|
| 1 | +.. date: 2022-12-05-01-39-10 |
| 2 | +.. gh-issue: 100001 |
| 3 | +.. nonce: uD05Fc |
| 4 | +.. release date: 2022-12-06 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +``python -m http.server`` no longer allows terminal control characters sent |
| 8 | +within a garbage request to be printed to the stderr server log. |
| 9 | + |
| 10 | +This is done by changing the :mod:`http.server` |
| 11 | +:class:`BaseHTTPRequestHandler` ``.log_message`` method to replace control |
| 12 | +characters with a ``\xHH`` hex escape before printing. |
| 13 | + |
| 14 | +.. |
| 15 | +
|
| 16 | +.. date: 2022-11-11-12-50-28 |
| 17 | +.. gh-issue: 87604 |
| 18 | +.. nonce: OtwH5L |
| 19 | +.. section: Security |
| 20 | +
|
| 21 | +Avoid publishing list of active per-interpreter audit hooks via the |
| 22 | +:mod:`gc` module |
| 23 | + |
| 24 | +.. |
| 25 | +
|
| 26 | +.. date: 2022-11-04-09-29-36 |
| 27 | +.. gh-issue: 98433 |
| 28 | +.. nonce: l76c5G |
| 29 | +.. section: Security |
| 30 | +
|
| 31 | +The IDNA codec decoder used on DNS hostnames by :mod:`socket` or |
| 32 | +:mod:`asyncio` related name resolution functions no longer involves a |
| 33 | +quadratic algorithm. This prevents a potential CPU denial of service if an |
| 34 | +out-of-spec excessive length hostname involving bidirectional characters |
| 35 | +were decoded. Some protocols such as :mod:`urllib` http ``3xx`` redirects |
| 36 | +potentially allow for an attacker to supply such a name. |
| 37 | + |
| 38 | +.. |
| 39 | +
|
| 40 | +.. date: 2022-10-26-21-04-23 |
| 41 | +.. gh-issue: 98739 |
| 42 | +.. nonce: keBWcY |
| 43 | +.. section: Security |
| 44 | +
|
| 45 | +Update bundled libexpat to 2.5.0 |
| 46 | + |
| 47 | +.. |
| 48 | +
|
| 49 | +.. date: 2022-10-21-13-31-47 |
| 50 | +.. gh-issue: 98517 |
| 51 | +.. nonce: SXXGfV |
| 52 | +.. section: Security |
| 53 | +
|
| 54 | +Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). |
| 55 | + |
| 56 | +.. |
| 57 | +
|
| 58 | +.. date: 2022-09-07-10-42-00 |
| 59 | +.. gh-issue: 97514 |
| 60 | +.. nonce: Yggdsl |
| 61 | +.. section: Security |
| 62 | +
|
| 63 | +On Linux the :mod:`multiprocessing` module returns to using filesystem |
| 64 | +backed unix domain sockets for communication with the *forkserver* process |
| 65 | +instead of the Linux abstract socket namespace. Only code that chooses to |
| 66 | +use the :ref:`"forkserver" start method <multiprocessing-start-methods>` is |
| 67 | +affected. |
| 68 | + |
| 69 | +Abstract sockets have no permissions and could allow any user on the system |
| 70 | +in the same `network namespace |
| 71 | +<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often |
| 72 | +the whole system) to inject code into the multiprocessing *forkserver* |
| 73 | +process. This was a potential privilege escalation. Filesystem based socket |
| 74 | +permissions restrict this to the *forkserver* process user as was the |
| 75 | +default in Python 3.8 and earlier. |
| 76 | + |
| 77 | +This prevents Linux `CVE-2022-42919 |
| 78 | +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_. |
| 79 | + |
| 80 | +.. |
| 81 | +
|
| 82 | +.. date: 2022-04-27-18-25-30 |
| 83 | +.. gh-issue: 68966 |
| 84 | +.. nonce: gjS8zs |
| 85 | +.. section: Security |
| 86 | +
|
| 87 | +The deprecated mailcap module now refuses to inject unsafe text (filenames, |
| 88 | +MIME types, parameters) into shell commands. Instead of using such text, it |
| 89 | +will warn and act as if a match was not found (or for test commands, as if |
| 90 | +the test failed). |
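Review bot: the gh-87604 entry ("Avoid publishing list of active per-interpreter audit hooks via the :mod:`gc` module") is the only entry in this file without a terminating period; add one for consistency with the other six entries. Two smaller wording points: in the gh-98433 entry, "http ``3xx`` redirects" should read "HTTP ``3xx`` redirects", and in the gh-97514 entry "Filesystem based socket permissions" should be hyphenated as "Filesystem-based socket permissions". For the gh-100001 entry, consider stating which characters are treated as control characters for the ``\xHH`` replacement and whether handlers that override ``log_message`` are covered, since an operator reading the changelog will want to know whether custom logging code still needs its own sanitisation.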