python-interpreters/python311
SHA256
6
0
Fork 0
forked from pool/python311
Code Pull Requests Activity
Files
factory
python311/Python-3.11.15.tar.xz.sigstore
Matěj Cepl 861a23080f Update to 3.11.15: 
- Security
    - gh-144125: BytesGenerator will now refuse to serialize
      (write) headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when
      flattening an email message using a modern email policy.
      Comments consisting of a very long sequence of non-foldable
      characters could trigger a forced line wrap that omitted
      the required leading space on the continuation line,
      causing the remainder of the comment to be interpreted as
      a new header field. This enabled header injection with
      carefully crafted inputs (bsc#1257029 CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media
      types (bsc#1257046, CVE-2025-15282).
    - gh-143919: Reject control characters in http.cookies.Morsel
      fields and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters
      (bsc#1257042, CVE-2026-0865).
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing. In order to do this without breaking
      existing users, we also add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead
      (bsc#1254997, CVE-2025-12084).
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (bsc#1252974, CVE-2025-6075).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (CVE-2025-13836, bsc#1254400).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to
      the CGI server on Windows, it could cause an arbitrary
      amount of memory to be allocated. This could have led to
      symptoms including a MemoryError, swapping, out of memory
      (OOM) killed processes or containers, or even system
      crashes.
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (bsc#1254401, CVE-2025-13837).
  - Library
    - gh-144833: Fixed a use-after-free in ssl when SSL_new()
      returns NULL in newPySSLSocket(). The error was reported
      via a dangling pointer after the object had already been
      freed.
    - gh-144363: Update bundled libexpat to 2.7.4
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
  - Core and Builtins
    - gh-120384: Fix an array out of bounds crash in
      list_ass_subscript, which could be invoked via some
      specificly tailored input: including concurrent
      modification of a list object, where one thread assigns
      a slice and another clears it.
    - gh-120298: Fix use-after free in list_richcompare_impl
      which can be invoked via some specificly tailored evil
      input.
Remove upstreamed patches:
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2025-12084-minidom-quad-search.patch
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-13837-plistlib-mailicious-length.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - CVE-2026-0865-wsgiref-ctrl-chars.patch
  - CVE-2025-15282-urllib-ctrl-chars.patch
2026-03-06 20:06:11 +01:00

2 lines
6.8 KiB
Plaintext
Raw Permalink Blame History

