- CVE-2022-40674: bundled libexpat was upgraded from 2.4.7 to 2.4.9, which fixes a heap use-after-free vulnerability in function doContent
- gh-97616: a fix for a possible buffer overflow in list *= int
- gh-97612: a fix for possible shell injection in the example script get-remote-certificate.py (this issue originally had a CVE assigned to it, which its author withdrew)
- gh-96577: a fix for a potential buffer overrun in msilib
3.11 is also affected but upstream didn't make a release, so I'll just cherry-pick fixes.
Thanks!
Cleanup done. It's possible that 2.7 is affected too but providing more security support for it is beyond my capabilities.
Indeed, thanks! I suppose we'll GLSA Python itself but leave off pypy for bug 868150
GLSA requested
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

[ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/787260
Bug: https://bugs.gentoo.org/793833
Bug: https://bugs.gentoo.org/811165
Bug: https://bugs.gentoo.org/834533
Bug: https://bugs.gentoo.org/835443
Bug: https://bugs.gentoo.org/838250
Bug: https://bugs.gentoo.org/864747
Bug: https://bugs.gentoo.org/876815
Bug: https://bugs.gentoo.org/877851
Bug: https://bugs.gentoo.org/878385
Bug: https://bugs.gentoo.org/880629
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Sam James <sam@gentoo.org>

glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+)