Python announces first security releases since becoming a CNA
The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to use GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA).

Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify the permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.