe), involving CVE-2016-9841, CVE-2016-9843, CVE-2016-9840, CVE-2016-9842
zlib 1.2.5 (documents involved: wininst-14.0.exe, wininst-14.0-amd64.exe), involving CVE-2016-9841, CVE-2016-9843, CVE-2016-9840, CVE-2016-9842
zlib 1.2.8 (documents involved: wininst-10.0.exe, wininst-10.0-amd64.exe), involving CVE-2016-9841, CVE-2016-9843, CVE-2016-9840, CVE-2016-9842
bzip2 1.0.6 (documents involved: _bz2.pyd), involving CVE-2016-9841, CVE-2016-9843, CVE-2016-9840, CVE-2016-9842
openssl 1.1.1d (documents involved: _psycopg.cp38-win_amd64.pyd, _openssl.cp38-win_amd64.pyd), involving CVE-2020-1967, CVE-2019-1551
openssl 1.1.1f (documents involved: libcrypto-1_1.dll, libssl-1_1.dll), involving CVE-2020-1967

Do the above vulnerabilities pose a security risk to products using Python 3.8.3, or is there a fix?

--
resolution: not a bug -> 
status: closed -> open
title: Python -> Python 3.8.3 passively introduced open source software contains CVE vulnerability
type:  -> security

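As an added defender-side check (not code from this thread or from CPython), the script below reads the versions of the bundled libraries that the report lists and the running interpreter actually exposes (sqlite3, zlib, OpenSSL), and compares them against minimum versions the operator supplies; it orders "1.2.8" before "1.2.11" and handles OpenSSL letter suffixes such as "1.1.1f", which plain string comparison gets wrong. The function names are chosen here, the bzip2 and wininst binaries are left out because they expose no runtime version, and the minimums in the `__main__` block are illustrative values to be confirmed against each CVE's advisory.

```python
"""Inventory bundled-library versions in the running Python and flag ones below a minimum."""
import re
import sqlite3
import ssl
import zlib


def parse_version(text: str) -> tuple:
    """Turn '1.2.11' or '1.1.1f' into a comparable tuple; a trailing letter (OpenSSL 1.x
    patch letters) becomes a final numeric component, '' sorts before 'a'."""
    m = re.match(r"^(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    letter = m.group(2)
    parts.append(ord(letter) - ord("a") + 1 if letter else 0)
    return tuple(parts)


def collect_bundled_versions() -> dict:
    """Versions reported by the interpreter itself (the library actually loaded, not the
    compile-time header), for the components named in the bug report."""
    m = re.search(r"(\d+\.\d+\.\d+[a-z]?)", ssl.OPENSSL_VERSION)
    return {
        "sqlite3": sqlite3.sqlite_version,    # SQLite library version, not the module version
        "zlib": zlib.ZLIB_RUNTIME_VERSION,    # zlib loaded at runtime
        "openssl": m.group(1) if m else ssl.OPENSSL_VERSION,
    }


def check_minimums(found: dict, minimums: dict) -> list:
    """Return (name, found_version, minimum) for every component older than its minimum."""
    findings = []
    for name, minimum in minimums.items():
        if name in found and parse_version(found[name]) < parse_version(minimum):
            findings.append((name, found[name], minimum))
    return findings


if __name__ == "__main__":
    # Illustrative minimums (assumed here, not taken from the report): the zlib release
    # that fixed the 2016 CVEs and the OpenSSL release that fixed CVE-2020-1967.
    for name, version, minimum in check_minimums(
        collect_bundled_versions(), {"zlib": "1.2.11", "openssl": "1.1.1g"}
    ):
        print(f"{name} {version} is older than {minimum}")
```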