python-interpreters/python39
SHA256
6
0
Fork 0
forked from pool/python39
Code Pull Requests Activity
261 Commits 1 Branch 0 Tags
a7506e8af6d39dd8adb9f84b7698617e0bbb624557e80e751a991674eef48c5c
Commit Graph

4 Commits

Author SHA256 Message Date
Matěj Cepl
a7506e8af6 Update to 3.9.25 
Security
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (CVE-2025-6075, bsc#1252974).
Library
    - gh-98793: Fix argument typechecks in
      _overlapped.WSAConnect() and
      _overlapped.Overlapped.WSASendTo() functions. bpo-44817:
      Ignore WinError 53 (ERROR_BAD_NETPATH), 65
      (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME)
      when using ntpath.realpath().
Core and Builtins
    - gh-120384: Fix an array out of bounds crash in
      list_ass_subscript, which could be invoked via some
      specificly tailored input: including concurrent
      modification of a list object, where one thread assigns
      a slice and another clears it.
    - gh-120298: Fix use-after free in list_richcompare_impl
      which can be invoked via some specificly tailored evil
      input.
 2025-12-11 22:48:48 +01:00
Matěj Cepl
6d41ecb4ad Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple 
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
 2025-11-15 19:27:49 +01:00
Matěj Cepl
69e885b9cf Mark the upgrade to 3.9.24 as fixing CVE-2025-8291, bsc#1251305. 2025-11-15 12:22:45 +01:00
Matej Cepl
379872e378 - Update to 3.9.24: 
- Security
    - gh-139700: Check consistency of the zip64 end of central
      directory record. Support records with “zip64 extensible data”
      if there are no bytes prepended to the ZIP file.
    - gh-139400: xml.parsers.expat: Make sure that parent Expat
      parsers are only garbage-collected once they are no longer
      referenced by subparsers created by
      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-121227: Raise an SSL.SSLError if an empty protocols argument
      is passed to ssl.SSLContext.set_npn_protocols() to fix
      CVE-2024-5642.
    - gh-135661: Fix parsing start and end tags in
      html.parser.HTMLParser according to the HTML5 standard.
      * Whitespaces no longer accepted between </ and the tag name.
        E.g. </ script> does not end the script section.
      * Vertical tabulation (\v) and non-ASCII whitespaces no longer
        recognized as whitespaces. The only whitespaces are \t\n\r\f
        and space.
      * Null character (U+0000) no longer ends the tag name.
      * Attributes and slashes after the tag name in end tags are now
        ignored, instead of terminating after the first > in quoted
        attribute value. E.g. </script/foo=">"/>.
      * Multiple slashes and whitespaces between the last attribute
        and closing > are now ignored in both start and end tags. E.g.
        <a foo=bar/ //>.
      * Multiple = between attribute name and value are no longer
        collapsed. E.g. <a foo==bar> produces attribute “foo” with
        value “=bar”.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=245
 2025-10-16 16:28:18 +00:00