Python announces first security releases since becoming a CNA

Post Syndicated from jzb original https://lwn.net/Articles/966056/

The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of GitHub Actions to perform public builds instead of building artifacts “on a local computer of one of the release managers”, and the first since Python became a CVE Numbering Authority (CNA).

Python release team member Łukasz Langa said that being a CNA means Python is able to “ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate.” It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2023-6597 describes a flaw in CPython’s zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 is an issue with Python’s tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
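As an added example (not code from the release announcement or from CPython's own patch), here is a defensive pre-check an application can run on untrusted archives before extracting them, illustrating the zip-bomb class of issue mentioned above: it reads only the central directory, caps the declared expansion, and refuses entries whose compressed data would run into the next entry's local header. The size and ratio limits are constructed placeholders to be tuned per application.

```python
import io
import zipfile

# Constructed policy limits for this example; tune them to the application.
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024   # refuse archives declaring > 100 MiB
MAX_COMPRESSION_RATIO = 100                  # refuse archives expanding > 100x
LOCAL_HEADER_FIXED_SIZE = 30                 # fixed part of a local file header


def check_zip_safety(data: bytes) -> list[str]:
    """Return the reasons an archive should be refused; an empty list means it passed.

    Only the central directory is inspected, so nothing is decompressed.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
        if total > MAX_TOTAL_UNCOMPRESSED:
            problems.append(f"declared uncompressed size {total} exceeds {MAX_TOTAL_UNCOMPRESSED}")
        if compressed and total / compressed > MAX_COMPRESSION_RATIO:
            problems.append(f"compression ratio {total // compressed}:1 exceeds {MAX_COMPRESSION_RATIO}:1")
        # Overlap check: each entry's data must end before the next local header
        # starts. The extent below is a lower bound (filename counted in characters,
        # local extra field ignored), so any overlap it reports is a real one.
        by_offset = sorted(infos, key=lambda i: i.header_offset)
        for cur, nxt in zip(by_offset, by_offset[1:]):
            min_end = (cur.header_offset + LOCAL_HEADER_FIXED_SIZE
                       + len(cur.filename) + cur.compress_size)
            if min_end > nxt.header_offset:
                problems.append(f"entry {cur.filename!r} overlaps entry {nxt.filename!r}")
    return problems


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory DEFLATE archive from a name -> content mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # A small ordinary archive passes; 8 MiB of zeros trips the ratio limit.
    print(check_zip_safety(build_archive({"a.txt": b"hello", "b.txt": b"world"})))
    print(check_zip_safety(build_archive({"zeros.bin": bytes(8 * 1024 * 1024)})))
```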