From the release notes:

bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

=========================

I'm going to backport the patches to the latest releases to fast-stabilize them.
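The bpo-43285 behaviour quoted above, shown against a live ftplib client. This is an added example, not code from the bug report or from CPython: the fake FTP server, its 227 reply pointing at 203.0.113.9:50000, and the loopback port are all constructed here. It connects a real ftplib.FTP to that server on 127.0.0.1, issues PASV, and reports which address the client would dial for the data connection. With the fix in place the client ignores the advertised address and reuses the control connection's peer; setting the new trust_server_pasv_ipv4_address attribute to True restores the old, probe-able behaviour.

```python
import ftplib
import socket
import threading

# Constructed reply from a hostile server: the 227 line points the client at an
# address (203.0.113.9, port 195*256+80 = 50000) that is not the server it is
# actually talking to.
ROGUE_PASV_REPLY = b"227 Entering Passive Mode (203,0,113,9,195,80).\r\n"


def _serve_one_session(listener):
    """Minimal fake FTP control channel: send a banner, answer PASV with the
    rogue reply, and exit when the client closes the connection."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"220 constructed test server\r\n")
        for line in lines:
            cmd = line.strip().upper()
            if cmd == b"PASV":
                conn.sendall(ROGUE_PASV_REPLY)
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 not implemented\r\n")


def pasv_target(trust_server):
    """Connect a real ftplib.FTP client to the fake server and return the
    (host, port) it would dial for the data connection after PASV."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one_session, args=(listener,), daemon=True)
    server.start()

    ftp = ftplib.FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    # Attribute added by the bpo-43285 fix (default False). True restores the
    # old behaviour of dialling whatever address the server put in its reply.
    ftp.trust_server_pasv_ipv4_address = trust_server
    try:
        return ftp.makepasv()
    finally:
        ftp.close()
        server.join(5)
        listener.close()


def client_is_patched():
    """True when this interpreter's ftplib carries the bpo-43285 change."""
    return hasattr(ftplib.FTP, "trust_server_pasv_ipv4_address")


if __name__ == "__main__":
    print("patched ftplib:", client_is_patched())
    print("default (server address ignored):", pasv_target(trust_server=False))
    print("trust_server_pasv_ipv4_address=True:", pasv_target(trust_server=True))
```

On a patched interpreter the default call returns ('127.0.0.1', 50000), i.e. the control connection's peer with only the port taken from the server; on an unpatched one both calls return ('203.0.113.9', 50000), which is the probe the advisory describes. client_is_patched() is a quick way to check a deployed interpreter without driving a server.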
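The bpo-43439 audit events in use, as an added example (not code from the bug report or from CPython). It installs a sys.addaudithook hook that records the three new gc.* events and, when a policy flag is set, raises from the hook so the introspection call is aborted before it returns the object graph. The "api_token" secret, the GC_AUDIT_LOG name and the policy dict are constructed for the example; the event names themselves are the ones CPython raises after the fix.

```python
import gc
import sys

# Record of gc.* audit events seen in this process (the example's own log).
GC_AUDIT_LOG = []
_policy = {"deny_introspection": False}


def _gc_audit_hook(event, args):
    # A hook receives every audit event raised in the process; act only on
    # the three events added by bpo-43439.
    if event not in ("gc.get_objects", "gc.get_referrers", "gc.get_referents"):
        return
    GC_AUDIT_LOG.append((event, args))
    if _policy["deny_introspection"]:
        # An exception raised from a hook aborts the audited call, so the
        # caller never receives the object graph.
        raise RuntimeError(f"{event} denied by audit policy")


_hook_installed = False


def install_gc_audit_hook():
    """Install the hook once. Audit hooks cannot be removed, so the process
    keeps this policy for its whole lifetime."""
    global _hook_installed
    if not _hook_installed:
        sys.addaudithook(_gc_audit_hook)
        _hook_installed = True


def observe_gc_introspection():
    """Run the three audited calls and return the event names they raised."""
    install_gc_audit_hook()
    _policy["deny_introspection"] = False
    GC_AUDIT_LOG.clear()
    # Constructed secret: the kind of value a gc walk can reach even though
    # nothing in the normal API hands out a reference to it.
    vault = {"api_token": bytearray(b"hunter2")}
    gc.get_objects()
    gc.get_referrers(vault["api_token"])
    gc.get_referents(vault)
    return [event for event, _ in GC_AUDIT_LOG]


def deny_gc_introspection():
    """With denial switched on, gc.get_objects() must not return; returns the
    message of the exception the hook raised, or None if the call succeeded."""
    install_gc_audit_hook()
    _policy["deny_introspection"] = True
    try:
        gc.get_objects()
        return None
    except RuntimeError as exc:
        return str(exc)
    finally:
        _policy["deny_introspection"] = False


if __name__ == "__main__":
    print("events seen:", observe_gc_introspection())
    print("denied call:", deny_gc_introspection())
```

Because a hook cannot be uninstalled, the policy flag is what turns enforcement on and off; on an interpreter without the bpo-43439 change the log stays empty and the denial never fires, which is itself a usable check for whether a given Python build carries the fix.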
(In reply to Michał Górny from comment #0)
> bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and
> gc.get_referents(). Patch by Pablo Galindo.

This one's applicable to py3.8+ only. The remaining two are applicable to all versions around, most likely including 2.7.
I will not be backporting this to py2.7 tonight, so I'll open a separate bug to track it.
Unable to check for sanity:
> no match for package: dev-lang/python-3.6.13_p1
All sanity-check issues have been resolved
sparc stable
x86 stable
hppa stable
ppc done
arm64 done
ppc64 done
amd64 stable
arm done
all arches done
Please cleanup.
Resetting sanity check; package list is empty or all packages are done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834f7d0e6ec7cc60835539a4114edbc4bd0e8930

commit 834f7d0e6ec7cc60835539a4114edbc4bd0e8930
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-12 20:23:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-12 20:26:05 +0000

    dev-lang/python: Remove old

    Bug: https://bugs.gentoo.org/779841
    Bug: https://bugs.gentoo.org/779844
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                       |  11 -
 dev-lang/python/python-2.7.18_p7.ebuild        | 358 -------------------------
 dev-lang/python/python-3.10.0_alpha6-r2.ebuild | 350 ------------------------
 dev-lang/python/python-3.6.13.ebuild           | 341 -----------------------
 dev-lang/python/python-3.7.10.ebuild           | 333 -----------------------
 dev-lang/python/python-3.8.8.ebuild            | 339 -----------------------
 dev-lang/python/python-3.9.2.ebuild            | 348 ------------------------
 dev-lang/python/python-3.9.3.ebuild            | 348 ------------------------
 8 files changed, 2428 deletions(-)
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202104-04 at https://security.gentoo.org/glsa/202104-04 by GLSA coordinator Thomas Deutschmann (whissi).