2024-12-05 08:49:52 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message: python39 py39-html-docs: updated to 3.9.21 Python 3.9.21 Tests gh-125041: Re-enable skipped tests for zlib on the s390x architecture: only skip \ checks of the compressed bytes, which can be different between zlib’s software \ implementation and the hardware-accelerated implementation. gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a longer key: FIPS \ mode requires at least of at least 112 bits. The previous key was only 32 bits. \ Patch by Victor Stinner. gh-100454: Fix SSL tests CI for OpenSSL 3.1+ Security gh-126623: Upgrade libexpat to 2.6.4 gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the \ mapped IPv4 address value for deciding properties. Properties which have their \ behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and \ is_unspecified. Library gh-124651: Properly quote template strings in venv activation scripts. gh-103848: Add checks to ensure that [ bracketed ] hosts found by \ urllib.parse.urlsplit() are of IPv6 or IPvFuture format. Documentation gh-95588: Clarified the conflicting advice given in the ast documentation about \ ast.literal_eval() being “safe” for use on untrusted input while at the same \ time warning that it can crash the process. The latter statement is true and is \ deemed unfixable without a large amount of work unsuitable for a bugfix. So we \ keep the warning and no longer claim that literal_eval is safe. |
2024-03-20 16:41:01 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message: python39 py39-html-docs: updated to 3.9.19 Python 3.9.19 Security gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) \ by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() gh-115399: Update bundled libexpat to 2.6.0 gh-113659: Skip .pth files with names starting with a dot or hidden file attribute. Core and Builtins gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds Library gh-115197: urllib.request no longer resolves the hostname before checking it \ against the system’s proxy bypass list on macOS and Windows. gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). \ Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows \ platforms. gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises \ BadZipFile when try to read an entry that overlaps with other entry or central \ directory. gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL \ instead of SSL_ERROR_SSL when a certification verification has failed, but the \ error parameters will still contain ERR_LIB_SSL and \ SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising \ the appropiate ssl.SSLCertVerificationError. Patch by Pablo Galindo gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer \ dereferences symlinks when working around file system permission errors. Documentation gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML \ vulnerabilities”. Windows gh-111239: Update Windows builds to use zlib v1.3.1. gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has \ reached its end of life and no future fixes will be made, and this version of \ Python is no longer receiving maintenance fixes and will not be updated to \ OpenSSL 3.0. Tools/Demos gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to \ use 1.1.1w and 3.0.11. |
2023-08-25 10:26:13 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message: python39 py39-html-docs: updated to 3.9.18 Python 3.9.18 Security gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a \ bypass of the TLS handshake and included protections (like certificate \ verification) and treating sent unencrypted data as if it were post-handshake \ TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. \ Patch by Gregory P. Smith. Library gh-107845: tarfile.data_filter() now takes the location of symlinks into account \ when determining their target, so it will no longer reject some valid tarballs \ with LinkOutsideDestinationError. Tools/Demos gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, \ 3.0.10, and 3.1.2. C API gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was \ not set. |
2023-06-07 15:25:53 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message: python39 py39-html-docs: updated to 3.9.17 Python 3.9.17 Security gh-103142: The version of OpenSSL used in our binary builds has been upgraded to \ 1.1.1u to address several CVEs. gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory \ traversal based on the input if no out_file was specified. gh-104049: Do not expose the local on-disk location in directory indexes \ produced by http.client.SimpleHTTPRequestHandler. gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space \ characters following the specification for URLs defined by WHATWG in response to \ CVE-2023-24329. Patch by Illia Volochii. gh-101727: Updated the OpenSSL version used in Windows and macOS binary release \ builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per \ the OpenSSL 2023-02-07 security advisory. gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when \ launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin. Core and Builtins gh-102126: Fix deadlock at shutdown when clearing thread states if any finalizer \ tries to acquire the runtime head lock. Patch by Kumar Aditya. gh-100892: Fix race while iterating over thread states in clearing \ threading.local. Patch by Kumar Aditya. Library gh-103935: Use io.open_code() for files to be executed instead of raw open() gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have \ a new a filter argument that allows limiting tar features than may be surprising \ or dangerous, such as creating files outside the destination directory. See \ Extraction filters for details. gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1) Windows gh-100180: Update Windows installer to OpenSSL 1.1.1s macOS gh-103142: Update macOS installer to use OpenSSL 1.1.1u. |
