
List:       oss-security
Subject:    Re: [oss-security] Python-3.5.8.tar.xz does NOT contain the fix for bpo-38243
From:       Peter van Dijk <peter.van.dijk () powerdns ! com>
Date:       2019-10-31 8:13:31
Message-ID: 65fba71e1eb02e277f02de7549614237f977c11c.camel () powerdns ! com

> Python 3.5.8 is supposed to contain a fix for bpo-38243, as mentioned
> at 
> https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8-final
> 
> It turns out python.org has accidentally shipped 3.5.8 without that
> fix, if you pick tar.xz instead of .tgz. Please find attached the email
> I have sent them.
> 
> I'm reporting this to oss-security so that no downstream distributors
> accidentally ship the wrong 3.5.8. I have also reported it directly to
> FreeBSD at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241586 as
> they are the only distribution I could think of that still actually
> ship vanilla Python 3.5.

Reply from the Python project:

Thanks for the heads-up. During the 3.5.8 release process, I actually generated the tarball multiple times, and although I never officially released these previous versions, somehow the CDN latched onto this one .xz file from one of these test versions. As you note, the MD5 sum and file size on the release page were correct for the final version; also, the v3.5.8 tag in the Git repo and the GPG checksum file also match this final (correct) version.

Still, it's a messy situation. Fedora has already updated to 3.5.8, and they got the tarball without the fix for bpo-38243.

As you suggest, the best way to ameliorate this debacle is to just release a 3.5.9. I'll do that in the next day or so. In the meantime I'll send a quick note to the clp newsgroups.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
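The reply above notes that the MD5 sum and file size on the release page, and the GPG checksum file, all matched the correct tarball while the CDN served a different .xz. The check below is an added example, not part of this thread or of the Python project's release tooling: a POSIX shell function a downstream packager can run against a downloaded artifact, comparing it to the MD5 sum and byte size copied from the release page and, when a detached `.asc` signature and `gpg` are present, verifying the signature too. The demo files and their contents are constructed.

```shell
#!/bin/sh
# verify_release FILE EXPECTED_MD5 EXPECTED_SIZE
# Returns 0 when every check passes, 1 otherwise, reporting each failing check.
# Hypothetical helper written for this example; not from python.org.
verify_release() {
    file=$1; want_md5=$2; want_size=$3; status=0
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Byte size, as listed on the release page.
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "SIZE MISMATCH: $file is $got_size bytes, release page says $want_size" >&2
        status=1
    fi

    # MD5 sum, as listed on the release page.
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 MISMATCH: $file has $got_md5, release page says $want_md5" >&2
        status=1
    fi

    # Detached-signature check, only when a .asc sits beside the file and gpg exists.
    if [ -f "$file.asc" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$file.asc" "$file" >/dev/null 2>&1 || {
            echo "GPG SIGNATURE FAILED: $file.asc" >&2; status=1; }
    fi
    return $status
}

# Constructed demo: a stand-in "tarball" plus the checksum and size a packager
# would have recorded from the release page for the correct artifact, and a
# different file served under the same name, as happened with the CDN copy.
demo() {
    dir=$(mktemp -d)
    printf 'good release content\n' > "$dir/good.tar.xz"
    md5=$(md5sum "$dir/good.tar.xz" | cut -d' ' -f1)
    size=$(wc -c < "$dir/good.tar.xz" | tr -d ' ')
    printf 'stale test build\n' > "$dir/served.tar.xz"
    verify_release "$dir/good.tar.xz" "$md5" "$size" && echo "good.tar.xz: passes"
    verify_release "$dir/served.tar.xz" "$md5" "$size" || echo "served.tar.xz: rejected"
    rm -rf "$dir"
}

demo
```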

