On Mon, Feb 20, 2023 at 12:23:03AM +0000, 王 悉奥 wrote:
> Hello, I have a question about python3 package. Take the stable python3.9 as
> an example, the upstream has released to 3.9.16 which contains a lot of
> security fixes, like CVE-2022-37454 and CVE-2022-42919 in 3.9.16 and the
> 3.9.3 in debian seems kind of old and not safe.

The Debian security team backports fixes to the stable version whenever
possible.  At some point, bugs like CVE-2022-37454 should be fixed in
the stable release.

Bugs that affect a large number of users tend to get fixed quickly.

Then you have bugs like CVE-2022-37454 ...

   The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
   integer overflow [...]

I don't even know what that *is*.  Some sort of hash algorithm?  Are
you actually using it?  It sounds pretty niche to me, but maybe I'm
grossly mistaken.

As for the other one:

   [...]local privilege escalation in a non-default configuration. The
   Python multiprocessing library, when used with the forkserver start
   method on Linux, allows pickles to be deserialized from any user in
   the same machine local network namespace [...]

That sounds more serious, although I must admit I don't know what
"pickles" are in this context, nor do I know how many users are using
this non-default configuration.

If you aren't directly affected by these issues, I wouldn't worry about
it.  There will be a fix at some point.

If you are directly affected by one of these, then your life does become
a lot more interesting.  You'll have to make a tough decision.  Do you
wait for the security update, not knowing how long it'll take?  Do you
build upstream Python in /opt or /usr/local and use that for your critical
services?  Do you migrate the affected machine to bullseye and risk all
of the other bugs (including security bugs) that may come as a result of
using a pre-release version of Debian?  Do you take your chances with
a bullseye-backport package, if there is one, knowing that *those* receive
no security support at all?

There aren't any good answers here.
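
A defender-side check for the multiprocessing issue quoted above, as an
added example that is not part of this thread: it reports whether this
interpreter would give the forkserver listener a Linux abstract socket
(the condition CVE-2022-42919 describes) and applies the
abstract_sockets_supported = False workaround.  That flag is an
undocumented internal, so how a given release honours it is an assumption
to verify against the upstream changelog.

```python
# Added example (not from the thread).  Assumes Linux and CPython's stdlib
# multiprocessing; abstract_sockets_supported is an undocumented flag.
import os
import stat
import sys
import multiprocessing.connection as mpc
import multiprocessing.util as mputil

def uses_abstract_socket(address) -> bool:
    """An AF_UNIX address starting with a NUL byte is in the Linux abstract
    namespace: no filesystem node, so no permission bits decide who may
    connect.  That is the exposure CVE-2022-42919 describes."""
    if isinstance(address, bytes):
        return address.startswith(b"\0")
    return isinstance(address, str) and address.startswith("\0")

def forkserver_listener_exposure() -> dict:
    """Report the address kind this interpreter would give the forkserver
    listener; forkserver obtains it from arbitrary_address('AF_UNIX'), so
    asking that directly shows the behaviour without spawning workers."""
    addr = mpc.arbitrary_address("AF_UNIX")
    abstract = uses_abstract_socket(addr)
    private_dir = None
    if not abstract:
        # For a filesystem socket, multiprocessing's mkdtemp temp dir
        # (mode 0700) is what keeps other local users out.
        mode = stat.S_IMODE(os.stat(os.path.dirname(addr)).st_mode)
        private_dir = mode == 0o700
    return {
        "python": sys.version.split()[0],
        "abstract_sockets_supported": getattr(mputil, "abstract_sockets_supported", None),
        "listener_address_abstract": abstract,
        "listener_dir_private": private_dir,
    }

def harden_forkserver() -> dict:
    """Workaround for an unfixed interpreter: disable abstract sockets so the
    listener becomes a filesystem path in the 0700 temp dir.  Must run before
    the forkserver starts; on a fixed interpreter the report should already
    show a filesystem path."""
    mputil.abstract_sockets_supported = False
    return forkserver_listener_exposure()

if __name__ == "__main__":
    print("before:", forkserver_listener_exposure())
    print("after: ", harden_forkserver())
```

Run it once before any forkserver-based service starts; a "before" report
showing listener_address_abstract True on an unpatched interpreter is the
sign you are in the exposed configuration.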
