- Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425, bsc#1219559) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0 (bsc#1222075)
- gh-115243: Fix possible crashes in
collections.deque.index() when the deque is concurrently
modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to
the certificate store, when the ssl.SSLContext is shared
across multiple threads.
- Core and Builtins
- gh-109120: Added handling of incorrect star expressions, e.g.
f(3, *). Patch by Grigoryev Semyon.
- gh-99108: Updated the hashlib built-in HACL* project C code
from upstream that we use for many implementations when
they are not present via OpenSSL in a given build. This
also avoids the rare potential for a C symbol name one
definition rule linking issue.
- gh-116735: For INSTRUMENTED_CALL_FUNCTION_EX, set arg0 to
sys.monitoring.MISSING instead of None for CALL event.
- gh-113964: Starting new threads and process creation
through os.fork() are now only prevented once all
non-daemon threads exit.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=43
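How the flush() and reparse deferral methods listed under gh-115398 behave for a streaming consumer, as an added example that is not part of the changelog or of CPython's own code. The split `<doc` / `>` input is constructed, and the `hasattr` checks are there for interpreters that do not carry the change.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: one start tag split across two network-style chunks.
CHUNKS = ["<doc", ">"]


def expat_has_reparse_deferral():
    """True when the linked libexpat is >= 2.6.0 (the CVE-2023-52425 fix)."""
    return expat.version_info >= (2, 6, 0)


def drain(parser):
    """Collect (event, tag) pairs that the pull parser has ready right now."""
    return [(event, elem.tag) for event, elem in parser.read_events()]


def feed_split_tag(chunks=CHUNKS):
    """Feed a split start tag and report events seen before and after flush()."""
    parser = ET.XMLPullParser(events=("start", "end"))
    for chunk in chunks:
        parser.feed(chunk)
    before = drain(parser)
    # flush() only exists on interpreters carrying the gh-115398 change.
    if hasattr(parser, "flush"):
        parser.flush()
    after = before + drain(parser)
    return before, after


def deferral_can_be_disabled():
    """Toggle reparse deferral on a raw pyexpat parser, if the API is present."""
    p = expat.ParserCreate()
    if not hasattr(p, "SetReparseDeferralEnabled"):
        return None  # interpreter predates gh-115398
    p.SetReparseDeferralEnabled(False)
    return p.GetReparseDeferralEnabled() is False


if __name__ == "__main__":
    before, after = feed_split_tag()
    print("libexpat:", expat.EXPAT_VERSION, "deferral:", expat_has_reparse_deferral())
    print("events before flush():", before)
    print("events after  flush():", after)
    print("deferral disabled on raw parser:", deferral_can_be_disabled())
```

With Expat >= 2.6.0 the start event normally appears only after flush(), so code that reads events right after feed() should call flush() rather than turn deferral off for untrusted input.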
CVE-2023-27043-email-parsing-errors.patch, which rejects
malformed addresses in email.parseaddr() (gh#python/cpython!111116)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=33