| 8b9a8e0 | Łukasz Langa | 06 September 2024, 20:34:30 UTC | Post 3.9.20. | 06 September 2024, 20:34:30 UTC |
| 8c3f794 | Łukasz Langa | 06 September 2024, 19:03:56 UTC | Python 3.9.20 | 06 September 2024, 19:03:56 UTC |
| ee953f2 | Petr Viktorin | 06 September 2024, 11:13:54 UTC | [3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123769) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel> | 06 September 2024, 11:13:54 UTC |
| c57c4a9 | Seth Michael Larson | 05 September 2024, 12:27:48 UTC | [3.9] gh-123678: Upgrade libexpat 2.6.3 (#123711) (cherry picked from commit fdc04ad75a410ed3af99edfc32c38b5fc3375f52) | 05 September 2024, 12:27:48 UTC |
| a5798d0 | Serhiy Storchaka | 05 September 2024, 12:05:43 UTC | [3.9] gh-67693: Fix urlunparse() and urlunsplit() for URIs with path starting with multiple slashes and no authority (GH-113563) (#119027) (cherry picked from commit e237b25a4fa5626fcd1b1848aa03f725f892e40e) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 05 September 2024, 12:05:43 UTC |
| 0152431 | Łukasz Langa | 04 September 2024, 20:41:03 UTC | [3.9] gh-112275: Fix HEAD_LOCK deadlock in child process after fork (GH-112336) (#123688) HEAD_LOCK is called from _PyEval_ReInitThreads->_PyThreadState_DeleteExcept before _PyRuntimeState_ReInitThreads reinit runtime->interpreters.mutex which might be locked before fork. (cherry picked from commit 522799a05e3e820339718151ac055af6d864d463) Co-authored-by: ChuBoning <102216855+ChuBoning@users.noreply.github.com> | 04 September 2024, 20:41:03 UTC |
| 9290419 | Miss Islington (bot) | 04 September 2024, 16:22:50 UTC | [3.9] gh-119690: Fixes buffer type confusion in _winapi.CreateFile and _winapi.CreateNamedPipe audit events (GH-119735) (#123679) (cherry picked from commit 2e861ac1cd4359463f6a13efd3d3578fce71e5ab) Co-authored-by: Steve Dower <steve.dower@python.org> | 04 September 2024, 16:22:50 UTC |
| d662e2d | Miss Islington (bot) | 04 September 2024, 15:49:40 UTC | [3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) (#123107) This fixes CVE-2024-7592. (cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 04 September 2024, 15:49:40 UTC |
| 9620552 | Jason R. Coombs | 04 September 2024, 15:46:48 UTC | [3.9] gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) (#123432) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6) (cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com> | 04 September 2024, 15:46:48 UTC |
| b4225ca | Seth Michael Larson | 04 September 2024, 15:46:01 UTC | [3.9] gh-121285: Remove backtracking when parsing tarfile headers (GH-121286) (#123641) * Remove backtracking when parsing tarfile headers * Rewrite PAX header parsing to be stricter * Optimize parsing of GNU extended sparse headers v0.0 (cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 04 September 2024, 15:46:01 UTC |
| f7be505 | Łukasz Langa | 04 September 2024, 15:39:02 UTC | [3.9] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122610) Per RFC 2047: > [...] these encoding schemes allow the > encoding of arbitrary octet values, mail readers that implement this > decoding should also ensure that display of the decoded data on the > recipient's terminal will not cause unwanted side-effects It seems that the "quoted-word" scheme is a valid way to include a newline character in a header value, just like we already allow undecodable bytes or control characters. They do need to be properly quoted when serialized to text, though. This should fail for custom fold() implementations that aren't careful about newlines. (cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 04 September 2024, 15:39:02 UTC |
