Sneaky Python package security fixes help no one – except miscreants

26-Jul-23

According to a team of computer security researchers, Python security updates frequently take the form of silent code contributions that lack an associated Common Vulnerabilities and Exposures (CVE) identifier. They argue that this is not ideal, since attackers routinely target unknown flaws in unpatched systems, and developers who are not security specialists may not realize that an upstream commit addresses a vulnerability relevant to their code.

As a result, a Python package may contain a significant flaw, application developers may be unaware of it because the fix was barely mentioned or not mentioned at all, and they may therefore never pull the patched version into their code. This leaves room for miscreants to exploit those unreported vulnerabilities.