Security News > 2023 > July > Sneaky Python package security fixes help no one – except miscreants

Python security fixes often happen through "Silent" code commits, without an associated Common Vulnerabilities and Exposures identifier, according to a group of computer security researchers.

In a preprint paper titled, "Exploring Security Commits in Python," Shiyu Sun, Shu Wang, Xinda Wang, Yunlong Xing, Kun Sun from George Mason University, and Elisa Zhang from Dougherty Valley High School, all in the United States, propose a remedy: a database of security commits called PySecDB to make Python code repairs more visible to the community.

More security commits fall in the wild silently, without being indexed by CVE. "Since the CVE records on Python programs are limited, we observe that only 46 percent of them provide the corresponding security commits and more security commits fall in the wild silently, without being indexed by CVE," the group concluded in their paper, which was accepted for the 2023 ICSME conference.

To improve the security situation, Sun argues for increasing the awareness of silent security patches, creating guidance to help developers identify and label vulnerabilities, and applying tools to spot silent security patches.

Seth Michael Larson, security developer-in-residence at the Python Software Foundation, told The Register that while silent security patches have some impact on security, he suspects that serious flaws with significant impact are being appropriately recorded in CVE notices.

"Right now there's a variety of reasons there may be a discrepancy between security fixes and CVEs like lack of time and resources for open source maintainers or mismatches between an automatically annotated security fix and a projects' security model which typically can't be processed automatically," Larson explained.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silent_security_fixes/