what version has the fix for the CVEs?
Python Forum (https://python-forum.io), Forum: General, News and Discussions
Thread: /thread-38484.html
what version has the fix for the CVEs? - juniarti - Oct-18-2022

Hi,

I have a list of CVEs for Python. How do I find out which Python version has the fix for this list of CVEs?

CVE-2018-20060, CVE-2019-16935, CVE-2016-0772, CVE-2011-4940, CVE-2018-1061, CVE-2019-16056, CVE-2018-1060, CVE-2015-2296, CVE-2015-20107, CVE-2014-1829, CVE-2019-9948, CVE-2011-1015, CVE-2014-1830, CVE-2019-9636 and CVE-2019-9947.

Thank you for your help.

RE: what version has the fix for the CVEs? - rob101 - Oct-19-2022

These are not CVEs for Python, per se, rather some of the Python libraries.

To take your first example: CVE-2018-20060

This is for the urllib3 library, versions before v1.23.

A quick check and you'll see that urllib3 is now at v1.26.x (the current x release is .12, so far as I'm aware).

I'll leave the rest for you to research for yourself.

RE: what version has the fix for the CVEs? - juniarti - Oct-19-2022

(Oct-19-2022, 06:18 AM)rob101 Wrote: These are not CVEs for Python, per se, rather some of the Python libraries.

Hi Rob,

Thank you for your reply. Sorry, I thought the Python libraries also belong to Python. BTW, how do I find out the Python release of the libraries that I am using? I am using jython2.7, which includes all the Python libraries, and the scanner showed all the CVEs that I listed. I have searched on all the CVEs and found the Python release that has the issue, but I do not know what Python library release I am using or what Jython release has all the fixes. Are all the CVEs I listed already fixed?

Thanks.

RE: what version has the fix for the CVEs? - perfringo - Oct-19-2022

(Oct-19-2022, 03:19 PM)juniarti Wrote: I am using jython2.7

Python 2 has not been supported for almost three years: https://www.python.org/doc/sunset-python-2/.

IMHO, in order to improve the security situation, you should start with switching to Python 3 and only after that worry about CVEs and their patches.

RE: what version has the fix for the CVEs? - rob101 - Oct-19-2022

You are very welcome.

Why are you still using Python 2.7? At the very least you should be on Python 3.6 by now.

From a terminal, enter pip2.7 list and you'll get a list of the installed packages and versions.

Are they all fixed? Short of visiting the website for any given package (e.g. https://urllib3.readthedocs.io/en/stable/) I don't know how else one would check on the status.

RE: what version has the fix for the CVEs? - juniarti - Oct-19-2022

(Oct-19-2022, 04:59 PM)perfringo Wrote: (Oct-19-2022, 03:19 PM)juniarti Wrote: I am using jython2.7

Hi perfringo,

Thank you so much for your reply. I am not actually using Python directly but using Jython, and Jython comes with the Python library, and I am having trouble finding out what Python library jython2.7 uses and what Jython version uses Python 3. From googling, it looks like Jython is still under development for using Python 3.

RE: what version has the fix for the CVEs? - juniarti - Oct-19-2022

(Oct-19-2022, 05:05 PM)rob101 Wrote: You are very welcome.

Hi Rob,

The company I work for uses Jython, not Python, but Jython comes with Python libraries and I am having trouble figuring out what Python version is included in jython2.7 and what Jython version I should use that has the Python fix for all those CVEs. I can't run the pip2.7 command as we include Jython in our product, not install it on the system directly.

Thank you so much again for your reply.

RE: what version has the fix for the CVEs? - rob101 - Oct-19-2022

(Oct-19-2022, 06:57 PM)juniarti Wrote: Hi Rob,

My bad: I've never heard of Jython and figured (wrongly) that it was a typo. Unless someone here knows how to help or advise you, I'd seek help from the Jython community.

(Oct-19-2022, 06:57 PM)juniarti Wrote: Thank you so much again for your reply.

Again, you are very welcome; I'm sorry that I could not be of help.

RE: what version has the fix for the CVEs? - juniarti - Oct-19-2022

(Oct-19-2022, 07:11 PM)rob101 Wrote: (Oct-19-2022, 06:57 PM)juniarti Wrote: Hi Rob,

Hi Rob,

I tried to post a question on the Jython community but so far nobody has answered my question yet. So I thought I would try to post on Python since all the CVEs showed Python, which is included in Jython. I really appreciate all your replies. Better I heard something than nothing, right?

Thank you so much.

RE: what version has the fix for the CVEs? - rob101 - Oct-19-2022

(Oct-19-2022, 07:13 PM)juniarti Wrote: I tried to post a question on the Jython community but so far nobody has answered my question yet.

Just a thought: have you asked for help on GitHub? I can see that it's active, so it's more likely than not that you'll get a reply, given time.

Edit to add: Ah... I see your post there, already. Wow! 9 days ago, hmm... not so active then.
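
An added example, not part of the original thread: when pip cannot be run because the interpreter ships inside a product, library versions can be read from the packaging metadata inside the archive and compared with a known fix version. The archive layout, the `examplepkg` name and all function names are assumptions; the only fix threshold used is the urllib3 v1.23 one stated in the thread.

```python
import email
import io
import re
import zipfile

# Only threshold taken from the thread: CVE-2018-20060 affects urllib3 before v1.23.
FIXED_IN = {"urllib3": [("CVE-2018-20060", "1.23")]}
# Assumption: bundled libraries keep their *.dist-info/METADATA or *.egg-info/PKG-INFO.
META = re.compile(r"(?:^|/)[^/]+\.(?:dist-info|egg-info)/(?:METADATA|PKG-INFO)$")

def release(version):
    """'1.26.12' -> (1, 26, 12); rc/dev suffixes are ignored; () when unparseable."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    parts = [int(p) for p in match.group().split(".")] if match else []
    while parts[-1:] == [0]:  # so that 1.23.0 compares equal to 1.23
        parts.pop()
    return tuple(parts)

def inventory(archive):
    """Return {name: version} for each packaging metadata file found in a zip/jar."""
    found = {}
    with zipfile.ZipFile(archive) as zf:
        for entry in filter(META.search, zf.namelist()):
            msg = email.message_from_string(zf.read(entry).decode("utf-8", "replace"))
            if msg["Name"] and msg["Version"]:
                found[msg["Name"].strip().lower()] = msg["Version"].strip()
    return found

def audit(packages):
    """(name, version, cve, fixed_in) for each version below a known fix."""
    return [(name, version, cve, fixed)
            for name, version in sorted(packages.items())
            for cve, fixed in FIXED_IN.get(name, [])
            if release(version) < release(fixed)]  # unparseable versions are flagged

def sample_archive(urllib3_version):
    """Constructed stand-in for a product archive with libraries bundled inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lib/site-packages/urllib3-%s.dist-info/METADATA" % urllib3_version,
                    "Metadata-Version: 2.1\nName: urllib3\nVersion: %s\n\nbody\n" % urllib3_version)
        zf.writestr("Lib/site-packages/examplepkg.egg-info/PKG-INFO",
                    "Metadata-Version: 1.1\nName: examplepkg\nVersion: 0.1\n")
    return buf

if __name__ == "__main__":
    for finding in audit(inventory(sample_archive("1.22"))):
        print("%s %s: %s, fixed in %s" % finding)
```

`inventory()` also accepts a path to a real `.jar` or `.zip`; libraries that ship without metadata files will not appear in its output and have to be identified another way.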