Python Forum
what version has the fix for the CVEs? - Printable Version

+- Python Forum (https://python-forum.io)
+-- Forum: General (https://python-forum.io/forum-1.html)
+--- Forum: News and Discussions (https://python-forum.io/forum-31.html)
+--- Thread: what version has the fix for the CVEs? (/thread-38484.html)



RE: what version has the fix for the CVEs? - juniarti - Nov-10-2022

Hi Rob,
I need to ask you more questions related to CVE-2018-20060.
Under the Lib/ensurepip/_bundled/ directory there are pip*.whl and setuptools*.whl files.
Inside those *.whl files is the poolmanager.py script that causes the security vulnerability.
Do you know if there is a fix to the *.whl file that I can download somewhere, so I can backport it into our Python library inside the jython2.7.2 that we are using?

Thanks again for your help,
Juni.

(Oct-19-2022, 08:02 PM)rob101 Wrote:
(Oct-19-2022, 07:13 PM)juniarti Wrote: I tried to post question on jython community but so far nobody answer my question yet.

Just a thought: have you asked for help on Github?

I can see that it's active, so it's more likely than not that you'll get a reply, given time.

Edit to add: Ah... I see your post there, already.

Wow! 9 days ago, humm... not so active then.
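A practical first step before backporting anything is to find out which urllib3 version each bundled wheel actually vendors, since that decides whether the wheel is affected at all. The script below is an added example and not code from either poster or from the jython project: it opens every *.whl in a directory as a zip archive, reads `__version__` from any vendored `urllib3/__init__.py`, and compares it with the version in which CVE-2018-20060 was fixed. The fixed-version constant comes from the CVE description (urllib3 before 1.23), not from this thread, and should be confirmed against the advisory you rely on; the wheel names, vendoring paths and version strings in the sample directory are constructed for the demo. The code avoids f-strings so it also runs under Python 2.7 / Jython 2.7.

```python
import glob
import os
import re
import sys
import tempfile
import zipfile

# CVE-2018-20060: urllib3 before 1.23 keeps the Authorization header on a
# cross-host redirect. Version taken from the CVE description (an assumption
# as far as this thread goes); verify against the advisory before acting.
FIXED_VERSION = (1, 23)

# Any vendored copy of urllib3 carries its version in urllib3/__init__.py;
# pip vendors it under pip/_vendor/, other wheels may use a different prefix.
VENDORED_INIT_SUFFIX = "urllib3/__init__.py"

_VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_version(text):
    """Turn '1.22.1' into (1, 22, 1); a non-numeric tail such as 'rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def vendored_urllib3_version(wheel_path):
    """Return the vendored urllib3 version string found in a wheel, or None."""
    with zipfile.ZipFile(wheel_path) as wheel:
        for name in wheel.namelist():
            if name.endswith(VENDORED_INIT_SUFFIX):
                source = wheel.read(name).decode("utf-8", "replace")
                m = _VERSION_RE.search(source)
                if m:
                    return m.group(1)
    return None


def audit_bundled_wheels(bundled_dir):
    """Map each *.whl in bundled_dir to (urllib3 version or None, fixed?)."""
    report = {}
    for path in sorted(glob.glob(os.path.join(bundled_dir, "*.whl"))):
        version = vendored_urllib3_version(path)
        fixed = version is not None and parse_version(version) >= FIXED_VERSION
        report[os.path.basename(path)] = (version, fixed)
    return report


def build_sample_bundled_dir():
    """Constructed stand-in for Lib/ensurepip/_bundled/ with two fake wheels."""
    bundled = tempfile.mkdtemp(prefix="bundled_")
    # (wheel file name, path of the vendored __init__.py, version) -- all made up
    samples = [
        ("pip-SAMPLE-py2.py3-none-any.whl",
         "pip/_vendor/urllib3/__init__.py", "1.22"),
        ("setuptools-SAMPLE-py2.py3-none-any.whl",
         "setuptools/_vendor/urllib3/__init__.py", "1.23"),
    ]
    for wheel_name, init_path, version in samples:
        with zipfile.ZipFile(os.path.join(bundled, wheel_name), "w") as wheel:
            wheel.writestr(init_path, "__version__ = '%s'\n" % version)
    return bundled


if __name__ == "__main__":
    # Pass the real _bundled directory as argv[1]; otherwise audit the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_bundled_dir()
    for wheel, (version, fixed) in audit_bundled_wheels(target).items():
        status = "ok" if fixed else "VULNERABLE or no urllib3 found"
        print("%-42s urllib3 %-8s %s" % (wheel, version, status))
```

Run it as `python audit_wheels.py /path/to/Lib/ensurepip/_bundled` to get one line per wheel. A wheel that reports no urllib3 at all is not necessarily safe, only unresolved, so the report treats "None" the same as an old version rather than silently passing it.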



RE: what version has the fix for the CVEs? - rob101 - Nov-11-2022

I can't offer you much advice on this, but my thoughts are that if you mess with the install of jython2.7.2, you will, as likely as not, break something, so if I were to offer any advice at all, it would be to leave well alone unless you know what you're doing, and why.

This CVE is for the urllib3 package (primarily). If you are concerned about the possibility of an exploit and the impact of that, then report it to whoever is responsible for the security of the network. If that person is you and you can't see a fix for this, then I'd question the use of jython2.7.2 as a whole, if an exploit is a real possibility and is a danger to the users of the computer network.