Closed wildk1w1 closed 1 week ago
FWIW the forthcoming tiamat packaged Salt approach will help here
The latest we can go to is python 3.8.13. We have some dependencies (pythonnet for example) that do not have packages for 3.9+. So, we're going to have to start compiling our own binaries.
This is handled through relenv now
Description of Issue
CVE-2021-3426 has been identified as being in the 3.8.8 python bundle in the 3004 windows installer. This is specific CVE has been fixed in 3.8.9, 3.9.3, 3.10.0a7
There are several other CVEs identified in Python in 2021 that are later to this one and are relatively high status that also need addressing.
In the Windows installer, it bundles the version of Python 3.8.8 with it. As there is no manual process to update the python supplied this will require a new client installer build.
Python 3.8.10 is the last version that Python.Org will provide binary packages for Windows.
Release status of Python Products can be found here:
A jump to 3.9.10 would be a good solution but that is also now in Legacy status and due to drop to security related fixes only in the next release which is May-2022 and there after it will probably drop to source code only releases with no binaries available for windows.
A better solution would be to get to the 3.10 which is the current active state and not due to drop to source code only releases for another year.
It may be worth looking at a method to allow minor point release updates in the windows python install without having to build new release packages as well, considering that secutity related issues will continue to come along at a regular frequency.