How Can I Manage Python Version Dependencies in RHEL8?

Asked By CuriousCoder101 On

I'm looking for advice on managing Python versions on RHEL8. Our security team is flagging vulnerabilities because RHEL8 uses Python 3.6 by default, and our security software, Rapid7, is reporting issues due to this. I know it's possible to install a newer version like Python 3.11, but is there any way to set this newer version as the default for all python3-related installations? For example, if I install a package like Ansible using `yum`, it still pulls in Python 3.6 as a dependency, even if I've already installed Python 3.11. I've tried using Alternatives but it hasn't worked for yum dependencies. Any suggestions? Thanks!

4 Answers

Answered By DevOpsDiva45 On

While I appreciate the intent of security checks, remember that RHEL's system Python version is static for compatibility. Just ensure that your system is updated with any backported security fixes. Pointing your team towards those patches could save you a lot of hassle with false vulnerabilities.

Answered By TechieTom82 On

Red Hat does backport security fixes, so tools that only check the package version might flag false positives. It’s worth discussing this with your security team. Let them know that their tool might be misreading the situation. They should focus on the fact that security updates are provided even for older package versions.

SecuritySkeptic99 -

I totally get the frustration with Rapid7; it often misinterprets the RHEL-specific builds for upstream versions.

Answered By LinuxLover88 On

Unfortunately, there's no straightforward way to set Python 3.11 as the default for yum since the 3.6 interpreter is linked to essential system tools like dnf through the `platform-python` package. Removing it would break several functions on your system. I recommend pushing your security team to adjust their software to consider backports instead of blind version checks.

RealistRick77 -

Exactly, ignoring backports is a big misstep. Your security audits need to account for the fact that the presence of Python 3.6 isn’t a clear indication of a vulnerability.
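The backport check these answers describe, as an added example that is not part of any post in this thread: it compares the CVE IDs a version-only scanner flagged against the CVE IDs named in the package changelog (on a real host, the output of `rpm -q --changelog platform-python`). The changelog text, package release strings and CVE IDs below are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Triage scanner-flagged CVEs against an RPM changelog.
# On a real RHEL 8 host the changelog text would come from:
#   rpm -q --changelog platform-python
# A constructed sample stands in here so the script runs offline.

# Constructed sample changelog (placeholder CVE ids, not real advisories).
SAMPLE_CHANGELOG='* Tue Jan 02 2024 Packager <packager@example.com> - 3.6.8-99.el8
- Security fix for CVE-0000-0001
Resolves: RHEL-00001

* Mon Jun 05 2023 Packager <packager@example.com> - 3.6.8-98.el8
- Security fixes for CVE-0000-0002 and CVE-0000-0003
'

# Constructed list of CVEs a version-only scanner reported for "Python 3.6".
SAMPLE_FLAGGED='CVE-0000-0001
CVE-0000-0003
CVE-0000-0009'

# fixed_cves CHANGELOG -> unique CVE ids named in the changelog, one per line
fixed_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# triage CHANGELOG FLAGGED -> one line per flagged id:
#   "<cve> backported"    the installed build's changelog names a fix
#   "<cve> needs-review"  no changelog entry; check the vendor advisory
triage() {
    fixed=$(fixed_cves "$1")
    printf '%s\n' "$2" | while IFS= read -r cve; do
        [ -n "$cve" ] || continue
        if printf '%s\n' "$fixed" | grep -qxF "$cve"; then
            echo "$cve backported"
        else
            echo "$cve needs-review"
        fi
    done
}

triage "$SAMPLE_CHANGELOG" "$SAMPLE_FLAGGED"
```

A `needs-review` result is not a confirmed vulnerability: the CVE may not affect the RHEL build at all, or the fix may not be named in the changelog, so those IDs still need checking against the vendor's advisory for that CVE.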

Answered By QuestionableQueries11 On

By the way, is there a reliable public source for mapping backport versions to RHEL Security Advisories? The official documentation seems a bit sparse on that.
