- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-101283: subprocess.Popen now uses a safer approach to find
cmd.exe when launching with shell=True.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- gh-102126: Fixed a deadlock at shutdown when clearing thread
states if any finalizer tries to acquire the runtime head
lock.
- gh-100892: Fixed a crash due to a race while iterating over
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=147
- python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed to the
stderr server log.
This is done by changing the http.server
BaseHTTPRequestHandler .log_message method to replace control
characters with a \xHH hex escape before printing.
- Avoid publishing list of active per-interpreter audit hooks
via the gc module
- The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves
a quadratic algorithm. This prevents a potential CPU denial
of service if an out-of-spec excessive length hostname
involving bidirectional characters were decoded. Some
protocols such as urllib http 3xx redirects potentially allow
for an attacker to supply such a name (CVE-2015-20107).
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- On Linux the multiprocessing module returns to using
filesystem backed unix domain sockets for communication with
the forkserver process instead of the Linux abstract socket
namespace. Only code that chooses to use the “forkserver”
start method is affected.
Abstract sockets have no permissions and could allow any
user on the system in the same network namespace (often
the whole system) to inject code into the multiprocessing
forkserver process. This was a potential privilege
escalation. Filesystem based socket permissions restrict this
to the forkserver process user as was the default in Python
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=126
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- Update bundled libexpat to 2.4.9
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=118
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
- Core and Builtins
- gh-92311: Fixed a bug where setting frame.f_lineno to jump
over a list comprehension could misbehave or crash.
- gh-92112: Fix crash triggered by an evil custom mro() on
a metaclass.
- gh-92036: Fix a crash in subinterpreters related to the
garbage collector. When a subinterpreter is deleted,
untrack all objects tracked by its GC. To prevent a crash
in deallocator functions expecting objects to be tracked by
the GC, leak a strong reference to these objects on
purpose, so they are never deleted and their deallocator
functions are not called. Patch by Victor Stinner.
- gh-91421: Fix a potential integer overflow in
_Py_DecodeUTF8Ex.
- bpo-46775: Some Windows system error codes(>= 10000) are
now mapped into the correct errno and may now raise
a subclass of OSError. Patch by Dong-hee Na.
- bpo-46962: Classes and functions that unconditionally
declared their docstrings ignoring the
--without-doc-strings compilation flag no longer do so.
- The classes affected are pickle.PickleBuffer,
testcapi.RecursingInfinitelyError, and types.GenericAlias.
- The functions affected are 24 methods in ctypes.
- Patch by Oleg Iarygin.
- bpo-36819: Fix crashes in built-in encoders with error
handlers that return position less or equal than the
starting position of non-encodable characters.
- Library
- gh-91581: utcfromtimestamp() no longer attempts to resolve
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=98
- bpo-46968: Check for the existence of the “sys/auxv.h” header
in faulthandler to avoid compilation problems in systems
where this header doesn’t exist. Patch by Pablo Galindo
- bpo-47101: hashlib.algorithms_available now lists only
algorithms that are provided by activated crypto providers on
OpenSSL 3.0. Legacy algorithms are not listed unless the
legacy provider has been loaded into the default OSSL
context.
- bpo-23691: Protect the re.finditer() iterator from
re-entering.
- bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
when reading a ZipFile from multiple threads.
- bpo-38256: Fix binascii.crc32() when it is compiled to use
zlib’c crc32 to work properly on inputs 4+GiB in length
instead of returning the wrong result. The workaround prior
to this was to always feed the function data in increments
smaller than 4GiB or to just call the zlib module function.
- bpo-39394: A warning about inline flags not at the start of
the regular expression now contains the position of the flag.
- bpo-47061: Deprecate the various modules listed by PEP 594:
- aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
sndhdr, spwd, sunau, telnetlib, uu, xdrlib
- bpo-2604: Fix bug where doctests using globals would fail
when run multiple times.
- bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
- bpo-47022: The asynchat, asyncore and smtpd modules have been
deprecated since at least Python 3.6. Their documentation has
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=96
