List: oss-security
Subject: Re: [oss-security] Python-3.5.8.tar.xz does NOT contain the fix for bpo-38243
From: Peter van Dijk <peter.van.dijk () powerdns ! com>
Date: 2019-10-31 8:13:31
Message-ID: 65fba71e1eb02e277f02de7549614237f977c11c.camel () powerdns ! com
> Python 3.5.8 is supposed to contain a fix for bpo-38243, as mentioned
> at
> https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8-final
>
> It turns out python.org has accidentally shipped 3.5.8 without that
> fix, if you pick tar.xz instead of .tgz. Please find attached the email
> I have sent them.
>
> I'm reporting this to oss-security so that no downstream distributors
> accidentally ship the wrong 3.5.8. I have also reported it directly to
> FreeBSD at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241586 as
> they are the only distribution I could think of that still actually
> ship vanilla Python 3.5.
Reply from the Python project:
Thanks for the heads-up. During the 3.5.8 release process, I actually generated the tarball multiple times, and although I never officially released these previous versions, somehow the CDN latched onto this one .xz file from one of these test versions. As you note, the MD5 sum and file size on the release page were correct for the final version; also, the v3.5.8 tag in the Git repo and the GPG checksum file also match this final (correct) version.

Still, it's a messy situation. Fedora has already updated to 3.5.8, and they got the tarball without the fix for bpo-38243.

As you suggest, the best way to ameliorate this debacle is to just release a 3.5.9. I'll do that in the next day or so. In the meantime I'll send a quick note to the clp newsgroups.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
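The check a downstream packager would want in light of this thread, as an added example that is not part of the original mail or of python.org's release tooling: compare a downloaded tarball's size and digests against the values published on the release page before building from it. The reply above notes that the release page's MD5 sum and file size were correct for the final 3.5.8, so a stale CDN copy would fail this comparison. All file contents and expected values below are constructed placeholders, not the real 3.5.8 metadata.

```python
# Added example (not from the original mail or from python.org): verify a
# downloaded release artifact against published size and digest values.
# The sample bytes and expected values are constructed placeholders.
import hashlib
import os
import tempfile

def digest_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the file once; return (size_in_bytes, {algo: hexdigest})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}

def verify_artifact(path, expected):
    """Compare a file against published metadata.

    `expected` may contain "size" (int) and any hashlib algorithm name mapped
    to a hex digest. Returns a list of (field, expected, actual) mismatches;
    an empty list means every published field matched. Fields absent from
    `expected` are not checked, so publish (and check) more than one digest.
    """
    algorithms = tuple(k for k in expected if k != "size")
    size, digests = digest_file(path, algorithms)
    mismatches = []
    if "size" in expected and size != expected["size"]:
        mismatches.append(("size", expected["size"], size))
    for name in algorithms:
        if digests[name] != expected[name].lower():
            mismatches.append((name, expected[name].lower(), digests[name]))
    return mismatches

def demo():
    """Constructed scenario: the release page describes the final build, but
    the mirror hands back an earlier test build. Returns (stale, final)."""
    final_build = b"Python-3.5.8 final: contains bpo-38243 fix\n"
    stale_build = b"Python-3.5.8 test build: missing fix\n"
    published = {"size": len(final_build),
                 "md5": hashlib.md5(final_build).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        stale_path = os.path.join(tmp, "stale-Python-3.5.8.tar.xz")
        final_path = os.path.join(tmp, "final-Python-3.5.8.tar.xz")
        with open(stale_path, "wb") as fh:
            fh.write(stale_build)
        with open(final_path, "wb") as fh:
            fh.write(final_build)
        return verify_artifact(stale_path, published), verify_artifact(final_path, published)

if __name__ == "__main__":
    stale, final = demo()
    for field, want, got in stale:
        print(f"MISMATCH {field}: published {want}, downloaded {got}")
    print("final build verified" if not final else "final build FAILED")
```

Verifying the detached GPG signature (with `gpg --verify`) against the project's release key remains the stronger check, since a digest copied from the same page as the artifact only catches mirror and CDN mix-ups, not a compromised release page.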