| 3f5d9d1 | Miss Islington (bot) | 02 August 2024, 13:10:52 UTC | [3.9] gh-122133: Rework pure Python socketpair tests to avoid use of importlib.reload. (GH-122493) (GH-122508) (cherry picked from commit f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660) Co-authored-by: Russell Keith-Magee <russell@keith-magee.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 02 August 2024, 13:10:52 UTC |
| 06fa244 | Miss Islington (bot) | 30 July 2024, 12:44:26 UTC | [3.9] gh-122133: Authenticate socket connection for `socket.socketpair()` fallback (GH-122134) (#122428) Authenticate socket connection for `socket.socketpair()` fallback when the platform does not have a native `socketpair` C API. We authenticate in-process using `getsocketname` and `getpeername` (thanks to Nathaniel J Smith for that suggestion). (cherry picked from commit 78df1043dbdce5c989600616f9f87b4ee72944e5) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 30 July 2024, 12:44:26 UTC |
| 9e9c71d | Łukasz Langa | 22 July 2024, 11:49:47 UTC | [3.9] gh-121957: Emit audit events for python -i and python -m asyncio (GH-122120) | 22 July 2024, 11:49:47 UTC |
| 54b5e9e | Ned Deily | 30 May 2024, 16:36:05 UTC | [3.9] gh-112769: test_zlib: test_zlib: Fix comparison of ZLIB_RUNTIME_VERSION with non-int suffix (GH-112771) (GH-119566) zlib-ng defines the version as "1.3.0.zlib-ng". (cherry picked from commit d384813) Co-authored-by: Miro Hrončok miro@hroncok.cz | 30 May 2024, 16:36:05 UTC |
| 5130731 | Steve Dower | 24 May 2024, 17:27:01 UTC | [3.9] gh-118486: Support mkdir(mode=0o700) on Windows (GH-118488) (GH-118741) Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 24 May 2024, 17:27:01 UTC |
| b228655 | Seth Michael Larson | 10 May 2024, 11:46:12 UTC | [3.9] gh-114572: Fix locking in cert_store_stats and get_ca_certs (#118109) | 10 May 2024, 11:46:12 UTC |
| 22adf29 | Petr Viktorin | 07 May 2024, 09:57:58 UTC | [3.9] gh-113171: gh-65056: Fix "private" (non-global) IP address ranges (GH-113179) (GH-113186) (GH-118177) (GH-118472) The _private_networks variables, used by various is_private implementations, were missing some ranges and at the same time had overly strict ranges (where there are more specific ranges considered globally reachable by the IANA registries). This patch updates the ranges with what was missing or otherwise incorrect. 100.64.0.0/10 is left alone, for now, as it's been made special in [1]. The _address_exclude_many() call returns 8 networks for IPv4, 121 networks for IPv6. [1] https://github.com/python/cpython/issues/61602 In 3.10 and below, is_private checks whether the network and broadcast address are both private. In later versions (where the test wss backported from), it checks whether they both are in the same private network. For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private, but one is in 0.0.0.0/8 ("This network") and the other in 255.255.255.255/32 ("Limited broadcast"). --------- Co-authored-by: Jakub Stasiak <jakub@stasiak.at> | 07 May 2024, 09:57:58 UTC |
| 7db40cd | Seth Michael Larson | 07 May 2024, 08:50:48 UTC | [3.9] gh-116741: Upgrade libexpat to 2.6.2 (GH-117296) (GH-118187) (cherry picked from commit c9829eec0883a8991ea4d319d965e123a3cf6c20) | 07 May 2024, 08:50:48 UTC |
| 22ae383 | Miss Islington (bot) | 07 May 2024, 08:48:03 UTC | [3.9] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) (GH-118005) (cherry picked from commit a4b44d39cd6941cc03590fee7538776728bdfd0a) Co-authored-by: Steve Dower <steve.dower@python.org> | 07 May 2024, 08:48:03 UTC |
| 40d77b9 | jkriegshauser | 27 March 2024, 15:24:46 UTC | [3.9] gh-116773: Fix overlapped memory corruption crash (GH-116774) (GH-117080) Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 27 March 2024, 15:24:46 UTC |
