Can a fix for CVE-2022-26488 be available sooner than April 4th?


We’re currently using Python 3.9.9. CVE-2022-26488 was just flagged in this Python release, and the suggested remediation for us is to move to Python 3.10.3. Python 3.10.3 is currently planned for release on April 4th, but standard remediation timelines prescribe that this vulnerability be addressed by March 24th based on when it was initially discovered. So I’m trying to figure out my options…

Is there some other Python release that would contain this fix sooner than March 24th (e.g. 3.9.x)?
Can 3.10.3 be released sooner?

Thanks in advance for your help with figuring out a path here.

Releases were planned for March 14th, but due to an impending OpenSSL update scheduled for March 15th, the Python releases will be postponed long enough to include OpenSSL 1.1.1n in the Windows and macOS installers.

Thanks for the follow-up, I’ll keep my eyes open for it.

You might try

The core devs may have an answer, or at least point you in a better direction. (A dedicated security mailing list?)

If all else fails, you could ask on the bug tracker.

Don’t worry about the fact that the ticket is closed, you can still comment there (if you have an account).