Python Forum
what version has the fix for the CVEs?
#1
Hi,
I have a list of CVEs for Python; how do I find out which Python version has the fix for this list of CVEs?
CVE-2018-20060, CVE-2019-16935, CVE-2016-0772, CVE-2011-4940, CVE-2018-1061, CVE-2019-16056, CVE-2018-1060, CVE-2015-2296, CVE-2015-20107, CVE-2014-1829, CVE-2019-9948, CVE-2011-1015, CVE-2014-1830, CVE-2019-9636 and CVE-2019-9947.
Thank you for your help.
#2
These are not CVEs for Python, per se, rather some of the Python libraries.

To take your first example: CVE-2018-20060

This is for the urllib3 library, versions before v1.23

A quick check and you'll see that urllib3 is now at v1.26.x (the current x release is .12, so far as I'm aware).

I'll leave the rest for you to research for yourself.
Sig:
>>> import this

The UNIX philosophy: "Do one thing, and do it well."

"The danger of computers becoming like humans is not as great as the danger of humans becoming like computers." :~ Konrad Zuse

"Everything should be made as simple as possible, but not simpler." :~ Albert Einstein
#3
(Oct-19-2022, 06:18 AM)rob101 Wrote: These are not CVEs for Python, per se, rather some of the Python libraries.

To take your first example: CVE-2018-20060

This is for the urllib3 library, versions before v1.23

A quick check and you'll see that urllib3 is now at v1.26.x (the current x release is .12, so far as I'm aware).

I'll leave the rest for you to research for yourself.

Hi Rob,
Thank you for your reply. Sorry, I thought the Python libraries also belonged to Python.
BTW, how do I find out the Python release of the libraries that I am using?
I am using Jython 2.7, and it includes all the Python libraries; the scanner showed all the CVEs that I listed.
I have searched all the CVEs and found the Python release that has the issue, but I do not know what Python library release I am using and what Jython release has all the fixes.
Are all the CVEs I listed already fixed?
Thanks.
#4
(Oct-19-2022, 03:19 PM)juniarti Wrote: I am using jython2.7

Python 2 has not been supported for almost three years: https://www.python.org/doc/sunset-python-2/. IMHO, in order to improve the security situation you should start with switching to Python 3 and only after that worry about CVEs and their patches.
I'm not 'in'-sane. Indeed, I am so far 'out' of sane that you appear a tiny blip on the distant coast of sanity. Bucky Katt, Get Fuzzy

Da Bishop: There's a dead bishop on the landing. I don't know who keeps bringing them in here. ....but society is to blame.
#5
You are very welcome.

Why are you still using Python 2.7? At the very least you should be on Python 3.6 by now.

From a terminal, enter pip2.7 list and you'll get a list of the installed packages and versions.

Are they all fixed? Short of visiting the website for any given package (e.g: https://urllib3.readthedocs.io/en/stable/) I don't know how else one would check on the status.
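The two checks the thread describes, listing installed packages with pip and comparing each against the version in which a CVE was fixed, can be scripted. The following is an added example, not code from the thread or from the urllib3 or Jython projects. It assumes the default two-column text format of `pip list` (a constructed sample is embedded), and the only fix threshold it knows is the one stated above, urllib3 before 1.23 for CVE-2018-20060; further entries in `FIXED_IN` would have to be filled in from each CVE's advisory.

```python
"""Flag installed packages that are older than the version a CVE fix shipped in.

Added example. Assumes `pip list` output in its default two-column format.
"""
import re

# Constructed `pip list` output for illustration (not captured from a real system).
SAMPLE_PIP_LIST = """\
Package    Version
---------- -------
pip        20.3.4
requests   2.27.1
urllib3    1.22
"""

# Package -> (first fixed version, CVE). Only the urllib3 entry comes from the
# thread (CVE-2018-20060 affects urllib3 before 1.23); extend from the advisory
# of each CVE you track.
FIXED_IN = {
    "urllib3": ("1.23", "CVE-2018-20060"),
}


def parse_version(text):
    """Turn '1.26.12' or '2.7b3' into a comparable tuple of ints.

    Non-numeric suffixes are dropped (so '7b3' -> 7); a component with no
    leading digits counts as 0.
    """
    parts = []
    for component in text.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a is older than b; shorter tuples are padded with 0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_pip_list(output):
    """Return {package_name_lowercased: version} from `pip list` text output."""
    installed = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Package" or fields[0].startswith("---"):
            continue  # skip the header row and the dashed separator
        installed[fields[0].lower()] = fields[1]
    return installed


def find_unpatched(installed, fixed_in=FIXED_IN):
    """Return [(package, installed_version, fixed_version, cve)] for packages
    that are installed and still older than the version carrying the fix."""
    findings = []
    for name, (fixed, cve) in fixed_in.items():
        current = installed.get(name.lower())
        if current is not None and version_lt(current, fixed):
            findings.append((name, current, fixed, cve))
    return findings


if __name__ == "__main__":
    for name, current, fixed, cve in find_unpatched(parse_pip_list(SAMPLE_PIP_LIST)):
        print(f"{name} {current} is older than {fixed}: {cve} not fixed")
```

Where pip is not usable, as with a Jython bundled inside a product, `find_unpatched` can be fed a dict of package names to versions built by any other means, for example from the package metadata found under the bundled site-packages directory.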
#6
(Oct-19-2022, 04:59 PM)perfringo Wrote:
(Oct-19-2022, 03:19 PM)juniarti Wrote: I am using jython2.7

Python 2 has not been supported for almost three years: https://www.python.org/doc/sunset-python-2/. IMHO, in order to improve the security situation you should start with switching to Python 3 and only after that worry about CVEs and their patches.

Hi perfringo,
Thank you so much for your reply.
I am not actually using Python directly but Jython, and Jython comes with the Python library; I am having trouble finding out what Python library Jython 2.7 uses and what Jython version uses Python 3.
From googling, it looks like Jython is still under development for using Python 3.
#7
(Oct-19-2022, 05:05 PM)rob101 Wrote: You are very welcome.

Why are you still using Python 2.7? At the very least you should be on Python 3.6 by now.

From a terminal, enter pip2.7 list and you'll get a list of the installed packages and versions.

Are they all fixed? Short of visiting the website for any given package (e.g: https://urllib3.readthedocs.io/en/stable/) I don't know how else one would check on the status.

Hi Rob,
The company I work for uses Jython, not Python, but Jython comes with Python libraries, and I am having trouble figuring out what Python version is included in Jython 2.7 and what Jython version I should use that has the Python fix for all those CVEs.
I can't run the pip2.7 command, as we include Jython in our product rather than installing it on the system directly.
Thank you so much again for your reply.
#8
(Oct-19-2022, 06:57 PM)juniarti Wrote: Hi Rob,
The company I work for uses Jython, not Python...

My bad: I've never heard of jython and figured (wrongly) that it was a typo.

Unless someone here knows how to help or advise you, I'd seek help from the Jython community.

(Oct-19-2022, 06:57 PM)juniarti Wrote: Thank you so much again for your reply.

Again, you are very welcome; I'm sorry that I could not be of help.
#9
(Oct-19-2022, 07:11 PM)rob101 Wrote:
(Oct-19-2022, 06:57 PM)juniarti Wrote: Hi Rob,
The company I work for uses Jython, not Python...

My bad: I've never heard of jython and figured (wrongly) that it was a typo.

Unless someone here knows how to help or advise you, I'd seek help from the Jython community.

(Oct-19-2022, 06:57 PM)juniarti Wrote: Thank you so much again for your reply.

Again, you are very welcome; I'm sorry that I could not be of help.

Hi Rob,
I tried to post the question on the Jython community, but so far nobody has answered my question yet. So I thought I'd try posting on Python, since all the CVEs showed Python, which is included in Jython.
I really appreciate all your replies. Better I heard something than nothing, right?
Thank you so much.
#10
(Oct-19-2022, 07:13 PM)juniarti Wrote: I tried to post the question on the Jython community, but so far nobody has answered my question yet.

Just a thought: have you asked for help on Github?

I can see that it's active, so it's more likely than not, that you'll get a reply, given time.

Edit to add: Ah... I see your post there, already.

Wow! 9 days ago, humm... not so active then.