forked from pool/python39
- Update to 3.9.17:
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-101283: subprocess.Popen now uses a safer approach to find
cmd.exe when launching with shell=True.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- gh-102126: Fixed a deadlock at shutdown when clearing thread
states if any finalizer tries to acquire the runtime head
lock.
- gh-100892: Fixed a crash due to a race while iterating over
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=147
This commit is contained in:
Git OBS Bridge
@@ -1,3 +1,41 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 28 19:12:12 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
- Update to 3.9.17:
|
||||
- gh-103142: The version of OpenSSL used in Windows and
|
||||
Mac installers has been upgraded to 1.1.1u to address
|
||||
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
|
||||
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
|
||||
fixed previously in 1.1.1t (gh-101727).
|
||||
- gh-102153: urllib.parse.urlsplit() now strips leading C0
|
||||
control and space characters following the specification for
|
||||
URLs defined by WHATWG in response to CVE-2023-24329
|
||||
(bsc#1208471).
|
||||
- gh-99889: Fixed a security in flaw in uu.decode() that could
|
||||
allow for directory traversal based on the input if no
|
||||
out_file was specified.
|
||||
- gh-104049: Do not expose the local on-disk
|
||||
location in directory indexes produced by
|
||||
http.client.SimpleHTTPRequestHandler.
|
||||
- gh-101283: subprocess.Popen now uses a safer approach to find
|
||||
cmd.exe when launching with shell=True.
|
||||
- gh-103935: trace.__main__ now uses io.open_code() for files
|
||||
to be executed instead of raw open().
|
||||
- gh-102953: The extraction methods in tarfile, and
|
||||
shutil.unpack_archive(), have a new filter argument that
|
||||
allows limiting tar features than may be surprising or
|
||||
dangerous, such as creating files outside the destination
|
||||
directory. See Extraction filters for details (fixing
|
||||
CVE-2007-4559, bsc#1203750).
|
||||
- gh-102126: Fixed a deadlock at shutdown when clearing thread
|
||||
states if any finalizer tries to acquire the runtime head
|
||||
lock.
|
||||
- gh-100892: Fixed a crash due to a race while iterating over
|
||||
thread states in clearing threading.local.
|
||||
- Remove upstreamed patches:
|
||||
- CVE-2023-24329-blank-URL-bypass.patch
|
||||
- CVE-2007-4559-filter-tarfile_extractall.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat May 6 17:31:35 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user