Update: 8th December 2015:
The Python Foundation have released Python 2.7.11. Please see this more recent blog post for details.
Thank you.
=======================
Update: 24th November 2015:
At this time, Python 2.7.11 has entered release candidate testing (defined).The final version should be available in early December. I will update this post and publish a dedicated post when this update becomes available.
Thank you.
=======================
Original Post:
=======================
Last weekend, the Python Foundation made available an update to its older series of Python installers. Version 2.7.10 was released for the 2.7 code branch (3.4.3 is the most recent branch with 3.5 in alpha testing). On one of my PCs I have a specific piece of purchased software installed that requires Python 2.7.
This 2.7.10 update is significant since it incorporates the following noteworthy changes:
- 4 buffer overflows resolved
- 2 integer overflows resolved
- 1 use after free bug resolved
- Removes the RC4 cipher from the SSL module’s default cipher list
- Upgrades the Windows build of Python 2.7.10 to include OpenSSL 1.0.2a (previously the OpenSSL version was 1.0.1j bundled with Python 2.7.9 released in December 2014)
The full changelog is available here.
While none of the above overflows or the use after free bug have been assigned CVE numbers and are not explicitly reported as security vulnerabilities, it is still best practice to patch these bugs if you are using an older version of Python. In addition, 14 CVEs have been resolved by the OpenSSL Project between the releases of OpenSSL 1.0.1k up to 1.0.2a (i.e. from the previous 2.7.9 version to the current 2.7.10). Please note that the total of 14 CVEs does not include CVEs that only affected the 1.0.2 branch.
For an explanation of what CVEs are, please see the first short aside within this blog post.
If you have Python 2.7 installed, please consider upgrading to the most recent 2.7.10 update to benefit from the above mentioned fixes. I installed the 2.7.10 update over the previous 2.7.9 version (the installer detects the previous version and offers to update it) and the application that requires Python mentioned above continues to work normally.
As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.
Thank you.
securityinaction 