Python 3.8.3 passively introduced open source software contains CVE vulnerability #85244
Open source software introduced passively in Python 3.8.3: zlib 1.2.8 (files involved: wininst-10.0.exe, wininst-10.0-amd64.exe). Involves CVE-2016-9841, CVE-2016-9843, CVE-2016-9840, CVE-2016-9842.
It depends on your application. Almost all of these are exposed directly, so you will be vulnerable if your application uses them in the way described by the CVE. I'm not familiar enough with the vulnerabilities in question to tell you for sure, and I doubt any of the other volunteers here are either. I do seem to recall that one of the OpenSSL vulnerabilities only applied if you were serving a particular TLS version, which won't impact most Python apps. And the wininst*.exe files are only used with bdist_wininst packages, which nobody should be using anymore. If you're not able to evaluate them yourself, you might look for a paid company or consultant who can help you out. We've already updated the dependencies that need to be updated for upcoming releases.
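The thread leaves the reader with a practical question: which zlib is actually embedded in the wininst stubs shipped with a given interpreter, and is it distinct from the zlib the interpreter itself links against? The script below is an added example, not code from CPython or from either participant. It relies on a real property of zlib builds (deflate.c and inflate.c each embed a "deflate <version> Copyright ..." / "inflate <version> Copyright ..." string) to recover the version from a binary by string scanning, and compares it against an assumed fixed-in version of 1.2.9 for the four CVEs named above. The stub location under `distutils/command`, the 1.2.9 threshold and the constructed `SAMPLE_BINARY` blob are this example's assumptions; the scan is a heuristic, since a stripped or repacked binary may not carry the string.

```python
"""Heuristic scan of distutils wininst-*.exe stubs for the zlib version they embed.

Added example: zlib's deflate.c/inflate.c embed a copyright string such as
"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler ", so the
linked version can usually be recovered by scanning the binary for it.
"""
import re
import sysconfig
import zlib
from pathlib import Path

# Assumption: CVE-2016-9840/9841/9842/9843 are fixed in zlib 1.2.9, so any
# embedded zlib older than that is reported as affected.
FIXED_IN = (1, 2, 9)

# Matches the version component of zlib's embedded deflate/inflate banner.
VERSION_RE = re.compile(rb"(?:deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright")


def parse_version(text):
    """Turn '1.2.8' / '1.3' / '1.2.13.zlib-ng' into a 3-tuple of ints."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break  # stop at a non-numeric suffix such as 'zlib-ng'
        parts.append(int(piece))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version):
    return parse_version(version) < FIXED_IN


def find_zlib_versions(data):
    """Return the distinct zlib versions embedded in a binary, in order found."""
    seen = []
    for match in VERSION_RE.finditer(data):
        version = match.group(1).decode("ascii")
        if version not in seen:
            seen.append(version)
    return seen


def scan_file(path):
    """Return (versions, affected) for one binary on disk."""
    versions = find_zlib_versions(Path(path).read_bytes())
    return versions, any(is_affected(v) for v in versions)


def wininst_stubs(stdlib=None):
    """Locate this interpreter's distutils wininst stubs (assumed path; empty on 3.12+, where distutils was removed)."""
    base = Path(stdlib or sysconfig.get_paths()["stdlib"]) / "distutils" / "command"
    if not base.is_dir():
        return []
    return sorted(base.glob("wininst-*.exe"))


def interpreter_zlib():
    """The zlib the running interpreter links against, which is separate from the stubs."""
    return zlib.ZLIB_RUNTIME_VERSION, is_affected(zlib.ZLIB_RUNTIME_VERSION)


# Constructed sample: a fake executable blob carrying the strings a zlib 1.2.8 build embeds.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler \x00"
    + b"\x00" * 16
    + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler \x00"
)


if __name__ == "__main__":
    print("sample blob:", find_zlib_versions(SAMPLE_BINARY))
    print("interpreter zlib:", interpreter_zlib())
    stubs = wininst_stubs()
    if not stubs:
        print("no wininst-*.exe stubs found for this interpreter")
    for stub in stubs:
        versions, affected = scan_file(stub)
        print(f"{stub.name}: zlib {versions or 'not found'} affected={affected}")
```

A clean result for the stubs does not mean the interpreter is clean, or the reverse: the stubs are only ever executed by installers built with bdist_wininst, while `zlib.ZLIB_RUNTIME_VERSION` reports the library every `zlib`/`gzip`/`zipfile` call in your application actually uses, so check both.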