This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author lukasz.langa
Recipients Joel Croteau, Julian, achraf-mer, christian.heimes, docs@python, eric.smith, gc2, lukasz.langa, mgorny, miss-islington, ncoghlan, ned.deily, pablogsal, pmoody, python-dev, serhiy.storchaka, steve.dower, vstinner
Date 2021-08-17.22:22:15
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
> it prevents using 3.8 because of this open vulnerability

What do you mean by this?

Our understanding is that this is a low-severity CVE because in order for this to be a vulnerability, you'd have to have both:

1. user access to IP address input; and
2. control over two addresses sharing numerical representation with leading zeroes: the first resolving when leading zeroes are treated as octal numbers; the second resolving when leading zeroes are treated as decimal numbers.

Access to both then allows you at best to circumvent IP address-based access control or denial of service. However, access to just 1. allows you to input any IP address to achieve the same goals.

Hence low-severity.

> it does not seem to be a breaking change

It is a bona fide breaking change. Any IP address configuration saved in files or databases which might have used leading zeroes would be rejected by 3.8.12. The same was true for 3.9.5 but since this release series has much higher exposure (still receiving binary installers and regular-cadence bugfixes), it was less controversial to include it.

If you still feel this ought to be fixed in 3.8, please elaborate.
Date User Action Args
2021-08-17 22:22:15lukasz.langasetrecipients: + lukasz.langa, ncoghlan, vstinner, eric.smith, christian.heimes, ned.deily, pmoody, docs@python, mgorny, Julian, python-dev, serhiy.storchaka, steve.dower, pablogsal, miss-islington, Joel Croteau, gc2, achraf-mer
2021-08-17 22:22:15lukasz.langasetmessageid: <>
2021-08-17 22:22:15lukasz.langalinkissue36384 messages
2021-08-17 22:22:15lukasz.langacreate