Date: 2024-03-22

The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of Microsoft's proprietary prison GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA).

Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
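For services that must accept untrusted archives on an interpreter that has not yet been upgraded, the following pre-extraction check is an added example, not code from the Python project. It relies on the CVE record for CVE-2024-0450, which describes the zip-bomb as depending on archive entries that overlap one another; the function names and the 100 MiB budget are assumptions made for illustration.

```python
import io
import zipfile

LOCAL_HEADER_FIXED = 30  # fixed part of a ZIP local file header, in bytes


def entry_spans(zf):
    """Return (name, start, minimum_end) for each member's local record."""
    spans = []
    for info in zf.infolist():
        # Character count never exceeds the encoded name length and the local
        # extra field is ignored, so this is a lower bound on the record's end.
        end = (info.header_offset + LOCAL_HEADER_FIXED
               + len(info.filename) + info.compress_size)
        spans.append((info.filename, info.header_offset, end))
    return spans


def find_overlaps(spans):
    """Return (earlier, later) name pairs whose byte ranges overlap."""
    overlaps, max_end, max_name = [], -1, None
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if max_name is not None and start < max_end:
            overlaps.append((max_name, name))
        if end > max_end:
            max_end, max_name = end, name
    return overlaps


def audit_zip(fileobj, max_total=100 * 1024 * 1024):
    """Inspect central-directory metadata only; nothing is decompressed."""
    with zipfile.ZipFile(fileobj) as zf:
        total = sum(info.file_size for info in zf.infolist())
        return {
            "declared_bytes": total,
            "over_budget": total > max_total,
            "overlaps": find_overlaps(entry_spans(zf)),
        }


def constructed_sample():
    """Benign two-member archive built in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 4096)
        zf.writestr("b.txt", b"B" * 4096)
    buf.seek(0)
    return buf
```

An archive that reports any overlap or exceeds the budget should be rejected before extraction; the declared sizes come from the archive itself, so this check complements upgrading and does not replace it.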