Re: Canonical list of Python security vulnerabilities

2023-07-15 Thread Bob Kline via Python-list
On Sat, Jul 15, 2023 at 1:02 PM Dieter Maurer wrote: > > I am active in the `Zope` community (a web application server > based on Python). This community has a security mailing list > for security related reports > and issues public CVE (= "Common Vulnerabilities and Exposu

Re: Canonical list of Python security vulnerabilities

2023-07-15 Thread Dieter Maurer via Python-list
Bob Kline wrote at 2023-7-14 13:35 -0400: >Can someone point me to the official catalog of security vulnerabilities in >Python (by which I mean cpython and the standard libraries)? I found >https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Py

Re: Canonical list of Python security vulnerabilities

2023-07-14 Thread Bob Kline via Python-list
On Fri, Jul 14, 2023 at 3:02 PM Barry wrote: > Where do you get your python from? Directly from python.org. > You may find that the organisation that packages python that you use has such > a list. That's my hope. Just haven't found it yet. :-} --

Re: Canonical list of Python security vulnerabilities

2023-07-14 Thread Barry via Python-list
> On 14 Jul 2023, at 19:14, Bob Kline via Python-list > wrote: > > Can someone point me to the official catalog of security vulnerabilities in > Python (by which I mean cpython and the standard libraries)? I found > https://www.cvedetails.com/vulnerability-list/vendor_i

Re: Canonical list of Python security vulnerabilities

2023-07-14 Thread Bob Kline via Python-list
On Fri, Jul 14, 2023 at 1:35 PM Bob Kline wrote: > Can someone point me to the official catalog of security vulnerabilities > in Python I did try entering "python security vulnerabilities" in the search box of the python.org web site, but what I got back was "No resu

Canonical list of Python security vulnerabilities

2023-07-14 Thread Bob Kline via Python-list
Can someone point me to the official catalog of security vulnerabilities in Python (by which I mean cpython and the standard libraries)? I found https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html but that isn't maintained by python.org. I also found

[Python-announce] [RELEASE] Python versions 3.10.7, 3.9.14, 3.8.14, 3.7.14 now available with security content

2022-09-07 Thread Łukasz Langa
We have some security content, and plenty of regular bug fixes for 3.10. Let’s dive right in. <https://discuss.python.org/#cve-2020-10735httpscvemitreorgcgi-bincvenamecginamecve-2020-10735-1>CVE-2020-10735 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735> Converting

[RELEASE] Python versions 3.10.7, 3.9.14, 3.8.14, 3.7.14 now available with security content

2022-09-07 Thread Łukasz Langa
We have some security content, and plenty of regular bug fixes for 3.10. Let’s dive right in. <https://discuss.python.org/#cve-2020-10735httpscvemitreorgcgi-bincvenamecginamecve-2020-10735-1>CVE-2020-10735 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735> Converting

[issue533625] rexec: potential security hole

2022-04-10 Thread admin
Change by admin : -- github: None -> 36312 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue500401] Security fix: webbrowser.py

2022-04-10 Thread admin
Change by admin : -- github: None -> 35876 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue471893] Security review of pickle/marshal docs

2022-04-10 Thread admin
Change by admin : -- github: None -> 35339 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[Python-announce] [RELEASE] Python 3.10.3, 3.9.11, 3.8.13, and 3.7.13 are now available with security content

2022-03-16 Thread Łukasz Langa
Welcome again to the exciting world of releasing new Python versions! Last time around I was complaining about cursed releases <https://discuss.python.org/t/python-3-10-2-3-9-10-and-3-11-0a4-are-now-available/13146>. This time around I could complain about security content galore and h

[RELEASE] Python 3.10.3, 3.9.11, 3.8.13, and 3.7.13 are now available with security content

2022-03-16 Thread Łukasz Langa
Welcome again to the exciting world of releasing new Python versions! Last time around I was complaining about cursed releases <https://discuss.python.org/t/python-3-10-2-3-9-10-and-3-11-0a4-are-now-available/13146>. This time around I could complain about security content galore and h

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-03-05 Thread mattip
mattip added the comment: > [T]he test has been removed in CPython pull request > https://github.com/python/cpython/pull/31453/files Thanks, I missed that. Makes sense. -- ___ Python tracker

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-03-04 Thread sping
sping added the comment: Hi mattip, at the core the problem is not the use of non-URI character "}" for a namespace separator but the use of non-URI character "}" in a namespace URI. test_issue3151 is mistaken (meaning that non-URI characters in URIs are malformed XML) and the test has

