Hi,

I fixed all FIXME and "completed" the list:
http://python-security.readthedocs.io/en/latest/vulnerabilities.html

IMHO the main missing information is the severity, but sadly I'm not
aware of any methodology in Python to choose a severity. Maybe we
would use the CVE severity when available?

Currently, the worst score is 881 days to fix a vulnerability. Many
"unlimited read" vulnerabilities got a bad score like that.

CVE-2013-1752 (smtplib)
Issue #16041: poplib: unlimited readline() from connection.
Issue #16043: Add a default limit for the amount of data
xmlrpclib.gzip_decode will return.

Fixed In:

2.7.9 (806 days): 2014-12-10, commit faad6bb (2014-12-06, 802 days)
3.2.6 (746 days): 2014-10-11, commit eaca861 (2014-09-30, 735 days)
3.4.3 (881 days): 2015-02-23, commit eaca861 (2014-09-30, 735 days)

Victor
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
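The "unlimited readline()" class of bug mentioned in the message above, shown side by side with the bounded read that closes it. This is an added illustration, not code from the email or from CPython's poplib/smtplib; it only mirrors the shape of their fix (a `_MAXLINE` cap and `readline(_MAXLINE + 1)` followed by a length check). The `MAX_LINE` value, the `LineTooLong` exception, the function names and the in-memory "connection" are all assumptions made for the example.

```python
import io

# Upper bound on one protocol line, in bytes. The value is an assumption
# chosen for this example; CPython's poplib/smtplib fix used a module
# constant named _MAXLINE for the same purpose.
MAX_LINE = 2048


class LineTooLong(Exception):
    """Raised when the peer sends a line longer than MAX_LINE bytes."""


def read_line_unbounded(f):
    # Vulnerable pattern: readline() with no size argument keeps buffering
    # until the peer sends b"\n" or closes the connection, so a malicious
    # server decides how much memory the client allocates.
    return f.readline()


def read_line_bounded(f, maxline=MAX_LINE):
    # Hardened pattern: request at most maxline + 1 bytes. If more than
    # maxline bytes came back, no newline arrived within the limit, so the
    # line is rejected instead of the buffer growing any further.
    line = f.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("line too long (> %d bytes)" % maxline)
    return line


def make_connection(payload):
    # Constructed stand-in for socket.makefile('rb'): the bytes a remote
    # server would send, served from memory so the example runs offline.
    return io.BytesIO(payload)


def hostile_payload(multiplier=10):
    # A server greeting that never terminates the line (constructed input).
    return b"+OK " + b"A" * (multiplier * MAX_LINE)


def demo():
    results = {}

    # A well-behaved server: both readers return the same line.
    results["normal"] = read_line_bounded(make_connection(b"+OK POP3 ready\r\n"))

    # Unbounded read swallows the whole hostile payload in one call.
    results["unbounded_len"] = len(read_line_unbounded(make_connection(hostile_payload())))

    # Bounded read stops after MAX_LINE + 1 bytes and refuses the line.
    try:
        read_line_bounded(make_connection(hostile_payload()))
        results["bounded"] = "accepted"
    except LineTooLong:
        results["bounded"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the check is on the length of what `readline()` returned, not on whether it ends in a newline: a line of exactly `MAX_LINE` bytes including its terminator is accepted, one byte more is rejected, and a short final line without a terminator (peer closed the connection) still passes through unchanged.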
