Accepting request 919259 from devel:languages:python:Factory

- bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now
  avoids infinitely reading potential HTTP headers after
  a 100 Continue status response from the server.
- bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular
  Expression Denial of Service (ReDoS) vulnerability in
  urllib.request.AbstractBasicAuthHandler. The
  ReDoS-vulnerable regex has quadratic worst-case complexity
  and it allows causing a denial of service when identifying
  crafted invalid RFCs. This ReDoS issue is on the client
  side and needs remote attackers to control the HTTP server.

OBS-URL: https://build.opensuse.org/request/show/919259
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=22
This commit is contained in:
Dominique Leuenberger 2021-09-20 21:32:04 +00:00 committed by Git OBS Bridge
commit b3f4fa91cb


@ -239,9 +239,9 @@ Mon Aug 9 11:14:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Update to 3.9.6: - Update to 3.9.6:
* Security * Security
- bpo-44022: mod:http.client now avoids infinitely reading - bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now
potential HTTP headers after a 100 Continue status response avoids infinitely reading potential HTTP headers after
from the server. a 100 Continue status response from the server.
* Core and Builtins * Core and Builtins
- bpo-44168: Fix error message in the parser involving keyword - bpo-44168: Fix error message in the parser involving keyword
arguments with invalid expressions. Patch by Pablo Galindo arguments with invalid expressions. Patch by Pablo Galindo
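Review bot: the bpo-44022 line changes more than the reference tag: besides adding "(bsc#1189241, CVE-2021-3737)" it also drops the "mod:" prefix in front of http.client. That cleanup is reasonable, but it is unrelated to tagging the CVE and the commit message does not mention it, so either note it there or split it out. The edit also lands inside the existing "Update to 3.9.6" entry dated Mon Aug 9 rather than in an entry of its own; anyone auditing when CVE-2021-3737 was addressed will read that date, so confirm that is the intended record.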
@ -350,13 +350,13 @@ Wed May 5 15:16:58 UTC 2021 - Matej Cepl <mcepl@suse.com>
notatation. glibc implementation of modern inet_pton() does notatation. glibc implementation of modern inet_pton() does
not accept any leading zeros. For a while the ipaddress not accept any leading zeros. For a while the ipaddress
module used to accept ambiguous leading zeros. module used to accept ambiguous leading zeros.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS) - bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular
vulnerability in urllib.request.AbstractBasicAuthHandler. Expression Denial of Service (ReDoS) vulnerability in
The ReDoS-vulnerable regex has quadratic worst-case urllib.request.AbstractBasicAuthHandler. The
complexity and it allows cause a denial of service when ReDoS-vulnerable regex has quadratic worst-case complexity
identifying crafted invalid RFCs. This ReDoS issue is on and it allows cause a denial of service when identifying
the client side and needs remote attackers to control the crafted invalid RFCs. This ReDoS issue is on the client
HTTP server. side and needs remote attackers to control the HTTP server.
- bpo-42800: Audit hooks are now fired for frame.f_code, - bpo-42800: Audit hooks are now fired for frame.f_code,
traceback.tb_frame, and generator code/frame attribute traceback.tb_frame, and generator code/frame attribute
access. access.
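Review bot: the reference order in the bpo-43075 line, "(CVE-2021-3733, bsc#1189287)", is the reverse of the order used for bpo-44022 in the previous hunk, "(bsc#1189241, CVE-2021-3737)". Pick one order (bug number first or CVE first) so that searches and scripts over the changelog match both entries the same way. Since the paragraph is being re-wrapped anyway, the carried-over wording "it allows cause a denial of service" could be corrected in the same pass, and the neighbouring context line still reads "notatation".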