Python3 vulnerabilities
Can anyone help me understand the difference between these two Python outputs?
root@ip-192-168-20-21:~# apt install python3
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.6.7-1~18.04).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@ip-192-168-20-21:~# apt install python3.6
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3.6 is already the newest version (3.6.9-1~18.04ubuntu1.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@ip-192-168-20-21:~# python3 --version
Python 3.6.9
cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
My problem is that Python 3.6.9 has a lot of security vulnerabilities, such as CVE-2021-3177. As per https://ubuntu.com/security/cve-2021-3177, this vulnerability has been fixed in (3.6.9-1~18.04ubuntu1.4) and released.
The OS servers are up to date with the latest Ubuntu patches. However, my VA tool is still reporting that the same vulnerabilities still exist in these systems. Does anyone know why this is happening, and any idea how to overcome this?
I hope this is happening because my default python3 version still shows Python 3.6.9 as in the last command output. Can anyone advise on this?
The python3 command is linked to one of many installed python binaries.
You can see that there are others available; for your specific example I imagine using python3.6 --version will produce output telling you it is 3.6.9-1~18.04ubuntu1.4, and simply running python3.6 itself will start a Python version 3.6 REPL.
To know which version variations of python3 binaries are installed and available, try running ls -la /usr/bin | grep python3 (drop the 3 to see any python 2 there also).
There can only be 1 python version linked to the python3 command; the output for the above command should give you something like python3 -> python3.6
You can verify which is current by doing which python3, which should be /usr/bin/python3.
It's not very good practice, but you can make your user session use a different version for the python3 command via aliases: alias python3='/usr/bin/python3.9'. Best practice would be to apt install python-venv and then, in a project directory where a specific version is needed, /usr/bin/python3.9 -m venv .venv
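An added example, not part of the question or the answer above: a check of an installed python3.6 package version against the fixed version the question quotes for CVE-2021-3177, following the Debian version ordering rules (epoch, upstream, revision, with `~` sorting first). The function names are hypothetical and the sample versions other than that fixed one are constructed; `python3 --version` prints only the upstream 3.6.9, so the input should be the package version reported by `dpkg-query`.

```python
import re
from itertools import zip_longest

# Fixed python3.6 package version for CVE-2021-3177 on 18.04, as quoted in the question.
FIXED = "3.6.9-1~18.04ubuntu1.4"

def _order(ch):
    """Sort weight of one non-digit character ('' marks the end of a part)."""
    if ch == "~":
        return -1  # '~' sorts before everything, even the end of the string
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256  # letters before symbols

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    chunks_a = re.findall(r"(\D*)(\d*)", a)  # alternating text/number runs
    chunks_b = re.findall(r"(\D*)(\d*)", b)
    for (ta, na), (tb, nb) in zip_longest(chunks_a, chunks_b, fillvalue=("", "")):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    """Order two Debian package versions: -1, 0 or 1."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(installed, fixed=FIXED):
    """True when the installed package version is at or past the fixed one."""
    return compare(installed, fixed) >= 0

if __name__ == "__main__":
    # Real input: dpkg-query -W -f='${Version}' python3.6 (last two values are constructed)
    for v in ("3.6.9-1~18.04ubuntu1.4", "3.6.9-1~18.04ubuntu1.3", "3.6.9"):
        print(v, "->", "patched" if is_patched(v) else "not shown as patched")
```

A bare upstream string such as 3.6.9 carries no package revision, so it always compares below the fixed version and cannot show whether the fix is installed.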