Python 2.7: Extended Support Past EOL
Since open source Python 2 reached End of Life (EOL) on January 1, 2020, it is no longer supported by the Python Software Foundation. Python 2.7.18 is the last release of Python 2 with a release date of April 2020. No version of Python 2 will receive updates at this point – not even for critical security vulnerabilities. But that doesn’t mean it will disappear any time soon from organizations that have relied on it for years.
That means risk. Security vulnerabilities and critical bugs will emerge as you continue to run your Python 2 applications on newer systems. Don’t yet have a plan in place? You’re not alone, as our Python 2 EOL survey results show.
Your Python 2 applications will keep running past end of life – but they will become less reliable and more vulnerable over time as bugs, security issues and CVEs crop up. Some things to think about:
- There is no official support forthcoming for the Python 2 interpreter or the Python 2 standard libraries from Python.org or the Python 2 core team.
- Community developers working on Python 2 and Python 3 versions of their packages have deprioritized working on their Python 2 code.
- Vendors that offered Python 2 distributions in the past (such as Linux vendors, Docker, cloud providers, etc.) are phasing out their support for Python 2 over time.
Python 2 Extended Support from ActiveState
Are your Python 2 applications secure? Ensure security and compliance with Python 2 extended support from ActiveState.
As a founding member of the Python Software Foundation, ActiveState has a proven track record of providing commercial support for this popular programming language. We have supported Python 2 and Python 3 deployments in enterprises both large and small for the past 20 years.
ActiveState continues to provide ongoing support and security updates for Python 2.7, so you can better manage your risks. And, if you decide to migrate your old applications to Python 3, we can make the process easier.
We’ll work with you to create a custom plan that ensures the compatibility of your Python 2 applications with newer versions. You get support for all the core built-in libraries and 3rd-party packages in your application, backported fixes from Python 3, as well as regular patches and updates. Contact us for a free risk assessment of your Python 2 applications.
What is included in our Python 2 extended support for enterprises
An ActiveState extended support subscription entitles you to:
- Python 2 Support for Windows, Linux, macOS, AIX, Solaris and legacy operating systems – you can communicate with our Python experts via phone, email and chat.
- Patches – vulnerabilities will be addressed with backported patches from Python 3 libraries, community contributors, and our own Python experts. Bugfix releases will be provided as needed.
- Updated Packages – new versions of Python 2 third-party packages
Security for your legacy Python applications
Get ongoing support and security updates from our expert Python team, freeing up your developers from in-house maintenance.
- Backported security fixes from Python 3, as well as fixes by ActiveState in conjunction with community contributors.
- High-severity fixes within 2 months and critical fixes within 30 days – backed by enterprise service-level agreements (SLAs).
- Security reporting provides a detailed list of all vulnerabilities whether they are in the language core, shared libraries, or packages.
- Updates for Python 2 core and third-party packages.
Meet compliance standards for PCI-DSS, ISO 27001, SOC 2, and other frameworks for keeping customer and internal data safe.
- PCI-DSS Requirement 6: Develop and maintain secure systems and applications, including applicable vendor-supplied security patches.
- ISO 27001, SOC 2: Demonstrate that you have identified the risks associated with unsupported software and are taking steps to address them.
- FedRAMP (NIST 800-53): Replace information system components when support for the components is no longer available from the developer.
- HIPAA Security Rule: Protect against malicious software, which includes updated patches on all systems.
Expert Guidance On Python 3 Migration
If you’re considering porting your Python 2 application to Python 3.0+, we can help make your migration process faster and easier with advice around:
- Which Python 3 packages are well-maintained and suitably licensed for commercial use.
- Which Python 2 packages have suitable migration targets vs. which are no longer supported or have modified their licensing terms.
- Migration tooling.
Managed Python Builds to Help Free Up Dev Resources
Let us handle your Python build engineering work so you can focus on creating real business value.
- ActiveState can create, update and maintain custom Python 2 and Python 3 distributions on your behalf.
- Use our self-serve build infrastructure to easily create and manage custom Python 2 and Python 3 distributions on-demand with the ActiveState Platform and its command line tool, the State Tool.
- Benefit from 20+ years of experience supporting Fortune 1000 enterprises and millions of developers with Python, Perl and Tcl.
ActiveState can help you maintain your Python 2 code, business systems and mission-critical deployments going forward in much the same way you maintain them today.
Python 2 Security Vulnerability (CVE) Updates
ActiveState has assessed more than ten critical severity and dozens of high severity Python vulnerabilities impacting Python 2 to date. Fixes have been issued for Python 2.7.18 as part of our Python 2 support options.
Impact: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Impact: The package python/cpython in versions before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, and from 3.9.0 and before 3.9.2 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in the cache key of an unkeyed parameter.
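The proxy/server disagreement described above, as an added example that is not part of the ActiveState page or of CPython: a model of the pre-fix parse_qs behaviour (splitting on both & and ;), the proxy's &-only cache key, a detection check an application or WAF can run on incoming query strings, and the hardened parse using the separator keyword that patched Python 3 releases provide. The unkeyed parameter names are a constructed list.

```python
import re
from urllib.parse import parse_qs

# Constructed list of parameters a caching proxy typically leaves out of its cache key.
UNKEYED = {"utm_source", "utm_medium", "utm_campaign"}


def legacy_parse(query):
    """Model of unpatched parse_qs: both '&' and ';' separate parameters."""
    result = {}
    for pair in re.split(r"[&;]", query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        result.setdefault(key, []).append(value)
    return result


def proxy_cache_key(query):
    """Proxy in default configuration: splits on '&' only, drops unkeyed params."""
    keyed = [p for p in query.split("&") if p and p.partition("=")[0] not in UNKEYED]
    return "&".join(sorted(keyed))


def strict_parse(query):
    """Hardened parse: patched parse_qs treats only '&' as a separator (separator kwarg)."""
    return parse_qs(query, keep_blank_values=True, separator="&")


def cloaking_detected(query):
    """True when the application's legacy view contains a keyed parameter that the
    proxy never saw as a separate parameter, i.e. a request the cache would misfile."""
    app_keys = set(legacy_parse(query))
    proxy_keys = {p.partition("=")[0] for p in query.split("&") if p}
    return bool(app_keys - proxy_keys - UNKEYED)


if __name__ == "__main__":
    benign = "q=shoes&utm_source=newsletter"
    cloaked = "q=shoes&utm_source=newsletter;lang=xx"
    for q in (benign, cloaked):
        print(q, "->", "cloaking" if cloaking_detected(q) else "ok")
    # The patched parser keeps 'lang' inside the unkeyed value instead of surfacing it.
    print(strict_parse(cloaked))
```

Note that the same proxy cache key is produced for both constructed queries, which is exactly the disagreement the detection check looks for.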
Impact: In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Impact: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, also present in Python 2.7.18 builds (and earlier 2.7.18 versions).
Package Impacted: SQLite prior to 3.31.1
Package Impacted: Bleach prior to 3.11
Package Impacted: urllib
Impact: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Learn all about our Python 2 security vulnerability (CVE) changelog and updates here.
Contact us for a free risk assessment of your Python 2 applications. Or reach out to our Sales team for information.
Python developers looking for Python 2 to 3 migration support can use this tutorial for help and get our Python 2-to-3 runtime, which contains all the useful conversion libraries, including modernize, 2to3, six, and python-future, to help migrate syntax-level changes. Or download ActivePython 2.7.18 Community Edition here.
Frequently Asked Questions
ActiveState provides Python 2 extended support with security updates for organizations that still need to run Python 2. However, Python 2 reached End of Life (EOL) in January 2020 and is no longer officially supported by the Python Software Foundation. Get a free assessment of your Python 2 applications.
ActiveState’s Python 2 support provides security patches for the core language and third-party packages. This includes backported security fixes from Python 3 to 2, as well as fixes created by ActiveState in conjunction with community contributors. Security patches are provided on a quarterly basis, with critical vulnerabilities addressed urgently. See the list of Python 2 security updates we have provided to-date.
ActiveState’s Python 2 extended support helps you address compliance requirements with standards such as PCI-DSS, ISO 27001, SOC 2 and FedRAMP. Specifically, Python 2 extended support addresses requirements around developing and maintaining secure systems and software, particularly for software no longer supported by the developers. See the list of Python 2 security updates we have provided to date.
ActiveState’s Python 2 support is available with an ActiveState Platform Enterprise tier subscription. Pricing varies based on your requirements. Python 2 support can include additional benefits such as extended security vulnerability (CVE) reports, open source license reports, legal indemnification, and managed builds. Contact us to discuss your Python 2 needs.