The version of python3 in 18.04 is 3.6.9, missing out on the security issues fixed in 3.6.10 back in Dec 2019. I thought that since python3 is in main
it would get all security updates for the life of the LTS? Am I wrong about that?

- What makes you think it doesn't get all security updates? – mikewhatever Apr 30 '20 at 16:45
- You cannot use version numbers. Use CVE numbers instead. The Ubuntu Security Team patches security vulns without pushing new upstream versions. – user535733 Apr 30 '20 at 17:09
- @user535733 thank you! Looked it up and not only do they have patches for issues raised in 3.6.10, but even fixes for CVEs that haven't even been fixed in an official Python release yet! Wow, I mean the idea that they do this for every package in main... just developed even more respect for those maintainers <3 – Mohamed Hafez Apr 30 '20 at 18:18
1 Answer
For anybody else that comes across this, it turns out that the Ubuntu Security Team patches security vulns without pushing new upstream versions. (Thanks @user535733!)

    python --version

might report an old version, but it's not the stock old version that you would get from the python.org download page directly; the Ubuntu team has been patching it to fix the latest CVEs all the time. At the time of this writing, not only does the Python 3.6.9 version in 18.04 contain all the CVEs fixed in 3.6.10, but also CVEs whose fixes haven't landed in an official Python release yet!

If you look up the changelog of python3.6 or whatever package you are worried about, you can see all the CVEs that have been fixed in it.

This question and its answer also have a lot of good info in it: How do new package versions find their way to the LTS distribution? (Current example: OpenSSL)
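The changelog lookup the answer recommends, turned into a small script (an added example, not from the answer above or from Ubuntu): it pulls the CVE identifiers out of a Debian/Ubuntu changelog so you can check whether a specific CVE is covered by the patched 3.6.9 package rather than trusting the version string. On a real 18.04 host the input would come from `apt changelog python3.6`; here a constructed changelog excerpt with placeholder CVE ids and a placeholder version suffix is embedded so it runs offline.

```shell
#!/bin/sh
# Constructed changelog excerpt in Debian changelog format. The CVE ids and
# the "PLACEHOLDER" version suffix are placeholders, not real identifiers.
SAMPLE_CHANGELOG='python3.6 (3.6.9-1~18.04PLACEHOLDER) bionic-security; urgency=medium

  * SECURITY UPDATE: placeholder issue one
    - debian/patches/CVE-0000-00001.patch: constructed placeholder entry
    - CVE-0000-00001
  * SECURITY UPDATE: placeholder issue two
    - CVE-0000-00002

 -- Placeholder Maintainer <placeholder@example.invalid>  Mon, 01 Jan 2020 00:00:00 +0000
'

# cve_ids_from_changelog: read changelog text on stdin and print every CVE id
# it mentions, once each, sorted (the patch filename and the bullet both name
# CVE-0000-00001, so de-duplication matters).
cve_ids_from_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_fixed_in_changelog CVE-ID: exit 0 if the exact id appears in the
# changelog text on stdin, 1 otherwise. The surrounding non-digit check stops
# CVE-0000-0000 from matching CVE-0000-00001.
cve_fixed_in_changelog() {
    grep -qE "(^|[^0-9])$1([^0-9]|$)"
}

# Offline demo on the constructed excerpt. On a live 18.04 system replace the
# printf with:  apt changelog python3.6 | cve_ids_from_changelog
printf '%s' "$SAMPLE_CHANGELOG" | cve_ids_from_changelog
```

Pass the package name that `dpkg -S "$(command -v python3)"` reports, since the changelog is per source package, not per binary.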