Mailing List Archive

Canonical list of Python security vulnerabilities
Can someone point me to the official catalog of security vulnerabilities in
Python (by which I mean cpython and the standard libraries)? I found
https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
but that isn't maintained by python.org. I also found
security-announce@python.org, but there hasn't been anything posted there
in over a year as far as I can tell, and even before that it's pretty thin.

If there's a better place to ask, please advise.

Thanks.

--
Bob Kline
https://www.rksystems.com
mailto:bkline@rksystems.com
--
https://mail.python.org/mailman/listinfo/python-list
Re: Canonical list of Python security vulnerabilities
On Fri, Jul 14, 2023 at 1:35 PM Bob Kline <bkline@rksystems.com> wrote:

> Can someone point me to the official catalog of security vulnerabilities
> in Python ....

I did try entering "python security vulnerabilities" in the search box
of the python.org web site, but what I got back was "No results
found."
Re: Canonical list of Python security vulnerabilities
> On 14 Jul 2023, at 19:14, Bob Kline via Python-list <python-list@python.org> wrote:
>
> Can someone point me to the official catalog of security vulnerabilities in
> Python (by which I mean cpython and the standard libraries)? I found
> https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
> but that isn't maintained by python.org. I also found
> security-announce@python.org, but there hasn't been anything posted there
> in over a year as far as I can tell, and even before that it's pretty thin.
>
> If there's a better place to ask, please advise.

Where do you get your python from?

You may find that the organisation that packages python that you use has such a list.

Barry
>
> Thanks.
>
> --
> Bob Kline
> https://www.rksystems.com
> mailto:bkline@rksystems.com

Re: Canonical list of Python security vulnerabilities
On Fri, Jul 14, 2023 at 3:02 PM Barry <barry@barrys-emacs.org> wrote:

> Where do you get your python from?

Directly from python.org.

> You may find that the organisation that packages python that you use has such a list.

That's my hope. Just haven't found it yet. :-}
Re: Canonical list of Python security vulnerabilities
Bob Kline wrote at 2023-7-14 13:35 -0400:
>Can someone point me to the official catalog of security vulnerabilities in
>Python (by which I mean cpython and the standard libraries)? I found
>https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
>but that isn't maintained by python.org.

I am active in the `Zope` community (a web application server
based on Python). This community has a security mailing list
for security related reports
and issues public CVE (= "Common Vulnerabilities and Exposures") reports
(via a "GitHub" service) as soon as a security risk has been resolved.

I expect that security risks for Python itself are handled in
a similar way (as Python, too, maintains its code on "GitHub").
This means that the CVE dictionary should contain **ALL**
publicly announced security risk reports whether found by
the Python community or packagers.

For details about CVE, read
"https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures".
Re: Canonical list of Python security vulnerabilities
On Sat, Jul 15, 2023 at 1:02 PM Dieter Maurer <dieter@handshake.de> wrote:
>
> I am active in the `Zope` community (a web application server
> based on Python). This community has a security mailing list
> for security related reports
> and issues public CVE (= "Common Vulnerabilities and Exposures") reports
> (via a "GitHub" service) as soon as a security risk has been resolved.
>
> I expect that security risks for Python itself are handled in
> a similar way (as Python, too, maintains its code on "GitHub").

Yes the Python community does have a security mailing list, but as I
noted earlier, it appears to be moribund. And yes, the cpython GitHub
repository does have a security tab, but it reports "There aren’t any
published security advisories."

> ...
> For details about CVE, read
> "https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures".

Thanks for the link, Dieter. I found the NIST search interface to be
buggy, and there doesn't seem to be a way to search the Mitre site
effectively to get vulnerabilities just for the Python language and
standard libraries. I've downloaded the entire corpus of JSON CVEs and
I'm digging into what would be involved in querying it myself.

Cheers,
Bob
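As an added example (not part of the thread, and not the CVE Program's own tooling), here is the kind of query Bob describes in the last message: a script that walks a local copy of the CVE JSON corpus and keeps only records whose CNA "affected" entries name Python or CPython. It assumes the CVE Record Format 5.x layout used by the cvelistV5 repository (https://github.com/CVEProject/cvelistV5), where vendor, product and version ranges live under containers.cna.affected, and it assumes the vendor/product strings in PYTHON_VENDORS and PYTHON_PRODUCTS are the ones the CNA uses. The sample records at the bottom are constructed placeholders with deliberately impossible IDs, not real vulnerabilities.

```python
"""Filter a local CVE List corpus (CVE Record Format 5.x JSON) for records
naming Python or CPython in the CNA's 'affected' entries.

Added example, not from the thread. Assumes the 5.x layout used by
https://github.com/CVEProject/cvelistV5 (one CVE-*.json per record under
cves/<year>/<bucket>/) and the vendor/product names below. The sample
records at the bottom are constructed placeholders, not real CVEs.
"""
import json
import sys
from pathlib import Path
from typing import Iterable, Iterator

# Names to match, compared case-insensitively. Assumption: this is how the
# CNA names the project; distro packagers may use other vendor/product strings.
PYTHON_VENDORS = {"python", "python software foundation"}
PYTHON_PRODUCTS = {"python", "cpython"}


def iter_records(root: Path) -> Iterator[dict]:
    """Yield every CVE-*.json record below root (e.g. the cvelistV5 cves/ tree)."""
    for path in sorted(root.rglob("CVE-*.json")):
        with path.open(encoding="utf-8") as fh:
            yield json.load(fh)


def record_affects_python(record: dict) -> bool:
    """True if any cna.affected entry names Python/CPython as vendor or product."""
    cna = record.get("containers", {}).get("cna", {})
    for entry in cna.get("affected", []):
        vendor = str(entry.get("vendor", "")).strip().lower()
        product = str(entry.get("product", "")).strip().lower()
        if vendor in PYTHON_VENDORS or product in PYTHON_PRODUCTS:
            return True
    return False


def affected_ranges(entry: dict) -> list[str]:
    """Render the 'affected' version objects of one entry as readable ranges."""
    ranges = []
    for v in entry.get("versions", []):
        if v.get("status") != "affected":
            continue  # 'unaffected' / 'unknown' entries carry no exposure
        low = v.get("version", "?")
        if "lessThan" in v:
            ranges.append(f"{low} <= x < {v['lessThan']}")
        elif "lessThanOrEqual" in v:
            ranges.append(f"{low} <= x <= {v['lessThanOrEqual']}")
        else:
            ranges.append(low)  # a single exact version
    return ranges


def summarize(record: dict) -> dict:
    """Pull the fields a triager wants: id, date, affected ranges, description."""
    meta = record.get("cveMetadata", {})
    cna = record.get("containers", {}).get("cna", {})
    text = next((d.get("value", "") for d in cna.get("descriptions", [])
                 if d.get("lang", "").lower().startswith("en")), "")
    return {
        "id": meta.get("cveId"),
        "published": meta.get("datePublished"),
        "affected": {f"{e.get('vendor')}/{e.get('product')}": affected_ranges(e)
                     for e in cna.get("affected", [])},
        "description": text,
    }


def find_python_cves(records: Iterable[dict]) -> list[dict]:
    """PUBLISHED records naming Python/CPython, newest first; REJECTED ones skipped."""
    hits = [summarize(r) for r in records
            if r.get("cveMetadata", {}).get("state") == "PUBLISHED"
            and record_affects_python(r)]
    hits.sort(key=lambda h: h["published"] or "", reverse=True)
    return hits


# Constructed placeholders (impossible IDs, dummy versions), not real CVEs.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-1900-0001", "state": "PUBLISHED",
                     "datePublished": "1900-01-02T00:00:00"},
     "containers": {"cna": {
         "affected": [{"vendor": "Python Software Foundation", "product": "CPython",
                       "versions": [{"version": "0", "status": "affected",
                                     "lessThan": "1.0", "versionType": "python"}]}],
         "descriptions": [{"lang": "en", "value": "Constructed sample record."}]}}},
    {"cveMetadata": {"cveId": "CVE-1900-0002", "state": "PUBLISHED",
                     "datePublished": "1900-01-03T00:00:00"},
     "containers": {"cna": {
         "affected": [{"vendor": "Example Vendor", "product": "Example Product",
                       "versions": [{"version": "1.0", "status": "affected"}]}],
         "descriptions": [{"lang": "en", "value": "Constructed unrelated record."}]}}},
    {"cveMetadata": {"cveId": "CVE-1900-0003", "state": "REJECTED"},
     "containers": {"cna": {
         "affected": [{"vendor": "Python Software Foundation", "product": "CPython"}],
         "descriptions": [{"lang": "en", "value": "Constructed rejected record."}]}}},
]

if __name__ == "__main__":
    # Usage: python cve_filter.py /path/to/cvelistV5/cves   (no argument: samples)
    records = iter_records(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for hit in find_python_cves(records):
        print(json.dumps(hit, indent=2))
```

Two caveats worth keeping in mind when running this over the real corpus: matching on the CNA's vendor/product strings will miss records where a downstream packager filed the entry under its own name, and a record that is PUBLISHED today can later be moved to REJECTED, so the filter should be re-run against a fresh checkout rather than a cached result.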