
Python3 vulnerabilities

Can anyone help me to understand the difference between these two Python outputs?

root@ip-192-168-20-21:~# apt install python3
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.6.7-1~18.04).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


root@ip-192-168-20-21:~# apt install python3.6
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3.6 is already the newest version (3.6.9-1~18.04ubuntu1.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@ip-192-168-20-21:~# python3 --version
Python 3.6.9

cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

My problem is that Python 3.6.9 has a lot of security vulnerabilities, such as CVE-2021-3177. As per https://ubuntu.com/security/cve-2021-3177, this vulnerability has been fixed in 3.6.9-1~18.04ubuntu1.4 and released.

The OS servers are up to date with the latest Ubuntu patches. However, my VA tool is still reporting that the same vulnerabilities still exist on these systems. Does anyone know why this is happening, and have any idea how to overcome this?

I suppose this is happening because my default python3 version still shows Python 3.6.9, as in the last command output. Can anyone advise on this?

Bruni: I can imagine that the problem lies with the VA tool, which only checks the upstream version of Python, ignoring that the fix to this vulnerability has been backported, but I do not know that for sure.

muru: Ask your VA tool provider why it's misbehaving. There's nothing we or anybody from Ubuntu can do if it doesn't work properly.

raj: Probably your VA tool does not check if the vulnerability actually exists, but only checks for reported software versions.

hlesnt395: Yes, that's my observation too. Thank you so much for your comments!

The python3 command is linked to one of many installed python binaries.

You can see that there are others available; for your specific example, I imagine using python3.6 --version will produce output telling you it is 3.6.9-1~18.04ubuntu1.4, and simply running python3.6 itself will start a Python 3.6 REPL.

To know which version variations of python3 binaries are installed and available, try running ls -la /usr/bin | grep python3 (drop the 3 to see any Python 2 there also).

There can only be one Python version linked to the python3 command; the output of the above command should give you something like python3 -> python3.6.

You can verify which is current by doing which python3, which should be /usr/bin/python3.

It's not very good practice, but you can make your user session use a different version for the python3 command via aliases: alias python3='/usr/bin/python3.9'. Best practice would be to apt install python-venv and then, in a project directory where a specific version is needed, /usr/bin/python3.9 -m venv .venv
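The answer above walks the python3 symlink by hand with ls -la and which. The following added example, which is not code from this answer, from Ubuntu or from any poster, does the same walk programmatically: it follows the symlink chain hop by hop, reports the upstream version the interpreter itself knows (what `python3 --version` prints) and asks `dpkg -S` which package owns the final binary, which is the version the Ubuntu CVE page is talking about. The `demo_chain()` layout is constructed in a temporary directory to mirror the python3 -> python3.6 arrangement the answer describes; `owning_package()` returns `None` where dpkg is not present.

```python
"""Resolve what `python3` actually runs and which dpkg package owns it.

Added illustration for this answer; not code from any poster or from Ubuntu.
"""
import os
import platform
import shutil
import subprocess
import tempfile


def resolve_chain(path):
    """Follow symlinks one hop at a time, returning every path visited.

    This is the programmatic form of reading `ls -la` output repeatedly;
    a loop guard stops on circular links.
    """
    chain = [path]
    seen = set()
    while os.path.islink(path) and path not in seen:
        seen.add(path)
        target = os.readlink(path)
        # Relative link targets are resolved against the link's own directory.
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
        chain.append(path)
    return chain


def interpreter_version():
    """Upstream version only, the same string `python3 --version` reports."""
    return platform.python_version()


def owning_package(path):
    """Package that ships `path` according to `dpkg -S`, or None without dpkg."""
    try:
        out = subprocess.run(["dpkg", "-S", path],
                             capture_output=True, text=True, check=True)
        # dpkg -S prints "package: /path"; keep the package name only.
        return out.stdout.split(":", 1)[0].strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


def demo_chain():
    """Constructed layout mirroring Ubuntu 18.04: python3 -> python3.6 (a file)."""
    root = tempfile.mkdtemp()
    real = os.path.join(root, "python3.6")
    with open(real, "w") as f:
        f.write("#!/bin/sh\necho constructed stand-in, not an interpreter\n")
    os.symlink("python3.6", os.path.join(root, "python3"))
    return [os.path.basename(p) for p in resolve_chain(os.path.join(root, "python3"))]


if __name__ == "__main__":
    python3 = shutil.which("python3")
    if python3:
        chain = resolve_chain(python3)
        print(" -> ".join(chain))
        print("interpreter reports:", interpreter_version())
        print("dpkg package owning", chain[-1], ":", owning_package(chain[-1]))
    print("constructed demo chain:", demo_chain())
```

On a host like the one in the question the interpreter line shows the bare upstream `3.6.9`, while `dpkg-query -W python3.6` on the owning package shows `3.6.9-1~18.04ubuntu1.4`; the gap between those two strings is exactly what confuses a version-matching scanner.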
