"Sneaky Python Package Security Fixes Help No One – Except Miscreants"
According to computer security researchers, security fixes in Python packages are often landed as "silent" code commits with no associated Common Vulnerabilities and Exposures (CVE) identifier. That is not ideal, they argue, because attackers favor undisclosed vulnerabilities in unpatched systems. Developers who are not security experts may also fail to notice that an upstream commit fixes an exploitable vulnerability relevant to their code. With little or no announcement, application developers may therefore never learn that a package they depend on had a major flaw, and may not move to the patched version; malicious actors can take advantage of that window by exploiting the unpublicized vulnerabilities. In a paper titled "Exploring Security Commits in Python," a team of researchers from George Mason University and Dougherty Valley High School propose a remedy: a database of security commits called PySecDB, intended to give the community greater visibility into Python code repairs. The article goes on to discuss the proposed security commit database and its aim of making Python code repairs more visible to the community.
The Register reports "Sneaky Python Package Security Fixes Help No One – Except Miscreants"