| f7c7e72 | Miss Islington (bot) | 27 March 2024, 13:45:22 UTC | [3.9] gh-117187: Fix XML tests for vanilla Expat <2.6.0 (GH-117203) (GH-117247) This fixes XML unittest fallout from the https://github.com/python/cpython/issues/115398 security fix. When configured using `--with-system-expat` on systems with older pre 2.6.0 versions of libexpat, our unittests were failing. (cherry picked from commit 9f74e86c78853c101a23e938f8e32ea838d8f62e) Co-authored-by: Sebastian Pipping <sebastian@pipping.org> | 27 March 2024, 13:45:22 UTC |
| a04a0f6 | Łukasz Langa | 19 March 2024, 16:18:11 UTC | Post 3.9.19 | 19 March 2024, 16:18:11 UTC |
| 882f62b | Łukasz Langa | 19 March 2024, 15:48:02 UTC | Python 3.9.19 | 19 March 2024, 15:48:02 UTC |
| fc2c98f | Miss Islington (bot) | 19 March 2024, 10:53:42 UTC | [3.9] gh-115197: Stop resolving host in urllib.request proxy bypass (GH-115210) (GH-116068) Use of a proxy is intended to defer DNS for the hosts to the proxy itself, rather than a potential for information leak of the host doing DNS resolution itself for any reason. Proxy bypass lists are strictly name based. Most implementations of proxy support agree. (cherry picked from commit c43b26d02eaa103756c250e8d36829d388c5f3be) Co-authored-by: Weii Wang <weii.wang@canonical.com> | 19 March 2024, 10:53:42 UTC |
| 2007624 | Sebastian Pipping | 06 March 2024, 23:03:30 UTC | [3.9] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) (GH-116272) Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods: - `xml.etree.ElementTree.XMLParser.flush` - `xml.etree.ElementTree.XMLPullParser.flush` - `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled` - `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` - `xml.sax.expatreader.ExpatParser.flush` Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 . Includes code suggested-by: Snild Dolkow <snild@sony.com> and by core dev Serhiy Storchaka. Co-authored-by: Gregory P. Smith <greg@krypto.org> | 06 March 2024, 23:03:30 UTC |
| 468ba95 | Miss Islington (bot) | 21 February 2024, 16:02:34 UTC | [3.9] gh-107077: Raise SSLCertVerificationError even if the error is set via SSL_ERROR_SYSCALL (GH-107586) (#107590) (cherry picked from commit 77e09192b5f1caf14cd5f92ccb53a4592e83e8bc) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> Co-authored-by: T. Wouters <thomas@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 21 February 2024, 16:02:34 UTC |
| 4b68e5d | Seth Michael Larson | 21 February 2024, 12:48:13 UTC | [3.9] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115474) Manual backport due to code differences. (cherry picked from commit e071b0d558b2f5cddd5a9fc6afadb4ba109ec77e) Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 21 February 2024, 12:48:13 UTC |
| 0397866 | Miss Islington (bot) | 21 February 2024, 11:45:14 UTC | [3.9] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" (GH-115400) (GH-115763) Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities" (cherry picked from commit fbd40ce46e7335a5dbaf48a3aa841be22d7302ba) Co-authored-by: Sebastian Pipping <sebastian@pipping.org> | 21 February 2024, 11:45:14 UTC |
| dafb4f0 | Seth Michael Larson | 21 February 2024, 11:22:55 UTC | [3.9] Fix tests for XMLPullParser with Expat 2.6.0 (GH-115133) (GH-115535) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 21 February 2024, 11:22:55 UTC |
| c23f749 | Miss Islington (bot) | 21 February 2024, 11:17:44 UTC | [3.9] gh-97032: avoid test_squeezer crash on macOS buildbots (GH-115508) (#115655) (cherry picked from commit 17a6533dbf5ffdfd707c1514a61423d9ac59a9cb) Co-authored-by: Ned Deily <nad@python.org> | 21 February 2024, 11:17:44 UTC |
| 3fcea41 | Hugo van Kemenade | 13 February 2024, 12:56:59 UTC | [3.9] gh-115349: Pin theme to fix code snippets (GH-115351) Pin theme to fix code snippets | 13 February 2024, 12:56:59 UTC |