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-03-04 Thread mattip
mattip added the comment: On PyPy, the test `test_issue3151` in `test_xml_etree.py` is failing with libexpat 2.4.6. I think the problem is connected to instantiation of the `XMLParser()` with `parser = expat.ParserCreate(encoding, "}")` where `"}"` is not a valid URI character. In any case,

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-03-02 Thread Dong-hee Na
Change by Dong-hee Na : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker ___ ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-03-02 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset eb6c840a2414dc057ffcfbb5ad68d6253c8dd57c by Miss Islington (bot) in branch '3.8': bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) (GH-31520) https://github.com/python/cpython/commit/eb6c840a2414dc057ffcfbb5ad68d6253c8dd57c

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-23 Thread Ned Deily
Ned Deily added the comment: New changeset 15d7594d9974cfef10e65cbb01161168c42abe9d by Miss Islington (bot) in branch '3.7': bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) (GH-31521) https://github.com/python/cpython/commit/15d7594d9974cfef10e65cbb01161168c42abe9d --

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread miss-islington
miss-islington added the comment: New changeset 87cebb1e69758aa8b79f8e15187b976d62cba36a by Miss Islington (bot) in branch '3.9': bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) https://github.com/python/cpython/commit/87cebb1e69758aa8b79f8e15187b976d62cba36a --

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread miss-islington
miss-islington added the comment: New changeset 4955a9ed14c681ed835bc8902a9db0bcc728bdee by Miss Islington (bot) in branch '3.10': bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) https://github.com/python/cpython/commit/4955a9ed14c681ed835bc8902a9db0bcc728bdee --

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread miss-islington
Change by miss-islington : -- pull_requests: +29647 pull_request: https://github.com/python/cpython/pull/31520 ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread Dong-hee Na
Dong-hee Na added the comment: New changeset 1935e1cc284942bec8006287c939e295e1a7bf13 by Dong-hee Na in branch 'main': bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) https://github.com/python/cpython/commit/1935e1cc284942bec8006287c939e295e1a7bf13 --

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread miss-islington
Change by miss-islington : -- pull_requests: +29648 pull_request: https://github.com/python/cpython/pull/31521 ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread miss-islington
Change by miss-islington : -- pull_requests: +29646 pull_request: https://github.com/python/cpython/pull/31519 ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-22 Thread miss-islington
Change by miss-islington : -- nosy: +miss-islington nosy_count: 3.0 -> 4.0 pull_requests: +29645 pull_request: https://github.com/python/cpython/pull/31518 ___ Python tracker

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-21 Thread Dong-hee Na
Change by Dong-hee Na : -- pull_requests: +29615, 29616 pull_request: https://github.com/python/cpython/pull/31487 ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-21 Thread Dong-hee Na
Change by Dong-hee Na : -- pull_requests: +29615 pull_request: https://github.com/python/cpython/pull/31487 ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-21 Thread Dong-hee Na
Change by Dong-hee Na : -- pull_requests: -29614 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-21 Thread Dong-hee Na
Change by Dong-hee Na : -- keywords: +patch pull_requests: +29614 stage: -> patch review pull_request: https://github.com/python/cpython/pull/31486 ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-21 Thread Dong-hee Na
Change by Dong-hee Na : -- assignee: -> corona10 nosy: +corona10 ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-21 Thread Ned Deily
Ned Deily added the comment: New changeset 5fdacac8cecb123ae12669ceb3504b2f41075c20 by Dong-hee Na in branch '3.7': bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31298) https://github.com/python/cpython/commit/5fdacac8cecb123ae12669ceb3504b2f41075c20 --

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-21 Thread Ned Deily
Change by Ned Deily : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker ___ ___

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-21 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset c60414de7cefd092643ba200c2c045da1569c391 by Dong-hee Na in branch '3.8': bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31297) https://github.com/python/cpython/commit/c60414de7cefd092643ba200c2c045da1569c391 -- nosy:

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-20 Thread sping
sping added the comment: I have created a dedicated ticket bpo-46811 now, test suite pull request upcoming. -- ___ Python tracker ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-20 Thread sping
sping added the comment: I'm busy with the release upstream at the moment. I'll see what I can do. -- ___ Python tracker ___ ___

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-20 Thread Michał Górny
Michał Górny added the comment: Could you make a PR to fix the test failures? I suppose that could speed things up and if not, I'd at least have something to pull into Gentoo. -- ___ Python tracker

[issue46794] Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

2022-02-20 Thread sping
_MM)(encoding, , "}"); …in file Modules/_elementtree.c (which is okay but part of the test fail). Best Sebastian -- title: Please update bundled libexpat to 2.4.5 with security fixes (5 CVEs) -> Please update bundled libexpat to 2.4.6 with security fixes (5 CVEs)

[issue46794] Please update bundled libexpat to 2.4.5 with security fixes (5 CVEs)

2022-02-20 Thread Michał Górny
Michał Górny added the comment: BTW there are test regressions with expat 2.4.5, apparently due to some test snippets now being rejected as invalid XML: == ERROR: test_issue3151 (test.test_xml_etree.BugsTest)

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-19 Thread sping
sping added the comment: Overlooked your reference, so you already know, my bad, nevermind. -- ___ Python tracker ___ ___

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-19 Thread sping
sping added the comment: Yes, I have already created bpo-46794 for 2.4.5. -- ___ Python tracker ___ ___ Python-bugs-list mailing

[issue46200] Discourage logging f-strings due to security considerations

2022-02-19 Thread Arie Bovenberg
Arie Bovenberg added the comment: Thanks @gregory.p.smith! I didn't know about discuss.python.org. I created a new topic there: https://discuss.python.org/t/safer-logging-methods-for-f-strings-and-new-style-formatting/13802 -- ___ Python tracker

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-18 Thread Ned Deily
Ned Deily added the comment: expat 2.4.5 was released today (Issue46794). -- nosy: +ned.deily ___ Python tracker ___ ___

[issue46200] Discourage logging f-strings due to security considerations

2022-02-18 Thread Gregory P. Smith
Gregory P. Smith added the comment: A new system of logging APIs has been on several of our (core dev and otherwise) minds ever since f-strings were introduced. For this specific issue, agreed that documentation is key. The old logging APIs cannot change. And practically preventing

[issue46794] Please update bundled libexpat to 2.4.5 with security fixes (5 CVEs)

2022-02-18 Thread sping
with security fixes (5 CVEs) type: security versions: Python 3.10, Python 3.11, Python 3.7, Python 3.8, Python 3.9 ___ Python tracker <https://bugs.python.org/issue46

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-17 Thread Dong-hee Na
Dong-hee Na added the comment: New changeset e7828904f39588dad438c5d341a31e72e9cb1775 by Miss Islington (bot) in branch '3.9': bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31295) https://github.com/python/cpython/commit/e7828904f39588dad438c5d341a31e72e9cb1775 --

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-17 Thread Dong-hee Na
Dong-hee Na added the comment: New changeset cb7551d5663f35c6993f3c6d8e361bc73f1c43d4 by Dong-hee Na in branch '3.10': bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31296) https://github.com/python/cpython/commit/cb7551d5663f35c6993f3c6d8e361bc73f1c43d4 --

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread Dong-hee Na
Change by Dong-hee Na : -- pull_requests: +29457 pull_request: https://github.com/python/cpython/pull/31298 ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread Dong-hee Na
Change by Dong-hee Na : -- pull_requests: +29456 pull_request: https://github.com/python/cpython/pull/31297 ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread Dong-hee Na
Change by Dong-hee Na : -- nosy: +corona10 nosy_count: 4.0 -> 5.0 pull_requests: +29455 pull_request: https://github.com/python/cpython/pull/31296 ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread Dong-hee Na
Change by Dong-hee Na : -- nosy: -corona10 versions: +Python 3.7, Python 3.8 ___ Python tracker ___ ___ Python-bugs-list mailing

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread Dong-hee Na
Dong-hee Na added the comment: New changeset 8aaaf7e182e22026c3487a3b86d4d7d4f0f5f778 by Cyril Jouve in branch 'main': bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) https://github.com/python/cpython/commit/8aaaf7e182e22026c3487a3b86d4d7d4f0f5f778 -- nosy: +corona10

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread miss-islington
Change by miss-islington : -- nosy: +miss-islington nosy_count: 3.0 -> 4.0 pull_requests: +29454 pull_request: https://github.com/python/cpython/pull/31295 ___ Python tracker

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread sping
sping added the comment: Just to understand, why has Python 3.7 and 3.8 been dropped? Neither seems to be end-of-life but affected. Thank you! -- ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-12 Thread Dong-hee Na
Change by Dong-hee Na : -- versions: -Python 3.7, Python 3.8 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960)

2022-02-10 Thread STINNER Victor
Change by STINNER Victor : -- title: Please update bundled libexpat to 2.4.4 with security fixes -> Please update bundled libexpat to 2.4.4 with security fixes (CVE-2021-45960) ___ Python tracker <https://bugs.python.org/issu

[issue43882] [security] CVE-2022-0391: urllib.parse should sanitize urls containing ASCII newline and tabs.

