Subject: CVS commit: pkgsrc/lang
From: Adam Ciarcinski
Date: 2021-06-29 14:39:10
Message id: 20210629123910.A51C9FA95@cvs.NetBSD.org

Log Message:
python37: updated to 3.7.11

Python 3.7.11 final

Security

bpo-44022: http.client now avoids infinitely reading potential HTTP headers
after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could
allow some forms of attacks.

Following the controlling specification for URLs defined by WHATWG
urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such
attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules can contain
sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server
in response to the PASV command by default. This prevents a malicious FTP server
from using the response to probe IPv4 address and port combinations on the
client network.

Code that requires the former vulnerable behavior may set a
trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True
to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has
quadratic worst-case complexity and it allows causing a denial of service when
identifying crafted invalid RFCs. This ReDoS issue is on the client side and
needs remote attackers to control the HTTP server.

Core and Builtins

bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that
can remove the object while an exception is being printed. Patch by Pablo
Galindo.

Tests

bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.

Files:
Revision  Action  File
1.12      modify  pkgsrc/lang/py37-html-docs/Makefile
1.12      modify  pkgsrc/lang/py37-html-docs/distinfo
1.12      modify  pkgsrc/lang/python37/dist.mk
1.26      modify  pkgsrc/lang/python37/distinfo
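
Added example, not part of the commit or of CPython's own code: a behavioural check that an interpreter shows what the bpo-43882 and bpo-43285 entries describe, plus the data-connection address choice behind the ftplib change. The sample URL, PASV reply and peer address are constructed, and the function names are hypothetical.

```python
import ftplib
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the commit message).
SAMPLE_URL = "http://exa\nmple.test/pa\tth?q=1\r\n"
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,5,19,137)"
CONTROL_PEER = "203.0.113.10"  # host the control connection is really connected to


def url_strips_newlines_and_tabs():
    """bpo-43882: True if urlsplit drops ASCII tab, CR and LF from the URL."""
    parts = urlsplit(SAMPLE_URL)
    clean = not any(c in parts.geturl() for c in "\t\r\n")
    return clean and parts.netloc == "example.test" and parts.path == "/path"


def ftplib_ignores_pasv_address():
    """bpo-43285: True if ftplib.FTP defaults to not trusting the PASV address.

    An interpreter without the fix has no such attribute, so this returns False.
    """
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None) is False


def pasv_data_endpoint(resp, peer_host, trust_server_address=False):
    """Pick the (host, port) for the data connection from a 227 reply.

    With trust disabled, only the port is taken from the server; the host is
    the peer of the control connection, so the reply cannot steer the client
    towards other addresses on its own network.
    """
    advertised_host, port = ftplib.parse227(resp)
    host = advertised_host if trust_server_address else peer_host
    return host, port


if __name__ == "__main__":
    print("urlsplit strips tab/CR/LF:", url_strips_newlines_and_tabs())
    print("ftplib ignores PASV address:", ftplib_ignores_pasv_address())
    print("data endpoint (default):", pasv_data_endpoint(SAMPLE_PASV, CONTROL_PEER))
    print("data endpoint (trusting):",
          pasv_data_endpoint(SAMPLE_PASV, CONTROL_PEER, trust_server_address=True))
```

Both checks returning True indicates the interpreter carries the described behaviour; a False from either is a reason to confirm the installed Python version.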