Trying to understand security backport policy


I’m trying to understand the policy used to determine which prior branches particular security fixes are backported to. Let me explain based on a few recent examples.

Right now, branches down to 3.8 are still security supported. We’ve had a few security releases for 3.8 through 3.10 and they included a number of security backports. Afterwards, 3.11 and newer branches were released, and also included some security fixes.

The two I’ve looked at were:

The first one was backported down to 3.10, but FWICS the patch also applies cleanly to 3.8 and 3.9.

The second one was backported down to 3.11, but FWICS it also applies cleanly to 3.10, and with small modifications to 3.8 and 3.9.

What I’d really like to understand is why these specific branches were chosen to backport the fix and the earlier branches were not.

Neither of those issues were labeled type-security.

Well, they were listed in the changelogs under “Security”:

I think that “Use After Free in deque_index_impl” (Issue #115243, python/cpython) is not a security issue. It is a minor regular issue. Identical issues in other collections were fixed several years ago; it is surprising that this one slipped through the sieve. It can cause a crash if the code uses threads, deques, and comparison on equality of deques, and you are very unlucky. The crash condition does not depend directly on the user input, and in general is not controllable, unless you write special Python code to trigger it.

On the other hand, I would backport simple crash fixes without labeling them as security fixes. But it is up to the release managers.

Serhiy is correct, we usually backport crashers all the way back even if they aren’t otherwise marked as “Security”, because they might be denial-of-service in conjunction with other functionality of the user’s application. But that depends on backportability; if something’s too tricky to bring back to 3.8 then we won’t bother without a CVE.

In this case, we’re looking into the ssl one, while the other I think is mislabeled in NEWS. But since it’s already labeled as such, I have no qualms over porting it all the way back as well.

It is also reasonable to edit news if something was miscategorized. :)

Right, if you notice in time based on the filename alone :)