[Buildroot] [PATCH] package/python3: security bump to version 3.9.5
Peter Korsgaard
peter at korsgaard.com
Sat May 8 14:39:45 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> - bpo-43434: Creating a sqlite3.Connection object now also produces a
> sqlite3.connect auditing event. Previously this event was only produced
> by sqlite3.connect() calls. Patch by Erlend E. Aasland.
> - bpo-43882: The presence of newline or tab characters in parts of a URL
> could allow some forms of attacks.
> Following the controlling specification for URLs defined by WHATWG
> urllib.parse() now removes ASCII newlines and tabs from URLs, preventing
> such attacks.
> - bpo-43472: Ensures interpreter-level audit hooks receive the
> cpython.PyInterpreterState_New event when called through the
> _xxsubinterpreters module.
> - bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
> address strings. Leading zeros are ambiguous and interpreted as octal
> notation by some libraries. For example the legacy function
> socket.inet_aton() treats leading zeros as octal notation. glibc
> implementation of modern inet_pton() does not accept any leading zeros.
> For a while the ipaddress module used to accept ambiguous leading zeros.
> - bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
> in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
> has quadratic worst-case complexity and it allows causing a denial of
> service when identifying crafted invalid RFCs. This ReDoS issue is on the
> client side and needs remote attackers to control the HTTP server.
> - bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
> and generator code/frame attribute access.
> https://www.python.org/downloads/release/python-395/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
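As an added example (not part of this patch or the Buildroot tree), a small Python check that probes whether an interpreter carries the bpo-36384 (ipaddress leading zeros) and bpo-43882 (urllib.parse control characters) behaviour changes listed above, plus two application-side helpers for builds that still ship an older Python. Function names are my own.

```python
import ipaddress
import sys
import urllib.parse

# WHATWG URL parsing strips ASCII tab, CR and LF; the bpo-43882 fix
# removes the same three characters before urllib.parse splits the URL.
_URL_CONTROLS = "\t\r\n"


def strip_url_controls(url: str) -> str:
    """Remove tab, CR and LF anywhere in the URL, as patched urllib.parse does."""
    return url.translate({ord(c): None for c in _URL_CONTROLS})


def is_ambiguous_ipv4(text: str) -> bool:
    """True if text is a dotted quad with a leading-zero octet (e.g. "010.0.0.1").

    Such strings are read as octal by inet_aton() but rejected by glibc's
    inet_pton(), which is the ambiguity bpo-36384 closes; a single "0" is fine.
    """
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return False  # not a dotted quad at all; leave that to ipaddress
    return any(len(p) > 1 and p.startswith("0") for p in parts)


def check_interpreter() -> dict:
    """Report whether the running interpreter shows the two patched behaviours."""
    try:
        ipaddress.ip_address("010.0.0.1")  # constructed ambiguous address
        rejects_leading_zeros = False
    except ValueError:
        rejects_leading_zeros = True
    # A patched urlsplit drops the tab, so the path becomes "/path", not "/\tpath".
    parsed = urllib.parse.urlsplit("http://example.com/\tpath")
    strips_controls = parsed.path == "/path"
    return {
        "python": sys.version.split()[0],
        "ipv4_rejects_leading_zeros": rejects_leading_zeros,
        "urlsplit_strips_tab_cr_lf": strips_controls,
    }


if __name__ == "__main__":
    print(check_interpreter())
```

Running it under the Buildroot target's python3 (both keys True) confirms the bump took effect without grepping version strings.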