The Python in AIX web download pack is only for AIX 7.3. It is packaged in lpp format and ships files in a private path "/usr/opt/python3" with symbolic links for binaries like python3, pip3, etc. created in /usr/bin. As I mentioned earlier, AIX native components can use this python in the future if they want to. AIX native components cannot use Toolbox python or any Toolbox packages.
This Python and AIX Toolbox Python will not interfere with each other. And the AIX Toolbox packages like dnf, python3 modules, etc. are all based on Toolbox python. We will soon be updating the Toolbox default python 3.7 to python3.9.
------------------------------
Ayappan P
------------------------------
Original Message:
Sent: Mon August 22, 2022 07:09 PM
From: Erich Wolz
Subject: AIX is affected by multiple vulnerabilities in Python.
> So this should not be confused with AIX Toolbox python
Except that I'm still confused... mostly because I don't have the AIX Web Download Pack version of python installed, so I don't have access to a copy of the "/usr/opt/python3/python3.9_README" file :-)
I get that the two packages are built differently, but don't both of these packages provide python3 functionality (one, the v3.7 version; the other, the 3.9 version)?
------------------------------
Erich Wolz
Original Message:
Sent: Mon August 22, 2022 03:30 AM
From: Ayappan P
Subject: AIX is affected by multiple vulnerabilities in Python.
We are shipping Python3.9 in AIX base from AIX 7.3 onwards. This python is not a replacement for AIX Toolbox python but rather a useful thing if any other AIX native components want to use python. It is built with xlc and linked statically against the dependencies (like expat, bzip2, gdbm, etc.). Please check "/usr/opt/python3/python3.9_README" for more details.
In order to address the security vulnerabilities faster, we are shipping the updated Python fileset in AIX web download pack programs (just like openssl).
So this should not be confused with AIX Toolbox python.
------------------------------
Ayappan P
Original Message:
Sent: Fri August 19, 2022 04:35 PM
From: Erich Wolz
Subject: AIX is affected by multiple vulnerabilities in Python.
Per https://www.ibm.com/support/pages/node/6607878, AIX is affected by multiple vulnerabilities due to Python, and a new version of python (python-3.9.12.0) is available from https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp.
This caught my eye for a couple of reasons:
a) all the CVEs listed at https://www.ibm.com/support/pages/node/6607878 are against either expat or libexpat (i.e. not python), and
b) the level of python available from the AIX Toolbox is only python3-3.7.12-1.ppc (i.e. not 3.9.12.0)
Should we be concerned that the AIX Web Download Pack version of python appears to be so much newer than the AIX Toolbox version? Or does the AIX Toolbox version incorporate all of the fixes that are in the AIX Web Download Pack version?
------------------------------
Erich Wolz
------------------------------
#AIXOpenSource