Subject: CVS commit: pkgsrc/lang
From: Adam Ciarcinski
Date: 2024-03-20 16:39:02
Message id: 20240320153902.8826EFA2C@cvs.NetBSD.org

Log Message:
python38 py38-html-docs: updated to 3.8.19

Python 3.8.19

Security

gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:

xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
gh-115399: Update bundled libexpat to 2.6.0
gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.

Core and Builtins

gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds

Library

gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows.
gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms.
gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when trying to read an entry that overlaps with another entry or the central directory.
gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropriate ssl.SSLCertVerificationError. Patch by Pablo Galindo
gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer dereferences symlinks when working around file system permission errors.

Documentation

gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML vulnerabilities”.

Tests

gh-108310: SSL tests for pre-handshake close were previously not enabled on Python 3.8 due to an incorrect backport. This is now fixed. Patch by Lumír Balhar.

Windows

gh-111239: Update Windows builds to use zlib v1.3.1.
gh-109991: Windows builds now use OpenSSL 1.1.1w. Note that OpenSSL 1.1 has reached its end of life and no future fixes will be made, and this version of Python is no longer receiving maintenance fixes and will not be updated to OpenSSL 3.0.

Files:
Revision  Action  File
1.20      modify  pkgsrc/lang/py38-html-docs/Makefile
1.11      modify  pkgsrc/lang/py38-html-docs/PLIST
1.22      modify  pkgsrc/lang/py38-html-docs/distinfo
1.39      modify  pkgsrc/lang/python38/Makefile
1.16      modify  pkgsrc/lang/python38/PLIST
1.20      modify  pkgsrc/lang/python38/dist.mk
1.34      modify  pkgsrc/lang/python38/distinfo
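
The gh-115398 entry above adds flush() so that code feeding XML in small pieces can still get events promptly under Expat's reparse deferral, without switching the deferral off. The following is an added example, not part of this commit or of CPython; the CHUNKS document and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: one small document whose tags are split across
# feed() calls, the input shape that reparse deferral holds back.
CHUNKS = ["<job><st", "ep id='1'>", "ok</step></j", "ob>"]


def has_flush():
    """True when this interpreter carries the gh-115398 methods."""
    return hasattr(ET.XMLPullParser, "flush")


def events_per_chunk(chunks, flush):
    """Feed chunks one at a time and return the events visible after each
    feed, followed by a final list of events that only appear on close()."""
    parser = ET.XMLPullParser(events=("start", "end"))
    seen = []
    for chunk in chunks:
        parser.feed(chunk)
        if flush and has_flush():
            # Parse what is buffered now; deferral stays enabled for the
            # rest of the stream, unlike SetReparseDeferralEnabled(False).
            parser.flush()
        seen.append([(ev, el.tag) for ev, el in parser.read_events()])
    parser.close()
    seen.append([(ev, el.tag) for ev, el in parser.read_events()])
    return seen


def flatten(per_chunk):
    """Collapse the per-chunk lists into one ordered event list."""
    return [item for chunk in per_chunk for item in chunk]


if __name__ == "__main__":
    print("Expat:", expat.EXPAT_VERSION, "| flush() available:", has_flush())
    for mode in (False, True):
        label = "with flush()" if mode else "without flush()"
        print(label, events_per_chunk(CHUNKS, mode))
```

Without flush() the per-chunk timing depends on the Expat version in use, but the complete event sequence is the same either way.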