| fa1f564 | Miss Islington (bot) | 13 February 2024, 12:56:31 UTC | [3.9] Add missing sections to blurbs (GH-114553) (GH-115339) (cherry picked from commit dc8893af7df706138161d82ce7d1d2f9132d14f9) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> | 13 February 2024, 12:56:31 UTC |
| 24c6514 | Łukasz Langa | 06 February 2024, 15:08:31 UTC | [3.9] gh-111239: Update Windows build to use zlib 1.3.1 (GH-114877) (GH-115087) (cherry picked from commit 618d7256e78da8200f6e2c6235094a1ef885dca4) Co-authored-by: Zachary Ware <zach@python.org> | 06 February 2024, 15:08:31 UTC |
| 8fc8c45 | Serhiy Storchaka | 17 January 2024, 14:28:17 UTC | [3.9] gh-113659: Skip hidden .pth files (GH-113660) (GH-114146) (cherry picked from commit 74208ed0c440244fb809d8acc97cb9ef51e888e3) Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 17 January 2024, 14:28:17 UTC |
| dd068ea | Miss Islington (bot) | 17 January 2024, 14:10:35 UTC | [3.9] gh-107888: Fix test_mmap.test_access_parameter() on macOS 14 (GH-109928) (GH-114184) (cherry picked from commit 9dbfe2dc8e7bba25e52f9470ae6969821a365297) Co-authored-by: Victor Stinner <vstinner@python.org> | 17 January 2024, 14:10:35 UTC |
| 2613df8 | Adam Turner | 17 January 2024, 13:48:31 UTC | [3.9] gh-114021: Pin various sphinxcontrib extensions to older versions (GH-114022) (GH-114039) (cherry picked from commit 94b1d1fa38ada8cf7d196184a04a195c152eed75) Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com> | 17 January 2024, 13:48:31 UTC |
| a2c5999 | Miss Islington (bot) | 17 January 2024, 13:48:06 UTC | [3.9] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915) Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 17 January 2024, 13:48:06 UTC |
| d54e22a | Serhiy Storchaka | 17 January 2024, 13:47:47 UTC | [3.9] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112842) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) Co-authored-by: Søren Løvborg <sorenl@unity3d.com> | 17 January 2024, 13:47:47 UTC |
| a6f73f6 | Miss Islington (bot) | 17 January 2024, 13:47:26 UTC | [3.9] bpo-37013: Fix the error handling in socket.if_indextoname() (GH-13503) (GH-112600) * Fix a crash when pass UINT_MAX. * Fix an integer overflow on 64-bit non-Windows platforms. (cherry picked from commit 0daf555c6fb3feba77989382135a58215e1d70a5) Co-authored-by: Zackery Spytz <zspytz@gmail.com> | 17 January 2024, 13:47:26 UTC |
| 75da506 | Zachary Ware | 17 January 2024, 13:47:09 UTC | [3.9] gh-109991: Update Windows build to use OpenSSL 1.1.1w (GH-111265) (cherry picked from commit dcb16c98be61630369227f0d893f8d9262d25cac) Co-authored-by: Steve Dower <steve.dower@python.org> | 17 January 2024, 13:47:09 UTC |
| f4118e9 | Ned Deily | 17 January 2024, 13:46:46 UTC | [3.9] gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to use 1.1.1w and 3.0.11. (GH-110008) (cherry picked from commit c88037d137a98d7c399c7bd74d5117b5bcae1543) | 17 January 2024, 13:46:46 UTC |
| f86e20e | Maciej Olko | 10 January 2024, 09:35:38 UTC | [3.9] Fix documentation build by pinning Alabaster version to 0.7.13 (#113815) Alabaster is Sphinx's dependency. Alabaster 0.7.14 released on 2024-01-08 dropped support for Sphinx 3.3 and earlier. https://alabaster.readthedocs.io/en/latest/changelog.html | 10 January 2024, 09:35:38 UTC |
| 300d315 | Seth Michael Larson | 06 December 2023, 23:26:24 UTC | [3.9] gh-112160: Add 'regen-configure' make target (#112164) Add 'regen-configure' make target | 06 December 2023, 23:26:24 UTC |
| 08b640e | Łukasz Langa | 06 November 2023, 17:44:50 UTC | [3.9] gh-101180: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds (gh-111695) (gh-111780) (cherry picked from commit c8faa3568afd255708096f6aa8df0afa80cf7697) Co-authored-by: Masayuki Moriyama <masayuki.moriyama@miraclelinux.com> | 06 November 2023, 17:44:50 UTC |
