Hi, I fixed all FIXME and "completed" the list: http://python-security.readthedocs.io/en/latest/vulnerabilities.html
IMHO the main missing information is the severity, but sadly I'm not aware of any methodology in Python to choose a severity. Maybe we would use the CVE severity when available? Currently, the worst score is 881 days to fix a vulnerability. Many "unlimited read" vulnerability got a bad score like that. CVE-2013-1752 (smtplib) Issue #16041: poplib: unlimited readline() from connection. Issue #16043:Add a default limit for the amount of data xmlrpclib.gzip_decode will return. Fixed In: 2.7.9 (806 days): 2014-12-10, commit faad6bb (2014-12-06, 802 days) 3.2.6 (746 days): 2014-10-11, commit eaca861 (2014-09-30, 735 days) 3.4.3 (881 days): 2015-02-23, commit eaca861 (2014-09-30, 735 days) Victor _______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
