Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 884653

Summary: <dev-lang/python-{3.12.0_alpha3,3.11.1,3.10.9,3.9.16,3.8.16}, <dev-python/pypy3-7.3.10: multiple vulnerabilities
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://discuss.python.org/t/python-3-11-1-3-10-9-3-9-16-3-8-16-3-7-16-and-3-12-0-alpha-3-are-now-available/21724
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 884645, 884647, 884649, 884651, 884699    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-12-07 08:03:20 UTC 
From the upstream list, these seem applicable to our current releases:

3.7 - 3.12: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.
3.8 - 3.12: gh-87604 : Avoid publishing list of active per-interpreter audit hooks via the gc module.

The remaining are either irrelevant (because we're not using bundled Expat) or were backported already.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 03:02:34 UTC 
Thanks for reporting!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-12-09 13:56:36 UTC 
Cleanup done.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-10 01:49:55 UTC 
Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2024-05-04 06:00:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)