• Canonical list of Python security vulnerabilities

    From Bob Kline@21:1/5 to All on Fri Jul 14 13:35:35 2023
    Can someone point me to the official catalog of security vulnerabilities in Python (by which I mean cpython and the standard libraries)? I found https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
    but that isn't maintained by python.org. I also found security-announce@python.org, but there hasn't been anything posted there
    in over a year as far as I can tell, and even before that it's pretty thin.

    If there's a better place to ask, please advise.

    Thanks.

    --
    Bob Kline
    https://www.rksystems.com
    mailto:bkline@rksystems.com

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Barry@21:1/5 to All on Fri Jul 14 20:01:59 2023
    On 14 Jul 2023, at 19:14, Bob Kline via Python-list <python-list@python.org> wrote:

    > Can someone point me to the official catalog of security vulnerabilities in
    > Python (by which I mean cpython and the standard libraries)? I found https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
    > but that isn't maintained by python.org. I also found security-announce@python.org, but there hasn't been anything posted there
    > in over a year as far as I can tell, and even before that it's pretty thin.
    >
    > If there's a better place to ask, please advise.

    Where do you get your python from?

    You may find that the organisation that packages python that you use has such a list.

    Barry

    > Thanks.
    >
    > --
    > Bob Kline
    > https://www.rksystems.com
    > mailto:bkline@rksystems.com
    > --
    > https://mail.python.org/mailman/listinfo/python-list
  • From Bob Kline@21:1/5 to bkline@rksystems.com on Fri Jul 14 15:00:31 2023
    On Fri, Jul 14, 2023 at 1:35 PM Bob Kline <bkline@rksystems.com> wrote:

    > Can someone point me to the official catalog of security vulnerabilities
    > in Python ....

    I did try entering "python security vulnerabilities" in the search box
    of the python.org web site, but what I got back was "No results
    found."

  • From Bob Kline@21:1/5 to barry@barrys-emacs.org on Fri Jul 14 15:16:29 2023
    On Fri, Jul 14, 2023 at 3:02 PM Barry <barry@barrys-emacs.org> wrote:

    > Where do you get your python from?

    Directly from python.org.

    > You may find that the organisation that packages python that you use has such a list.

    That's my hope. Just haven't found it yet. :-}

  • From Dieter Maurer@21:1/5 to Bob Kline on Sat Jul 15 19:02:16 2023
    Bob Kline wrote at 2023-7-14 13:35 -0400:
    > Can someone point me to the official catalog of security vulnerabilities in
    > Python (by which I mean cpython and the standard libraries)? I found
    > https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
    > but that isn't maintained by python.org.

    I am active in the `Zope` community (a web application server
    based on Python). This community has a security mailing list
    for security-related reports
    and issues public CVE (= "Common Vulnerabilities and Exposures") reports
    (via a "GitHub" service) as soon as a security risk has been resolved.

    I expect that security risks for Python itself are handled in
    a similar way (as Python, too, maintains its code on "GitHub").
    This means that the CVE dictionary should contain **ALL**
    publicly announced security risk reports, whether found by
    the Python community or by packagers.

    For details about CVE, read "https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures".

  • From Bob Kline@21:1/5 to dieter@handshake.de on Sat Jul 15 15:23:01 2023
    On Sat, Jul 15, 2023 at 1:02 PM Dieter Maurer <dieter@handshake.de> wrote:

    > I am active in the `Zope` community (a web application server
    > based on Python). This community has a security mailing list
    > for security-related reports
    > and issues public CVE (= "Common Vulnerabilities and Exposures") reports
    > (via a "GitHub" service) as soon as a security risk has been resolved.
    >
    > I expect that security risks for Python itself are handled in
    > a similar way (as Python, too, maintains its code on "GitHub").

    Yes, the Python community does have a security mailing list, but as I
    noted earlier, it appears to be moribund. And yes, the cpython GitHub repository does have a security tab, but it reports "There aren't any published security advisories."

    > ...
    > For details about CVE, read "https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures".

    Thanks for the link, Dieter. I found the NIST search interface to be
    buggy, and there doesn't seem to be a way to search the Mitre site
    effectively to get vulnerabilities just for the Python language and
    standard libraries. I've downloaded the entire corpus of JSON CVEs and
    I'm digging into what would be involved in querying it myself.

    Cheers,
    Bob

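A starting point for the kind of local query Bob describes in his last post, added here as an example and not code from anyone in the thread: it assumes the CVE JSON 5.x record layout used by the cvelistV5 repository (`cveMetadata`, `containers.cna.affected`, `containers.cna.descriptions`), and the default vendor/product strings "Python Software Foundation"/"CPython" are assumed values to be checked against the real records; the sample records are constructed and their IDs are placeholders.

```python
import json
from pathlib import Path
from typing import Iterable, Iterator

# Constructed sample records in the CVE JSON 5.x layout; the IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
     "containers": {"cna": {
         "affected": [{"vendor": "Python Software Foundation", "product": "CPython",
                       "versions": [{"version": "3.11.0", "status": "affected", "lessThan": "3.11.4"}]}],
         "descriptions": [{"lang": "en", "value": "Constructed issue in a standard-library module."}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002", "state": "REJECTED"},
     "containers": {"cna": {"affected": [{"vendor": "Python Software Foundation", "product": "CPython"}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003", "state": "PUBLISHED"},
     "containers": {"cna": {"affected": [{"vendor": "Example Vendor", "product": "python-flavoured-widget"}],
                            "descriptions": [{"lang": "en", "value": "Unrelated third-party package."}]}}},
]

def load_records(root: Path) -> Iterator[dict]:
    """Yield every CVE-*.json record below root (assumes a local cvelistV5-style directory tree)."""
    for path in sorted(root.rglob("CVE-*.json")):
        with path.open(encoding="utf-8") as fh:
            yield json.load(fh)

def affects_product(record: dict, vendor: str, product: str) -> bool:
    """True if a PUBLISHED record's CNA container lists vendor/product (case-insensitive match)."""
    if record.get("cveMetadata", {}).get("state") != "PUBLISHED":
        return False  # RESERVED/REJECTED records carry no usable affected data
    for entry in record.get("containers", {}).get("cna", {}).get("affected", []):
        if (entry.get("vendor", "").casefold() == vendor.casefold()
                and entry.get("product", "").casefold() == product.casefold()):
            return True
    return False

def summarize(record: dict) -> dict:
    """Reduce a record to its id, English description and affected version ranges."""
    cna = record.get("containers", {}).get("cna", {})
    desc = next((d.get("value", "") for d in cna.get("descriptions", [])
                 if d.get("lang", "").lower().startswith("en")), "")
    ranges = [f"{v.get('version', '?')} < {v.get('lessThan', '?')}"
              for a in cna.get("affected", []) for v in a.get("versions", [])
              if v.get("status") == "affected"]
    return {"id": record["cveMetadata"]["cveId"], "description": desc, "affected": ranges}

def python_cves(records: Iterable[dict], vendor: str = "Python Software Foundation",
                product: str = "CPython") -> list[dict]:
    """Filter any iterable of records (e.g. load_records(Path('cves'))) to the given product."""
    return [summarize(r) for r in records if affects_product(r, vendor, product)]
```

Because the match is on the CNA's own vendor/product strings, check a few known CPython records first to confirm the exact spelling the PSF uses before trusting the filter over the whole corpus.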