- python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed
to the stderr server log. This is done by changing the
http.server BaseHTTPRequestHandler.log_message method to
replace control characters with a \xHH hex escape before
printing.
- Avoid publishing list of active per-interpreter audit hooks
via the gc module
- The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves
a quadratic algorithm. This prevents a potential CPU denial
of service if an out-of-spec excessive length hostname
involving bidirectional characters were decoded. Some
protocols such as urllib http 3xx redirects potentially allow
for an attacker to supply such a name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. Issue reported
and initial fix by Caleb Shortt. Patch by Victor Stinner.
- Fix a crash when an object which does not have a dictionary
frees its instance values.
- Fix a bug in the tokenizer that could cause infinite
recursion when showing syntax warnings that happen in the
first line of the source. Patch by Pablo Galindo.
- Fix an issue that could cause frames to be visible to Python
code as they are being torn down, possibly leading to memory
corruption or hard crashes of the interpreter.
- Fix a reference bug in _imp.create_builtin() after the
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=40
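
An illustration of the escaping described in the http.server entry above (control characters replaced with a \xHH hex escape before the line reaches the log). It is an added example, not the CPython patch; the function names, the exact character ranges and the sample request are assumptions.

```python
import re

# Assumption for this sketch: C0 controls, DEL and C1 controls count as
# "control characters". The backslash is escaped too, so text a client typed
# literally as "\x1b" cannot be confused with an escaped ESC byte.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f-\x9f\\]")


def escape_control_chars(text: str) -> str:
    """Replace each control character with a printable \\xHH escape."""
    def repl(match):
        ch = match.group()
        return "\\\\" if ch == "\\" else f"\\x{ord(ch):02x}"
    return _UNSAFE.sub(repl, text)


def format_log_line(client: str, message: str) -> str:
    """Build the line a request handler would write to stderr (hypothetical helper)."""
    return f"{client} - {escape_control_chars(message)}"


# Constructed sample: a garbage request line carrying an ANSI "clear screen"
# sequence plus a CR/LF pair that would otherwise start a forged log entry.
SAMPLE = "GET /\x1b[2J\x1b[H HTTP/1.1\r\n10.0.0.9 - forged entry"

if __name__ == "__main__":
    # The terminal now shows the escapes as text instead of acting on them.
    print(format_log_line("192.0.2.10", SAMPLE))
```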