{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"MIICzTCCAlKgAwIBAgIUVyVRcqXdAMuxUSVZptJ+6eZKm0swCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjYwMzAzMDEwNDIyWhcNMjYwMzAzMDExNDIyWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4bCrrwAl9ojG/jCXyN/sWSVcTvPDsHgafrczoZrmhM4YBXKoJwhhI8HHiNjKdjK/gcelYfNzm3kdGwZnEWhnHaOCAXEwggFtMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU9I5aI9ujXF6sITbCk2vxbdoUoD4wHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wIgYDVR0RAQH/BBgwFoEUcGFibG9nc2FsQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGcsTmFPQAABAMARjBEAiAfKV4932gZgbat/glNz5FraTeDrCcEq03ta3E3tF4NBQIgFYG9TJYERGOBzl1x+MOcd+zB47NNHlAoCmILfTSdiKgwCgYIKoZIzj0EAwMDaQAwZgIxAOSxxc6G21MJac3dkN55PLRH53dyjObpwTTykZFGpTpjuUo2O3ft9QEPZitkA6Nm4wIxAPCQecOoqRnP6OEP51arhHdtMVknBJMaJ26wfyRSVsnKyi3DHF30nTOuVetJ2Fam4w=="},"tlogEntries":[{"logIndex":"1013496923","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"hashedrekord","version":"0.0.1"},"integratedTime":"1772499863","inclusionPromise":{"signedEntryTimestamp":"MEYCIQD9btJM4z88Jjs+dnFQPNitVE00joL/V0oaZYH6gxGMZgIhAKXx4hnuI60kDzRtvSOt1jZnggLTyiQF0LnSiqa4qk0D"},"inclusionProof":{"logIndex":"891592661","rootHash":"JK+1Umj5tvwdPhfBBbYD5UpiZA4fGUrt4GwehHKIcNI=","treeSize":"891592665","hashes":["s5AxwJ+t2gq0HIqW+ns8u59lldXwfv+yc2A3BGSrPis=","PAtZZmfHY9yavnppNM9Gmk+WqCJp68j2DVyB1/9QZ7w=","YpXdu4vbBuO+tHi1rd5gt5zbNu1csURZQROlGGw8StI=","oHenKqg2Pax643jd6J9plud+zRvWWr4XylTQ7ZuGesc=","2Fgbz1TsPBrhhyJNzNlf97xasPVWvjTRnxCIdVO85ZY=","BAVTdfJ//YgqqbF5CC5ly+o4KGLRQAapZTb7z0bEFFU=","vkI1W3s2WTouxaKvL+oEa85gPCaXFne20armi9bsfOw=","Kr1IZBtxX03UsOZdo6rsM2EPV0/q75toGqzT+3K/ri8=","Kjof0zMo+Hb6JNPs/Yoxt0ZOVOTDkBVzPDvA14+ONiM=","ZtgvM2m+592JolIGliHZ1mgjph/xHOzG6lmyNtQuw8o=","yaLcjLp9ldnUTWyy/PouoOddMS22Et9RPJrGE7WCDYc=","50BdkX7nkRgG4UrWoLVyZogLPlcHZQP2khTmOteFbho=","UFjcw2ByTVPBmHuBXkpFOLynDtU0JPa0rs1lvSVm9ns=","UfqWnx1YuXWnR6tQB8LboYpg7AuaUmwROEn7wJBVDjM=","HU7296NTl8Wek0AyCPeTMXdik0fZbtCiBDPDqVeye0E=","Xo5tam8gxbsWohATkFEqn5hvHpPFwBJ0SDjNE5DiI2A=","ZleKYeRKwUF3HP3HO0kxHMVeJgY3N/euGinVhlVWaq0=","fLAvE46NqCVV86EpB2pKkwJlFjjFk7ntX3lC+PiZuIo=","T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="],"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n891592665\nJK+1Umj5tvwdPhfBBbYD5UpiZA4fGUrt4GwehHKIcNI=\n\n— rekor.sigstore.dev wNI9ajBEAiAltxt+A0tLVa+o0H/ajiGUgmqyTo4EnQ61UY0mMB8GewIgaNKdAMRpHkk9y09X1pjyH++ayq8uM37PI8q8rJNEYYg=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyNzIxNzlkZGQ5YTJlNDFhMGZjOGU0MmUzM2RmYmRjYTBiMzcxMWFhNWFiZjM3MmQzZjJkNTE1NDNkMDliNjI1In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURlTUZ3ZHVwZ0lKaWxJWHJ6SWtTS0dhcXV1dlRNS3BYZnJZZ25qbzNpbXl3SWhBTzVxdzRTMkI5WW9WbkpxOGhMTUdUakk0Uk1VL3hYdTlCZWxVenRXQlRiSiIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZWRU5EUVd4TFowRjNTVUpCWjBsVlZubFdVbU54V0dSQlRYVjRWVk5XV25CMFNpczJaVnBMYlRCemQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFpkMDE2UVhwTlJFVjNUa1JKZVZkb1kwNU5hbGwzVFhwQmVrMUVSWGhPUkVsNVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVUwWWtOeWNuZEJiRGx2YWtjdmFrTlllVTR2YzFkVFZtTlVkbEJFYzBobllXWnlZM29LYjFweWJXaE5ORmxDV0V0dlNuZG9hRWs0U0VocFRtcExaR3BMTDJkalpXeFpaazU2YlROclpFZDNXbTVGVjJodVNHRlBRMEZZUlhkblowWjBUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlU1U1RWaENrazVkV3BZUmpaelNWUmlRMnN5ZG5oaVpHOVZiMFEwZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBsbldVUldVakJTUVZGSUwwSkNaM2RHYjBWVlkwZEdhV0pIT1c1ak1rWnpVVWhDTldSSGFIWmlhVFYyWTIxamQwdFJXVXRMZDFsQ1FrRkhSQXAyZWtGQ1FWRlJZbUZJVWpCalNFMDJUSGs1YUZreVRuWmtWelV3WTNrMWJtSXlPVzVpUjFWMVdUSTVkRTFEYzBkRGFYTkhRVkZSUW1jM09IZEJVV2RGQ2toUmQySmhTRkl3WTBoTk5reDVPV2haTWs1MlpGYzFNR041Tlc1aU1qbHVZa2RWZFZreU9YUk5TVWRLUW1kdmNrSm5SVVZCWkZvMVFXZFJRMEpJYzBVS1pWRkNNMEZJVlVFelZEQjNZWE5pU0VWVVNtcEhValJqYlZkak0wRnhTa3RZY21wbFVFc3pMMmcwY0hsblF6aHdOMjgwUVVGQlIyTnpWRzFHVUZGQlFRcENRVTFCVW1wQ1JVRnBRV1pMVmpRNU16Sm5XbWRpWVhRdloyeE9lalZHY21GVVpVUnlRMk5GY1RBemRHRXpSVE4wUmpST1FsRkpaMFpaUnpsVVNsbEZDbEpIVDBKNmJERjRLMDFQWTJRcmVrSTBOMDVPU0d4QmIwTnRTVXhtVkZOa2FVdG5kME5uV1VsTGIxcEplbW93UlVGM1RVUmhVVUYzV21kSmVFRlBVM2dLZUdNMlJ6SXhUVXBoWXpOa2EwNDFOVkJNVWtnMU0yUjVhazlpY0hkVVZIbHJXa1pIY0ZSd2FuVlZiekpQTTJaME9WRkZVRnBwZEd0Qk5rNXROSGRKZUFwQlVFTlJaV05QYjNGU2JsQTJUMFZRTlRGaGNtaElaSFJOVm10dVFrcE5ZVW95Tm5kbWVWSlRWbk51UzNscE0wUklSak13YmxSUGRWWmxkRW95Um1GdENqUjNQVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}],"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIE6jADAgEAMIIE4QYJKoZIhvcNAQcCoIIE0jCCBM4CAQMxDTALBglghkgBZQMEAgEwgcIGCyqGSIb3DQEJEAEEoIGyBIGvMIGsAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgBlVGEfl0/jl+NOiYqgPhx9Y6GPmDU/KL9fvcf0aNr44CFQCQB7SaN05xLwMMLTF9PcntJo4EyRgPMjAyNjAzMDMwMTA0MjNaMAMCAQECCHfOPhf2vU81oDKkMDAuMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxFTATBgNVBAMTDHNpZ3N0b3JlLXRzYaCCAhQwggIQMIIBlqADAgECAhQ6E1QvDJBh7rzBQy/Lio6LKiOLDDAKBggqhkjOPQQDAzA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkMB4XDTI1MDQwODA2NTk0M1oXDTM1MDQwNjA2NTk0M1owLjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MRUwEwYDVQQDEwxzaWdzdG9yZS10c2EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATitrZnyEo2KDZP2QWMIBOgYbfSOTL5ZC/cHMv6Yq+HVIo1H9TC7Cx80KDiyvKhgB3wTqKyi9UDczhqg12b1AOLnRnydMTK+qB8M+1MjBci1+Jb8AV/VXu7CRuQCiPTHFyjajBoMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUif15Q4fP0GVGwwJGxyxzW3206wMwHwYDVR0jBBgwFoAUmOwB73+7Uf/UlR5vioiYUweJzr8wFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwCgYIKoZIzj0EAwMDaAAwZQIwO2mxX/opo7SrIX9QyxfZpJRcpAV2gZOm1AZzR+2rVyy6Uc8Ybp2ybIw13ckH4bcRAjEA5qO8FyOkmYpvg2/7ZNqiPxRzn5vqKHoVcIIqtpKq6l7TvOqzAxxclN7VwTG8e++XMYIB2zCCAdcCAQEwUTA5MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxIDAeBgNVBAMTF3NpZ3N0b3JlLXRzYS1zZWxmc2lnbmVkAhQ6E1QvDJBh7rzBQy/Lio6LKiOLDDALBglghkgBZQMEAgGggfwwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNjAzMDMwMTA0MjNaMC8GCSqGSIb3DQEJBDEiBCD5NBdRMWFs/yHd18Ieiy21PmhCfG+jo/7KrvIcHwYoWzCBjgYLKoZIhvcNAQkQAi8xfzB9MHsweQQghfknvAerYsrDtENWwQ78gbLGiD/aernm2HDZ0TrNBbcwVTA9pDswOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUOhNULwyQYe68wUMvy4qOiyojiwwwCgYIKoZIzj0EAwIEZzBlAjEAxklFvFksLU54DXUFBzPyV5IkH+rmD2qd366o3p93HRUEGuCrd7vbH1NFjLm3TVh8AjAjU0CW80Ez9El7s3R06h1VqONDo8mmkV/j2Mo1D93iHMk7Sn2uaQhe5N6EK4diBII="}]}},"messageSignature":{"messageDigest":{"algorithm":"SHA2_256","digest":"JyF53dmi5BoPyOQuM9+9ygs3EapavzctPy1RVD0JtiU="},"signature":"MEYCIQDeMFwdupgIJilIXrzIkSKGaquuvTMKpXfrYgnjo3imywIhAO5qw4S2B9YoVnJq8hLMGTjI4RMU/xXu9BelUztWBTbJ"}}
View Git Blame Copy Permalink