gh-100001: python -m rver no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). gh-68966: The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands to address CVE-2015-20107.Filesystem based socket permissions restrict this to the forkserver process user as was the default in Python 3.8 and earlier. This was a potential privilege escalation. This prevents Linux CVE-2022-42919 (potential privilege escalation) as abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. Only code that chooses to use the “forkserver” start method is affected. gh-97514: On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace.Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm to fix CVE-2022-45061.gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix CVE-2022-37454.Python 3.11 is now the latest feature release series of Python 3. Note: The release you're looking at is Python 3.9.16, a security bugfix release for the legacy 3.9 series. 6, 2022 This is a security release of Python 3.9
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |