Ned Deily <n...@python.org> added the comment:
A legitimate CVE should certainly be backported to all applicable releases, so, yes. However, I think that it is important for the CVE to be mentioned in the NEWS blurbs for each commit. So please update the NEWS items in each open PR to include the CVE. For master and 3.9 (if you hurry), you can update the original blurb file. For 3.8, the blurb file is in the process of being merged into the blurb for the release; for it, wait until the v3.8.4rc1 has been merged back into the main cpython repo and then update the merged the blob, please. Thanks! ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue41004> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com