2023-07-30 16:41:06 by Adam Ciarcinski | Files touched by this commit (52) | |
Log message:
python37, py37-html-docs: removed; end of life; use Python 3.8, 3.9, 3.10 or 3.11
|
2023-06-07 15:23:58 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
python37 py37-html-docs: updated to 3.7.17
Python 3.7.17
Security
gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \
1.1.1u to address several CVEs.
gh-99889: Fixed a security flaw in uu.decode() that could allow for directory \
traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes \
produced by http.client.SimpleHTTPRequestHandler.
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \
characters following the specification for URLs defined by WHATWG in response to \
CVE-2023-24329. Patch by Illia Volochii.
gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \
builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \
the OpenSSL 2023-02-07 security advisory.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \
launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.
Library
gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1)
Build
gh-102306: Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.
Windows
gh-100180: Update Windows installer to OpenSSL 1.1.1s
|
2022-10-12 10:38:36 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message:
python37 py37-html-docs: updated to 3.7.15
Python 3.7.15
Security
gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \
overflow when the new allocated length is close to the maximum size. Issue \
reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the \
get-remote-certificate.py example script. The script no longer uses a shell to \
run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \
Victor Stinner.
Core and Builtins
gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \
value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \
valid limit. Patch by Victor Stinner.
gh-95778: When ValueError is raised if an integer is larger than the limit, \
mention the sys.set_int_max_str_digits() function in the error message. Patch by \
Victor Stinner.
Library
gh-97005: Update bundled libexpat to 2.4.9
Windows
gh-96577: Fixes a potential buffer overrun in msilib.
|
2022-09-12 09:58:55 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message:
python37 py37-html-docs: updated to 3.7.14
Python 3.7.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \
(octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \
ValueError if the number of digits in string form is above a limit to avoid \
potential denial of service attacks due to the algorithmic complexity. This is a \
mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command \
line flag, or sys APIs. See the integer string conversion length limitation \
documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \
when a URI path starts with //. Vulnerability discovered, and initial fix \
proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \
more details.
Library
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \
cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.3.1.
Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in \
more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \
setuptools. Patch by Illia Volochii and Adam Turner.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when \
executing the test with Tk 8.6.10.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
|
2022-03-19 19:55:44 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message:
python37 py37-html-docs: updated to 3.7.13
Python 3.7.13 final
Library
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or \
statically linked libexpat in embedded Python.
bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and \
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed \
bypassing authorization. For example, access to URI example.org/foobar was allowed \
if the user was authorized for URI example.org/foo.
Build
bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n.
bpo-45405: Prevent internal configure error when running configure with recent \
versions of clang. Patch by David Bohman.
Windows
bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and \
CVE-2019-12900
bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the \
Windows installer uses the correct path when being repaired.
|
2021-10-26 12:51:59 by Nia Alarie | Files touched by this commit (260) |
Log message:
lang: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
The following distfiles could not be fetched (possibly fetched
conditionally?):
|
2021-10-07 16:21:17 by Nia Alarie | Files touched by this commit (282) |
Log message:
lang: Remove SHA1 hashes for distfiles
|
2021-06-29 14:39:10 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message:
python37: updated to 3.7.11
Python 3.7.11 final
Security
bpo-44022: http.client now avoids infinitely reading potential HTTP headers \
after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could \
allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG \
urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such \
attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which \
could be abused to read arbitrary files on the disk (directory traversal \
vulnerability). Moreover, even source code of Python modules can contain \
sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server \
in response to the PASV command by default. This prevents a malicious FTP server \
from using the response to probe IPv4 address and port combinations on the \
client network.
Code that requires the former vulnerable behavior may set a \
trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True \
to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in \
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has \
quadratic worst-case complexity and it allows causing a denial of service when \
identifying crafted invalid RFCs. This ReDoS issue is on the client side and \
needs remote attackers to control the HTTP server.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that \
can remove the object while an exception is being printed. Patch by Pablo \
Galindo.
Tests
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
|
2021-02-16 20:40:34 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message:
python37 py37-html-docs: updated to 3.7.10
Python 3.7.10
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args \
separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and \
ctypes.c_longdouble values.
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when \
processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML \
plist files to avoid XML vulnerabilities. This should not affect users as entity \
declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, \
making constant-time-defeating optimizations less likely.
Library
bpo-42103: InvalidFileException and RecursionError are now the only errors \
caused by loading malformed binary Plist file (previously ValueError and \
TypeError could be raised in some specific cases).
bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return \
None when trying to locate a library in an environment when gcc>=9 is \
available and ldconfig is not. Patch by Pablo Galindo.
Documentation
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for \
testing. Patch by Dong-hee Na.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
|
2020-08-19 09:08:34 by Adam Ciarcinski | Files touched by this commit (8) | |
Log message:
python37 py37-html-docs: updated to 3.7.9
Python 3.7.9 final
Security
bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for \
bpo-29778 (CVE-2020-15801).
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is \
embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and \
ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 \
respectively. This resulted in always causing hash collisions. The fix uses \
hash() to generate hash values for the tuple of (address, mask length, network \
address).
bpo-39603: Prevent http header injection by rejecting control characters in \
http.client.putrequest(…).
Core and Builtins
bpo-33786: Fix asynchronous generators to handle GeneratorExit in athrow() correctly
Library
bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises \
now UnpicklingError instead of crashing.
bpo-39017: Avoid infinite loop when reading specially crafted TAR files using \
the tarfile module (CVE-2019-20907).
bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
macOS
bpo-41100: Additional fixes for testing on macOS 11 Big Sur Intel. Note: macOS \
11 is not yet released, this release of Python is not fully supported on 11.0, \
and not all tests pass.
|