2022-02-09 Thread Mariusz Felisiak
Change by Mariusz Felisiak : -- nosy: +felixxm ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue43882] [security] CVE-2022-0391: urllib.parse should sanitize urls containing ASCII newline and tabs.

2022-02-08 Thread STINNER Victor
STINNER Victor added the comment: > Looks like that CVE isn't public yet. > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0391 > Any chance I can get access (I originally reported this vuln.). Message from Gaurav Kamathe who requested the CVE: "We've sent a request to MITRE to get

[issue43882] [security] CVE-2022-0391: urllib.parse should sanitize urls containing ASCII newline and tabs.

2022-02-06 Thread Mike Lissner
Mike Lissner added the comment: Looks like that CVE isn't public yet. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0391 Any chance I can get access (I originally reported this vuln.). My email is m...@free.law, if it's possible and my email is needed. Thanks! --

[issue43882] [security] CVE-2022-0391: urllib.parse should sanitize urls containing ASCII newline and tabs.

2022-02-06 Thread STINNER Victor
STINNER Victor added the comment: CVE-2022-0391 has been assigned to this vulnerability. -- nosy: +vstinner title: [security] urllib.parse should sanitize urls containing ASCII newline and tabs. -> [security] CVE-2022-0391: urllib.parse should sanitize urls containing ASCII newl

[issue46200] Discourage logging f-strings due to security considerations

2022-02-04 Thread Tin Tvrtković
Tin Tvrtković added the comment: I mean, I agree with your point about being able to accidentally format twice when using the standard library logger. I'm not a core dev but I think getting new APIs in will be challenging. And if by some fluke of chance you did get the approval to introduce

[issue46200] Discourage logging f-strings due to security considerations

2022-02-04 Thread Erlend E. Aasland
Change by Erlend E. Aasland : -- nosy: -erlendaasland ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46200] Discourage logging f-strings due to security considerations

2022-02-03 Thread Arie Bovenberg
Arie Bovenberg added the comment: @rhettinger @tinchester I definitely see now that f-strings should have a place in logging. But do you agree that f-strings don't mix 100% safely with the current logger API? What are your thoughts on a safer set of logger functions (see my comments above,

[issue46200] Discourage logging f-strings due to security considerations

2022-02-03 Thread Raymond Hettinger
Raymond Hettinger added the comment: In a favor of deferred substitution, the cookbook should have a recipe where substituted messages are logged to a file and the unsubstituted message stored in SQLite3 database with the parameters stored as JSON. This gives both human readable output

[issue46200] Discourage logging f-strings due to security considerations

2022-02-03 Thread Raymond Hettinger
Raymond Hettinger added the comment: > Eric is absolutely right, due to function calls being > somewhat slow in Python the performance argument in > practice falls in favor of f-strings. Also f-strings can evaluate expressions in the template which is also a big win: f('Pending

[issue46200] Discourage logging f-strings due to security considerations

2022-02-02 Thread Tin Tvrtković
Tin Tvrtković added the comment: Eric is absolutely right, due to function calls being somewhat slow in Python the performance argument in practice falls in favor of f-strings. So if they're faster, more readable, and more convenient to write, no wonder people prefer them (including me).