| 43a6e4f | Miss Islington (bot) | 06 September 2023, 18:01:05 UTC | [3.9] gh-109002: Ensure only one wheel for each vendored package (GH-109003) (#109008) Output with one wheel: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py Verifying checksum for /Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl. Expected digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be Actual digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be ::notice file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Successfully verified the checksum of the pip wheel. ``` Output with two wheels: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py ::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl::Found more than one wheel for package pip. ::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Found more than one wheel for package pip. ``` Output without wheels: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py ::error file=::Could not find a pip wheel on disk. ``` (cherry picked from commit f8a047941f2e4a1848700c21d58a08c9ec6a9c68) Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 06 September 2023, 18:01:05 UTC |
| 13905c9 | Hugo van Kemenade | 05 September 2023, 20:39:06 UTC | [3.9] CI: Bump GitHub Actions (GH-108879) (#108893) Co-authored-by: Łukasz Langa <lukasz@langa.pl> | 05 September 2023, 20:39:06 UTC |
| e4b971c | Miss Islington (bot) | 05 September 2023, 15:37:59 UTC | [3.9] [3.10] Add a dummy .rtfd.yml file to silence invalid failing webhooks (GH-108908) (#108925) (cherry picked from commit 5970435b26fc85c83490bc915c894ea7dd0fbf21) Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com> | 05 September 2023, 15:37:59 UTC |
| cf69231 | Łukasz Langa | 24 August 2023, 19:18:58 UTC | Post 3.9.18 | 24 August 2023, 19:18:58 UTC |
| 376d66e | Łukasz Langa | 24 August 2023, 17:51:41 UTC | Python 3.9.18 | 24 August 2023, 17:59:28 UTC |
| 92f9ce7 | Łukasz Langa | 24 August 2023, 17:44:27 UTC | Fix invalid string escape | 24 August 2023, 17:44:27 UTC |
| d2cd0a3 | Łukasz Langa | 24 August 2023, 10:09:11 UTC | [3.9] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407) * In preauth tests of test_ssl, explicitly break reference cycles invoving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catchs TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47) Co-authored-by: Victor Stinner <vstinner@python.org> | 24 August 2023, 10:09:11 UTC |
| b8058b3 | Miss Islington (bot) | 23 August 2023, 10:10:49 UTC | [3.9] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) Co-authored-by: Victor Stinner <vstinner@python.org> | 23 August 2023, 10:10:49 UTC |
| d31ae21 | Ned Deily | 22 August 2023, 18:28:57 UTC | [3.9] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. (#108123) [3.9] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. (cherry picked from commit 441797d4ffb12acda257370b9e5e19ed8d6e8a71) | 22 August 2023, 18:28:57 UTC |
| 42deeab | Petr Viktorin | 22 August 2023, 18:28:10 UTC | [3.9] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) (#108274) (cherry picked from commit acbd3f9c5c5f23e95267714e41236140d84fe962) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com> | 22 August 2023, 18:28:10 UTC |
| 4a79328 | Serhiy Storchaka | 22 August 2023, 18:25:15 UTC | [3.9] gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data (GH-99613) (GH-107224) (#107231) Previously *consumed was not set in this case. (cherry picked from commit f08e52ccb027f6f703302b8c1a82db9fd3934270). (cherry picked from commit b8b3e6afc0a48c3cbb7c36d2f73e332edcd6058c) | 22 August 2023, 18:25:15 UTC |
| 264b1da | Łukasz Langa | 22 August 2023, 17:57:10 UTC | [3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org> | 22 August 2023, 17:57:10 UTC |
