Commits
3.9
Commits on Nov 6, 2023
-
[3.9] gh-101180: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds (gh-111695) (gh-111780)
(cherry picked from commit c8faa35)
Co-authored-by: Masayuki Moriyama <[email protected]>
Commits on Sep 6, 2023
-
[3.9] gh-109002: Ensure only one wheel for each vendored package (GH-109003) (#109008)

Output with one wheel:
```
❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py
Verifying checksum for /Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl.
Expected digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be
Actual digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be
::notice file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Successfully verified the checksum of the pip wheel.
```

Output with two wheels:
```
❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py
::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl::Found more than one wheel for package pip.
::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Found more than one wheel for package pip.
```

Output without wheels:
```
❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py
::error file=::Could not find a pip wheel on disk.
```

(cherry picked from commit f8a0479)
Co-authored-by: Łukasz Langa <[email protected]>
Commits on Sep 5, 2023
-
[3.9] CI: Bump GitHub Actions (GH-108879) (#108893)
Co-authored-by: Łukasz Langa <[email protected]>
-
[3.9] [3.10] Add a dummy .rtfd.yml file to silence invalid failing webhooks (GH-108908) (#108925)
(cherry picked from commit 5970435)
Co-authored-by: Łukasz Langa <[email protected]>
Co-authored-by: Alex Waygood <[email protected]>
Commits on Aug 24, 2023
-
[3.9] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407)

* In preauth tests of test_ssl, explicitly break reference cycles involving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout.
* SingleConnectionTestServerThread.run() catches TimeoutError
* Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join() explicitly.
* Replace "localhost" with server.listener.getsockname()[0].

(cherry picked from commit 592bacb)
Co-authored-by: Victor Stinner <[email protected]>
Commits on Aug 23, 2023
-
[3.9] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351)

Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle.

This test leak was introduced by the test added for the fix of GH-108310.

(cherry picked from commit 64f9935)
Co-authored-by: Victor Stinner <[email protected]>
Commits on Aug 22, 2023
-
[3.9] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) (#108274)
(cherry picked from commit acbd3f9)
Co-authored-by: Petr Viktorin <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
Co-authored-by: Lumír 'Frenzy' Balhar <[email protected]>
-
[3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
Commits on Jul 5, 2023
-
[3.9] CI: Bump macOS build to use OpenSSL v3.0 (GH-105538) (#105871)
(cherry picked from commit 34e93d3)
Co-authored-by: Erlend E. Aasland <[email protected]>
-
[3.9] [3.11] Add single value `agen.athrow(value)` signature to the 3.11 docs gh-105269 (GH-105468) (#105477)
(cherry picked from commit acf3916)
Co-authored-by: Federico Caselli <[email protected]>
Commits on Jun 6, 2023
Commits on Jun 5, 2023
-
[3.9] gh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (GH-105185) (#105221)
(cherry picked from commit ee26ca1)
Co-authored-by: Irit Katriel <[email protected]>
-
[3.9] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) (#105205)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
Co-authored-by: Ned Deily <[email protected]>
Commits on May 22, 2023
-
[3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593)

gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs)

(cherry picked from commit 2f630e1)
(cherry picked from commit 610cc0a)
(cherry picked from commit f48a96a)
Co-authored-by: Illia Volochii <[email protected]>
Co-authored-by: Gregory P. Smith [Google] <[email protected]>
-
[3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) (#104331)
(cherry picked from commit 0aeda29)
Co-authored-by: Sam Carroll <[email protected]>
-
[3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104120)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

(cherry picked from commit c7c3a60)
Co-authored-by: Ethan Furman <[email protected]>
Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Jelle Zijlstra <[email protected]>
-
[3.9] gh-103935: Use `io.open_code()` when executing code in trace and profile modules (GH-103947) (#103953)
Co-authored-by: Tian Gao <[email protected]>
Commits on Mar 28, 2023
Commits on Mar 13, 2023
-
[3.9] gh-102627: Replace address pointing toward malicious web page (GH-102630) (GH-102666)
(cherry picked from commit 61479d4)
Co-authored-by: Blind4Basics <[email protected]>
Co-authored-by: C.A.M. Gerlach <[email protected]>
Co-authored-by: Hugo van Kemenade <[email protected]>
Commits on Mar 7, 2023
-
[3.9] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101751)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt

Co-authored-by: Gregory P. Smith <[email protected]>
Co-authored-by: Ned Deily <[email protected]>
Commits on Feb 21, 2023
Commits on Feb 9, 2023
-
[3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101709)
Co-authored-by: Oleg Iarygin <[email protected]>
Co-authored-by: Steve Dower <[email protected]>
Commits on Jan 30, 2023
-
gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424)
(cherry picked from commit ea23271)
Co-authored-by: Owain Davies <[email protected]>
Commits on Jan 21, 2023
-
[3.9] Bump Azure Pipelines to ubuntu-22.04 (GH-101089) (#101214)
(cherry picked from commit c22a55c)
Co-authored-by: Hugo van Kemenade <[email protected]>