3.8
Commits on Dec 6, 2022
- [3.8] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100033)
  * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4) Co-authored-by: Gregory P. Smith <[email protected]>
  * also escape \s (backport of PR #100038).
  * add versionadded and remove extraneous 'to'
  Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Nov 21, 2022
- [3.8] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99661)
  (cherry picked from commit 7b98207) Co-authored-by: Steve Dower <[email protected]>
Commits on Nov 10, 2022
- [3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (GH-99231)
  There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722) (cherry picked from commit a6f6c3a) Co-authored-by: Miss Islington (bot) <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Oct 28, 2022
- [3.8] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98527)
  This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: XKCP/XKCP@fdc6fef [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <[email protected]> (cherry picked from commit 0e4e058) Co-authored-by: Theo Buehler <[email protected]>
- [3.8] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98787)
  Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680. Co-authored-by: Shaun Walbridge <[email protected]> (cherry picked from commit 3e07f82)
Commits on Oct 11, 2022
- [3.8] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98192)
  gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba) Co-authored-by: Petr Viktorin <[email protected]> Co-authored-by: Łukasz Langa <[email protected]>
- [3.8] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98197)
  gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness. (cherry picked from commit 11e3548) Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Oct 4, 2022
- [3.8] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97835)
  [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message. (cherry picked from commit e841ffc) Co-authored-by: Ned Deily <[email protected]> (cherry picked from commit 4118813) Co-authored-by: Victor Stinner <[email protected]>
- [3.8] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (GH-97575)
  Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. (cherry picked from commit 4135166) Co-authored-by: Victor Stinner <[email protected]>
- [3.8] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96658)
  gh-96577: Fixes buffer overrun in _msi module (GH-96633) (cherry picked from commit 4114bcc) Co-authored-by: Steve Dower <[email protected]>
- [3.8] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97013)
  gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) Co-authored-by: Gregory P. Smith [Google] <[email protected]> (cherry picked from commit 10e3d39) Co-authored-by: Dong-hee Na <[email protected]>
- [3.8] gh-97616: list_resize() checks for integer overflow (GH-97617) (GH-97628)
  gh-97616: list_resize() checks for integer overflow (GH-97617) Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)). (cherry picked from commit a5f092f) Co-authored-by: Victor Stinner <[email protected]>
- [3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633)
  Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt. Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead. Co-authored-by: Caleb Shortt <[email protected]> (cherry picked from commit 83a0f44) Co-authored-by: Victor Stinner <[email protected]>
Commits on Sep 11, 2022
- [3.8] Update bugs URL references in README and Docs/bugs.rst from bpo to gh issues (GH-96728)
  Co-authored-by: roy reznik <[email protected]> Co-authored-by: Inada Naoki <[email protected]> Co-authored-by: Ezio Melotti <[email protected]>
Commits on Sep 5, 2022
- [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96503)
  * Correctly pre-check for int-to-str conversion

    Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

    The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

    The justification for the current check. The C code check is:

    ```c
    max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
    ```

    In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:

    $$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

    From this it follows that

    $$\frac{M}{3L} < \frac{s-1}{10}$$

    hence that

    $$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$

    So

    $$2^{L(s-1)} > 10^M.$$

    But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.

  * Issue: gh-95778

  Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]> Co-authored-by: Christian Heimes <[email protected]> Co-authored-by: Mark Dickinson <[email protected]>
Commits on Jul 27, 2022
- [3.8] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) (GH-95313)
  Three test cases were failing on FreeBSD with latest OpenSSL. (cherry picked from commit 1bc86c2) Co-authored-by: Christian Heimes <[email protected]>
Commits on Jul 5, 2022
- [3.8] gh-90355: Add isolated flag if currently isolated (GH-92857) (GH-94571)
  Co-authored-by: Carter Dodd <[email protected]> Co-authored-by: Éric <[email protected]> Co-authored-by: Łukasz Langa <[email protected]> (cherry picked from commit c8556bc)
Commits on Jul 1, 2022
- [3.8] gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94495)
  (cherry picked from commit 80aaeab) Co-authored-by: Sam Ezeh <[email protected]>
Commits on Jun 22, 2022
- gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885) (GH-94124)
  Co-authored-by: Hugo van Kemenade <[email protected]> Co-authored-by: Adam Turner <[email protected]> (cherry picked from commit d36954b) Co-authored-by: Illia Volochii <[email protected]>
- gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94094)
  Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b) Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Jun 6, 2022
- gh-83728: Add hmac.new default parameter deprecation (GH-91939) (GH-93547)
  (cherry picked from commit 56b5daf) Co-authored-by: Stanley <[email protected]>
- bpo-46114: Fix OpenSSL version check for 3.0.1 (GH-30170) (GH-92954)
  (cherry picked from commit 2985fea) Co-authored-by: Christian Heimes <[email protected]>
Commits on May 24, 2022
- [3.8] gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (#93148)
  Also while there, clarify a few things about why we reduce the hash to 32 bits. Co-authored-by: Eli Libman <[email protected]> Co-authored-by: Yury Selivanov <[email protected]> Co-authored-by: Łukasz Langa <[email protected]> (cherry picked from commit c1f5c90)
Commits on May 16, 2022
- [3.8] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (#92333)
  (cherry picked from commit c908dc5) Co-authored-by: Sergey Fedoseev <[email protected]> Co-authored-by: Jelle Zijlstra <[email protected]>
- bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32250)
  (cherry picked from commit 6066739) Co-authored-by: Zachary Ware <[email protected]>
Commits on May 12, 2022
- [3.8] gh-92448: Update the documentation builder to render the GitHub… (GH-92605)
  (cherry picked from commit 45e1721) Co-authored-by: Dong-hee Na <[email protected]>
Commits on May 10, 2022
- [3.8] Update Sphinx bpo role to use redirect URI. (#91892)
  * Update Sphinx bpo role to use redirect URI. (GH-32342)
  * [3.8] Update Sphinx bpo role to use redirect URI. (GH-32342). (cherry picked from commit 08cfe07) Co-authored-by: Ezio Melotti <[email protected]>
- Add redirects to Misc/NEWS bpo links (GH-91454) (#91895)
  (cherry picked from commit 17dbb6b) Co-authored-by: Ezio Melotti <[email protected]> Co-authored-by: Ezio Melotti <[email protected]>