All these CVEs are related to the expat library (before version 2.4.5).
The Python source code internally comes with bundled expat source code, so one can build the expat python module using this or use an externally built expat library already installed on the system.
For AIX Toolbox python, we use an externally built expat library and link to it dynamically. Right now in Toolbox we have expat 2.4.6, so as long as the machine has this expat rpm installed, then there is no need to worry about these CVEs.
------------------------------
Ayappan P
------------------------------
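Since the exposure depends on which expat the running interpreter actually links against, a local check is worth more than a package list. The following is an added example (not from the thread or from the AIX Toolbox project) that reads the linked expat version from the standard-library `pyexpat` module and compares it against the 2.4.5 threshold mentioned above; the `FIXED_VERSION` constant and function names are assumptions of this example.

```python
"""Report whether the expat linked into this Python is older than 2.4.5.

Added example, not part of the original thread. Standard library only:
pyexpat.version_info is the (major, minor, micro) tuple of the expat the
pyexpat extension was compiled or dynamically linked against, and
pyexpat.EXPAT_VERSION is the same version as a string such as 'expat_2.4.6'.
"""
from typing import Tuple

import pyexpat

# The thread states the CVEs concern expat before 2.4.5 (assumed threshold).
FIXED_VERSION: Tuple[int, int, int] = (2, 4, 5)


def parse_expat_version(text: str) -> Tuple[int, int, int]:
    """Turn 'expat_2.4.6' (pyexpat.EXPAT_VERSION format) or '2.4.6' into a tuple."""
    digits = text.rsplit("_", 1)[-1]
    parts = [int(p) for p in digits.split(".")]
    while len(parts) < 3:          # tolerate '2.4' style strings
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the linked expat predates the fixed release."""
    return tuple(version) < FIXED_VERSION


def check_running_python() -> dict:
    """Describe the expat this interpreter uses, so it can be compared with rpm -q expat."""
    return {
        "expat_version": pyexpat.EXPAT_VERSION,
        "affected": is_affected(pyexpat.version_info),
        # Path of the pyexpat shared object when it is a separate extension;
        # on AIX, 'dump -H <path>' lists the libexpat it resolves against.
        "pyexpat_module": getattr(pyexpat, "__file__", "<built-in>"),
    }


if __name__ == "__main__":
    for key, value in check_running_python().items():
        print(f"{key}: {value}")
```

If `affected` is True while `rpm -q expat` reports 2.4.6 or later, the interpreter is using a different (bundled or stale) libexpat than the Toolbox rpm, which is exactly the case the reply above rules out for the dynamically linked Toolbox build.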
Original Message:
Sent: Mon September 19, 2022 01:26 AM
From: Karel Bouška
Subject: Python3 vulnerability
Oops, sorry, I forgot to attach it. The vulnerability is described in the link below:
https://www.ibm.com/support/pages/node/6607878
------------------------------
Karel Bouška
Original Message:
Sent: Mon September 19, 2022 01:17 AM
From: Michael Neuling
Subject: Python3 vulnerability
Do you have a CVE number for the vulnerability you are referring to?
------------------------------
Michael Neuling
Original Message:
Sent: Mon September 19, 2022 01:06 AM
From: Karel Bouška
Subject: Python3 vulnerability
Dear team,
I have unsuccessfully tried to find it in the Python threads. I have a question: does anybody know for sure whether this vulnerability impacts only Python 3.9 in combination with AIX 7.3, or whether it also impacts AIX 7.2? The CVSS score looks scary and we should leave no security gaps.
We are using AIX 7.2 and the bff Python version 3.9.1, which is in the impacted range...
Thank you!
Karel
------------------------------
Karel Bouška
------------------------------
#AIXOpenSource