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes

2022-01-30 Thread Roundup Robot
Change by Roundup Robot : -- keywords: +patch nosy: +python-dev nosy_count: 2.0 -> 3.0 pull_requests: +29203 stage: -> patch review pull_request: https://github.com/python/cpython/pull/31022 ___ Python tracker

[issue46400] Please update bundled libexpat to 2.4.4 with security fixes

2022-01-29 Thread sping
sping added the comment: 2.4.4 with more security fixes has been released, adjusting the ticket to be about updating to 2.4.4 now. -- title: Please update bundled libexpat to 2.4.3 with security fixes -> Please update bundled libexpat to 2.4.4 with security fi

[issue46400] Please update bundled libexpat to 2.4.3 with security fixes

2022-01-20 Thread Ned Deily
Change by Ned Deily : -- nosy: -ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.3 with security fixes

2022-01-20 Thread Ned Deily
Ned Deily added the comment: The bundled expat is potentially used by all Python builds, not just Windows or Mac builds. -- ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.3 with security fixes

2022-01-20 Thread Kumar Aditya
Change by Kumar Aditya : -- nosy: +ned.deily, paul.moore, ronaldoussoren, steve.dower, tim.golden, zach.ware ___ Python tracker ___

[issue46400] Please update bundled libexpat to 2.4.3 with security fixes

2022-01-20 Thread thomgree
Change by thomgree : -- nosy: +thomgree ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46400] Please update bundled libexpat to 2.4.3 with security fixes

2022-01-16 Thread sping
Change by sping : -- title: Please updated bundled libexpat to 2.4.3 with security fixes -> Please update bundled libexpat to 2.4.3 with security fixes ___ Python tracker <https://bugs.python.org/issu

[issue46400] Please updated bundled libexpat to 2.4.3 with security fixes

2022-01-16 Thread sping
New submission from sping : Expat 2.4.3 released, includes security fixes https://blog.hartwork.org/posts/expat-2-4-3-released/ Thank you! PS: This is similar to bpo-44394 except now it's 2.4.3. -- components: XML messages: 410700 nosy: sping priority: normal severity: normal status

[issue46200] Discourage logging f-strings due to security considerations

2022-01-02 Thread Arie Bovenberg
Arie Bovenberg added the comment: Indeed the `__format__` style offers a lot more options (see https://pyformat.info/). Regarding performance you make an interesting point. One possible solution is to allow f-strings _only_ if there are no args/kwargs. In that one case formatting would

[issue46200] Discourage logging f-strings due to security considerations

2022-01-02 Thread Eric V. Smith
Eric V. Smith added the comment: I think there's definitely room for improvement here, and at face value I like the debugf() functions. __format__ style formatting solves a big problem for me: being able to provide format strings for timestamps. One thing: I'd be careful about saying that

[issue46200] Discourage logging f-strings due to security considerations

2022-01-02 Thread Erlend E. Aasland
Change by Erlend E. Aasland : -- nosy: +erlendaasland ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46200] Discourage logging f-strings due to security considerations

2022-01-02 Thread Arie Bovenberg
Arie Bovenberg added the comment: I've done some more digging, and have read the related issue bpo-30995. There are IMHO two challenges that are worth tackling: 1. A great number[1] of developers do their own string formatting. This is sub-optimal for performance and - in rare cases -

[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2022-01-01 Thread Guido van Rossum
Change by Guido van Rossum : -- nosy: -gvanrossum ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue44394] [security] CVE-2013-0340 "Billion Laughs" fixed in Expat >=2.4.0: Update vendored copy to expat 2.4.1

2022-01-01 Thread Stefan Behnel
, in this ticket here, the libexpat version was updated all the way back to Py3.6, to solve a security issue. Should we also backport the error constants then? -- nosy: +scoder ___ Python tracker <https://bugs.python.org/issue44

[issue46200] Discourage logging f-strings due to security considerations

2021-12-31 Thread Arie Bovenberg
Arie Bovenberg added the comment: Absolutely agree! In practice I find some people are not swayed by this argument -- and prefer the readability of f-strings. My expectation is that a clear recommendation in the official docs will convince more people. Especially if there are security

[issue46200] Discourage logging f-strings due to security considerations

2021-12-31 Thread Vinay Sajip
Vinay Sajip added the comment: Another (minor) point against using f-strings or .format is that formatting prematurely might be doing unnecessary work - by default, logging formats messages lazily, waiting until a message actually needs to be output. This could perhaps be more prominently

[issue46200] Discourage logging f-strings due to security considerations

2021-12-30 Thread Eric V. Smith
Change by Eric V. Smith : -- nosy: +eric.smith ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46200] Discourage logging f-strings due to security considerations

2021-12-29 Thread Serhiy Storchaka
Change by Serhiy Storchaka : -- nosy: +vinay.sajip ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue46200] Discourage logging f-strings due to security considerations

2021-12-29 Thread Arie Bovenberg
with security risks which should explicitly be mentioned in the logging documentation. The following example illustrates the problem: logger.info('look: %s', untrusted_string)  # OK logger.info('look: %(foo)s', {'foo': untrusted_string})  # OK logger.info(f'look

