Subject: CVS commit: pkgsrc/lang
From: Adam Ciarcinski
Date: 2021-06-29 14:39:10
Message id: 20210629123910.A51C9FA95@cvs.NetBSD.org
Log Message:
python37: updated to 3.7.11
Python 3.7.11 final
Security
bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
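The following is an added example, not part of the pkgsrc commit or of CPython's own test suite. It gives an operator a quick way to confirm that the interpreter actually carries two of the hardenings listed above (bpo-43882 and bpo-43285), and it models the fixed PASV decision so the effect of trust_server_pasv_ipv4_address is visible without a live FTP server. The URL string, the 227 reply and the peer address are constructed sample values; pasv_target is a hypothetical helper that mirrors the library's logic rather than a call into ftplib.

```python
"""Added example: checks that a running CPython includes the 3.7.11-era
hardenings for urllib.parse (bpo-43882) and ftplib (bpo-43285).
All inputs below are constructed; behaviour is that of CPython 3.7.11+
and the matching 3.6/3.8/3.9 point releases."""
import ftplib
from urllib.parse import urlsplit


def split_hardened_url(url: str):
    """Return (path, query) from urlsplit(); fixed versions strip \\t \\r \\n first."""
    parts = urlsplit(url)
    return parts.path, parts.query


def url_control_chars_removed() -> bool:
    """bpo-43882: ASCII tab/newline inside a URL must not survive parsing.

    Constructed input: a newline and a tab smuggled into the path and a CR at
    the end. Before the fix the raw characters stayed in the parsed components,
    where a downstream client could emit them into a request line or header."""
    path, query = split_hardened_url("http://example.invalid/a\nb\t?q=1\r")
    return path == "/ab" and query == "q=1"


def ftp_pasv_hardened() -> bool:
    """bpo-43285: the FTP class must default to NOT trusting the PASV address."""
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None) is False


def pasv_target(resp_227: str, peer_ip: str, trust_server: bool = False):
    """Hypothetical model of the fixed makepasv() decision (not ftplib's code).

    The port always comes from the server's 227 reply, but the host is taken
    from the reply only when the caller has explicitly opted in; otherwise the
    control connection's peer address is reused, so a server cannot redirect
    the data connection to an arbitrary internal address."""
    host_from_reply, port = ftplib.parse227(resp_227)  # real stdlib parser
    host = host_from_reply if trust_server else peer_ip
    return host, port


if __name__ == "__main__":
    print("urllib.parse strips control chars:", url_control_chars_removed())
    print("ftplib PASV hardened by default:", ftp_pasv_hardened())
    reply = "227 Entering Passive Mode (10,0,0,5,19,137)"  # constructed
    print("default:", pasv_target(reply, "192.0.2.10"))
    print("opted in:", pasv_target(reply, "192.0.2.10", trust_server=True))
```

Run it on the interpreter the package installs; both checks returning True means the urllib and ftplib fixes are present, and the two pasv_target calls show that only an explicit opt-in lets the server-supplied address win.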
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
Tests
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
Files: