Python announces first security releases since becoming a CNA
Wednesday March 20, 2024. 05:42 PM , from LWN.net
The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of GitHub Actions to perform public builds instead of building artifacts 'on a local computer of one of the release managers', and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to 'ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate.' It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
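The zipfile flaw above concerns archives whose members overlap inside the file, so a small archive can declare (and expand to) far more data than it holds. Patched CPython rejects overlapping members itself, but a consumer of untrusted archives on an older interpreter, or one that wants an explicit size budget, can inspect the central directory before extracting anything. The following is an added example, not code from LWN or the CPython project: the function names, the 100 MiB budget and the 100:1 ratio threshold are assumptions chosen for illustration, and the sample archives are constructed in memory.

```python
"""Pre-extraction checks for untrusted zip archives (added example).

Two checks run over the central directory and local headers before any
member is decompressed:
  1. member byte ranges must not overlap (the pattern behind zip bombs that
     nest one member's header inside another's compressed data);
  2. declared sizes must stay within a budget, both per member (compression
     ratio) and in total.
Thresholds and names are assumptions for this example.
"""
import io
import struct
import zipfile

MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024   # assumed budget: 100 MiB across all members
MAX_COMPRESSION_RATIO = 100                  # assumed budget: uncompressed bytes per compressed byte

LOCAL_HEADER_STRUCT = "<4s5H3L2H"            # the fixed 30-byte local file header
LOCAL_HEADER_SIG = b"PK\x03\x04"


def member_byte_range(zf, info):
    """Return (start, end) of a member's bytes in the archive, from its local
    header through the end of its compressed data. The local header is read
    because its name/extra lengths may differ from the central directory's."""
    fp = zf.fp                                # underlying file object of the ZipFile
    fp.seek(info.header_offset)
    header = fp.read(struct.calcsize(LOCAL_HEADER_STRUCT))
    fields = struct.unpack(LOCAL_HEADER_STRUCT, header)
    if fields[0] != LOCAL_HEADER_SIG:
        raise zipfile.BadZipFile(f"bad local header for {info.filename!r}")
    name_len, extra_len = fields[-2], fields[-1]
    data_start = info.header_offset + len(header) + name_len + extra_len
    return info.header_offset, data_start + info.compress_size


def find_overlaps(zf):
    """Flag members whose byte range overlaps the previous member's range.
    In a well-formed archive each member occupies its own region."""
    ranges = sorted((member_byte_range(zf, i), i.filename) for i in zf.infolist())
    findings = []
    for (prev_range, prev_name), (cur_range, cur_name) in zip(ranges, ranges[1:]):
        if cur_range[0] < prev_range[1]:
            findings.append(f"overlap: {cur_name!r} starts inside {prev_name!r}")
    return findings


def find_size_violations(zf, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_COMPRESSION_RATIO):
    """Flag members whose declared expansion ratio is extreme and archives whose
    declared total exceeds the budget. Declared sizes can lie, so extraction
    still needs per-member accounting; this only rejects the obvious cases early."""
    findings = []
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if info.compress_size and info.file_size / info.compress_size > max_ratio:
            ratio = info.file_size / info.compress_size
            findings.append(f"ratio: {info.filename!r} expands about {ratio:.0f}x")
    if total > max_total:
        findings.append(f"total: declared {total} bytes exceeds budget of {max_total}")
    return findings


def inspect_archive(data):
    """Run both checks over an in-memory archive; an empty list means nothing
    suspicious was declared."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_overlaps(zf) + find_size_violations(zf)


def build_archive(members):
    """Constructed sample input: write (name, bytes) pairs into a deflated archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a normal archive, and one whose single member is
# 16 MiB of zeros, which deflate shrinks to a few tens of KiB (well past 100:1).
BENIGN = build_archive([("readme.txt", b"hello\n"), ("data.csv", b"a,b\n1,2\n")])
SUSPICIOUS = build_archive([("zeros.bin", b"\0" * (16 * 1024 * 1024))])

if __name__ == "__main__":
    for label, archive in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_archive(archive) or "ok")
```

The overlap check reads each local header directly through the ZipFile's underlying file object, so call it before opening any member for reading. The ratio check is deliberately coarse: a legitimately sparse file will trip it, which is the right default for an archive from an untrusted source and can be relaxed per deployment.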
https://lwn.net/Articles/966056/