Subject: CVS commit: pkgsrc/lang/python37
From: Nikita
Date: 2023-05-02 18:06:59
Message id:

Log Message:
python37: update to version 3.7.16


Python 3.7.16

Release Date: Dec. 6, 2022
This is a security release of Python 3.7

Note: The release you're looking at is Python 3.7.16, a security bugfix release
for the legacy 3.7 series. Python 3.11 is now the latest feature release series
of Python 3. Get the latest release of 3.11.x here.

Security content in this release

    gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap \ 
    gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix \ 
    gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
    related name resolution functions no longer involves a quadratic algorithm to
    fix CVE-2022-45061. This prevents a potential CPU denial of service if an
    out-of-spec excessive length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects potentially allow for
    an attacker to supply such a name.
    gh-68966: The deprecated mailcap module now refuses to inject unsafe text
    (filenames, MIME types, parameters) into shell commands to address
    CVE-2015-20107. Instead of using such text, it will warn and act as if a match
    was not found (or for test commands, as if the test failed).
    gh-100001: python -m http.server no longer allows terminal control
    characters sent within a garbage request to be printed to the stderr server log.

No installers

According to the release calendar specified in PEP 537, Python 3.7 is now in the
"security fixes only" stage of its life cycle: 3.7 branch only accepts
security fixes and releases of those are made irregularly in source-only form
until June 2023. Python 3.7 does not receive regular bug fixes anymore, and
binary installers are no longer provided for it. Python 3.7.9 was the last full
bugfix release of Python 3.7 with binary installers.
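
The gh-68966 item above describes the mailcap behaviour: refuse to put unsafe text into a shell command, warn, and act as if no match was found. The following Python code illustrates that pattern; it is an added example, not CPython's mailcap code, and the allow-list, `fill_template` and `find_viewer` are names and choices assumed for the illustration.

```python
import re
import warnings

# Assumed allow-list for this example: word characters and a few punctuation
# marks with no special meaning to a POSIX shell. Everything else is unsafe.
_UNSAFE = re.compile(r"[^\w@+=:,./-]")


def fill_template(template, filename, mime_type):
    """Expand %s (filename) and %t (MIME type) in a mailcap-style command.

    Returns None, after warning, if either value has a character outside
    the allow-list; the caller treats None as "no match".
    """
    for label, value in (("filename", filename), ("MIME type", mime_type)):
        bad = _UNSAFE.search(value)
        if bad:
            warnings.warn(f"refusing unsafe character {bad.group()!r} in {label}")
            return None
    fields = {"s": filename, "t": mime_type, "%": "%"}
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            i += 1
            # Unknown %-codes are kept literally rather than guessed at.
            out.append(fields.get(template[i], "%" + template[i]))
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def find_viewer(entries, filename, mime_type):
    """Return the first safely expanded command for mime_type, else None."""
    for template in entries.get(mime_type, []):
        command = fill_template(template, filename, mime_type)
        if command is not None:
            return command
    return None


if __name__ == "__main__":
    caps = {"text/plain": ["less %s"]}  # constructed sample entry
    print(find_viewer(caps, "notes.txt", "text/plain"))
    print(find_viewer(caps, "a;b.txt", "text/plain"))
```

Rejecting the value outright, instead of trying to quote or escape it, keeps the decision independent of which shell eventually runs the command.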