Python 3.5.0 Released

Update: 8th December 2015:
The Python Foundation have released Python 3.5.1. Please see this more recent blog post for details.

Thank you.

=======================
Original Post:
=======================

Last weekend, the Python Foundation made available version 3.5.0 of Python. This 3.5.0 update is significant since it incorporates the following noteworthy changes:

=======================

  • 7 buffer overreads resolved (essentially these are buffer overflows)
  • 10 integer overflows resolved (11 other general overflows resolved)
  • 1 use after free and 1 double free issue resolved
  • 1 CVE (defined) resolved (resolves an issue with returning too much data, possible buffer overflow)
  • Improved parsing of HTTP cookies to resolve a possible security issue
  • Improved URL handling by CGIHTTPServer to prevent a security issue
  • Resolved an arbitrary code execution vulnerability in the dbm.dumb module
  • Disables SSL v3 (it can still be re-enabled manually; see the heading “Security improvements” for details) while prioritizing the use of perfect forward secrecy (defined).

=======================

The full changelog is available here.

While none of the above overflows or the use-after-free/double-free bugs have been assigned CVE numbers or are explicitly reported as security vulnerabilities, it is still best practice to patch these bugs if you are using an affected version of Python.

If you have an older release of Python installed, e.g. 3.4.3 or older, please consider upgrading to the most recent 3.5.0 update to benefit from the above-mentioned fixes.
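One way to check an interpreter against the upgrade advice and the SSL v3 change above, as an added example that is not part of the original post or of the Python project. The function names and the deliberately weakened context are constructed for illustration, and the TLS audit assumes Python 3.6 or later (for `get_ciphers()`).

```python
import ssl
import sys

FIXED_RELEASE = (3, 5, 0)  # the release the post recommends upgrading to


def needs_upgrade(version=None):
    """True when a version tuple predates 3.5.0 (defaults to this interpreter)."""
    version = sys.version_info if version is None else version
    return tuple(version[:3]) < FIXED_RELEASE


def is_forward_secret(cipher_name):
    """Ephemeral (EC)DH suites and all TLS 1.3 suites provide forward secrecy."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_context(ctx):
    """Report, for one SSLContext, the two TLS properties the post mentions."""
    names = [c["name"] for c in ctx.get_ciphers()]  # in preference order
    return {
        "sslv3_disabled": bool(int(ctx.options) & int(ssl.OP_NO_SSLv3)),
        "forward_secret_first": bool(names) and is_forward_secret(names[0]),
        "non_forward_secret": [n for n in names if not is_forward_secret(n)],
    }


def weakened_context():
    """Constructed bad case: a context whose SSL v3 ban was manually lifted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    return ctx


if __name__ == "__main__":
    print("interpreter needs upgrade:", needs_upgrade())
    print("default :", audit_context(ssl.create_default_context()))
    print("weakened:", audit_context(weakened_context()))
```

The audit only inspects the option flag and cipher preference order; a newer Python or OpenSSL build may still refuse SSL v3 for other reasons even when the flag has been cleared.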

Advice on porting (adapting) older Python code to newer releases is available here and here.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.
