I’m trying to understand the policy used to determine to which prior branches particular security fixes are backported. Let me explain based on a few recent examples.
Right now, branches down to 3.8 are still security supported. We’ve had a few security releases for 3.8 through 3.10 and they included a number of security backports. Afterwards, 3.11 and newer branches were released, and also included some security fixes.
I think that Use After Free in deque_index_impl · Issue #115243 · python/cpython · GitHub is not a security issue. It is a minor regular issue. Identical issues in other collections were fixed several years ago; it is surprising that this one slipped through the sieve. It can cause a crash if the code uses threads, deques, and comparison on equality of deques, and you are very unlucky. The crash condition does not depend directly on the user input, and in general is not controllable, unless you write special Python code to trigger it.
Serhiy is correct; we usually backport crashers all the way back even if they aren’t otherwise marked as “Security”, because they might be denial-of-service in conjunction with other functionality of the user’s application. But that depends on backportability: if something’s too tricky to bring back to 3.8, then we won’t bother without a CVE.
In this case, we’re looking into the ssl one, while the other I think is mislabeled in NEWS. But since it’s already labeled as such, I have no qualms over porting it all the way back as well.