Will investigate applicable versions shortly.

1. bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)
   Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

2. bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099)
   Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes parsing even more strict. Like socket.inet_pton() any leading zero is now treated as invalid input.

3. bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)
   The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. `ssl.SSLContext` defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack's research.

and possibly:

4. bpo-43650: Fix MemoryError on zip.read in shutil._unpack_zipfile for large files (GH-25058)
   `shutil.unpack_archive()` tries to read the whole file into memory, making no use of any kind of smaller buffer. Process crashes for really large files: i.e. archive: ~1.7G, unpacked: ~10G. Before the crash it can easily take away all available RAM on smaller systems. Had to pull the code from `zipfile.Zipfile.extractall()` to fix this.
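A small check that reports whether the interpreter it runs under carries two of the hardenings listed in the comment above (strict IPv4 parsing from bpo-36384 and the TLS 1.2 default from bpo-43998), as an added example for this thread rather than code from CPython or from the Gentoo packaging. It compares `ipaddress` against `socket.inet_pton()` on a leading-zero octet, which is exactly the behaviour the bpo-36384 change aligned, and reads the default `ssl.SSLContext` minimum version; the `security_level` attribute is only present on 3.10 and newer, so it is reported as `None` elsewhere. The http.client and shutil fixes are not exercised here because they need a live peer or a multi-gigabyte archive to observe. The sample address `010.1.1.1` is a constructed input.

```python
"""Report whether this interpreter carries the strict IPv4 parsing (bpo-36384)
and the TLS 1.2 / security level defaults (bpo-43998) described in the thread.
Added example for the bug above; not CPython's or Gentoo's own code."""
import ipaddress
import socket
import ssl
import sys

# Exposed so a caller can decide which expectations apply to this interpreter.
PY_VERSION = sys.version_info[:3]


def ipv4_parse_report(text):
    """Return how socket.inet_pton() and ipaddress each judge one dotted quad.

    After bpo-36384 the two must agree: any leading zero in an octet is
    rejected by both, so an octal-looking "010" cannot be read two ways.
    """
    try:
        socket.inet_pton(socket.AF_INET, text)
        pton_ok = True
    except OSError:
        pton_ok = False
    try:
        ipaddress.IPv4Address(text)
        ipaddress_ok = True
    except ValueError:
        ipaddress_ok = False
    return {"inet_pton": pton_ok, "ipaddress": ipaddress_ok}


def ipv4_leading_zero_rejected():
    """True when ipaddress refuses a leading-zero octet (the fixed behaviour)."""
    # "010.1.1.1" is a constructed sample: glibc's inet_pton refuses it,
    # and a fixed ipaddress module must refuse it too.
    return not ipv4_parse_report("010.1.1.1")["ipaddress"]


def ssl_default_report():
    """Return the minimum TLS version and security level of a default client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return {
        "minimum_version": ctx.minimum_version,
        # security_level exists from Python 3.10; None means "not reported".
        "security_level": getattr(ctx, "security_level", None),
    }


def ssl_default_tls12():
    """True when a freshly created context already refuses anything below TLS 1.2."""
    return ssl_default_report()["minimum_version"] >= ssl.TLSVersion.TLSv1_2


def hardening_report():
    """Aggregate the checks into one dict suitable for logging or a CI assertion."""
    return {
        "python": ".".join(str(p) for p in PY_VERSION),
        "ipv4_leading_zero_rejected": ipv4_leading_zero_rejected(),
        "ssl_default_tls12": ssl_default_tls12(),
        "ssl_security_level": ssl_default_report()["security_level"],
    }


if __name__ == "__main__":
    for key, value in hardening_report().items():
        print(f"{key}: {value}")
```

Running it on a fixed interpreter prints `ipv4_leading_zero_rejected: True` and `ssl_default_tls12: True`; on an unpatched 3.7 or 3.8 the first line is `False`, which is the quick way to confirm whether a backport actually landed in a given slot.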
Applicable:

3.10.0b2: (none)
3.9.5_p1: 1 3 4
3.8.10_p1: 1 3 4
3.7.10_p4: 1 2* 3 4
[to be continued]

* the 'bigger' regression in IPv4 addr parsing was added in 3.8 but I've backported making it even more strict now

I'm working on patches for 3.7 now; also need to wait for 3.7 cleanup on my system to complete as leftover packages break CPython's test suite x_x.
3.6.13_p4: 1 2* 3+ 4
2.7.18_p10: 1+ 3+
pypy3 7.3.5_rc3: 1 2* 3+ 4
pypy 7.3.5_rc3: 1+ 3+

+ I am not going to backport this patch as it's too much effort for little gain
Let's skip the earlier revision where applicable and stabilize newest revisions for all versions.
arm done
arm64 done
sparc stable
hppa stable
ppc done
amd64 done
x86 done
ppc64 done
all arches done
Thank you! Please cleanup.
Cleanups pushed.
So I've eventually backported it to Python 2.7, and I'm testing it now. Once done, should I reuse this bug to stabilize Python 2.7 and PyPy, or file another one?
Sam said to reuse!
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
sparc done
ppc64 done
stabilized
Unable to check for sanity: > no match for package: dev-python/pypy-7.3.4_p1
Unable to check for sanity: > no match for package: dev-lang/python-2.7.18_p11
GLSA requested
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

[ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/787260
Bug: https://bugs.gentoo.org/793833
Bug: https://bugs.gentoo.org/811165
Bug: https://bugs.gentoo.org/834533
Bug: https://bugs.gentoo.org/835443
Bug: https://bugs.gentoo.org/838250
Bug: https://bugs.gentoo.org/864747
Bug: https://bugs.gentoo.org/876815
Bug: https://bugs.gentoo.org/877851
Bug: https://bugs.gentoo.org/878385
Bug: https://bugs.gentoo.org/880629
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Sam James <sam@gentoo.org>

glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+)