➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2021-07-02 10:46 by s.s.mahato, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 27239 | closed | corona10, 2021-07-19 15:47 | |
| PR 27241 | closed | corona10, 2021-07-19 16:01 | |
| PR 31731 | merged | steve.dower, 2022-03-07 17:48 | |
| PR 31732 | merged | steve.dower, 2022-03-07 18:33 | |
| PR 31733 | merged | steve.dower, 2022-03-07 19:19 | |
| PR 31734 | merged | steve.dower, 2022-03-07 19:19 | |
| PR 31735 | merged | steve.dower, 2022-03-07 19:19 | |
| Messages (14) | |||
|---|---|---|---|
| msg396853 - (view) | Author: siddhartha shankar mahato (s.s.mahato) | Date: 2021-07-02 10:46 | |
Python (3.9.5 and 3.9.6 are using Bzip2 1.0.6 which has a known critical vulnerability. CVE-2019-12900 (BDSA-2019-1844) 9.8 Critical NVD CVE-2016-3189 (BDSA-2019-2036). Please upgrade the same to a stable version. |
|||
| msg396966 - (view) | Author: Ma Lin (malin) * | Date: 2021-07-05 04:08 | |
If you update python/cpython-source-deps, I can submit a simple PR to python/cpython. I want to submit a PR to python/cpython-source-deps, but I think it’s better for a credible person to do this. |
|||
| msg397752 - (view) | Author: Dong-hee Na (corona10) *  |
Date: 2021-07-18 14:06 | |
I request the dependency update to use bzip2 1.0.8 which is the stable version. https://github.com/python/cpython-source-deps/pull/25 |
|||
| msg397811 - (view) | Author: Dong-hee Na (corona10) * |
Date: 2021-07-19 15:54 | |
@ned.deily Is it possible to update bz2 to 1.0.8 on macOS distribution? I found the guide to update the library on Windows but for the macOS version, I can not find. |
|||
| msg397813 - (view) | Author: Dong-hee Na (corona10) * |
Date: 2021-07-19 16:18 | |
Hmm since I am not a distribution expert, I would like to follow other core devs opinions. Almost Linux distributions use bzip2 1.0.6 by default. |
|||
| msg397853 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2021-07-20 06:31 | |
> Is it possible to update bz2 to 1.0.8 on macOS distribution? Thanks for looking into this. As I commented on PR 27241, this change is not needed because current macOS python.org installers dynamically link to the system-provided copies of Bzip2; the code to build a private copy of BZip2 in build-installer.py was only used when building on very old versions of macOS, 10.4 and earlier, versions for which we no longer support building installers. I've submitted another PR to remove that unused code to avoid future confusion. |
|||
| msg397854 - (view) | Author: Dong-hee Na (corona10) * |
Date: 2021-07-20 06:35 | |
> current macOS python.org installers dynamically link to the system-provided copies of Bzip2 Okay, so this issue looks out of scope to the CPython team if the Windows distribution follows the same policy. @steve.dowe Can you check about this issue? |
|||
| msg414686 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2022-03-07 17:46 | |
cpython-source-deps was updated middle of last year, but apparently we never merged the main repo change to use it. I'll do it now. |
|||
| msg414687 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2022-03-07 17:58 | |
Adding RMs - this should get merged before we do any security releases for issue46948 |
|||
| msg414690 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2022-03-07 18:23 | |
New changeset 105b9ac00174d7bcc653f9e9dc5052215e197c77 by Steve Dower in branch 'main': bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31731) https://github.com/python/cpython/commit/105b9ac00174d7bcc653f9e9dc5052215e197c77 |
|||
| msg414693 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2022-03-07 19:15 | |