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-14 Thread Gregory P. Smith
Gregory P. Smith added the comment: While the discussion is interesting for some who are trying to work around security policy mechanisms, we can't control what policies people enforce upon themselves that make their machines useless for software development. Marking as not a bug

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-14 Thread wolfgang kuehn
wolfgang kuehn added the comment: I can confirm that setting __PYVENV_LAUNCHER__ to ANY path with prefix ./venv/Scripts/ does indeed mark the python session as being a virtual environment, no special permissions needed. However, you will have no tooling support whatsoever (e.g. PyCharms

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-13 Thread Steve Dower
Steve Dower added the comment: Also, if you see people discussing PEP 582, you might want to throw in a vote of support. It is intended to provide the benefits of a venv without needing to do tricks like we do for the current design, but it keeps being rejected for "not being sufficiently

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-13 Thread Steve Dower
Steve Dower added the comment: If you execute "python -m venv --without-pip ..." to create, then as a workaround you can set the __PYVENV_LAUNCHER__ environment variable to the full path to the venv's python.exe and run the normal python3.10.exe. As Eryk mentioned, you'll need to run

[issue20949] Missing platform security integrations

2021-12-13 Thread Ammar Askar
Ammar Askar added the comment: Hi Jeffrey, your second solution where you omit `-pie` is almost there. Instead of modifying the Makefile you can pass `-pie` in `LINKFORSHARED`: export CFLAGS="-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2" export CXXFLAGS="-fPIC -fstack-protector-all

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-13 Thread wolfgang kuehn
wolfgang kuehn added the comment: Currently we have a glitch in our internal access rights system. This resulted in me losing my Admin-privileges. I can only install python from the app-store, which is ok. But without venv support I am stuck for the time being. --

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-13 Thread Eryk Sun
Eryk Sun added the comment: > symlinks do not work for me Sorry, I forgot that you're using the store app. The store app has to use the copied venv launchers. When a store app is run from the command line, the system executes an appexec link from "%LocalAppData%\Microsoft\WindowsApps".

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-13 Thread wolfgang kuehn
wolfgang kuehn added the comment: symlinks do not work for me, this may be another bug (should I create a new issue?): python -m venv --without-pip --symlinks venv Unable to symlink

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-12 Thread Eryk Sun
be able to use EXE script wrappers in an active environment due to the security restrictions in place on your system. You'll need to use `python -m ` alternative commands, such as `python -m pip` instead of `pip`. -- components: -Windows nosy: +eryksun

[issue46056] Cannot use virtual environment on Windows 10 in corporate security settings

2021-12-12 Thread Eric V. Smith
Change by Eric V. Smith : -- components: +Windows nosy: +paul.moore, steve.dower, tim.golden, zach.ware title: Cannot use virtual environment on Windows 10 in cooperate security settings -> Cannot use virtual environment on Windows 10 in corporate security setti

[issue46056] Cannot use virtual environment on Windows 10 in cooperate security settings

2021-12-12 Thread wolfgang kuehn
Change by wolfgang kuehn : -- title: Cannot use virtual environment on Windows 10 in cooperate security settingss -> Cannot use virtual environment on Windows 10 in cooperate security settings type: -> behavior ___ Python tracker

[issue46056] Cannot use virtual environment on Windows 10 in cooperate security settingss

2021-12-12 Thread wolfgang kuehn
-kuehn priority: normal severity: normal status: open title: Cannot use virtual environment on Windows 10 in cooperate security settingss versions: Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9 ___ Python tracker <https://bugs.python.org/i

[issue21557] [doc] os.popen & os.system lack shell-related security warnings

2021-11-27 Thread Irit Katriel
Change by Irit Katriel : -- title: os.popen & os.system lack shell-related security warnings -> [doc] os.popen & os.system lack shell-related security warnings versions: +Python 3.10, Python 3.11, Python 3.9 -Python 2.7, Python 3.5 ___

[issue13703] Hash collision security issue

2021-11-08 Thread STINNER Victor
Change by STINNER Victor : -- nosy: -vstinner ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue13703] Hash collision security issue

2021-11-04 Thread Terry J. Reedy
Terry J. Reedy added the comment: Because today's spammer, whose message was removed, deleted us all. Restoring the version to 3.3 is not possible. -- ___ Python tracker