| 38b489b | Erlend E. Aasland | 05 July 2023, 11:20:44 UTC | [3.9] CI: Bump macOS build to use OpenSSL v3.0 (GH-105538) (#105871) (cherry picked from commit 34e93d3998bab8acd651c50724eb1977f4860a08) Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com> | 05 July 2023, 11:20:44 UTC |
| ce93371 | Miss Islington (bot) | 05 July 2023, 11:18:49 UTC | [3.9] [3.11] Add single value `agen.athrow(value)` signature to the 3.11 docs gh-105269 (GH-105468) (#105477) (cherry picked from commit acf3916e84158308660ed07c474a564e045d6884) Co-authored-by: Federico Caselli <CaselIT@users.noreply.github.com> | 05 July 2023, 11:18:49 UTC |
| 1528b42 | Łukasz Langa | 06 June 2023, 12:17:01 UTC | Post 3.9.17 | 06 June 2023, 12:17:01 UTC |
| 0d3cd4e | Łukasz Langa | 06 June 2023, 09:32:53 UTC | Python 3.9.17 | 06 June 2023, 09:32:53 UTC |
| e1c396d | Miss Islington (bot) | 05 June 2023, 15:42:16 UTC | [3.9] gh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (GH-105185) (#105221) (cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec) Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com> | 05 June 2023, 15:42:16 UTC |
| e15de14 | Gregory P. Smith | 05 June 2023, 15:41:51 UTC | [3.9] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) (#105205) Upgrade builds to OpenSSL 1.1.1u. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af) Co-authored-by: Ned Deily <nad@python.org> | 05 June 2023, 15:41:51 UTC |
| c9bf00b | Ned Deily | 05 June 2023, 06:23:32 UTC | [3.9] Update GitHub CI workflow for macOS. (GH-105303) | 05 June 2023, 06:23:32 UTC |
| 89507d5 | Ned Deily | 05 June 2023, 03:56:15 UTC | [3.9] gh-68966: fix versionchanged in docs (GH-105298) | 05 June 2023, 03:56:15 UTC |
| d7f8a5f | Miss Islington (bot) | 22 May 2023, 10:42:37 UTC | [3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593) gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> | 22 May 2023, 10:42:37 UTC |
| 3d5dd1e | Miss Islington (bot) | 22 May 2023, 10:41:30 UTC | [3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) (#104331) (cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4) Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com> | 22 May 2023, 10:41:30 UTC |
| b53d0ff | Miss Islington (bot) | 22 May 2023, 10:40:50 UTC | [3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104120) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 22 May 2023, 10:40:50 UTC |
| d1645ce | Steve Dower | 22 May 2023, 10:40:30 UTC | [3.9] gh-103935: Use `io.open_code()` when executing code in trace and profile modules (GH-103947) (#103953) Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com> | 22 May 2023, 10:40:30 UTC |
| 98016f7 | Petr Viktorin | 15 May 2023, 16:53:58 UTC | [3.9] gh-102950: Implement PEP 706 – Filter for tarfile.extractall (GH-102953) (#104382) Backport of c8c3956d905e019101038b018129a4c90c9c9b8f | 15 May 2023, 16:53:58 UTC |
| 7cb3a44 | Kumar Aditya | 28 March 2023, 08:55:36 UTC | [3.9] GH-102126: fix deadlock at shutdown when clearing thread states (GH-102222) (#102236) (cherry picked from commit 5f11478ce7fda826d399530af4c5ca96c592f144) | 28 March 2023, 08:55:36 UTC |
| b5a9430 | Pradyun Gedam | 28 March 2023, 08:52:56 UTC | [3.9] gh-101997: Update bundled pip version to 23.0.1 (GH-101998). (#102243) (cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5) | 28 March 2023, 08:52:56 UTC |
| cb0b009 | Miss Islington (bot) | 13 March 2023, 23:28:36 UTC | [3.9] gh-102627: Replace address pointing toward malicious web page (GH-102630) (GH-102666) (cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839) Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com> Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 13 March 2023, 23:28:36 UTC |
