Hi,

Python 3.6.12 includes a fix for this issue:
https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html

The commit in the 3.6 branch:
https://github.com/python/cpython/commit/46cbf6148a46883110883488d3e9febbe46ba861

Victor

On Thu, Jun 17, 2021 at 10:51 AM Prashanth Reddy <reddy.prashanth...@gmail.com> wrote:
>
> Hi Victor,
>
> https://mail.python.org/archives/list/security-annou...@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/
>
> Short description:
>
> Python Invalid Search Path Vulnerability
>
> CVE-2020-15523 is an invalid search path in Python 3.6 and later on
> Windows. It occurs during Py_Initialize() when the runtime attempts to
> pre-load python3.dll. If Py_SetPath() has been called, the expected
> location is not set, and locations elsewhere on the user's system will
> be searched.
>
> This issue is not triggered when running python.exe. It only applies
> when CPython has been embedded in another application.
>
> Issue: https://bugs.python.org/issue29778
> Patch: https://github.com/python/cpython/pull/21297
>
> The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source
> only), 3.6.12 (source only)
>
> Other than applying the patch, applications may mitigate the
> vulnerability by explicitly calling LoadLibrary() on their copy of
> python3.dll before calling Py_Initialize(). Even with the patch
> applied, applications should include a copy of python3.dll alongside
> their main Python DLL.
>
> Thanks to Eric Gantumur for detecting and reporting the issue to the
> Python Security Response Team.
>
> Questions to security-sig@python.org or secur...@python.org.
>
> Cheers,
> Steve Dower
> Python Security Response Team
>
> On Thu, Jun 17, 2021 at 3:29 AM Victor Stinner <vstin...@python.org> wrote:
> >
> > Hi,
> >
> > https://bugs.python.org/issue374252 is not a valid bug number. Which
> > one do you mean?
> >
> > Victor
> >
> > On Wed, Jun 16, 2021 at 6:10 PM Prashanth Reddy
> > <reddy.prashanth...@gmail.com> wrote:
> > >
> > > Hi Team,
> > >
> > > Can you help us with how to resolve the issue?
> > >
> > > We are using Python version 3.6.5.
> > >
> > > Regards,
> > > Prashanth
> > > _______________________________________________
> > > Security-SIG mailing list -- security-sig@python.org
> > > To unsubscribe send an email to security-sig-le...@python.org
> > > https://mail.python.org/mailman3/lists/security-sig.python.org/
> > > Member address: vstin...@python.org
> >
> > --
> > Night gathers, and now my watch begins. It shall not end until my death.

--
Night gathers, and now my watch begins. It shall not end until my death.
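
The mitigation named in the quoted advisory (explicitly calling LoadLibrary() on the application's own copy of python3.dll before Py_Initialize()), sketched for an embedding host. This is an added example, not code from the thread or from CPython; the `sibling_path` helper and the `python36.zip` layout next to the executable are assumptions.

```c
#ifdef _WIN32
#include <Python.h>
#include <windows.h>
#endif
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Hypothetical helper: put `name` in the directory of `module_path`.
   Returns 0, or -1 if the path has no directory part, `name` is not a
   bare file name, or `out` is too small. */
int sibling_path(const wchar_t *module_path, const wchar_t *name,
                 wchar_t *out, size_t cap)
{
    const wchar_t *bs = wcsrchr(module_path, L'\\');
    const wchar_t *fs = wcsrchr(module_path, L'/');
    const wchar_t *sep = (bs && fs) ? (bs > fs ? bs : fs) : (bs ? bs : fs);
    if (sep == NULL) return -1;                   /* relative: refuse */
    if (wcspbrk(name, L"\\/") != NULL) return -1; /* no path in name */
    size_t dir_len = (size_t)(sep - module_path) + 1;
    size_t name_len = wcslen(name);
    if (dir_len + name_len + 1 > cap) return -1;
    wmemcpy(out, module_path, dir_len);
    wmemcpy(out + dir_len, name, name_len + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
#ifdef _WIN32
    wchar_t exe[MAX_PATH], dll[MAX_PATH], zip[MAX_PATH];
    DWORD n = GetModuleFileNameW(NULL, exe, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) return 1;        /* failed or truncated */
    if (sibling_path(exe, L"python3.dll", dll, MAX_PATH) != 0 ||
        sibling_path(exe, L"python36.zip", zip, MAX_PATH) != 0) return 1;
    /* Absolute path, so no DLL search order is consulted for python3.dll.
       Fail closed if the application's own copy is missing. */
    if (LoadLibraryW(dll) == NULL) return 1;
    Py_SetPath(zip);          /* assumed layout: stdlib zip beside the exe */
    Py_Initialize();          /* pre-load now finds the module already loaded */
    PyRun_SimpleString("import sys; print(sys.version)");
    Py_Finalize();
#else
    puts("Windows-only mitigation; nothing to do on this platform.");
#endif
    return 0;
}
```

Refusing a relative module path and a `name` containing separators keeps the load pinned to the application directory.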