classification
Title: Upgrade to zlib v1.2.12 in CPython binary releases
Type: security Stage: patch review
Components: Extension Modules, Windows Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8, Python 3.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: gregory.p.smith, lukasz.langa, miss-islington, ned.deily, pablogsal, paul.moore, steve.dower, tim.golden, zach.ware
Priority: release blocker Keywords: patch

Created on 2022-04-01 19:25 by gregory.p.smith, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 32241 merged zach.ware, 2022-04-01 20:00
PR 32248 merged miss-islington, 2022-04-02 13:11
PR 32249 merged miss-islington, 2022-04-02 13:11
PR 32250 open miss-islington, 2022-04-02 13:11
PR 32251 merged miss-islington, 2022-04-02 13:11
Messages (5)
msg416510 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2022-04-01 19:25
zlib v1.2.11 as used in Windows binary releases contains a security issue that, while fixed in its git repo years ago, never wound up in a release or a CVE until just now.

Follow the https://www.openwall.com/lists/oss-security/2022/03/24/1 thread and the recently assigned CVE-2018-25032.

I believe we only ship our own zlib on Windows so this issue is tagged as such.  The above oss-security thread is where an idea of severity will come out.
msg416552 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2022-04-02 13:10
New changeset 6066739ff7794e54c98c08b953a699cbc961cd28 by Zachary Ware in branch 'main':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)
https://github.com/python/cpython/commit/6066739ff7794e54c98c08b953a699cbc961cd28
msg416555 - (view) Author: miss-islington (miss-islington) Date: 2022-04-02 13:37
New changeset 0f0f85e9d8088eb789cda35477900df32adff546 by Miss Islington (bot) in branch '3.9':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)
https://github.com/python/cpython/commit/0f0f85e9d8088eb789cda35477900df32adff546
msg416556 - (view) Author: miss-islington (miss-islington) Date: 2022-04-02 13:39
New changeset 16a809ffb7af14898ce9ec8165960d96cbcd4ec3 by Miss Islington (bot) in branch '3.10':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)
https://github.com/python/cpython/commit/16a809ffb7af14898ce9ec8165960d96cbcd4ec3
msg416651 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2022-04-04 03:27
New changeset 387f93c156288c170ff0016a75af06e109d48ee1 by Miss Islington (bot) in branch '3.7':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32251)
https://github.com/python/cpython/commit/387f93c156288c170ff0016a75af06e109d48ee1
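Added example (not part of the tracker thread or of CPython's own code): a check of which zlib release a given interpreter was built against and is actually running with, compared against v1.2.12, the release this issue upgrades to. The helper names are hypothetical; zlib.ZLIB_VERSION and zlib.ZLIB_RUNTIME_VERSION are the standard library's own attributes. A packager can backport a fix without changing the version string, so a lower version is a prompt to check the build, not proof that the fix is missing.

```python
import re
import zlib

# Release this issue upgrades to in order to resolve CVE-2018-25032.
FIXED_RELEASE = (1, 2, 12)


def parse_zlib_version(text):
    """Return the leading numeric part of a zlib version string as a tuple.

    Vendor suffixes such as '1.2.11-motley' or '1.2.13.zlib-ng' are ignored,
    and short forms such as '1.3' are padded to three components.
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError(f"unrecognised zlib version string: {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def has_fixed_release(version_text, fixed=FIXED_RELEASE):
    """True when the version string is at or above the fixed release."""
    return parse_zlib_version(version_text) >= fixed


def zlib_report(compiled=zlib.ZLIB_VERSION, runtime=zlib.ZLIB_RUNTIME_VERSION):
    """Summarise the zlib this interpreter was built with and has loaded.

    The runtime version describes the library actually in use; it can differ
    from the compile-time one when zlib is a separately updated shared library.
    """
    return {
        "compiled": compiled,
        "runtime": runtime,
        "runtime_at_fixed_release": has_fixed_release(runtime),
        "compiled_runtime_mismatch": compiled != runtime,
    }


if __name__ == "__main__":
    for key, value in zlib_report().items():
        print(f"{key}: {value}")
```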
History
Date User Action Args
2022-04-11 14:59:58 admin set github: 91350
2022-04-04 03:27:26 ned.deily set messages: + msg416651
2022-04-02 13:39:10 miss-islington set messages: + msg416556
2022-04-02 13:37:56 miss-islington set messages: + msg416555
2022-04-02 13:11:24 miss-islington set pull_requests: + pull_request30322
2022-04-02 13:11:17 miss-islington set pull_requests: + pull_request30321
2022-04-02 13:11:09 miss-islington set pull_requests: + pull_request30320
2022-04-02 13:11:04 miss-islington set nosy: + miss-islington; pull_requests: + pull_request30319
2022-04-02 13:10:27 steve.dower set messages: + msg416552
2022-04-01 20:00:10 zach.ware set keywords: + patch; stage: needs patch -> patch review; pull_requests: + pull_request30312
2022-04-01 19:25:42 gregory.p.smith create