Re: [IBMiOSS] Fwd: Security Bulletin: Vulnerabilities CVE-2016-5636 and CVE-2016-5699 in Python affect IBM i (2017.03.23)

"OpenSource" <opensource-bounces@xxxxxxxxxxxx> wrote on 03/23/2017
03:45:43 PM:

From: John Yeung <gallium.arsenide@xxxxxxxxx>
To: IBMi Open Source Roundtable <opensource@xxxxxxxxxxxx>
Cc: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 03/23/2017 03:46 PM
Subject: [IBMiOSS] Fwd: Security Bulletin: Vulnerabilities
CVE-2016-5636 and CVE-2016-5699 in Python affect IBM i (2017.03.23)
Sent by: "OpenSource" <opensource-bounces@xxxxxxxxxxxx>

The below appeared in the more general midrange list, which I'm now
cross-posting to the open source list.

It is not clear to me whether IBM is offering its own in-house fixes
or backporting the upstream fixes. And in general, I don't know if IBM
is offering complete 2.7.x and 3.4.x update releases as PTFs.

In this case, we just updated to the latest versions of Python, which
included fixes for the CVEs.

(According to those vulnerability reports, the official 2.7.12 and
3.4.5 from python.org do not suffer from the listed vulnerabilities.)

Correct, but before these PTFs, we were at 2.7.11 and 3.4.4 (and 3.4.2
before that) which were vulnerable to at least some of the CVEs.

After applying the PTFs, you will get upgraded to 2.7.13 and 3.4.6, which
are the most recent versions of Python 2.7 and 3.4 available at this time.
Generally when new Python point releases come out, we will build a new PTF
for them.


These Python PTFs also include support for sqlite3, which should make Pete
Helgren (and others) happy. You'll need recently released SI63270 (from
option 7) as well to actually use it, though.