2022-12-07 12:52:44 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message: python39 py39-html-docs: updated to 3.9.16 Python 3.9.16 final Security gh-100001: python -m http.server no longer allows terminal control characters \ sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message \ method to replace control characters with a \xHH hex escape before printing. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc \ module gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio \ related name resolution functions no longer involves a quadratic algorithm. This \ prevents a potential CPU denial of service if an out-of-spec excessive length \ hostname involving bidirectional characters were decoded. Some protocols such as \ urllib http 3xx redirects potentially allow for an attacker to supply such a \ name. gh-98739: Update bundled libexpat to 2.5.0 gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). gh-97514: On Linux the multiprocessing module returns to using filesystem backed \ unix domain sockets for communication with the forkserver process instead of the \ Linux abstract socket namespace. Only code that chooses to use the \ “forkserver” start method is affected. Abstract sockets have no permissions and could allow any user on the system in \ the same network namespace (often the whole system) to inject code into the \ multiprocessing forkserver process. This was a potential privilege escalation. \ Filesystem based socket permissions restrict this to the forkserver process user \ as was the default in Python 3.8 and earlier. This prevents Linux CVE-2022-42919. gh-68966: The deprecated mailcap module now refuses to inject unsafe text \ (filenames, MIME types, parameters) into shell commands. Instead of using such \ text, it will warn and act as if a match was not found (or for test commands, as \ if the test failed). |
2022-10-12 10:37:14 by Adam Ciarcinski | Files touched by this commit (4) | |
Log message: python39 py39-html-docs: updated to 3.9.15 Python 3.9.15 Security gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer \ overflow when the new allocated length is close to the maximum size. Issue \ reported by Jordan Limor. Patch by Victor Stinner. gh-97612: Fix a shell code injection vulnerability in the \ get-remote-certificate.py example script. The script no longer uses a shell to \ run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by \ Victor Stinner. Core and Builtins gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no \ value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a \ valid limit. Patch by Victor Stinner. gh-95778: When ValueError is raised if an integer is larger than the limit, \ mention the sys.set_int_max_str_digits() function in the error message. Patch by \ Victor Stinner. Library gh-97005: Update bundled libexpat to 2.4.9 Windows gh-96577: Fixes a potential buffer overrun in msilib. macOS gh-97897: The macOS 13 SDK includes support for the mkfifoat and mknodat system \ calls. Using the dir_fd option with either os.mkfifo() or os.mknod() could \ result in a segfault if cpython is built with the macOS 13 SDK but run on an \ earlier version of macOS. Prevent this by adding runtime support for detection \ of these system calls (“weaklinking”) as is done for other newer syscalls on \ macOS. |
2022-09-07 17:33:20 by Adam Ciarcinski | Files touched by this commit (6) | |
Log message: python39 py39-html-docs: updated to 3.9.14 Python 3.9.14 Security gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 \ (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a \ ValueError if the number of digits in string form is above a limit to avoid \ potential denial of service attacks due to the algorithmic complexity. This is a \ mitigation for CVE-2020-10735. This new limit can be configured or disabled by environment variable, command \ line flag, or sys APIs. See the integer string conversion length limitation \ documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback \ from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson. gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server \ when an URI path starts with //. Vulnerability discovered, and initial fix \ proposed, by Hamza Avvan. Core and Builtins gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for \ more details. Library gh-94821: Fix binding of unix socket to empty address on Linux to use an \ available address from the abstract namespace, instead of “0”. gh-91810: Suppress writing an XML declaration in open files in \ ElementTree.write() with encoding='unicode' and xml_declaration=None. bpo-45393: Fix the formatting for await x and not x in the operator precedence \ table when using the help() system. bpo-46197: Fix ensurepip environment isolation for subprocess running pip. Tests gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require \ perfect forward secrecy (PFS) ciphers. gh-94208: test_ssl is now checking for supported TLS version and protocols in \ more tests. bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and \ setuptools. Patch by Illia Volochii and Adam Turner. |
2022-05-18 10:07:32 by Adam Ciarcinski | Files touched by this commit (5) | |
Log message: python39 py39-html-docs: updated to 3.9.13 Python 3.9.13 Core and Builtins gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list \ comprehension could misbehave or crash. gh-92112: Fix crash triggered by an evil custom mro() on a metaclass. gh-92036: Fix a crash in subinterpreters related to the garbage collector. When \ a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a \ crash in deallocator functions expecting objects to be tracked by the GC, leak a \ strong reference to these objects on purpose, so they are never deleted and \ their deallocator functions are not called. Patch by Victor Stinner. gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex. bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the \ correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na. bpo-46962: Classes and functions that unconditionally declared their docstrings \ ignoring the --without-doc-strings compilation flag no longer do so. The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, \ and types.GenericAlias. The functions affected are 24 methods in ctypes. Patch by Oleg Iarygin. bpo-36819: Fix crashes in built-in encoders with error handlers that return \ position less or equal than the starting position of non-encodable characters. Library gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure \ Python implementation, since the fold is never 1 in UTC. In addition to being \ slightly faster in the common case, this also prevents some errors when the \ timestamp is close to datetime.min. Patch by Paul Ganssle. gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify(). gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, \ pickling did not fail, but the result could not be unpickled. bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue \ after the last write of buffered data to the write end of the pipe to avoid \ BrokenPipeError at garbage collection and at multiprocessing.Queue.close() \ calls. Patch by Géry Ogam. gh-91910: Add missing f prefix to f-strings in error messages from the \ multiprocessing and asyncio modules. gh-91810: ElementTree method write() and function tostring() now use the text \ file’s encoding (“UTF-8” if not available) instead of locale encoding in \ XML declaration when encoding="unicode" is specified. gh-91832: Add required attribute to argparse.Action repr output. gh-91734: Fix OSS audio support on Solaris. gh-91700: Compilation of regular expression containing a conditional expression \ (?(group)...) now raises an appropriate re.error if the group number refers to \ not defined group. Previously an internal RuntimeError was raised. gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event \ loop executor before returning from its run method so that a not yet stopped or \ garbage collected executor state does not persist beyond the test. gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular \ expression raises now re.error instead of TypeError. gh-91595: Fix the comparison of character and integer inside \ Tools.gdb.libpython.write_repr(). Patch by Yu Liu. gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no \ longer spawned on demand (a feature added in 3.9) when the multiprocessing \ context start method is "fork" as that can lead to deadlocks in the \ child processes due to a fork happening while threads are running. gh-91575: Update case-insensitive matching in the re module to the latest \ Unicode version. gh-91581: Remove an unhandled error case in the C implementation of calls to \ datetime.fromtimestamp with no time zone (i.e. getting a local time from an \ epoch timestamp). This should have no user-facing effect other than giving a \ possibly more accurate error message when called with timestamps that fall on \ 10000-01-01 in the local time. Patch by Paul Ganssle. bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError when an \ invalid keyword was found in marked section. Patch by Marek Suscak. bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for \ socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for \ other families, like socket.AF_BLUETOOTH and socket.AF_UNIX. bpo-43323: Fix errors in the email module if the charset itself contains \ undecodable/unencodable characters. bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError \ instead of ValueError if given invalid tuple as address parameter. bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while \ cancelling leaked tasks. Patch by Bar Harel. bpo-44493: Add missing terminated NUL in sockaddr_un’s length This was potentially observable when using non-abstract AF_UNIX datagram sockets \ to processes written in another programming language. bpo-42627: Fix incorrect parsing of Windows registry proxy settings bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of \ cursors in sqlite3 converters. Patch by Sergey Fedoseev. Documentation gh-91888: Add a new gh role to the documentation to link to GitHub issues. gh-91783: Document security issues concerning the use of the function \ shutil.unpack_archive() gh-91547: Remove “Undocumented modules” page. bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree(). bpo-38668: Update the introduction to documentation for os.path to remove \ warnings that became irrelevant after the implementations of PEP 383 and PEP \ 529. bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4. bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to \ follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg \ Iarygin. bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). \ Original patch by Andrew Brezovsky. bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial \ about the ob_base field and the macros used to access its contents. bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the \ code to enter an inconsistent state. Provided a sample workaround to avoid it if \ needed. bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their \ respective section in Doc/library/errno.rst, and vice versa. Previously this was \ only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes. bpo-38056: Overhaul the Error Handlers documentation in codecs. bpo-13553: Document tkinter.Tk args. Tests gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start \ method context in several cases where the test logic mixed this up. bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case \ on FreeBSD. bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface \ construction with tuple arguments. Original patch and tests by louisom. Build bpo-47103: Windows PGInstrument builds now copy a required DLL into the output \ directory, making it easier to run the profile stage of a PGO build. Windows bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032. bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, \ by using errors codes returned by FindFirstFileW() when appropriate in \ win32_xstat_impl. bpo-40859: Update Windows build to use xz-5.2.5 Tools/Demos gh-91583: Fix regression in the code generated by Argument Clinic for functions \ with the defining_class parameter. |