Subject: CVS commit: pkgsrc/lang/python36
From: Adam Ciarcinski
Date: 2019-07-03 22:10:41
Message id: 20190703201042.1919CFBF4@cvs.NetBSD.org
Log Message:
python36: updated to 3.6.9
Python 3.6.9 final
Library
bpo-37437: Update vendorized expat version to 2.2.7.
macOS
bpo-34602: Avoid test suite failures on macOS by no longer calling
resource.setrlimit to increase the process stack size limit at runtime. The
runtime change is no longer needed since the interpreter is being built with a
larger default stack size.
Python 3.6.9 release candidate 1
Security
bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of
urllib.request.
bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().
bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
bpo-36216: Changes urlsplit() to raise ValueError when the URL contains
characters that decompose under IDNA encoding (NFKC-normalization) into
characters that affect how the URL is parsed.
bpo-33529: Prevent fold function used in email header encoding from entering
infinite loop when there are too many non-ASCII characters in a header.
bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert
parser did not handle CRL distribution points with empty DP or URI correctly. A
malicious or buggy certificate can result in a segfault. Vulnerability
(TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.
bpo-35121: Don’t send cookies of domain A without Domain attribute to domain B
when domain A is a suffix match of domain B while using a cookiejar with
http.cookiejar.DefaultCookiePolicy policy. Patch by Karthikeyan Singaravelan.
Library
bpo-35643: Fixed a SyntaxWarning: invalid escape sequence in
Modules/_sha3/cleanup.py. Patch by Mickaël Schoentgen.
bpo-35121: Don’t set cookie for a request when the request path is a prefix
match of the cookie’s path attribute but doesn’t end with “/”. Patch by
Karthikeyan Singaravelan.
Documentation
bpo-35605: Fix documentation build for sphinx<1.6. Patch by Anthony Sottile.
bpo-35564: Explicitly set master_doc variable in conf.py for compliance with
Sphinx 2.0.
Tests
bpo-36816: Update Lib/test/selfsigned_pythontestdotnet.pem to match
self-signed.pythontest.net’s new TLS certificate.
bpo-35925: Skip specific nntplib and ssl networking tests when they would
otherwise fail due to a modern OS or distro with a default OpenSSL policy of
rejecting connections to servers with weak certificates or disabling TLS below
TLSv1.2.
bpo-27313: Avoid test_ttk_guionly ComboboxTest failure with macOS Cocoa Tk.
bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1.
macOS
bpo-34602: Avoid failures setting macOS stack resource limit with
resource.setrlimit. This reverts an earlier fix for bpo-18075 which forced a
non-default stack size when building the interpreter executable on macOS.
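
Added example (not part of the commit message and not CPython's own test code): a check that can be run with the upgraded interpreter to confirm the bpo-30458 and bpo-36216 behaviour described in the log above. The probe strings, the 127.0.0.1 port 9 endpoint (never contacted) and the function names are constructed for illustration.

```python
"""Post-upgrade check for two urllib/http.client fixes listed in the log."""
import http.client
import urllib.parse

# Constructed probe inputs: space, CR/LF and DEL inside a request path.
BAD_PATHS = ["/a b", "/a\r\nb", "/a\x7fb"]
# U+2100 normalises under NFKC to "a/c", which would add a "/" to the host.
NFKC_URL = "http://netloc\u2100false.example/path"


def rejects_control_chars_in_path(path):
    """bpo-30458: putrequest() must raise InvalidURL for such a path."""
    # The connection object is created but never opened; putrequest() only
    # validates the path and buffers the request line, so this runs offline.
    conn = http.client.HTTPConnection("127.0.0.1", 9)
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    return False


def rejects_nfkc_netloc(url):
    """bpo-36216: urlsplit() must raise ValueError for such a netloc."""
    try:
        urllib.parse.urlsplit(url)
    except ValueError:
        return True
    return False


def check_interpreter():
    """Return a mapping of check name to pass/fail for this interpreter."""
    return {
        "bpo-30458": all(rejects_control_chars_in_path(p) for p in BAD_PATHS),
        "bpo-36216": rejects_nfkc_netloc(NFKC_URL),
        # Guard against a check that rejects everything.
        "plain-path-accepted": not rejects_control_chars_in_path("/index.html"),
        "plain-url-accepted": not rejects_nfkc_netloc("http://example.com/"),
    }


if __name__ == "__main__":
    for name, ok in check_interpreter().items():
        print("%-20s %s" % (name, "ok" if ok else "MISSING"))
```

A "MISSING" result for either bpo entry means the interpreter on the path predates the fix or was built without it.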