Python 2.7: Extended Support Past EOL
The Python Software Foundation declared Python 2 End of Life (EOL) on January 1, 2020, and ended support. Python 2.7.18 was the final release of Python 2, released in April 2020. No version of Python 2 will receive updates, not even for critical security vulnerabilities.
ActiveState has been providing Python 2 support to organizations since EOL. Our customers receive timely updates to security issues so they can continue to safely run their Python 2 applications, services, and systems.
Contact our Sales team to discuss your Python 2 needs or get a free risk assessment of your Python 2 codebase by providing us your requirements.txt file using the form on this page.
Python 2 Risks In 2022
In 2022, your risk of using Python 2 code is growing exponentially as more Python 2 security vulnerabilities are reported.
- Python 2 applications will become less reliable and more vulnerable as bugs, security issues and CVEs continue to crop up, even 2 years after it was sunset.
- Popular packages have already sunset Python 2 support for their projects. No official support for the Python 2 interpreter or the Python 2 standard libraries from Python.org or the Python core team is being provided.
- Vendors that offered Python 2 distributions in the past (such as Linux vendors, Docker, cloud providers, etc.) have mostly phased out their support for Python 2 or are actively doing so.
Additionally, in 2022, after the Log4j vulnerability scare and the next-generation SolarWinds cyberattack, the risk of using Python 2 in your supply chain, i.e. your import, build and run processes, is bigger than ever.
It is not enough to simply maintain or migrate your Python 2 production environments. It is also critical to consider maintaining the Python 2 code involved in your build process, as well as how it may be used or run in your development and test environments.
Python 2 Extended Support from ActiveState
As a founding member of the Python Software Foundation, ActiveState has a proven track record of providing commercial support for Python. We have supported Python 2 and Python 3 deployments in enterprises both large and small for the past 20 years.
An ActiveState extended support subscription helps you better manage your risks and secure your Python supply chain from end to end, by entitling you to:
- Python 2 Support – for Windows, Linux, macOS, AIX, Solaris and legacy operating systems – you can communicate with our Python experts via phone, email and chat.
- Patches – vulnerabilities will be addressed with backported patches from Python 3 libraries, community contributors, and our own Python experts. Bugfix releases will be provided as needed.
- Updated Packages – new versions of Python 2 third-party packages
- Python 2 Supply Chain Security – maintenance and security updates for Python 2.7, across dev, test, and staging environments
- Python 2 to 3 Migration Assistance – If you decide to migrate your old applications to Python 3, we can make the process easier.
We’ll work with you to create a custom plan that ensures the compatibility of your Python 2 applications with newer versions. You get support for all the core built-in libraries and 3rd-party packages in your application, backported fixes from Python 3, as well as regular patches and updates. Contact us for a free risk assessment of your Python 2 applications.
Get security for your legacy Python applications
Get ongoing support and security updates from our expert Python team, freeing up your developers from in-house maintenance.
- Backported security fixes from Python 3, as well as fixes by ActiveState in conjunction with community contributors.
- High-severity fixes within 2 months and critical fixes within 30 days – backed by enterprise service-level agreements (SLAs).
- Security reporting provides a detailed list of all vulnerabilities whether they are in the language core, shared libraries, or packages.
- Updates for Python 2 core and third-party packages.
Meet regulatory compliance for Python
Meet compliance standards for PCI-DSS, ISO 27001, SOC 2, and other frameworks for keeping customer and internal data safe.
- PCI-DSS Requirement 6: Develop and maintain secure systems and applications, including applicable vendor-supplied security patches.
- ISO 27001, SOC 2: Demonstrate that you have identified the risks associated with unsupported software and are taking steps to address them.
- FedRAMP (NIST 800-53): Replace information system components when support for the components is no longer available from the developer.
- HIPAA Security Rule: Protect against malicious software, which includes updated patches on all systems.
Get expert guidance on Python 3 migration
If you’re considering porting your Python 2 application to Python 3.0+, we can help make your migration process faster and easier with advice around:
- Which Python 3 packages are well-maintained and suitably licensed for commercial use.
- Which Python 2 packages have suitable migration targets vs. which are no longer supported or have modified their licensing terms.
- Migration tooling.
Make use of our managed Python builds to help free up your dev teams
Let us handle your Python build engineering work so you can focus on creating real business value.
- ActiveState can create, update and maintain custom Python 2 and Python 3 distributions on your behalf.
- Use our self-serve build infrastructure to easily create and manage custom Python 2 and Python 3 distributions on-demand with the ActiveState Platform and its command line tool, the State Tool.
- Benefit from 20+ years of experience supporting Fortune 1000 enterprises and millions of developers with Python, Perl and Tcl.
ActiveState can help you maintain your Python 2 code, business systems and mission-critical deployments going forward in much the same way you maintain them today.
Python 2 Security Vulnerability (CVE) Updates
ActiveState has assessed dozens of critical and high severity Python vulnerabilities impacting Python 2 to date. Fixes have been issued for Python 2.7.18 as part of our Python 2 support options.
Impact: OpenSSL – In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the “out” parameter can be NULL and, on exit, the “outlen” parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the “out” parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call….
Impact: OpenSSL – ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL’s own “d2i” functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the “data”…
Impact: An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
For an extensive list of CVEs that ActiveState has resolved for our enterprise customers, click here.
Python developers looking for Python 2 to 3 migration support can use this tutorial for help and get our Python 2-to-3 runtime, which contains all the useful conversion libraries, including modernize, 2to3, six, and python-future, to help migrate syntax level changes.
Individual users can get started with ActiveState Python for free. Organizations should see our plans and pricing details or contact us for a custom quote.
Get a free risk assessment of your Python 2 codebase
Provide us with a file to scan and we will email you a personalized Python 2 security report shortly.
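The requirements.txt risk assessment offered above, and the Pillow advisory listed earlier (fixed in 8.1.1), can be approximated offline with a small checker. The following is an added example, not ActiveState's assessment tooling: it parses pinned requirements and flags packages whose pin sits below a known-fixed release. Only the Pillow row of the advisory table comes from the page; the "examplelib" row and the sample requirements file are constructed placeholders.

```python
import re

# Constructed advisory table: package name (lowercased) -> (first fixed version, note).
# Only the Pillow row is taken from the page (TiffDecode heap overflow, fixed in 8.1.1,
# the incomplete-fix follow-up to CVE-2020-35654); "examplelib" is a placeholder.
ADVISORIES = {
    "pillow": ("8.1.1", "TiffDecode heap-based buffer overflow on crafted YCbCr TIFFs"),
    "examplelib": ("2.0.0", "PLACEHOLDER advisory, not a real package"),
}

# name, optional [extras], operator, version; anything else (URLs, -r includes) is ignored.
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)(?:\[[^\]]*\])?\s*(==|>=|~=)\s*([0-9][0-9A-Za-z.]*)"
)


def parse_version(text):
    """'8.1.1' -> (8, 1, 1). Non-numeric segments count as 0; result is padded/cut to 3."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0])[:3])


def parse_requirements(text):
    """Yield (name, operator, version) for lines carrying a version constraint."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        m = REQ_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def assess(text):
    """Return [(name, pinned, fixed, status, note)] for pins below a fixed version.

    '==' below the fix is 'vulnerable'. '>=' and '~=' only set a floor, so a floor
    below the fix is 'unverified': the resolved version must be checked separately.
    """
    findings = []
    for name, op, version in parse_requirements(text):
        if name not in ADVISORIES:
            continue
        fixed, note = ADVISORIES[name]
        if parse_version(version) < parse_version(fixed):
            status = "vulnerable" if op == "==" else "unverified"
            findings.append((name, version, fixed, status, note))
    return findings


# Constructed sample requirements.txt for a legacy Python 2.7 service (not a real file).
SAMPLE_REQUIREMENTS = """\
# legacy Python 2.7 service
Pillow==6.2.2
six==1.16.0        # not in the advisory table, so never reported
requests>=2.20
examplelib~=1.4
"""

if __name__ == "__main__":
    for name, pinned, fixed, status, note in assess(SAMPLE_REQUIREMENTS):
        print("%-11s %-8s fixed in %-7s %-11s %s" % (name, pinned, fixed, status, note))
```

Unpinned lines and packages absent from the table produce no finding, so the table, not the parser, decides what the checker can see.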
Frequently Asked Questions
ActiveState provides Python 2 extended support with security updates for organizations that still need to run Python 2. However, Python 2 reached End of Life (EOL) in January 2020 and is no longer officially supported by the Python Software Foundation. Get a free assessment of your Python 2 applications.
ActiveState’s Python 2 support provides security patches for the core language and third-party packages. This includes backported security fixes from Python 3 to 2, as well as fixes created by ActiveState in conjunction with community contributors. Security patches are provided on a quarterly basis, with critical vulnerabilities addressed urgently. See the list of Python 2 security updates we have provided to-date.
ActiveState’s Python 2 extended support helps you address compliance requirements with standards such as PCI-DSS, ISO 27001, SOC 2 and FedRAMP. Specifically, Python 2 extended support addresses requirements around developing and maintaining secure systems and software, particularly for software no longer supported by the developers. See the list of Python 2 security updates we have provided to date.
ActiveState’s Python 2 support is available with an ActiveState Platform Enterprise tier subscription. Pricing varies based on your requirements. Python 2 support can include additional benefits such as extended security vulnerability (CVE) reports, open source license reports, legal indemnification, and managed builds. Contact us to discuss your Python 2 needs.