actions / setup-python

Set up your GitHub Actions workflow with a specific version of Python
MIT License
1.67k stars 535 forks

Missing Windows Installers for Python 3.9.x Versions Post-3.9.13 #926

Open sirkiza opened 1 month ago

sirkiza commented 1 month ago

Issue

No Windows installers have been released for Python versions 3.9.14 through 3.9.19, although they are available for Linux. The latest available Windows version, 3.9.13, is outdated and vulnerable.

Vulnerability

A vulnerability in urllib.parse allows attackers to bypass blocklisting methods by using URLs with leading blank characters.

Affected Versions:

- Python versions prior to 3.7.17
- 3.8.0 to 3.8.17 (excluding)
- 3.9.0 to 3.9.17 (excluding)
- 3.10.0 to 3.10.12 (excluding)
- 3.11.0 to 3.11.4 (excluding)

Request

Please release updated Windows installers for Python 3.9.x versions to address these security issues.

Impact

Windows users are stuck with version 3.9.13, which contains known vulnerabilities.
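The following is an added example, not part of the issue thread or the setup-python project: a check of the running interpreter against the affected ranges listed in the issue, and a blocklist check that strips leading blank characters before parsing so it does not depend on the interpreter's fix. The blocklist entries and function names are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# First fixed micro release per minor line, taken from the ranges in the issue.
FIXED_IN = {(3, 7): 17, (3, 8): 17, (3, 9): 17, (3, 10): 12, (3, 11): 4}

# Leading C0 control characters and spaces ("leading blank characters").
_LEADING_BLANKS = re.compile(r"^[\x00-\x20]+")

# Constructed sample policy, not taken from the page.
BLOCKED_SCHEMES = {"file", "ftp"}
BLOCKED_HOSTS = {"internal.example"}


def interpreter_is_affected(version=None):
    """True if (major, minor, micro) is in a range the issue lists as affected."""
    major, minor, micro = tuple(version or sys.version_info)[:3]
    if (major, minor) < (3, 7):
        return True  # "prior to 3.7.17" covers every older release line
    fixed = FIXED_IN.get((major, minor))
    return fixed is not None and micro < fixed


def is_blocked(url):
    """Blocklist check that normalizes the URL before urlsplit sees it."""
    cleaned = _LEADING_BLANKS.sub("", url)
    parts = urlsplit(cleaned)
    host = (parts.hostname or "").lower()
    return parts.scheme in BLOCKED_SCHEMES or host in BLOCKED_HOSTS


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in [" file:///tmp/x", "\n\thttps://internal.example/a",
                   "https://example.org/"]:
        print(repr(sample), "blocked" if is_blocked(sample) else "allowed")
    print("interpreter affected:", interpreter_is_affected())
```

Running `interpreter_is_affected()` as an early step in a Windows job makes a pinned 3.9.13 fail visibly instead of silently parsing URLs with the old behaviour.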

priyagupta108 commented 1 month ago

Hello @sirkiza 👋, Thank you for your report. We'll take a look at this issue and get back to you.

suyashgaonkar commented 6 days ago

Hello @sirkiza, Python version 3.9 is at the stage of its lifecycle where we could expect only source-only security fix releases for Python versions 3.9.14 - 3.9.19; hence we could see Python releases only for Linux and not for Windows in the artifacts.

The vulnerability for urllib.parse() has been addressed in the Python version 3.10 security section. Please check this URL for reference: https://docs.python.org/release/3.10.0/whatsnew/changelog.html#python-3-10-0-beta-1

You can try upgrading the Python version to 3.10 to overcome the vulnerability.