Python 3.8.3 passively introduced open source software contains CVE vulnerability

[xcl]

BPO	41072
Nosy	@pfmoore, @tjguk, @zware, @zooba

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-06-23.18:34:34.999>
created_at = <Date 2020-06-22.07:32:29.933>
labels = ['type-security', 'invalid', '3.8', 'OS-windows']
title = 'Python 3.8.3 passively introduced open source software contains CVE vulnerability'
updated_at = <Date 2020-06-23.18:34:34.997>
user = 'https://bugs.python.org/xcl'

bugs.python.org fields:

activity = <Date 2020-06-23.18:34:34.997>
actor = 'steve.dower'
assignee = 'none'
closed = True
closed_date = <Date 2020-06-23.18:34:34.999>
closer = 'steve.dower'
components = ['Windows']
creation = <Date 2020-06-22.07:32:29.933>
creator = 'xcl'
dependencies = []
files = []
hgrepos = []
issue_num = 41072
keywords = []
message_count = 2.0
messages = ['372042', '372191']
nosy_count = 5.0
nosy_names = ['paul.moore', 'tim.golden', 'zach.ware', 'steve.dower', 'xcl']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue41072'
versions = ['Python 3.8']

[xcl]

Open source software introduced passively in Python 3.8.3：
sqlite3(Documents involved sqlite3.dll)，involve CVE-2020-11656，CVE-2020-11655，CVE-2020-13630，CVE-2020-13871，CVE-2020-9327，CVE-2020-13434，CVE-2020-13435，CVE-2020-13631，CVE-2020-13632
zlib 1.2.3(Documents involved wininst-7.1.exe、wininst-6.0.exe、wininst-9.0.exe、wininst-8.0.exe、wininst-9.0-amd64.exe).involve CVE-2016-9841，CVE-2016-9843，CVE-2016-9840，CVE-2016-9842
zlib 1.2.5(Documents involved wininst-14.0.exe、wininst-14.0-amd64.exe).involve CVE-2016-9841，CVE-2016-9843，CVE-2016-9840，CVE-2016-9842

zlib 1.2.8(Documents involved wininst-10.0.exe、wininst-10.0-amd64.exe).involve CVE-2016-9841，CVE-2016-9843，CVE-2016-9840，CVE-2016-9842
bzip2 1.0.6(Documents involved _bz2.pyd).involve CVE-2016-9841，CVE-2016-9843，CVE-2016-9840，CVE-2016-9842
openssl 1.1.1d(Documents involved _psycopg.cp38-win_amd64.pyd、_openssl.cp38-win_amd64.pyd).involve CVE-2020-1967，CVE-2019-1551
openssl 1.1.1f(Documents involved libcrypto-1_1.dll、libssl-1_1.dll).involve CVE-2020-1967
Does the above vulnerability pose a security risk to products using python 3.8.3, or is there a fix

[zooba]

It depends on your application. Almost all of these are exposed directly, so you will be vulnerable if your application uses them in the way described by the CVE.

I'm not familiar enough with the vulnerabilities in question to tell you for sure, and I doubt any of the other volunteers here are either.

I do seem to recall that one of the OpenSSL vulnerabilities only applied if you were serving a particular TLS version, which won't impact most Python apps. And the wininst*.exe files are only used with bdist_wininst packages, which nobody should be using anymore.

If you're not able to evaluate them yourself, you might look for a paid company or consultant who can help you out. We've already updated the dependencies that need to be updated for upcoming releases.