0

Python3 versions prior to February 16. 2021 has a vulnerability (CVE 2021-3177). I see that the current version of python3.7 on ubuntu 18.04 is 3.7.5. The CVE is fixed in python 3.7.10.

How is this usually handled? Will ubuntu usually create a new package with python 3.7.10 that has the fix, or do users normally compile from source or use pyenv if they want the latest version?

sighol
  • 103
  • 2
  • Fixes are usually back-ported for *stable* releases, unless it's more work to back-port the fix than upgrading the package to the later version (as recently occurred with a `thunderbird` package for a stable release; warnings went out about this). You can use https://people.canonical.com/~ubuntu-security/cve/ to look up fixes for various CVEs – guiverc Feb 23 '21 at 22:51

1 Answers1

3

So long as you installed a package through one of Canonical's official channels and are running a supported release of Ubuntu (or are part of the Extended Support program), they take care of updates. You will not need to do anything beyond sudo apt upgrade. That said, some updates may take longer than others depending on the severity of the issue.

You can find specific information about CVE-2021-3177 on the security website, including which versions have the bug and the status of the update.