Python Security

This page is an attempt to document security vulnerabilities in Python and the first versions of each branch that include the fix.

Python branches

  • Python 2.6, 3.0 and 3.1 no longer receive security fixes and should be considered vulnerable
  • Branches getting security fixes: 2.7, 3.2, 3.3, 3.4 and 3.5
  • See Status of Python branches

Security vulnerabilities

Bug             Disclosure   Fixed In (days after disclosure)   Vulnerable      Comment
CVE-2016-0772   2016-06-11   2.7.12 (17 days)                   2.7.0-2.7.11    Fix smtplib TLS stripping.
                             3.4.5 (16 days)                    3.2.0-3.4.4
                             3.5.2 (16 days)                    3.5.0-3.5.1
Issue #26657    2016-03-28   2.7.12 (92 days)                   2.7.0-2.7.11    Fix directory traversal vulnerability with http.server on Windows. Regression introduced in Python 3.3.5.
                             3.5.2 (91 days)                    3.3.5-3.5.1
CVE-2016-5636   2016-01-21   2.7.12 (159 days)                  2.7.0-2.7.11    Heap overflow in the zipimporter module.
                             3.4.5 (158 days)                   3.2.0-3.4.4
                             3.5.2 (158 days)                   3.5.0-3.5.1
CVE-2015-1283   2015-07-24   2.7.12 (340 days)                  2.7.0-2.7.11    Update expat to 2.1.1. Multiple integer overflows have been discovered in Expat.
                             3.4.5 (339 days)                   3.2.0-3.4.4
                             3.5.2 (339 days)                   3.5.0-3.5.1
CVE-2016-5699   2014-11-24   2.7.10 (180 days)                  2.7.0-2.7.9     HTTP header injection in urllib2/urllib/httplib/http.client.
                             3.4.4 (392 days)                   3.2.0-3.4.3
Hash DoS        2011-12-28   2.6.8 (104 days)                   2.6.0-2.6.7     Hash collision denial of service. Hash randomization is off by default in these releases: enable it with the -R option or PYTHONHASHSEED=random (it is on by default from Python 3.3).
                             2.7.3 (103 days)                   2.7.0-2.7.2
                             3.1.5 (102 days)                   3.1.0-3.1.4
                             3.2.3 (104 days)                   3.2.0-3.2.2

  • Sorted by the Disclosure column, most recent first
  • Disclosure: the date the vulnerability first became public
  • Fixed In: the first release of each branch containing the fix, with the delay since disclosure in parentheses

Python releases

  • 2.7.12: 2016-06-28
  • 3.4.5, 3.5.2: 2016-06-27
  • 3.4.4: 2015-12-21
  • 2.7.10: 2015-05-23
  • 2.6.8, 3.2.3: 2012-04-10
  • 2.7.3: 2012-04-09
  • 3.1.5: 2012-04-08

See Misc/NEWS for release dates.

CVE-2016-0772

  • Fix TLS stripping vulnerability in smtplib, CVE-2016-0772. Reported by Team Oststrom
  • 2.7: change b3ce713fb9be
  • 3.4: change d590114c2394
  • 2016-06-11: commit in 2.7 and 3.4 branches (and merges)
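The following is an added example, not code from this page or from CPython. It replays a STARTTLS downgrade against the real smtplib client using an in-memory fake socket, so nothing touches the network. The server replies, host names and credentials are constructed for the example; the legacy_starttls() function is a re-creation of the pre-fix logic (send STARTTLS, return the reply code without raising), which is an assumption based on the CVE description rather than a copy of the old source. The hardened caller shows the check an application should do regardless of the Python version it runs on.

```python
import base64
import io
import smtplib
import ssl


class FakeSMTPSocket:
    """In-memory stand-in for the TCP socket smtplib normally uses (constructed
    for this example). It replays canned server lines and records every byte
    the client writes, so the effect of a STARTTLS downgrade can be inspected
    offline."""

    def __init__(self, replies):
        self._replies = io.BytesIO(replies)
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def makefile(self, mode="rb", *args, **kwargs):
        return self._replies

    def close(self):
        pass


# Canned replies from a hostile relay (a man-in-the-middle on the path to the
# real server): it advertises STARTTLS, refuses the STARTTLS command with a
# temporary error, then accepts any AUTH command that follows in cleartext.
MITM_REPLIES = (
    b"250-mail.example.test\r\n"
    b"250-STARTTLS\r\n"
    b"250 AUTH PLAIN LOGIN\r\n"
    b"454 4.7.0 TLS not available due to temporary reason\r\n"
    b"235 2.7.0 Authentication successful\r\n"
)


def connect_fake(replies):
    """Build an smtplib.SMTP client wired to the fake socket and run EHLO."""
    smtp = smtplib.SMTP(local_hostname="client.example.test")
    sock = FakeSMTPSocket(replies)
    smtp.sock = sock
    smtp.ehlo()
    return smtp, sock


def legacy_starttls(smtp):
    """Model of starttls() before the CVE-2016-0772 fix (a re-creation for
    this example, not Python's own code): send STARTTLS and hand the reply
    code back to the caller without raising, so a refusal is easy to miss.
    Only the failure path is modelled; a 220 reply would wrap the socket."""
    smtp.ehlo_or_helo_if_needed()
    if not smtp.has_extn("starttls"):
        raise smtplib.SMTPException("STARTTLS extension not supported by server.")
    return smtp.docmd("STARTTLS")


def vulnerable_session(user, password):
    """Typical pre-fix caller: ignores the STARTTLS reply code and logs in.
    Returns the bytes that left the client."""
    smtp, sock = connect_fake(MITM_REPLIES)
    legacy_starttls(smtp)        # (454, ...) comes back, socket stays plaintext
    smtp.login(user, password)   # AUTH PLAIN is now sent in the clear
    return sock.sent


def hardened_session(user, password):
    """Caller that authenticates only after STARTTLS demonstrably succeeded.
    Fixed releases make starttls() raise SMTPResponseException on a non-220
    reply; the explicit checks keep the same guarantee on older releases.
    Returns (authenticated, bytes that left the client)."""
    smtp, sock = connect_fake(MITM_REPLIES)
    try:
        code, _reply = smtp.starttls()
        if code != 220 or not isinstance(smtp.sock, ssl.SSLSocket):
            raise smtplib.SMTPException("STARTTLS refused or stripped")
        smtp.login(user, password)
        return True, sock.sent
    except smtplib.SMTPException:
        smtp.close()             # never fall back to a plaintext login
        return False, sock.sent


def decode_auth_plain(wire):
    """What a passive attacker on the path recovers from a cleartext AUTH PLAIN
    line: (user, password), or None if no such line was sent."""
    for line in wire.split(b"\r\n"):
        if line.startswith(b"AUTH PLAIN "):
            _authzid, user, password = base64.b64decode(line[11:]).split(b"\0")
            return user.decode(), password.decode()
    return None


if __name__ == "__main__":
    print("pre-fix caller leaks:", decode_auth_plain(vulnerable_session("alice", "s3cret")))
    ok, wire = hardened_session("alice", "s3cret")
    print("hardened caller authenticated:", ok, "| AUTH sent:", b"AUTH" in wire)
```

On a fixed Python the hardened path stops at starttls() with SMTPResponseException(454, ...); the isinstance check on smtp.sock additionally guards against a reply that claims success without the socket having been wrapped.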

Issue #26657

CVE-2015-1283

CVE-2016-5699
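The following is an added example, not code from this page or from CPython. It contrasts a request serializer that trusts header values (a re-creation of the kind of code the fix guards against, not the old http.client source) with the same request built through http.client, which since the fix rejects CR and LF in header values. The capture socket, host name and hostile header value are constructed for the example; nothing is sent over the network.

```python
import http.client


class CaptureSocket:
    """Minimal socket stand-in (constructed for this example): records what
    http.client would have sent, so the request can be inspected offline."""

    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def close(self):
        pass


def naive_request_bytes(method, path, host, headers):
    """Request serializer that trusts header values (a re-creation of the
    kind of code the CVE-2016-5699 fix guards against, not Python's own).
    A value carrying CRLF ends the header early; the rest of the value is
    read by the server as additional headers (or, after a blank line, as a
    request body)."""
    lines = ["%s %s HTTP/1.1" % (method, path), "Host: %s" % host]
    lines += ["%s: %s" % (name, value) for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def headers_as_seen_by_server(raw):
    """Parse a raw request the way a lenient server does and return the
    header names it sees, which makes a smuggled header visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1")
            for line in head.split(b"\r\n")[1:]]


def checked_request_bytes(method, path, host, headers):
    """Same request built through http.client, which validates header names
    and values and raises ValueError on a bare CR or LF.
    Returns (True, bytes) when accepted or (False, error message) when rejected."""
    sock = CaptureSocket()
    conn = http.client.HTTPConnection(host)
    conn.sock = sock                     # never connects; output lands in sock.sent
    try:
        conn.putrequest(method, path)    # also emits the Host header
        for name, value in headers.items():
            conn.putheader(name, value)
        conn.endheaders()
        return True, sock.sent
    except ValueError as exc:
        return False, str(exc)


# Constructed hostile input: a user-controlled value with an embedded CRLF.
HOSTILE_HEADERS = {"X-Note": "hello\r\nX-Injected: 1"}


if __name__ == "__main__":
    raw = naive_request_bytes("GET", "/", "mail.example.test", HOSTILE_HEADERS)
    print("naive serializer, server sees:", headers_as_seen_by_server(raw))
    print("http.client:", checked_request_bytes("GET", "/", "mail.example.test", HOSTILE_HEADERS))
```

The naive serializer lets the attacker-controlled value add an X-Injected header to the request; http.client refuses the same value before anything is written to the socket. Applications that build requests by hand should apply the same rule: reject, not strip, any header value containing CR or LF.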

Hash DoS

CVE-2016-5636