| bf99e19 | Steve Dower | 07 March 2023, 23:01:22 UTC | [3.9] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101751) Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org> | 07 March 2023, 23:01:22 UTC |
| c25b484 | Dong-hee Na | 21 February 2023, 16:33:23 UTC | [3.9] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI i… (#102094) [3.9] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (gh-102079) | 21 February 2023, 16:33:23 UTC |
| 04cc427 | Miss Islington (bot) | 09 February 2023, 09:59:40 UTC | [3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101709) Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Steve Dower <steve.dower@microsoft.com> | 09 February 2023, 09:59:40 UTC |
| c33aaa9 | Miss Islington (bot) | 30 January 2023, 18:21:08 UTC | gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424) (cherry picked from commit ea232716d3de1675478db3a302629ba43194c967) Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com> | 30 January 2023, 18:21:08 UTC |
| 044fb4f | Miss Islington (bot) | 21 January 2023, 19:38:52 UTC | [3.9] Bump Azure Pipelines to ubuntu-22.04 (GH-101089) (#101214) (cherry picked from commit c22a55c8b4f142ff679880ec954691d5920b7845) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 21 January 2023, 19:38:52 UTC |
| fcfa505 | Steve Dower | 20 January 2023, 22:22:50 UTC | [3.9] gh-100180: Update Windows installer to OpenSSL 1.1.1s (GH-100903) (#100904) | 20 January 2023, 22:22:50 UTC |
| 6954203 | Kumar Aditya | 20 January 2023, 22:21:40 UTC | [3.9] GH-100892: Fix race in clearing `threading.local` (GH-100922) (#100939) [3.9] [3.10] GH-100892: Fix race in clearing `threading.local` (GH-100922). (cherry picked from commit 762745a124cbc297cf2fe6f3ec9ca1840bb2e873) Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>. (cherry picked from commit 683e9fe30ecd024f5508b2a33316752870100a96) Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com> | 20 January 2023, 22:21:40 UTC |
| 6be2e0e | Éric | 20 January 2023, 22:21:00 UTC | [3.9] gh-95778: add doc missing in some places (GH-100627). (#101066) (cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b) Co-authored-by: Éric <earaujo@caravan.coop> | 20 January 2023, 22:21:00 UTC |
| cf71e19 | Gregory P. Smith | 20 January 2023, 22:20:32 UTC | [3.9] Correct CVE-2020-10735 documentation (GH-100306). (#100697) (cherry picked from commit 1cf3d78c92eb07dc09d15cc2e773b0b1b9436825) (cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04) Co-authored-by: Jeremy Paige <ucodery@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 20 January 2023, 22:20:32 UTC |
| 5ef90ee | Miss Islington (bot) | 09 January 2023, 03:11:49 UTC | [3.9] Update copyright year in README (GH-100863) (GH-100865) (GH-100866) (cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47) Co-authored-by: Ned Deily <nad@python.org> Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com> | 09 January 2023, 03:11:49 UTC |
| 08210c6 | Benjamin Peterson | 08 January 2023, 23:00:10 UTC | [3.9] Update copyright years to 2023. (gh-100851) * [3.9] Update copyright years to 2023. (gh-100848). (cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d) Co-authored-by: Benjamin Peterson <benjamin@python.org> * Update additional copyright years to 2023. Co-authored-by: Ned Deily <nad@python.org> | 08 January 2023, 23:00:10 UTC |
| e8f61ed | Miss Islington (bot) | 20 December 2022, 11:57:08 UTC | Clarify that every thread has its own default context in contextvars (GH-99246) (cherry picked from commit cb60b6131bc2bb11c48a15f808914d8b242b9fc5) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> | 20 December 2022, 11:57:08 UTC |
| db577e2 | Łukasz Langa | 06 December 2022, 18:50:26 UTC | Post 3.9.16 | 06 December 2022, 18:50:26 UTC |
| 595f9cc | Łukasz Langa | 06 December 2022, 17:59:46 UTC | Python 3.9.16 | 06 December 2022, 17:59:46 UTC |