New changeset 58d576a43cb1800dd68f06a429d7d41f746a8c01 by Steve Dower in branch '3.10': bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) https://github.com/python/cpython/commit/58d576a43cb1800dd68f06a429d7d41f746a8c01 |
|||
| msg414695 - (view) | Author: Ned Deily (ned.deily) * |
Date: 2022-03-07 19:34 | |
New changeset 4a3c610cd635f14747cf02c77908e80620aae6ea by Steve Dower in branch '3.7': bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31735) https://github.com/python/cpython/commit/4a3c610cd635f14747cf02c77908e80620aae6ea |
|||
| msg414697 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2022-03-07 20:11 | |
New changeset e1639f361ee0dfbf08bb8538839d3d557c1a995c by Steve Dower in branch '3.9': bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) https://github.com/python/cpython/commit/e1639f361ee0dfbf08bb8538839d3d557c1a995c |
|||
| msg414734 - (view) | Author: Łukasz Langa (lukasz.langa) * |
Date: 2022-03-08 09:05 | |
New changeset 6649519e67841b1aa12672f1d9b5cb24494f6196 by Steve Dower in branch '3.8': bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31734) https://github.com/python/cpython/commit/6649519e67841b1aa12672f1d9b5cb24494f6196 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:47 | admin | set | github: 88715 |
| 2022-03-08 13:30:36 | steve.dower | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2022-03-08 09:05:05 | lukasz.langa | set | messages: + msg414734 |
| 2022-03-07 20:11:29 | steve.dower | set | messages: + msg414697 |
| 2022-03-07 19:34:57 | ned.deily | set | messages: + msg414695 |
| 2022-03-07 19:19:40 | steve.dower | set | pull_requests: + pull_request29852 |
| 2022-03-07 19:19:25 | steve.dower | set | pull_requests: + pull_request29851 |
| 2022-03-07 19:19:20 | steve.dower | set | pull_requests: + pull_request29850 |
| 2022-03-07 19:15:32 | steve.dower | set | messages: + msg414693 |
| 2022-03-07 18:33:49 | steve.dower | set | pull_requests: + pull_request29849 |
| 2022-03-07 18:23:38 | steve.dower | set | messages: + msg414690 |
| 2022-03-07 18:15:20 | ned.deily | set | priority: critical -> release blocker |
| 2022-03-07 17:58:15 | steve.dower | set | nosy:
+ lukasz.langa, pablogsal messages: + msg414687 versions: + Python 3.7, Python 3.8 |
| 2022-03-07 17:48:55 | steve.dower | set | pull_requests: + pull_request29848 |
| 2022-03-07 17:46:00 | steve.dower | set | messages: + msg414686 |
| 2022-03-04 16:50:17 | ned.deily | set | title: Update Windows installer to use BZip 1.0.8 -> Update Windows installer to use bzip2 1.0.8 |
| 2022-03-04 16:48:45 | ned.deily | set | priority: normal -> critical assignee: steve.dower title: BZip 1.0.6 Critical Vulnerability -> Update Windows installer to use BZip 1.0.8 versions: + Python 3.10, Python 3.11 |
| 2022-03-04 16:35:26 | ned.deily | link | issue46919 superseder |
| 2021-09-01 03:45:20 | zach.ware | link | issue45071 superseder |
| 2021-07-20 06:35:45 | corona10 | set | messages: + msg397854 |
| 2021-07-20 06:31:09 | ned.deily | set | messages: + msg397853 |
| 2021-07-19 16:18:20 | corona10 | set | messages: + msg397813 |
| 2021-07-19 16:04:39 | corona10 | set | nosy:
+ ronaldoussoren type: crash -> security components: + macOS |
| 2021-07-19 16:01:44 | corona10 | set | pull_requests: + pull_request25790 |
| 2021-07-19 15:54:40 | corona10 | set | nosy:
+ ned.deily messages: + msg397811 |
| 2021-07-19 15:47:23 | corona10 | set | keywords:
+ patch stage: patch review pull_requests: + pull_request25788 |
| 2021-07-18 14:06:15 | corona10 | set | messages: + msg397752 |
| 2021-07-18 13:40:46 | corona10 | set | nosy:
+ corona10 |
| 2021-07-05 04:08:06 | malin | set | nosy:
+ malin messages: + msg396966 |
| 2021-07-02 10:46:07 | s.s.mahato | create | |