Re: python3 update
On Mon, Feb 20, 2023 at 12:23:03AM +0000, 王 悉奥 wrote:
> Hello, I have a question about python3 package. Take the stable python3.9 as
> an example, the upstream has released to 3.9.16 which contains a lot of
> security fixes, like CVE-2022-37454 and CVE-2022-42919 in 3.9.16 and the
> 3.9.3 in debian seems kind of old and not safe.
The Debian security team backports fixes to the stable version whenever
possible. At some point, bugs like CVE-2022-37454 should be fixed in
the stable release.
Bugs that affect a large number of users tend to get fixed quickly.
Then you have bugs like CVE-2022-37454 ...
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
integer overflow [...]
I don't even know what that *is*. Some sort of hash algorithm? Are
you actually using it? It sounds pretty niche to me, but maybe I'm
grossly mistaken.
As for the other one:
[...]local privilege escalation in a non-default configuration. The
Python multiprocessing library, when used with the forkserver start
method on Linux, allows pickles to be deserialized from any user in
the same machine local network namespace [...]
That sounds more serious, although I must admit I don't know what
"pickles" are in this context, nor do I know how many users are using
this non-default configuration.
If you aren't directly affected by these issues, I wouldn't worry about
it. There will be a fix at some point.
If you are directly affected by one of these, then your life does become
a lot more interesting. You'll have to make a tough decision. Do you
wait for the security update, not knowing how long it'll take? Do you
build upstream Python in /opt or /usr/local and use that for your critical
services? Do you migrate the affected machine to bullseye and risk all
of the other bugs (including security bugs) that may come as a result of
using a pre-release version of Debian? Do you take your chances with
a bullseye-backport package, if there is one, knowing that *those* receive
no security support at all?
There aren't any good answers here.
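The point made above, that Debian backports fixes into stable without bumping the upstream version number, means the version string alone says nothing about whether a given CVE is fixed; the package's Debian changelog does. As an added example (not part of this thread), a small Python script that maps each version in a Debian changelog to the CVE ids its entry mentions, run here on a constructed sample changelog (the real file lives at /usr/share/doc/<package>/changelog.Debian.gz):

```python
import gzip
import re
from pathlib import Path

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Debian changelog entry header: "<source> (<version>) <distribution>; urgency=<level>"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=")


def cves_by_version(changelog_text):
    """Map each package version in a Debian changelog to the set of CVE ids
    mentioned in its entry. A mention usually means the fix was backported,
    but the entry text is the maintainer's, so read it before relying on it."""
    result = {}
    current = None
    for line in changelog_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            result.setdefault(current, set())
        elif current is not None:
            result[current].update(CVE_RE.findall(line))
    return result


def versions_mentioning(changelog_text, cve):
    """Return the package versions whose changelog entry mentions `cve`."""
    return sorted(v for v, cves in cves_by_version(changelog_text).items() if cve in cves)


def load_debian_changelog(package):
    """Read the installed package's changelog on a Debian host (gzip-compressed)."""
    path = Path("/usr/share/doc") / package / "changelog.Debian.gz"
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as f:
        return f.read()


# Constructed sample changelog for offline use; version and maintainer are made up.
SAMPLE = """\
python3.9 (3.9.2-1+deb11u99) bullseye-security; urgency=high

  * Backport upstream fix for CVE-2022-42919 (multiprocessing forkserver
    deserializing pickles from other local users).

 -- Example Maintainer <maint@example.invalid>  Sun, 01 Jan 2023 00:00:00 +0000

python3.9 (3.9.2-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.invalid>  Sat, 01 Jan 2022 00:00:00 +0000
"""

if __name__ == "__main__":
    print(versions_mentioning(SAMPLE, "CVE-2022-42919"))
```

On a real host, replace SAMPLE with load_debian_changelog("python3.9") and query the CVE ids you care about.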