blob: 408cd9ca300cd3d8cda34e285c0fbbd89bc3defc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
.. date: 2022-12-05-01-39-10
.. gh-issue: 100001
.. nonce: uD05Fc
.. release date: 2022-12-06
.. section: Security
``python -m http.server`` no longer allows terminal control characters sent
within a garbage request to be printed to the stderr server log.
This is done by changing the :mod:`http.server`
:class:`BaseHTTPRequestHandler` ``.log_message`` method to replace control
characters with a ``\xHH`` hex escape before printing.
..
.. date: 2022-11-11-12-50-28
.. gh-issue: 87604
.. nonce: OtwH5L
.. section: Security
Avoid publishing list of active per-interpreter audit hooks via the
:mod:`gc` module
..
.. date: 2022-11-04-09-29-36
.. gh-issue: 98433
.. nonce: l76c5G
.. section: Security
The IDNA codec decoder used on DNS hostnames by :mod:`socket` or
:mod:`asyncio` related name resolution functions no longer involves a
quadratic algorithm. This prevents a potential CPU denial of service if an
out-of-spec excessive length hostname involving bidirectional characters
were decoded. Some protocols such as :mod:`urllib` http ``3xx`` redirects
potentially allow for an attacker to supply such a name.
..
.. date: 2022-10-26-21-04-23
.. gh-issue: 98739
.. nonce: keBWcY
.. section: Security
Update bundled libexpat to 2.5.0
..
.. date: 2022-10-21-13-31-47
.. gh-issue: 98517
.. nonce: SXXGfV
.. section: Security
Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
..
.. date: 2022-09-07-10-42-00
.. gh-issue: 97514
.. nonce: Yggdsl
.. section: Security
On Linux the :mod:`multiprocessing` module returns to using filesystem
backed unix domain sockets for communication with the *forkserver* process
instead of the Linux abstract socket namespace. Only code that chooses to
use the :ref:`"forkserver" start method <multiprocessing-start-methods>` is
affected.
Abstract sockets have no permissions and could allow any user on the system
in the same `network namespace
<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often
the whole system) to inject code into the multiprocessing *forkserver*
process. This was a potential privilege escalation. Filesystem based socket
permissions restrict this to the *forkserver* process user as was the
default in Python 3.8 and earlier.
This prevents Linux `CVE-2022-42919
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
..
.. date: 2022-04-27-18-25-30
.. gh-issue: 68966
.. nonce: gjS8zs
.. section: Security
The deprecated mailcap module now refuses to inject unsafe text (filenames,
MIME types, parameters) into shell commands. Instead of using such text, it
will warn and act as if a match was not found (or for test commands, as if
the test failed).
|
