New Release of Python 2 Now Available

Wait, what? Python 2 has been EOL since Jan 1 2020, so how can there be a new release in June 2024? 

The answer is that ActiveState is the only commercial Python vendor that continues to maintain our own Python 2 codebase from which we’ve been creating new versions of Python 2 on a regular basis. While there are a few vendors that still offer extended support based on the last official community version, only ActiveState is actively creating new Python 2 releases that incorporate not only security fixes, but also new features, as well. 

The obvious question, though, is why? After all, there aren’t many organizations still developing with Python 2, as evidenced by pypistats.org where Python 2 downloads total only ~1% of all traffic:

But like any technology that gets widely adopted, expunging it from the enterprise can take quite a while. After all, large financial institutions are still running tools, languages and systems they purchased back in the 80’s; airplanes still get updates via floppy disks; and Windows XP embedded (XPe) still runs numerous devices, such as signage displays.

Similarly, Python 2 is still being used in a number of applications. From a sampling of reddit posts, those applications may still include:

• Animation and game development tooling
• Gas detectors
• Robotics
• SCADA software

Other applications are evident from some of ActiveState’s Python 2 customers, including:

• Cloud data storage
• Credit card industry
• Software logging and monitoring
• GIS industry software 
• Fintech reporting software 
• Payment solutions
• Enterprise reporting solutions

The old adage of “if it ain’t broke, don’t fix it” applies here, especially when it’s a Python 2 application that’s still generating significant revenue. But the need to comply with security and industry regulations often mean organizations must secure commercial support for their Python 2 applications. That’s where ActiveState comes in, providing security fixes for the Python 2 core libraries, as well as many of the most popular packages in each new release.

Python 2.7.8.18 Fixes & Features

ActiveState’s latest release is a little different from our usual versions, in that this one provides not only security fixes but also a new feature (support for Windows 64 bit), as well. The last official release of Python 2 was 2.7.8 back in April 2020. Since then, ActiveState has released more than a dozen patch versions to address (primarily) security vulnerabilities. 

ActiveState’s version of Python 2.7.8.18 rolls up all previously released fixes, and adds a number of new ones, including:

• • Python 2 Core Security Fixes – the CPython interpreter
    • 1 Critical (CVE-2022-48565) 
    • 1 High (CVE-2023-24329)
    • 6 Medium (CVE-2023-40217, CVE-2020-10177, CVE-2020-10378, CVE-2020-10994, CVE-2020-35655, CVE-2021-25292, CVE-2021-28678)
  • Pillow for Python 2 Security Fixes  – a popular library for working with images  
    • 2 Critical (CVE-2022-22817 & CVE-2022-24303)
    • 1 High (2020-10379);
  • Gevent for Python 2 Security Fixes – provides an asynchronous API and lightweight multi-threading 
    • 1 Critical (CVE-2023-41419)
  • Mako for Python 2 Fixes – a popular template library
    • 1 High (CVE-2022-40023)
  • Twisted for Python 2 Security Fixes – an event-driven network programming framework
    • 2 High (CVE-2022-21712, CVE-2022-24801)
    • 1 Medium (CVE-2022-39348)
  • Cryptography for Python 2 Security Fixes – cryptographic package
    • 1 Medium (CVE-2023-23931)
    • 1 High (CVE-2023-49083)
  • Pygments for Python 2 Security Fixes – a syntax highlighting package
    • 1 Medium (CVE-2022-40896)
  • Tornado for Python 2 Security Fixes – a web server and web application framework
    • 1 Medium (CVE-2023-28370)

• Python 2 Core Libraries Security Fixes

• • zlib – Critical (CVE-2023-45853)
  • expat – High (CVE-2023-52425); Medium (CVE-2023-52426)
  • libxslt – High (CVE-2021-30560); Medium (CVE-2022-29824)
  • libxml2 – High (CVE-2020-7595, CVE-2021-3517, CVE-2021-3518, CVE-2019-20388, CVE-2022-23308, CVE-2022-40303, CVE-2022-40304); Medium (CVE-2023-45322, CVE-2016-3709, CVE-2021-3537, CVE-2021-3541, CVE-2020-24977, CVE-2022-29824, CVE-2023-28484, CVE-2023-29469)

Conclusions – Outsourcing The Python 2 Supply Chain

Customers come to ActiveState for many reasons. Some need commercial support while they undertake migration, while others have no intention of migrating but want their Python 2 applications to remain secure, and still others need to comply with industry regulations and periodic audits, such as PCI-DSS.

By outsourcing their Python 2 software supply chain to ActiveState, our customers like Druva and Mercury Financial free up their development teams to work on current projects (such as migration), rather than spending the time and resources managing, maintaining and securing their Python 2 legacy codebase. 

If you need an expert to help you manage and maintain the security and compliance of your Python 2 application, Contact Us.

Next Steps

Read about ActiveState’s Python 2 extended support offering.