From https://www.python.org/downloads/release/python-3921/ (most of them apply to other versions too):

- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
- gh-124651: Properly quote template strings in venv activation scripts.
- gh-103848: Added checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format.
- gh-95588: Clarified the conflicting advice given in the ast documentation about ast.literal_eval() being “safe” for use on untrusted input while at the same time warning that it can crash the process. The latter statement is true and is deemed unfixable without a large amount of work unsuitable for a bugfix. So we keep the warning and no longer claim that literal_eval is safe.
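The two ipaddress/urllib items above (gh-103848 and gh-122792) describe input-validation rules that a service accepting user-supplied URLs would want regardless of which interpreter it runs on. The example below is added here and is not CPython's or Gentoo's code: it re-implements the bracketed-host rule (IPv6 or IPvFuture only) and judges an IPv4-mapped IPv6 address by the IPv4 it wraps, so the result does not depend on the interpreter's patch level; the function names and the sample URLs are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"\Av[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")


def classify_bracketed_host(host: str) -> str:
    """gh-103848 rule: a [bracketed] host must be IPv6 or IPvFuture.

    Returns 'ipv6', 'ipv4-mapped' or 'ipvfuture'; raises ValueError for
    anything else (a dotted IPv4 literal, a DNS name smuggled into brackets).
    """
    if host[:1] in ("v", "V"):
        if not _IPVFUTURE.match(host):
            raise ValueError(f"invalid IPvFuture literal: {host!r}")
        return "ipvfuture"
    addr = ipaddress.ip_address(host.partition("%")[0])  # ignore any zone id
    if isinstance(addr, ipaddress.IPv4Address):
        raise ValueError(f"IPv4 literal may not be bracketed: {host!r}")
    return "ipv4-mapped" if addr.ipv4_mapped is not None else "ipv6"


def effective_address(host: str):
    """gh-122792 rule: judge ::ffff:a.b.c.d by the IPv4 address it wraps."""
    addr = ipaddress.ip_address(host.partition("%")[0])
    mapped = getattr(addr, "ipv4_mapped", None)  # None for IPv4 / plain IPv6
    return mapped if mapped is not None else addr


def audit_url_host(url: str) -> dict:
    """Split url, validate a bracketed host and report its scope flags."""
    netloc = urlsplit(url).netloc  # a patched interpreter may already raise
    if "[" in netloc and "]" in netloc:
        host = netloc.partition("[")[2].partition("]")[0]
        kind = classify_bracketed_host(host)
    else:
        host, kind = urlsplit(url).hostname or "", "unbracketed"
    try:
        addr = effective_address(host)
    except ValueError:  # IPvFuture or a DNS name: no address flags to report
        kind = kind if kind == "ipvfuture" else "name"
        return {"host": host, "kind": kind, "is_global": None, "is_multicast": None}
    return {"host": host, "kind": kind, "is_global": addr.is_global,
            "is_multicast": addr.is_multicast}


def host_allowed(url: str) -> bool:
    """Egress-style gate: reject malformed brackets and non-global targets."""
    try:
        return audit_url_host(url)["is_global"] is True
    except ValueError:
        return False
```

On an unpatched interpreter `urlsplit()` accepts `http://[evil.example]/` silently, so `classify_bracketed_host()` is what rejects it; on a patched one `urlsplit()` raises first and `host_allowed()` returns False either way.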
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8d345dfd9f4670b75e9b9bc1e4a583590c4fc8c

commit b8d345dfd9f4670b75e9b9bc1e4a583590c4fc8c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-12-07 11:24:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-07 11:26:46 +0000

    profiles: mask =dev-lang/python-3.12.8 and =dev-lang/python-3.13.1

    3.12.8 and 3.13.1 break Mozilla's build system `mach` which is used in
    firefox, thunderbird, and spidermonkey.

    It's not clear if it's a CPython bug or a Mozilla bug (I've informed both
    sides) but the CVEs fixed in these security releases are rather minor
    indeed, especially when weighed against those packages being unbuildable.

    LLVM 19 and Rust 1.82.0 got stabled last night together with a default
    change to LLVM 19 which means more users will hit this too as they have
    to rebuild FF and friends.

    Done as lesser of two evils after discussion w/ mgorny.

    Bug: https://bugs.gentoo.org/945857
    Bug: https://bugs.gentoo.org/945882
    Bug: https://bugs.gentoo.org/946002
    Bug: https://bugs.gentoo.org/945850
    Bug: https://bugs.gentoo.org/945849
    Bug: https://bugs.gentoo.org/945845
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
I have changed the severity to B2 since the venv vulnerability does allow arbitrary code execution, but only in specific situations that are not the default for python itself.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc748f0c28bf1de31edeb0c62de5ce2c4662e2c1

commit dc748f0c28bf1de31edeb0c62de5ce2c4662e2c1
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2024-12-10 07:26:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-12-10 07:26:25 +0000

    profiles: unmask =dev-lang/python-3.12.8 and =dev-lang/python-3.13.1

    - Mozilla stack, both latest stable and unstable, is handled with an
      upstream patch for these python versions.

    Bug: https://bugs.gentoo.org/945857
    Bug: https://bugs.gentoo.org/945882
    Bug: https://bugs.gentoo.org/946002
    Bug: https://bugs.gentoo.org/945850
    Bug: https://bugs.gentoo.org/945849
    Bug: https://bugs.gentoo.org/945845
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 profiles/package.mask | 10 ----------
 1 file changed, 10 deletions(-)