884653 – <dev-lang/python-{3.12.0_alpha3,3.11.1,3.10.9,3.9.16,3.8.16}, <dev-python/pypy3-7.3.10: multiple vulnerabilities

Bug 884653 - <dev-lang/python-{3.12.0_alpha3,3.11.1,3.10.9,3.9.16,3.8.16}, <dev-python/pypy3-7.3.10: multiple vulnerabilities

Summary: <dev-lang/python-{3.12.0_alpha3,3.11.1,3.10.9,3.9.16,3.8.16}, <dev-python/pyp...

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://discuss.python.org/t/python-3...
Whiteboard:	A3 [glsa]
Keywords:

Depends on:	884645 884647 884649 884651 884699
Blocks:
	Show dependency tree

Reported:	2022-12-07 08:03 UTC by Michał Górny
Modified:	2024-04-27 09:20 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-12-07 08:03:20 UTC

From the upstream list, these seem applicable to our current releases:

3.7 - 3.12: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.
3.8 - 3.12: gh-87604 : Avoid publishing list of active per-interpreter audit hooks via the gc module.

The remaining are either irrelevant (because we're not using bundled Expat) or were backported already.

Comment 1 John Helmert III archtester

2022-12-08 03:02:34 UTC

Thanks for reporting!

Comment 2 Michał Górny archtester

2022-12-09 13:56:36 UTC

Cleanup done.

Comment 3 John Helmert III archtester

2022-12-10 01:49:55 UTC

Thanks!