Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 884653

Summary: <dev-lang/python-{3.12.0_alpha3,3.11.1,3.10.9,3.9.16,3.8.16}, <dev-python/pypy3-7.3.10: multiple vulnerabilities
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://discuss.python.org/t/python-3-11-1-3-10-9-3-9-16-3-8-16-3-7-16-and-3-12-0-alpha-3-are-now-available/21724
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 884645, 884647, 884649, 884651, 884699    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-12-07 08:03:20 UTC 
From the upstream list, these seem applicable to our current releases:

3.7 - 3.12: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.
3.8 - 3.12: gh-87604 : Avoid publishing list of active per-interpreter audit hooks via the gc module.

The remaining are either irrelevant (because we're not using bundled Expat) or were backported already.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 03:02:34 UTC 
Thanks for reporting!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-12-09 13:56:36 UTC 
Cleanup done.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-10 01:49:55 UTC 
Thanks!