| 3b81c13 | Miss Islington (bot) | 06 December 2022, 10:22:12 UTC | [3.9] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100032) * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828) Co-authored-by: Gregory P. Smith <greg@krypto.org> * also escape \s (backport of PR #100038). * add versionadded and remove extra 'to' Co-authored-by: Gregory P. Smith <greg@krypto.org> | 06 December 2022, 10:22:12 UTC |
| 7b98207 | Steve Dower | 21 November 2022, 18:13:33 UTC | [3.9] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99493) | 21 November 2022, 18:13:33 UTC |
| c09dba5 | Miss Islington (bot) | 10 November 2022, 15:57:41 UTC | [3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (#99230) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 10 November 2022, 15:57:41 UTC |
| b43496c | Miss Islington (bot) | 28 October 2022, 10:08:30 UTC | [3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via https://github.com/python/cpython/pull/18866 while fixing https://github.com/python/cpython/issues/84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 28 October 2022, 10:08:30 UTC |
| 857efee | Miss Islington (bot) | 28 October 2022, 10:08:06 UTC | [3.9] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98526) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com> | 28 October 2022, 10:08:06 UTC |
| 71a075a | Miss Islington (bot) | 28 October 2022, 10:07:32 UTC | [3.9] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98786) Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680. Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com> (cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299) | 28 October 2022, 10:07:32 UTC |
| 157a8b8 | Miss Islington (bot) | 11 October 2022, 21:13:54 UTC | [3.9] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98196) gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness. (cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 11 October 2022, 21:13:54 UTC |
| c59a16e | Miss Islington (bot) | 11 October 2022, 21:13:18 UTC | [3.9] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98190) gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba) Co-authored-by: Petr Viktorin <encukou@gmail.com> | 11 October 2022, 21:13:18 UTC |
| bd4e532 | Łukasz Langa | 11 October 2022, 15:38:29 UTC | Post 3.9.15 | 11 October 2022, 15:38:29 UTC |
| 7e28154 | Łukasz Langa | 11 October 2022, 14:48:37 UTC | Python 3.9.15 | 11 October 2022, 14:48:37 UTC |
| 1db2d95 | Miss Islington (bot) | 07 October 2022, 20:53:39 UTC | [3.9] gh-91708: Revert params note in urllib.parse.urlparse table (GH-96699) (#98054) Revert params note in urllib.parse.urlparse table (cherry picked from commit eed80458e8e776d15fa862da71dcce58c47e2ca7) Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com> | 07 October 2022, 20:53:39 UTC |
| da1fe38 | Łukasz Langa | 07 October 2022, 18:49:28 UTC | [3.9] gh-94208: Add even more TLS version/protocol checks for FreeBSD (#98037) Otherwise, buildbot builds would fail since there's no TLS 1.0/1.1 support. | 07 October 2022, 18:49:28 UTC |
| 77796d0 | Miss Islington (bot) | 06 October 2022, 19:14:32 UTC | [3.9] gh-97897: Prevent os.mkfifo and os.mknod segfaults with macOS 13 SDK (GH-97944) (#97968) The macOS 13 SDK includes support for the `mkfifoat` and `mknodat` system calls. Using the `dir_fd` option with either `os.mkfifo` or `os.mknod` could result in a segfault if cpython is built with the macOS 13 SDK but run on an earlier version of macOS. Prevent this by adding runtime support for detection of these system calls ("weaklinking") as is done for other newer syscalls on macOS. (cherry picked from commit 6d0a0191a4e5477bd843e62c24d7f3bcad4fd5fc) Co-authored-by: Ned Deily <nad@python.org> | 06 October 2022, 19:14:32 UTC |
