From 79e0f644e04be4726c665e9e22e1c10c4ee0a531687aae9021a5e91cdda80c14 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 15 Sep 2021 14:31:29 +0000 Subject: [PATCH] Add references to security bugs to the changelog. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=84 --- python39.changes | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/python39.changes b/python39.changes index 3592243..2447691 100644 --- a/python39.changes +++ b/python39.changes @@ -239,9 +239,9 @@ Mon Aug 9 11:14:15 UTC 2021 - Fusion Future - Update to 3.9.6: * Security - - bpo-44022: mod:http.client now avoids infinitely reading - potential HTTP headers after a 100 Continue status response - from the server. + - bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now + avoids infinitely reading potential HTTP headers after + a 100 Continue status response from the server. * Core and Builtins - bpo-44168: Fix error message in the parser involving keyword arguments with invalid expressions. Patch by Pablo Galindo 
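Review bot: the reference order in the new bpo-44022 line, "(bsc#1189241, CVE-2021-3737)", is the reverse of what the second hunk uses for bpo-43075, "(CVE-2021-3733, bsc#1189287)"; pick one order (bsc first or CVE first) for both entries so the identifiers are greppable in a consistent position. Dropping the stray "mod:" prefix (a leftover of the reST :mod: role in the upstream NEWS text) while rewrapping is a good cleanup and is worth a mention in the commit message, since the subject only talks about adding references.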
@@ -350,13 +350,13 @@ Wed May 5 15:16:58 UTC 2021 - Matej Cepl notatation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros. - - bpo-43075: Fix Regular Expression Denial of Service (ReDoS) - vulnerability in urllib.request.AbstractBasicAuthHandler. - The ReDoS-vulnerable regex has quadratic worst-case - complexity and it allows cause a denial of service when - identifying crafted invalid RFCs. This ReDoS issue is on - the client side and needs remote attackers to control the - HTTP server. + - bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular + Expression Denial of Service (ReDoS) vulnerability in + urllib.request.AbstractBasicAuthHandler. The + ReDoS-vulnerable regex has quadratic worst-case complexity + and it allows cause a denial of service when identifying + crafted invalid RFCs. This ReDoS issue is on the client + side and needs remote attackers to control the HTTP server. - bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.
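Review bot: the rewrapped bpo-43075 text carries the upstream grammatical slip "and it allows cause a denial of service" through unchanged; since these lines are being rewritten anyway, "and it can cause a denial of service" (or "allows causing") reads correctly. Also, as noted on the first hunk, the identifier order "(CVE-2021-3733, bsc#1189287)" here differs from "(bsc#1189241, CVE-2021-3737)" in the 3.9.6 entry; align the two.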