ecd9946 | Ned Deily | 05 June 2023, 20:40:12 UTC | Python 3.7.17 | 05 June 2023, 20:45:13 UTC |
417ac32 | Ned Deily | 05 June 2023, 08:50:00 UTC | [3.7] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u. (GH-105308) | 05 June 2023, 08:50:00 UTC |
32590d5 | Miss Islington (bot) | 05 June 2023, 04:08:36 UTC | [3.7] gh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (GH-105223) (cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec) Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com> | 05 June 2023, 04:08:36 UTC |
d28bafa | stratakis | 05 June 2023, 04:02:03 UTC | [3.7] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-104896) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). (cherry picked from commit d7f8a5fe07b0ff3a419ccec434cc405b21a5a304) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> | 05 June 2023, 04:02:03 UTC |
de108bc | Ned Deily | 05 June 2023, 03:51:54 UTC | [3.7] gh-68966: fix versionchanged in docs (GH-105300) | 05 June 2023, 03:51:54 UTC |
1ce801b | Miss Islington (bot) | 27 May 2023, 07:04:28 UTC | [3.7] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104333) (cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4) Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com> | 27 May 2023, 07:04:28 UTC |
4e2dd0c | Miss Islington (bot) | 27 May 2023, 06:41:46 UTC | [3.7] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104122) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 27 May 2023, 06:41:46 UTC |
e168f83 | Pradyun Gedam | 27 May 2023, 06:13:56 UTC | [3.7] gh-101997: Update bundled pip version to 23.0.1 (GH-102273) (cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5) | 27 May 2023, 06:13:56 UTC |
9e22e43 | Ned Deily | 27 May 2023, 05:18:05 UTC | [3.7] Workarounds to allow GitHub Actions macOS CI tests to run for 3.7. (GH-104998) Note that this is intended solely for the current GitHub Actions CI macOS environment, in particular, macOS 12 on Intel-64 only. Out of the box, 3.7.x does not fully support macOS 11 and later systems and does not fully support building or running on Apple Silicon Macs (which were first supported in macOS 11), all of which were released after 3.7 had reached the security-fix-only phase of its life cycle. | 27 May 2023, 05:18:05 UTC |
7522ff7 | Ned Deily | 10 April 2023, 00:13:44 UTC | [3.7] GH-102306 Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK. (GH-102427) Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> | 10 April 2023, 00:13:44 UTC |
00d1d32 | Miss Islington (bot) | 13 March 2023, 23:26:42 UTC | [3.7] gh-102627: Replace address pointing toward malicious web page (GH-102630) (GH-102668) (cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839) Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com> Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 13 March 2023, 23:26:42 UTC |
cbd192b | Steve Dower | 09 February 2023, 19:57:59 UTC | [3.7] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101753) Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org> | 09 February 2023, 19:57:59 UTC |
c7fdc9c | Steve Dower | 09 February 2023, 10:34:52 UTC | [3.7] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101713) Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Oleg Iarygin <dralife@yandex.ru> | 09 February 2023, 10:34:52 UTC |
ecfed4f | Éric | 07 February 2023, 15:21:12 UTC | [3.7] gh-95778: add doc missing in some places (GH-100627) (GH-101631) (cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b) | 07 February 2023, 15:21:12 UTC |
d729c5c | Miss Islington (bot) | 30 January 2023, 18:08:15 UTC | gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424) (cherry picked from commit ea232716d3de1675478db3a302629ba43194c967) Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com> | 30 January 2023, 18:08:15 UTC |
ae3dea3 | Steve Dower | 25 January 2023, 04:00:14 UTC | gh-100180: Update Windows installer to OpenSSL 1.1.1s (GH-100903) (GH-101259) | 25 January 2023, 04:00:14 UTC |
1c33891 | Hugo van Kemenade | 21 January 2023, 23:49:15 UTC | [3.7] Bump Azure Pipelines to ubuntu-20.04 (GH-101089). (GH-101226) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> | 21 January 2023, 23:49:15 UTC |
a6b889e | Miss Islington (bot) | 09 January 2023, 03:09:41 UTC | [3.7] Update copyright year in README (GH-100863) (GH-100865) (#100868) (cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47) Co-authored-by: Ned Deily <nad@python.org> Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com> | 09 January 2023, 03:09:41 UTC |
fbda1c2 | Gregory P. Smith | 09 January 2023, 02:17:13 UTC | [3.7] Correct CVE-2020-10735 documentation (GH-100306). (GH-100699) Co-authored-by: Jeremy Paige <ucodery@gmail.com>. (cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 09 January 2023, 02:17:13 UTC |
798260f | Benjamin Peterson | 08 January 2023, 23:00:43 UTC | [3.7] Update copyright years to 2023. (gh-100853) * [3.7] Update copyright years to 2023. (gh-100848). (cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d) Co-authored-by: Benjamin Peterson <benjamin@python.org> * Update additional copyright years to 2023. Co-authored-by: Ned Deily <nad@python.org> | 08 January 2023, 23:00:43 UTC |
91cdd75 | Ned Deily | 06 December 2022, 20:30:32 UTC | Post 3.7.16 | 06 December 2022, 20:30:32 UTC |
3f82aa7 | Ned Deily | 06 December 2022, 18:58:45 UTC | Python 3.7.16 | 06 December 2022, 19:00:00 UTC |
b5bdf6a | Miss Islington (bot) | 05 December 2022, 23:10:10 UTC | [3.7] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (GH-100034) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 05 December 2022, 23:10:10 UTC |
b0b590b | Miss Islington (bot) | 08 November 2022, 03:22:14 UTC | [3.7] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99232) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> | 08 November 2022, 03:22:14 UTC |
64e95f2 | Miss Islington (bot) | 28 October 2022, 10:06:50 UTC | [3.7] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98788) Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680. Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com> (cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299) | 28 October 2022, 10:06:50 UTC |
8088c90 | Miss Islington (bot) | 22 October 2022, 03:37:54 UTC | [3.7] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (GH-98528) This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com> | 22 October 2022, 03:37:54 UTC |
e7fe111 | Miss Islington (bot) | 11 October 2022, 21:14:05 UTC | [3.7] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98195) gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness. (cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 11 October 2022, 21:14:05 UTC |
6e8e9e7 | Miss Islington (bot) | 11 October 2022, 20:27:14 UTC | [3.7] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (GH-98191) gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba) Co-authored-by: Petr Viktorin <encukou@gmail.com> | 11 October 2022, 20:27:14 UTC |
6d576a4 | Ned Deily | 11 October 2022, 07:36:35 UTC | Post release updates | 11 October 2022, 07:36:35 UTC |
9de83ce | Ned Deily | 10 October 2022, 12:34:53 UTC | 3.7.15 | 10 October 2022, 12:34:53 UTC |
c7ec780 | Victor Stinner | 05 October 2022, 21:56:13 UTC | [3.7] gh-97612: Fix shell injection in get-remote-certificate.py (#97613) (#97634) Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt. Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead. Co-authored-by: Caleb Shortt <caleb@rgauge.com> (cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341) | 05 October 2022, 21:56:13 UTC |
fd82f16 | Miss Islington (bot) | 05 October 2022, 21:55:53 UTC | [3.7] gh-97616: list_resize() checks for integer overflow (GH-97617) (#97629) Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)). (cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf) Co-authored-by: Victor Stinner <vstinner@python.org> | 05 October 2022, 21:55:53 UTC |
98884f5 | Victor Stinner | 05 October 2022, 21:55:28 UTC | [3.7] gh-96848: Fix -X int_max_str_digits option parsing (#96988) (#97576) Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. (cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8) | 05 October 2022, 21:55:28 UTC |
46796ed | Miss Islington (bot) | 05 October 2022, 21:54:39 UTC | [3.7] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (#97014) Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> (cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 05 October 2022, 21:54:39 UTC |
7fcfa94 | Miss Islington (bot) | 04 October 2022, 18:59:43 UTC | [3.7] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97836) [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message. (cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d) Co-authored-by: Ned Deily <nad@python.org> (cherry picked from commit 41188134bd2120f0cedd681ed88743c11c7f3742) Co-authored-by: Victor Stinner <vstinner@python.org> | 04 October 2022, 18:59:43 UTC |
8fc2635 | Miss Islington (bot) | 13 September 2022, 00:37:33 UTC | gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96659) (cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d) Co-authored-by: Steve Dower <steve.dower@python.org> | 13 September 2022, 00:37:33 UTC |
086cca4 | Ned Deily | 07 September 2022, 02:26:28 UTC | Post release updates | 07 September 2022, 02:26:28 UTC |
e1ebdc5 | roy reznik | 11 April 2022, 15:10:34 UTC | gh-91423: Remove bugs.python.org from bugs.rst (GH-91425) Co-authored-by: Inada Naoki <songofacandy@gmail.com> Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> | 06 September 2022, 07:11:33 UTC |
61e371a | Ned Deily | 06 September 2022, 06:57:17 UTC | 3.7.14 | 06 September 2022, 06:57:17 UTC |
8feefc2 | Ned Deily | 06 September 2022, 06:34:50 UTC | Move doc build dependencies to Doc/requirements.txt (GH-96607) This makes 3.7 doc builds similar to later releases, simplifying build tooling. | 06 September 2022, 06:34:50 UTC |
15ec1af | Gregory P. Smith | 06 September 2022, 05:24:36 UTC | [3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (GH-96504) Converting between `int` and `str` in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a `ValueError` if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735). This new limit can be configured or disabled by environment variable, command line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length Limitation` documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson. | 06 September 2022, 05:24:36 UTC |
d5fe995 | Gregory P. Smith | 02 September 2022, 03:53:11 UTC | bpo-35036: Remove empty log line in the suspicious.py tool (GH-10024) (GH-96498) Previous to commit ee171a2 the logline was working because self.info() (now deprecated) defaults to an empty message. Co-authored-by: Xtreak <tirkarthi@users.noreply.github.com> | 02 September 2022, 03:53:11 UTC |
6fde293 | Gregory P. Smith | 02 September 2022, 03:46:48 UTC | [3.7] fix CI on macOS due to infrastructure changes (GH-96493) * Add ABI and generated files checks to CI. This includes checking in an initial Abigail ABI definition for 3.7. * Backport ctypes test_macholib fix from b29d0a5a7811418c0a1082ca188fd4850185e290. This is required for the 3.7 tree to pass on modern macOS. * annotate test_bad_password @requires_zlib. I don't know why, but macOS in 3.7 CI is failing to build the zlib module these days so it's exposing this test that didn't have the proper `@requires_zlib` annotation. Getting it to build with zlib and other things that are now wrongly "missing" in the 3.7 CI setup would be nice, but probably involves invasive backporting of parts of https://github.com/python/cpython/commit/b29d0a5a7811418c0a1082ca188fd4850185e290 by a macOS domain expert. Not worth it. * disable MachOTest.test_find unless macOS 11+ support is backported. This test also appears to require changes to Lib/ctypes/macholib/dyld.py to work in the existing macOS CI config. I'm just skipping it, backporting that would be a feature. Not going to happen in 3.7. There may be a way to configure macOS CI to use an older macOS and toolchain instead as an alternate option. Someone else can figure that out if so. This branch only lives for another 9 months per https://peps.python.org/pep-0537/ * LOL at my typo Co-authored-by: Ned Deily <nad@python.org> | 02 September 2022, 03:46:48 UTC |
9d58933 | Miss Islington (bot) | 02 September 2022, 03:28:11 UTC | bpo-40548: Fix "Check for source changes (pull_request)" GH Action job (GH-21806) (GH-92342) On Git 2.28, "git diff master..." (3 dots) no longer works when "fetch --depth=1" is used, whereas it works on Git 2.26. Replace "..." (3 dots) with ".." (2 dots) in the "git diff" command computing the list of modified files between the base branch and the PR branch. (cherry picked from commit eaa551702d80fd67219c48ee6a13ffb571ca360b) Co-authored-by: Victor Stinner <vstinner@python.org> | 02 September 2022, 03:28:11 UTC |
9da3502 | Gregory P. Smith | 01 September 2022, 22:17:14 UTC | [3.7] Fix the Windows CI config. (GH-96490) * Add ABI and generated files checks to CI. * Fix the Windows CI config. This matches what 3.8 did in 899eb4167264a17ba703677814d69d4f7dcaea41. | 01 September 2022, 22:17:14 UTC |
bb8e49b | Miss Islington (bot) | 01 September 2022, 19:23:27 UTC | bpo-41306: Allow scale value to not be rounded (GH-21715) (GH-96484) This fixes the test failure with Tk 6.8.10 which is caused by changes to how Tk rounds the `from`, `to` and `tickinterval` arguments. This PR uses `noconv` if the patchlevel is greater than or equal to 8.6.10 (credit to Serhiy for this idea as it is much simpler than what I previously proposed). Going into more detail for those who want it, the Tk change was made in [commit 591f68c](https://github.com/tcltk/tk/commit/591f68cb382525b72664c6fecaab87742b6cc87a) and means that the arguments listed above are rounded relative to the value of `from`. However, when rounding the `from` argument ([line 623](https://github.com/tcltk/tk/blob/591f68cb382525b72664c6fecaab87742b6cc87a/generic/tkScale.cGH-L623)), it is rounded relative to itself (i.e. rounding `0`) and therefore the assigned value for `from` is always what is given (no matter what values of `from` and `resolution`). Automerge-Triggered-By: @pablogsal (cherry picked from commit aecf036738a404371303e770f4ce4fd9f7d43de7) Co-authored-by: E-Paine <63801254+E-Paine@users.noreply.github.com> | 01 September 2022, 19:23:27 UTC |
c199831 | Łukasz Langa | 27 July 2022, 21:45:05 UTC | [3.7] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) (GH-95314) Three test cases were failing on FreeBSD with latest OpenSSL. (cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c) Co-authored-by: Christian Heimes <christian@python.org> | 27 July 2022, 21:45:05 UTC |
dfc5e45 | Dong-hee Na | 14 July 2022, 19:33:14 UTC | [3.7] gh-90359: Update documentation to follow PEP 495. (gh-94800). (gh-94833) (cherry picked from commit 07374cce52abb7fd39729dc1b646ca3029b64c64) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 14 July 2022, 19:33:14 UTC |
239b2d9 | Łukasz Langa | 01 July 2022, 16:50:36 UTC | [3.7] gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94496) (cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf) Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com> | 01 July 2022, 16:50:36 UTC |
8a34afd | Miss Islington (bot) | 22 June 2022, 22:05:00 UTC | gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94095) Fix an open redirection vulnerability in the `http.server` module when a URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 22 June 2022, 22:05:00 UTC |
9b13df4 | Miss Islington (bot) | 22 June 2022, 14:26:43 UTC | gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885) (GH-94126) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> (cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f) Co-authored-by: Illia Volochii <illia.volochii@gmail.com> | 22 June 2022, 14:26:43 UTC |
3a4ca49 | Łukasz Langa | 23 May 2022, 21:11:19 UTC | [3.7] gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93149) Also while there, clarify a few things about why we reduce the hash to 32 bits. Co-authored-by: Eli Libman <eli@hyro.ai> Co-authored-by: Yury Selivanov <yury@edgedb.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5) | 23 May 2022, 21:11:19 UTC |
2a353b2 | Erlend Egeberg Aasland | 23 May 2022, 21:09:12 UTC | [3.7] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (GH-92334) (cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b) Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> | 23 May 2022, 21:09:12 UTC |
aebbd75 | Ned Deily | 10 May 2022, 04:37:43 UTC | gh-92448: Update the documentation builder to render the GitHub issue (GH-92600) | 10 May 2022, 04:37:43 UTC |
73317e3 | Ezio Melotti | 10 May 2022, 04:15:41 UTC | [3.7] gh-91888: add a `:gh:` role to the documentation (GH-91889) (GH-91937) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>. Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> (cherry picked from commit f7641a2ffec243e5f600028a84debe9028a9ee44) | 10 May 2022, 04:15:41 UTC |
5da1197 | Miss Islington (bot) | 10 May 2022, 04:05:14 UTC | Add redirects to Misc/NEWS bpo links (GH-91454) (GH-91894) (cherry picked from commit 17dbb6bc10ca8a8b602335414c047294f00afcbe) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> | 10 May 2022, 04:05:14 UTC |
6fd61c9 | Ezio Melotti | 10 May 2022, 04:04:07 UTC | [3.7] Update Sphinx bpo role to use redirect URI. (GH-91893) (cherry picked from commit 08cfe079503ffd19d8b7ab324f0fdb1c6b150ca8) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> | 10 May 2022, 04:04:07 UTC |
5adef3d | Miss Islington (bot) | 06 May 2022, 17:02:47 UTC | bpo-42773: fix tests not being run on pushes (GH-24004) (GH-92341) There was a typo: we were checking if the "GITHUB_BASE_REF" string literal was empty instead of the $GITHUB_BASE_REF value. When $GITHUB_BASE_REF is empty, the action that triggered the run was not a pull request, so we always run the full test suite. Signed-off-by: Filipe Laíns <lains@riseup.net> (cherry picked from commit 4ac923f2756f835f512339ee181348cc535ab07f) | 06 May 2022, 17:02:47 UTC |
387f93c | Miss Islington (bot) | 04 April 2022, 03:27:22 UTC | bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32251) (cherry picked from commit 6066739ff7794e54c98c08b953a699cbc961cd28) Co-authored-by: Zachary Ware <zach@python.org> | 04 April 2022, 03:27:22 UTC |
d97497b | Steve Dower | 29 March 2022, 19:10:57 UTC | bpo-47138: Ensure Windows docs build uses the same pinned version as other platforms (GH-32182) | 29 March 2022, 19:10:57 UTC |
25f00bf | m-aciek | 28 March 2022, 17:05:01 UTC | bpo-47138: Fix documentation build by pinning Jinja version to 3.0.3 (GH-32111) | 28 March 2022, 17:05:01 UTC |
d4a93e4 | Ned Deily | 16 March 2022, 15:30:13 UTC | Post release updates | 16 March 2022, 15:30:13 UTC |
000593c | Ned Deily | 16 March 2022, 13:27:21 UTC | 3.7.13 | 16 March 2022, 13:27:21 UTC |
4a1d65f | Miss Islington (bot) | 16 March 2022, 02:00:23 UTC | bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) (GH-31925) (cherry picked from commit 708812085355c92f32e547d1f1d1f29aefbbc27e) Co-authored-by: Steve Dower <steve.dower@python.org> | 16 March 2022, 02:00:23 UTC |
b620446 | Ned Deily | 15 March 2022, 19:30:49 UTC | bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n. (GH-31911) | 15 March 2022, 19:30:49 UTC |
5263afe | Ned Deily | 15 March 2022, 15:32:37 UTC | Tidy changelog by removing redundant intermediate expat update items. (GH-31907) | 15 March 2022, 15:32:37 UTC |
720bb45 | Ned Deily | 15 March 2022, 07:18:39 UTC | bpo-45405: Prevent internal configure error when running configure with recent versions of clang. (GH-28845) (GH-31890) Change the configure logic to function properly on macOS when the compiler outputs a platform triplet for option --print-multiarch. The Apple Clang included with Xcode 13.3 now supports --print-multiarch causing configure to fail without this change. Co-authored-by: Ned Deily <nad@python.org> (cherry picked from commit 9c4766772cda67648184f8ddba546a5fc0167f91) Co-authored-by: David Bohman <debohman@gmail.com> | 15 March 2022, 07:18:39 UTC |
80cc10f | Ned Deily | 14 March 2022, 21:01:11 UTC | Revert "bpo-46986: Upgrade bundled setuptools to 60.9.3 (GH-31820)" (GH-31882) This reverts commit 0fbab8a593dcd94cfc788700dd9bf67a73f85920 as it breaks test_bdb and test_distutils with installed Pythons. | 14 March 2022, 21:01:11 UTC |
0fbab8a | Ned Deily | 13 March 2022, 21:39:58 UTC | bpo-46986: Upgrade bundled setuptools to 60.9.3 (GH-31820) (GH-31861) (cherry picked from commit c99ac3c364ee21be72263791b71ee8b55f64de08) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net> | 13 March 2022, 21:39:58 UTC |
5a8e968 | Ned Deily | 13 March 2022, 19:58:02 UTC | bpo-46985: Upgrade bundled pip to 22.0.4 (GH-31819) (GH-31852) (cherry picked from commit d87f1b787ed38dfd307d82452f2efe9dc5b93942) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net> | 13 March 2022, 19:58:02 UTC |
f656bc1 | Miss Islington (bot) | 07 March 2022, 23:11:09 UTC | bpo-46932: Update bundled libexpat to 2.4.7 (GH-31736) (GH-31741) (cherry picked from commit 176835c3d5c70f4c1b152cc2062b549144e37094) Co-authored-by: Steve Dower <steve.dower@python.org> | 07 March 2022, 23:11:09 UTC |
4a3c610 | Steve Dower | 07 March 2022, 19:34:46 UTC | bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31735) | 07 March 2022, 19:34:46 UTC |
9747627 | Steve Dower | 07 March 2022, 17:37:20 UTC | bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31730) | 07 March 2022, 17:37:20 UTC |
31fef7e | Miss Islington (bot) | 25 February 2022, 17:49:43 UTC | bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31573) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed authorization to be bypassed. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | 25 February 2022, 17:49:43 UTC |
15d7594 | Miss Islington (bot) | 23 February 2022, 21:51:08 UTC | bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) (GH-31521) (cherry picked from commit 1935e1cc284942bec8006287c939e295e1a7bf13) Co-authored-by: Dong-hee Na <donghee.na@python.org> | 23 February 2022, 21:51:08 UTC |
24a549f | Miss Islington (bot) | 21 February 2022, 19:44:49 UTC | Update copyright year to 2022. (GH-30335) (GH-31477) Automerge-Triggered-By: GH:benjaminp (cherry picked from commit ba00f0d93a4aea85ae8089f139856a7c450584d7) Co-authored-by: Benjamin Peterson <benjamin@python.org> | 21 February 2022, 19:44:49 UTC |
61f3c30 | Miss Islington (bot) | 21 February 2022, 19:18:26 UTC | bpo-46784: Add newly exported expat symbols to the namespace. (GH-31397) (GH-31418) The libexpat 2.4.1 upgrade from introduced the following new exported symbols: * `testingAccountingGetCountBytesDirect` * `testingAccountingGetCountBytesIndirect` * `unsignedCharToPrintable` * `XML_SetBillionLaughsAttackProtectionActivationThreshold` * `XML_SetBillionLaughsAttackProtectionMaximumAmplification` We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h) (The newer libexpat upgrade has no new symbols). Automerge-Triggered-By: GH:gpshead (cherry picked from commit 6312c1052c0186b4596fc45c42fd3ade9f8f5911) Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com> | 21 February 2022, 19:18:26 UTC |
d4f5bb9 | Miss Islington (bot) | 21 February 2022, 19:03:08 UTC | bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31471) Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them as invalid URIs. libexpat >=2.4.5 has become stricter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython. References: - https://datatracker.ietf.org/doc/html/rfc3968 - https://www.w3.org/TR/xml-names/ Also, test_minidom.py: Support Expat >=2.4.5 (cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) Co-authored-by: Sebastian Pipping <sebastian@pipping.org> | 21 February 2022, 19:03:08 UTC |
5fdacac | Dong-hee Na | 21 February 2022, 18:45:55 UTC | bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31298) Co-authored-by: Cyril Jouve <jv.cyril@gmail.com> | 21 February 2022, 18:45:55 UTC |
7a58509 | Ned Deily | 21 February 2022, 17:58:35 UTC | bpo-45618: Fix documentation build by pinning Docutils version to 0.17.1 (GH-31476) | 21 February 2022, 17:58:35 UTC |
811f65b | Ned Deily | 28 December 2021, 07:08:54 UTC | bpo-41028: use generic version links in Docs index. | 02 January 2022, 22:55:22 UTC |
d5650a1 | Ned Deily | 04 September 2021, 21:58:07 UTC | Post release updates | 04 September 2021, 21:58:07 UTC |
1f97973 | Ned Deily | 04 September 2021, 03:49:21 UTC | 3.7.12 | 04 September 2021, 03:49:21 UTC |
79101b8 | Łukasz Langa | 31 August 2021, 05:11:53 UTC | [3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS. Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl>. (cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d) | 31 August 2021, 05:11:53 UTC |
d2cc04c | Miss Islington (bot) | 30 August 2021, 19:16:24 UTC | [3.7] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28037) Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019) | 30 August 2021, 19:16:24 UTC |
e9b85af | Miss Islington (bot) | 30 August 2021, 18:48:04 UTC | bpo-45001: Make email date parsing more robust against malformed input (GH-27946) (GH-27975) Various date parsing utilities in the email module, such as email.utils.parsedate(), are supposed to gracefully handle invalid input, typically by raising an appropriate exception or by returning None. The internal email._parseaddr._parsedate_tz() helper used by some of these date parsing routines tries to be robust against malformed input, but unfortunately it can still crash ungracefully when a non-empty but whitespace-only input is passed. This manifests as an unexpected IndexError. In practice, this can happen when parsing an email with only a newline inside a ‘Date:’ header, which unfortunately happens occasionally in the real world. Here's a minimal example: $ python Python 3.9.6 (default, Jun 30 2021, 10:22:16) [GCC 11.1.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import email.utils >>> email.utils.parsedate('foo') >>> email.utils.parsedate(' ') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate t = parsedate_tz(data) File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz res = _parsedate_tz(data) File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz if data[0].endswith(',') or data[0].lower() in _daynames: IndexError: list index out of range The fix is rather straight-forward: guard against empty lists, after splitting on whitespace, but before accessing the first element. (cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac) Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee> | 30 August 2021, 18:48:04 UTC |
041bfaf | Ned Deily | 05 July 2021, 23:46:32 UTC | Fix Sphinx directive typo in 3.7.11 changelog. | 05 July 2021, 23:46:32 UTC |
16ef0f9 | Ned Deily | 28 June 2021, 18:33:52 UTC | Post release updates | 28 June 2021, 18:33:52 UTC |
9da28d2 | Ned Deily | 28 June 2021, 16:51:36 UTC | 3.7.11 | 28 June 2021, 16:51:36 UTC |
fee9642 | Miss Islington (bot) | 03 June 2021, 04:23:40 UTC | bpo-44022: Improve the regression test. (GH-26503) (GH-26507) It wasn't actually detecting the regression due to the assertion being too lenient. (cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 03 June 2021, 04:23:40 UTC |
c723d51 | Senthil Kumaran | 20 May 2021, 20:15:01 UTC | [3.7] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.7.11 (GH-26267) Co-authored-by: Gregory P. Smith <greg@krypto.org> | 20 May 2021, 20:15:01 UTC |
1beae7e | Zachary Ware | 07 May 2021, 19:36:32 UTC | [3.7] bpo-40297: Fix test_socket.CANTest.testSendFrame (GH-25960) | 07 May 2021, 19:36:32 UTC |
078b146 | Miss Islington (bot) | 06 May 2021, 17:10:13 UTC | bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (GH-25934) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d) Co-authored-by: Gen Xu <xgbarry@gmail.com> | 06 May 2021, 17:10:13 UTC |
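The bpo-44022 entry above describes a server that answers `100 Continue` and then keeps the client reading header lines. The following is an added example, not CPython's own code: a loopback server thread that sends exactly that (a `100 Continue` status line followed by header lines and never the blank line that ends them), and an `http.client` request against it. A client with the fix stops at http.client's header cap of 100 and raises `HTTPException` instead of reading until the server decides to stop. The server behaviour, the helper names `_continue_flood_server` and `probe_continue_flood`, and the header count are constructed for this example; the cap of 100 is http.client's `_MAXHEADERS` as of the fix.

```python
"""Added example (not CPython's own code): a local server that answers
'100 Continue' and then streams header lines without ever sending the blank
line that ends them, the pattern bpo-44022 is about. A client with the fix
gives up after http.client's header limit instead of reading forever.

Assumptions, labelled: the server behaviour and the helper names are
constructed for this example; the header cap of 100 is http.client's
_MAXHEADERS as of the fix.
"""
import http.client
import socket
import threading


def _continue_flood_server(listener, header_lines):
    """Accept one client, consume its request, then reply with '100 Continue'
    followed by ``header_lines`` headers and no terminating blank line."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        payload = b"HTTP/1.1 100 Continue\r\n" + b"X-Pad: a\r\n" * header_lines
        try:
            conn.sendall(payload)
            conn.shutdown(socket.SHUT_WR)   # EOF after the flood, so the run ends
        except OSError:
            pass                            # client already gave up and closed


def probe_continue_flood(header_lines=150, timeout=5.0):
    """Run the hostile server on a loopback port and describe what the client does."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(
        target=_continue_flood_server, args=(listener, header_lines), daemon=True
    )
    server.start()

    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/")
        response = conn.getresponse()   # fixed clients raise inside here
        outcome = "response status %d" % response.status
    except http.client.HTTPException as exc:
        outcome = "%s: %s" % (type(exc).__name__, exc)
    finally:
        conn.close()
        server.join(timeout)
        listener.close()
    return outcome


if __name__ == "__main__":
    print(probe_continue_flood())
```

The example sends a finite flood and then closes so it terminates on any interpreter; a real attacker would simply never stop, which is why the fix counts lines rather than waiting for the blank line or EOF. Setting a socket `timeout` on the connection, as done here, bounds idle reads but not a server that keeps sending, so it is not a substitute for the fix.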
f4dac7e | Miss Islington (bot) | 06 May 2021, 16:52:36 UTC | [3.7] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25923) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4) Co-authored-by: Senthil Kumaran <senthil@uthcode.com> (cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 06 May 2021, 16:52:36 UTC |
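The bpo-43882 entry above says only that `urllib.parse` sanitizes ASCII newline and tab. The following is an added example, not CPython's own code: it shows how `urlsplit()` reports a URL with those characters after the change, and places beside it an application-side check that rejects them instead of letting the parser silently drop them. The URLs are constructed; `parse_with_library`, `is_safe_url` and `host_allowed` are this example's names. The check rejects every ASCII control character, which goes beyond the three characters the fix strips; that is this example's choice.

```python
"""Added example (not CPython's own code): how urlsplit() treats ASCII tab,
CR and LF after this change, next to an application-side check that rejects
them outright.

Assumptions, labelled: the URLs are constructed; is_safe_url and
parse_with_library are this example's names. The check rejects every ASCII
control character, which goes beyond the three characters the fix strips;
that is this example's choice.
"""
from urllib.parse import urlsplit

# Characters this fix strips before parsing. A hostname check that looked at
# the raw string could see a different host than the parser now reports.
STRIPPED_CHARS = "\t\r\n"


def parse_with_library(url):
    """(hostname, path) as the library now reports them."""
    parts = urlsplit(url)
    return parts.hostname, parts.path


def is_safe_url(url):
    """Reject any ASCII control character (0x00-0x1F, 0x7F) before parsing."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in url)


def host_allowed(url, allowed_host):
    """Hardened allowlist: refuse control characters first, then compare the
    hostname the library actually parses."""
    if not is_safe_url(url):
        return False
    return parse_with_library(url)[0] == allowed_host


if __name__ == "__main__":
    # Constructed inputs: the second one hides a line break inside the host.
    print(parse_with_library("http://example.com/a\tb\nc"))
    print(parse_with_library("https://example.com\r\n.attacker.test/"))
    print(host_allowed("https://example.com/", "example.com"))
    print(host_allowed("https://example.com\n.attacker.test/", "example.com"))
```

Rejecting is the safer default for anything that later hands the URL to another component: after stripping, `example.com\r\n.attacker.test` becomes `example.com.attacker.test`, so a consumer that parsed the raw string before the fix and one that parses it after can disagree about the host.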
ada1499 | Miss Islington (bot) | 04 May 2021, 12:46:40 UTC | bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (#25249) Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. (cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1) Co-authored-by: Yeting Li <liyt@ios.ac.cn> | 04 May 2021, 12:46:40 UTC |
512742d | Miss Islington (bot) | 03 May 2021, 20:26:18 UTC | bpo-41561: Fix testing with OpenSSL 1.0.2 (GH-25355) (GH-25858) Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 3447750073aff229b049e4ccd6217db2811dcfd1) Co-authored-by: Christian Heimes <christian@python.org> | 03 May 2021, 20:26:18 UTC |
64be96a | Christian Heimes | 03 May 2021, 19:58:38 UTC | [3.7] bpo-41561: Add workaround for Ubuntu's custom security level (GH-24915) (GH-24928) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4) Co-authored-by: Christian Heimes <christian@python.org> | 03 May 2021, 19:58:38 UTC |
2f01c56 | Pablo Galindo | 29 March 2021, 23:24:17 UTC | [3.7] bpo-43660: Fix crash when displaying exceptions with custom values for sys.stderr (GH-25075). (GH-25085) (cherry picked from commit 09b90a037d18f5d4acdf1b14082e57bda78e85d3) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> | 29 March 2021, 23:24:17 UTC |
7c2284f | Miss Islington (bot) | 29 March 2021, 15:39:05 UTC | bpo-42988: Remove the pydoc getfile feature (GH-25015) (#25066) CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) Co-authored-by: Victor Stinner <vstinner@python.org> | 29 March 2021, 15:39:05 UTC |
7937395 | Miss Islington (bot) | 16 March 2021, 21:19:55 UTC | [3.7] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881) (GH-24883) The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else. For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True. (cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e) Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 664d1d16274b47eea6ec92572e1ebf3939a6fa0c) | 16 March 2021, 21:19:55 UTC |
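The bpo-43285 entry above states the rule: take the port from the PASV reply, but connect to the address the control connection already uses unless `trust_server_pasv_ipv4_address` is set. The following is an added example, not CPython's own code: it writes that rule out on top of ftplib's public `parse227()` so it can be run against a captured PASV reply with no server involved, and reads back the library's default for the opt-in attribute. `choose_data_address` and `library_default` are this example's names; the peer address and the PASV replies are constructed.

```python
"""Added example (not CPython's own code): the address-selection rule this
change introduces, written out with ftplib's public parse227() so it can be
run against a captured PASV reply without a server.

Assumptions, labelled: choose_data_address and library_default are this
example's names; the control-connection peer address and the PASV replies
are constructed. The attribute name trust_server_pasv_ipv4_address is the one
the log entry gives.
"""
import ftplib


def choose_data_address(control_peer_ip, pasv_reply,
                        trust_server_pasv_ipv4_address=False):
    """Return (host, port) for the data connection.

    The port always comes from the server's reply; the host does only when the
    caller opts back into the old behaviour, otherwise it is the address the
    control connection is already talking to.
    """
    untrusted_host, port = ftplib.parse227(pasv_reply)   # raises on malformed replies
    if trust_server_pasv_ipv4_address:
        return untrusted_host, port
    return control_peer_ip, port


def library_default():
    """The default of the opt-in attribute on ftplib.FTP (None if this
    interpreter predates the fix)."""
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None)


if __name__ == "__main__":
    peer = "203.0.113.7"                 # where the control socket is connected
    # Constructed hostile reply: points the data connection at an internal host
    # and port, which is how a server would probe the client's network.
    hostile = "227 Entering Passive Mode (10,0,0,5,0,22)"
    print(choose_data_address(peer, hostile))
    print(choose_data_address(peer, hostile, trust_server_pasv_ipv4_address=True))
    print(library_default())
```

The hostile reply still yields port 22, so an FTP server can direct the client at any port on the server's own address; what the fix removes is the server's ability to choose a different address, which is the part that turned the client into a scanner for hosts it could reach.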