[$] A Python security fix breaks (some) bignums

Post Syndicated from original https://lwn.net/Articles/907572/

Typically, an urgent security release of a project is not for a two-year-old CVE, but such is the case for a recent Python release of four versions of the language. The bug is a denial of service (DoS) that can be caused by converting enormous numbers to strings—or vice versa—but it was not deemed serious enough to fix when it was first reported. Evidently more recent reports, including a remote exploit of the bug, have raised its importance—causing a rushed-out fix. But the fix breaks some existing Python code, and the process of handling the incident has left something to be desired, leading the project to look at ways to improve its processes.
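As an added illustration (this is not code from the article, nor from CPython itself), the following shows what the fix changes from a defender's point of view: the patched interpreters cap the number of decimal digits that `int()` and `str()` will convert, refusing oversized inputs up front instead of doing quadratic work, and that same cap is what trips existing code that legitimately handles very large integers. It assumes a Python build that provides `sys.set_int_max_str_digits` and `sys.get_int_max_str_digits` (real functions in the fixed releases, though the article does not name them); on an older interpreter the helpers simply report the cap as unavailable. The `parse_untrusted_int` wrapper is a hypothetical application-level check that bounds the work independently of the interpreter's setting.

```python
"""Added example: behaviour of the integer/string digit cap and a
version-independent length check for untrusted numeric input."""
import sys

# The interpreter's default cap in the patched releases; 0 disables the cap.
DEFAULT_LIMIT = 4300


def limit_supported() -> bool:
    """True when this interpreter has the digit cap (3.11+ or a patched 3.7-3.10)."""
    return hasattr(sys, "set_int_max_str_digits")


def refused_under_limit(convert, limit: int = DEFAULT_LIMIT):
    """Run a zero-argument conversion with the cap set to `limit`.

    Returns True if the interpreter refused the conversion with ValueError
    (i.e. before doing the expensive work), False if it completed, and None
    when this interpreter has no cap at all. The previous cap is restored.
    """
    if not limit_supported():
        return None
    previous = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)
    try:
        convert()
    except ValueError:
        return True
    else:
        return False
    finally:
        sys.set_int_max_str_digits(previous)


def parse_untrusted_int(text: str, max_digits: int = DEFAULT_LIMIT) -> int:
    """Hypothetical defensive wrapper: reject oversized decimal input by length
    before calling int(), so the bound holds even where the interpreter has no cap.
    """
    body = text.strip().lstrip("+-")
    if len(body) > max_digits:
        raise ValueError(
            f"refusing to parse {len(body)} digits (limit {max_digits})")
    return int(text)


if __name__ == "__main__":
    # Constructed inputs: one just inside the cap, one just past it.
    print("4300-digit int() refused:", refused_under_limit(lambda: int("9" * 4300)))
    print("4301-digit int() refused:", refused_under_limit(lambda: int("9" * 4301)))
    # str() of a big integer is capped the same way; 10**5000 itself computes fine.
    print("str(10**5000) refused:", refused_under_limit(lambda: str(10 ** 5000)))
    # Power-of-two bases are linear-time and exempt from the cap.
    print("5000-digit hex int() refused:", refused_under_limit(lambda: int("f" * 5000, 16)))
    print("parsed:", parse_untrusted_int("  -42 "))
```

The last line of output is the behaviour that breaks code in the wild: a program that serialises a 5000-digit integer with `str()` worked before the fix and now raises `ValueError` unless it raises the cap with `sys.set_int_max_str_digits(0)` or a larger value. The hex case shows that the cap is specific to bases whose conversion is not linear-time, which is why a decimal-to-hex round trip is sometimes suggested as a workaround for code that only needs to move large numbers around.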