Python 3.11.5 (2023-08-24)

Python vulnerability disclosure end-to-end

The advisory for CVE-2023-40217, which affects Python versions before 3.11.5, 3.10.13, 3.9.18, and 3.8.18, was published this week.

This was my first end-to-end vulnerability disclosure for Python, which included handling of embargoed (i.e. non-public) information, a coordinated release of fixed Python versions, and publishing of the advisory to the security-announce@python.org mailing list and to the PSF Advisory Database.

Now that I’ve experienced the flow end to end, I can start to think about where there is potential for improvement and what items need to be on our “checklist” to reduce stress and guesswork for remediation developers, release managers, and coordinators.

This process is pretty opaque (for obvious reasons), so I also wanted to share the experience so that everyone knows what’s happening in the background to keep Python users safe.