Hi,

I maintain a list of CPython vulnerabilities. It's a long YAML file
which is used to compute multiple pieces of information:

* which Python versions are vulnerable
* build a timeline to understand when the vulnerability was
discovered, when it was made public, and when it was fixed

I care about public Python releases, but my tool renders when a change is
merged into a branch.

I also added some notes about security, but they are not well organized.

One day, Ernest asked me if I would like to move my website to python.org.

Today, I saw that my website is referenced from a very official Red
Hat vulnerability report:
https://access.redhat.com/security/cve/cve-2019-5010

One of my main issues is getting a unique identifier for each
vulnerability. Some vulnerabilities have no issue associated. Some
have a CVE, some others don't. Maybe we need a Python registry which
would be reset each new year, like PYTHON-2009-001?

Right now, the "identifier" is the URL, like "ssl-crl-dps-dos" for
"CVE-2019-5010" also known as "TALOS-2018-0758":
https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html

I have no strict rule to decide which bugs are qualified as
vulnerabilities and should be tracked by this website. For example,
pickle.load() denial-of-service has been qualified as a regular "bug"
by Serhiy Storchaka, but the bug got a CVE:
https://python-security.readthedocs.io/vuln/pickle-load-dos.html

I decided to mention it because of the CVE. Even if pickle is known to
be insecure... well... people use it, and I would prefer to fix known
DoS :-)

If someone would like to move python-security to python.org, I would suggest to:

* Decide how to assign unique identifiers
* Decide if we move the whole website or only the vulnerabilities

So, what do you think?

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Security-SIG mailing list -- security-sig@python.org
To unsubscribe send an email to security-sig-le...@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/
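As an added example (this is not Victor's tool and not code from python-security), here is a sketch of the three computations the mail describes: which public releases ship a bug given the first fixed release per branch, a timeline of report / fix / disclosure dates, and a per-year counter minting identifiers of the PYTHON-YYYY-NNN form floated above when no CVE exists. The record, its field names, the release list and every date are constructed for illustration and are not the real schema or data of the YAML file.

```python
from datetime import date

# Constructed record mirroring the kind of per-vulnerability entry the mail
# describes. Field names are assumptions, not the real python-security schema;
# the slug, versions and dates are made up.
RECORD = {
    "slug": "example-parser-dos",
    "cve": None,                                # some entries have no CVE
    "affected_branches": ["2.7", "3.6", "3.7"],
    "fixed_in": ["2.7.16", "3.6.8", "3.7.2"],   # first fixed release per branch
    "dates": {
        "reported": date(2018, 11, 1),
        "fixed": date(2018, 12, 10),            # fix merged into the branch
        "disclosed": date(2019, 1, 15),         # made public
    },
}

# Constructed list of public releases (what users actually install).
RELEASES = [
    "2.7.14", "2.7.15", "2.7.16", "2.7.17",
    "3.5.6", "3.5.7",
    "3.6.6", "3.6.7", "3.6.8", "3.6.9",
    "3.7.0", "3.7.1", "3.7.2", "3.7.3",
]


def parse_version(v):
    """'3.7.2' -> (3, 7, 2): compare numerically, never as strings."""
    return tuple(int(part) for part in v.split("."))


def branch_of(v):
    """'3.7.2' -> '3.7' (the maintenance branch the release came from)."""
    return ".".join(v.split(".")[:2])


def vulnerable_releases(record, releases):
    """Releases that ship the bug: on a branch with a fix, every release
    older than the fixing one; on an affected branch without a fix, all."""
    fixed_in = {branch_of(v): parse_version(v) for v in record["fixed_in"]}
    out = []
    for rel in releases:
        branch = branch_of(rel)
        if branch not in record["affected_branches"]:
            continue
        fix = fixed_in.get(branch)
        if fix is None or parse_version(rel) < fix:
            out.append(rel)
    return out


def timeline(record):
    """Chronological (event, ISO date, days since report) triples."""
    reported = record["dates"]["reported"]
    events = sorted(record["dates"].items(), key=lambda kv: kv[1])
    return [(name, d.isoformat(), (d - reported).days) for name, d in events]


class Registry:
    """Per-year counter for PYTHON-YYYY-NNN identifiers; resets each year."""

    def __init__(self):
        self._next = {}

    def allocate(self, year):
        n = self._next.get(year, 1)
        self._next[year] = n + 1
        return f"PYTHON-{year}-{n:03d}"


def identifier(record, registry):
    """Prefer the CVE when one exists; otherwise mint a registry id for the
    disclosure year (assumption: the year of public disclosure is used)."""
    return record["cve"] or registry.allocate(record["dates"]["disclosed"].year)


if __name__ == "__main__":
    reg = Registry()
    print(identifier(RECORD, reg))
    print(vulnerable_releases(RECORD, RELEASES))
    for name, day, delta in timeline(RECORD):
        print(f"{day}  {name:<10} (+{delta} days since report)")
```

Note that `vulnerable_releases` keys the fix on the first public release, not on the merge date of the commit, which is exactly the distinction between "what the tool renders" and "what users care about" raised in the mail; a branch listed as affected but with no entry in `fixed_in` is reported as vulnerable in full.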