2024-10-09 22:00:30 by Adam Ciarcinski | Files touched by this commit (36) | |
Log message: python38 py38-html-docs: removed; end of life as of 2024-10-07 |
2024-03-20 16:39:02 by Adam Ciarcinski | Files touched by this commit (7) | |
Log message: python38 py38-html-docs: updated to 3.8.19 Python 3.8.19 Security gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) \ by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() gh-115399: Update bundled libexpat to 2.6.0 gh-113659: Skip .pth files with names starting with a dot or hidden file attribute. Core and Builtins gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds Library gh-115197: urllib.request no longer resolves the hostname before checking it \ against the system’s proxy bypass list on macOS and Windows. gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). \ Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows \ platforms. gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises \ BadZipFile when try to read an entry that overlaps with other entry or central \ directory. gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL \ instead of SSL_ERROR_SSL when a certification verification has failed, but the \ error parameters will still contain ERR_LIB_SSL and \ SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising \ the appropiate ssl.SSLCertVerificationError. Patch by Pablo Galindo gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer \ dereferences symlinks when working around file system permission errors. Documentation gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML \ vulnerabilities”. Tests gh-108310: SSL tests for pre-handshake close were previously not enabled on \ Python 3.8 due to an incorrect backport. This is now fixed. Patch by Lumír \ Balhar. Windows gh-111239: Update Windows builds to use zlib v1.3.1. gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has \ reached its end of life and no future fixes will be made, and this version of \ Python is no longer receiving maintenance fixes and will not be updated to \ OpenSSL 3.0. |
2023-08-25 10:25:28 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message: python38 py38-html-docs: updated to 3.8.18 Python 3.8.18 Security gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a \ bypass of the TLS handshake and included protections (like certificate \ verification) and treating sent unencrypted data as if it were post-handshake \ TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. \ Patch by Gregory P. Smith. Library gh-107845: tarfile.data_filter() now takes the location of symlinks into account \ when determining their target, so it will no longer reject some valid tarballs \ with LinkOutsideDestinationError. Tools/Demos gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, \ 3.0.10, and 3.1.2. |
2023-06-07 15:25:09 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message: python38 py38-html-docs: updated to 3.8.17 Python 3.8.17 Security gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \ 1.1.1u to address several CVEs. gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory \ traversal based on the input if no out_file was specified. gh-104049: Do not expose the local on-disk location in directory indexes \ produced by http.client.SimpleHTTPRequestHandler. gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \ characters following the specification for URLs defined by WHATWG in response to \ CVE-2023-24329. Patch by Illia Volochii. gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \ builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \ the OpenSSL 2023-02-07 security advisory. gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \ launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin. Library gh-103935: Use io.open_code() for files to be executed instead of raw open() gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have \ a new a filter argument that allows limiting tar features than may be surprising \ or dangerous, such as creating files outside the destination directory. See \ Extraction filters for details. gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1) Build gh-102306: [3.8] Avoid GHA CI macOS test_posix failure by using the appropriate \ macOS SDK. Windows gh-100180: Update Windows installer to OpenSSL 1.1.1s macOS gh-103142: Update macOS installer to use OpenSSL 1.1.1u. |
2022-12-07 12:52:00 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message: python38 py38-html-docs: updated to 3.8.16 Python 3.8.16 final Security gh-100001: python -m http.server no longer allows terminal control characters \ sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message \ method to replace control characters with a \xHH hex escape before printing. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc \ module gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ related name resolution functions no longer involves a quadratic algorithm. This \ prevents a potential CPU denial of service if an out-of-spec excessive length \ hostname involving bidirectional characters were decoded. Some protocols such as \ urllib http 3xx redirects potentially allow for an attacker to supply such a \ name. gh-98739: Update bundled libexpat to 2.5.0 gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ (filenames, MIME types, parameters) into shell commands. Instead of using such \ text, it will warn and act as if a match was not found (or for test commands, as \ if the test failed). |
2022-10-12 10:37:53 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message: python38 py38-html-docs: updated to 3.8.15 Python 3.8.15 Security gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \ overflow when the new allocated length is close to the maximum size. Issue \ reported by Jordan Limor. Patch by Victor Stinner. gh-97612: Fix a shell code injection vulnerability in the \ get-remote-certificate.py example script. The script no longer uses a shell to \ run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \ Victor Stinner. Core and Builtins gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \ value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \ valid limit. Patch by Victor Stinner. gh-95778: When ValueError is raised if an integer is larger than the limit, \ mention the sys.set_int_max_str_digits() function in the error message. Patch by \ Victor Stinner. Library gh-97005: Update bundled libexpat to 2.4.9 Windows gh-96577: Fixes a potential buffer overrun in msilib. |
2022-09-07 17:32:34 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message: python38 py38-html-docs: updated to 3.8.14 Python 3.8.14 Security gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \ (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \ ValueError if the number of digits in string form is above a limit to avoid \ potential denial of service attacks due to the algorithmic complexity. This is a \ mitigation for CVE-2020-10735. This new limit can be configured or disabled by environment variable, command \ line flag, or sys APIs. See the integer string conversion length limitation \ documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \ from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson. gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \ when an URI path starts with //. Vulnerability discovered, and initial fix \ proposed, by Hamza Avvan. Core and Builtins gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \ more details. Library bpo-46197: Fix ensurepip environment isolation for subprocess running pip. bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \ cursors in sqlite3 converters. Patch by Sergey Fedoseev. Documentation gh-91888: Add a new gh role to the documentation to link to GitHub issues. bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4. Tests gh-94208: test_ssl is now checking for supported TLS version and protocols in \ more tests. bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \ setuptools. Patch by Illia Volochii and Adam Turner. bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L. Windows bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032. |
2022-03-19 19:56:44 by Adam Ciarcinski | Files touched by this commit (7) | |
Log message: python38 py38-html-docs: updated to 3.8.13 Python 3.8.13 final Core and Builtins bpo-46794: Bump up the libexpat version into 2.4.6 Library bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4) bpo-46932: Update bundled libexpat to 2.4.7 bpo-46811: Make test suite support Expat >=2.4.5 bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or \ statically linked libexpat in embedded Python. bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and \ urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to \ bypass authorization. For example, access to URI example.org/foobar was allowed \ if the user was authorized for URI example.org/foo. bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4 bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential REDoS by \ limiting ambiguity in consecutive whitespace. bpo-44849: Fix the os.set_inheritable() function on FreeBSD 14 for file \ descriptor opened with the O_PATH flag: ignore the EBADF error on ioctl(), \ fallback on the fcntl() implementation. Patch by Victor Stinner. Documentation bpo-41028: Language and version switchers, previously maintained in every \ cpython branches, are now handled by docsbuild-script. Tests bpo-45195: Fix test_readline.test_nonascii(): sometimes, the newline character \ is not written at the end, so don’t expect it in the output. Patch by Victor \ Stinner. bpo-44949: Fix auto history tests of test_readline: sometimes, the newline \ character is not written at the end, so don’t expect it in the output. Build bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n. bpo-45405: Prevent internal configure error when running configure with recent \ versions of clang. Patch by David Bohman. bpo-45220: Avoid building with the Windows 11 SDK previews automatically. This \ may be overridden by setting the DefaultWindowsSDKVersion environment variable \ before building. Windows bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and \ CVE-2019-12900 bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the \ Windows installer uses the correct path when being repaired. macOS bpo-44828: Avoid tkinter file dialog failure on macOS 12 Monterey when using the \ Tk 8.6.11 provided by python.org macOS installers. Patch by Marc Culler of the \ Tk project. |