Łukasz Langa <luk...@langa.pl> added the comment:

> it prevents using 3.8 because of this open vulnerability

What do you mean by this?

Our understanding is that this is a low-severity CVE because in order for this 
to be a vulnerability, you'd have to have both:

1. user access to IP address input; and
2. control over two addresses sharing numerical representation with leading 
zeroes: the first resolving when leading zeroes are treated as octal numbers; 
the second resolving when leading zeroes are treated as decimal numbers.

Access to both then allows you at best to circumvent IP address-based access 
control or denial of service. However, access to just 1. allows you to input 
any IP address to achieve the same goals.

Hence low-severity.


> it does not seem to be a breaking change

It is a bona fide breaking change. Any IP address configuration saved in files 
or databases which might have used leading zeroes would be rejected by 3.8.12. 
The same was true for 3.9.5 but since this release series has much higher 
exposure (still receiving binary installers and regular-cadence bugfixes), it 
was less controversial to include it.


If you still feel this ought to be fixed in 3.8, please elaborate.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36384>
_______________________________________
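The two-interpretation condition in the comment above (an octet like "010" read as decimal by one component and as octal by another, so an IP-based access check and the socket layer can disagree about which host a literal names) is easy to reproduce and to close off. The following is an added example, not code from the tracker thread or from CPython's ipaddress module; all names (octal_reading, strict_ipv4, is_allowed) and the sample literals are constructed for illustration. The mitigation shown is the one the 3.9.5 change implements in spirit: reject any dotted-quad literal with a leading-zero octet before it reaches an allowlist or a resolver, so the same string cannot mean two different addresses.

```python
import ipaddress
import re

# One canonical octet: "0" or a 1-3 digit number with no leading zero.
_OCTET_RE = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def decimal_reading(text):
    """Read every octet as decimal (how pre-3.9.5 ipaddress treated '010')."""
    return ".".join(str(int(p, 10)) for p in text.split("."))


def octal_reading(text):
    """Read leading-zero octets as octal (the C inet_aton convention).

    Returns None where inet_aton would reject the literal, e.g. '08' or '09'.
    """
    out = []
    for p in text.split("."):
        if len(p) > 1 and p.startswith("0"):
            try:
                out.append(int(p, 8))
            except ValueError:
                return None
        else:
            out.append(int(p, 10))
    return ".".join(str(v) for v in out)


def is_ambiguous(text):
    """True if decimal and octal parsers would resolve this literal differently."""
    octal = octal_reading(text)
    return octal is not None and octal != decimal_reading(text)


def strict_ipv4(text):
    """Parse an IPv4 literal only if every octet is canonical (no leading zeros).

    Raising here, before any downstream parser sees the string, removes the
    ambiguity regardless of which Python version or C library is in use.
    """
    parts = text.split(".")
    if len(parts) != 4 or not all(_OCTET_RE.match(p) for p in parts):
        raise ValueError(f"non-canonical IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(text)


def is_allowed(text, allowlist):
    """Allowlist check that refuses ambiguous input instead of guessing.

    allowlist: iterable of canonical IPv4 strings (constructed sample data).
    Returns True only for a canonical literal that is in the allowlist.
    """
    try:
        addr = strict_ipv4(text)
    except ValueError:
        return False
    return addr in {ipaddress.IPv4Address(a) for a in allowlist}


if __name__ == "__main__":
    # Constructed sample: "010.0.0.1" is 10.0.0.1 to a decimal parser
    # and 8.0.0.1 to an octal one.
    for literal in ("010.0.0.1", "10.0.0.1", "08.0.0.1"):
        print(literal, decimal_reading(literal), octal_reading(literal),
              "ambiguous" if is_ambiguous(literal) else "unambiguous")
    print(is_allowed("010.0.0.1", ["10.0.0.1"]))  # False: rejected as non-canonical
    print(is_allowed("10.0.0.1", ["10.0.0.1"]))   # True
```

The check is deliberately applied to the raw string rather than to the parsed address: once a string has been turned into an address by one component, the information that another component might have read it differently is already lost.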