[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-20 Thread Dong-hee Na


Dong-hee Na  added the comment:

> current macOS python.org installers dynamically link to the system-provided 
> copies of Bzip2

Okay, so this issue looks out of scope to the CPython team if the Windows 
distribution follows the same policy.

@steve.dower

Can you check about this issue?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-20 Thread Ned Deily


Ned Deily  added the comment:

> Is it possible to update bz2 to 1.0.8 on macOS distribution?

Thanks for looking into this. As I commented on PR 27241, this change is not 
needed because current macOS python.org installers dynamically link to the 
system-provided copies of Bzip2; the code to build a private copy of BZip2 in 
build-installer.py was only used when building on very old versions of macOS, 
10.4 and earlier, versions for which we no longer support building installers. 
I've submitted another PR to remove that unused code to avoid future confusion.

--

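Ned's point above is that the bzip2 version vendored in cpython-source-deps says nothing about the bzip2 a macOS (or distro) interpreter actually loads at run time, so the useful check is against the loaded library, not the source tree. The following is an added example, not code from this thread or from CPython: it loads the shared libbz2 this interpreter can see, asks it for its banner via BZ2_bzlibVersion() (an exported function of the upstream library), and compares the parsed version against the 1.0.8 floor the thread requests. It assumes a shared libbz2 is loadable; where bzip2 is statically linked into _bz2, as in Windows builds, it reports the version as unknown rather than guessing.

```python
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

# Floor requested in the thread: bzip2 1.0.8 (1.0.6 carries CVE-2019-12900 / CVE-2016-3189).
MIN_VERSION: Tuple[int, int, int] = (1, 0, 8)


def parse_bzip2_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Turn a BZ2_bzlibVersion() banner such as '1.0.8, 13-Jul-2019'
    into a comparable tuple (1, 0, 8); None when no x.y.z prefix is present."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True when the linked bzip2 predates MIN_VERSION."""
    return tuple(version) < MIN_VERSION


def loaded_bzip2_banner() -> Optional[str]:
    """Load the shared libbz2 this interpreter can see and call its
    BZ2_bzlibVersion(); None if no shared libbz2 is found (for instance
    when bzip2 is statically linked into _bz2, as in Windows builds)."""
    candidates = [ctypes.util.find_library("bz2"), "libbz2.so.1", "libbz2.dylib"]
    for name in candidates:
        if not name:
            continue
        try:
            fn = ctypes.CDLL(name).BZ2_bzlibVersion
        except (OSError, AttributeError):
            continue  # library absent or lacks the symbol; try the next name
        fn.restype = ctypes.c_char_p
        fn.argtypes = []
        return fn().decode("ascii", "replace")
    return None


def audit() -> dict:
    """Report the banner, the parsed version and whether it is below the floor;
    needs_update is None when the version could not be determined."""
    banner = loaded_bzip2_banner()
    version = parse_bzip2_version(banner) if banner else None
    return {
        "banner": banner,
        "version": version,
        "needs_update": None if version is None else is_vulnerable_version(version),
    }
```

Run `python -c "import bz2audit; print(bz2audit.audit())"` (module name is whatever you save the file as) on each interpreter you ship to see the bzip2 it really resolves.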



[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-19 Thread Dong-hee Na


Dong-hee Na  added the comment:

Hmm, since I am not a distribution expert, I would like to follow other core 
devs' opinions.

Almost all Linux distributions use bzip2 1.0.6 by default.

--




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-19 Thread Dong-hee Na


Change by Dong-hee Na :


--
components: +macOS
nosy: +ronaldoussoren
type: crash -> security




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-19 Thread Dong-hee Na


Change by Dong-hee Na :


--
pull_requests: +25790
pull_request: https://github.com/python/cpython/pull/27241




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-19 Thread Dong-hee Na


Dong-hee Na  added the comment:

@ned.deily

Is it possible to update bz2 to 1.0.8 on the macOS distribution?
I found the guide to update the library on Windows, but I cannot find one for 
the macOS version.

--
nosy: +ned.deily




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-19 Thread Dong-hee Na


Change by Dong-hee Na :


--
keywords: +patch
pull_requests: +25788
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/27239




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-18 Thread Dong-hee Na


Dong-hee Na  added the comment:

I have requested the dependency update to use bzip2 1.0.8, which is the stable version.

https://github.com/python/cpython-source-deps/pull/25

--




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-18 Thread Dong-hee Na


Change by Dong-hee Na :


--
nosy: +corona10




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-04 Thread Ma Lin

Ma Lin  added the comment:

If you update python/cpython-source-deps, I can submit a simple PR to 
python/cpython.

I want to submit a PR to python/cpython-source-deps, but I think it’s better 
for a credible person to do this.

--
nosy: +malin




[issue44549] BZip 1.0.6 Critical Vulnerability

2021-07-02 Thread siddhartha shankar mahato


New submission from siddhartha shankar mahato :

Python (3.9.5 and 3.9.6) is using Bzip2 1.0.6, which has known critical 
vulnerabilities:
CVE-2019-12900 (BDSA-2019-1844)
9.8 Critical NVD CVE-2016-3189 (BDSA-2019-2036).

Please upgrade the same to a stable version.

--
components: Windows
messages: 396853
nosy: paul.moore, s.s.mahato, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: BZip 1.0.6 Critical Vulnerability
type: crash
versions: Python 3.9
