Python CVE Patch Fixes

Anaconda has backported a patch to fix CVE-2015-20107, which affected all (upstream) Python versions before 3.10.8. These backported patches have been applied to our Python 3.10.6; 3.9.13 and later; 3.8.13 and later; and 3.7.13 and later packages.

Anaconda will release packages for Python 3.10.8, 3.9.15, 3.8.15, and 3.7.15 on 2022-11-14. These releases contain upstream fixes for CVE-2020-10735, which is known to break existing releases of packages like SymPy and Sage in certain circumstances. Anaconda has decided to release the upstream fixes as is, and users who encounter: “ValueError: Exceeds the limit (4300)” for integer string conversion errors are encouraged to consult the upstream CPython documentation on “Integer string conversion length limitation” for possible workarounds.

1 Like