[GHSA-jm46-725r-hh9v] An issue was found in the CPython zipfile
module...
#4204
Conversation
Note: I was unable to submit the 'improve' form without selecting something under the mandatory "Affected products" field (see here for someone else hitting the same issue). In order to proceed therefore I chose 'pip' as it was the closest thing, but clearly it is not correct - but "python" or "cpython" was not an option.
```json
{
  "package": {
    "ecosystem": "PyPI",
    "name": ""
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "0"
        }
      ]
    }
  ]
}
```
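Review bot: the `affected` entry being dropped here names no package (`"name": ""`) and its only range event is `"introduced": "0"` with no `fixed` event, so as written it asserts that every version of an unnamed PyPI package is vulnerable, which would mislead anyone matching this advisory against installed packages. Removing it is the right call: the submitter states above that the PyPI/pip choice was only made to get past a mandatory form field, and the versions this advisory actually needs to track (the PR description cites the fix landing in 3.11.8 and 3.12.2) are CPython releases, which cannot be expressed as a PyPI ecosystem range.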
Unfortunately it seems I cannot edit this auto-created branch, so I'll put it here as a suggestion instead:
```json
{
  "package": {
    "ecosystem": "PyPI",
    "name": ""
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "0"
        }
      ]
    }
  ]
}
```
Removing the 'affected' details which I was forced to add (as explained here)
👋 Hi @sparrowt, as you discovered when submitting the However, if you have not done so already, I encourage you to contact the Python Software Foundation, the CVE Numbering Authority that issued CVE-2024-0450, with your findings and request that they amend the CVE record to include corrected vulnerable version information. Thank you for your interest in GHSA-jm46-725r-hh9v/CVE-2024-0450.
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the
This PR makes a correction to the list of Python versions which GHSA-jm46-725r-hh9v states are affected by CVE-2024-0450, for example:
- gh-109858 is listed as fixed in the Python 3.11.8 release notes at https://docs.python.org/3.11/whatsnew/changelog.html#python-3-11-8-final
- gh-109858 on https://docs.python.org/3.12/whatsnew/changelog.html#python-3-12-2-final

(I'm unsure for earlier Python versions, for example although it appears to have been backported to the 3.10 branch by python/cpython#113914 it is not yet shown on https://docs.python.org/3.10/whatsnew/changelog.html so I'm unclear on whether there is yet a released version of 3.10 with the patch or not.)