Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
93 additions
and
38 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
.. date: 2022-12-05-01-39-10 | ||
.. gh-issue: 100001 | ||
.. nonce: uD05Fc | ||
.. release date: 2022-12-06 | ||
.. section: Security | ||
``python -m http.server`` no longer allows terminal control characters sent | ||
within a garbage request to be printed to the stderr server log. | ||
|
||
This is done by changing the :mod:`http.server` | ||
:class:`BaseHTTPRequestHandler` ``.log_message`` method to replace control | ||
characters with a ``\xHH`` hex escape before printing. | ||
|
||
.. | ||
.. date: 2022-11-11-12-50-28 | ||
.. gh-issue: 87604 | ||
.. nonce: OtwH5L | ||
.. section: Security | ||
Avoid publishing list of active per-interpreter audit hooks via the | ||
:mod:`gc` module | ||
|
||
.. | ||
.. date: 2022-11-04-09-29-36 | ||
.. gh-issue: 98433 | ||
.. nonce: l76c5G | ||
.. section: Security | ||
The IDNA codec decoder used on DNS hostnames by :mod:`socket` or | ||
:mod:`asyncio` related name resolution functions no longer involves a | ||
quadratic algorithm. This prevents a potential CPU denial of service if an | ||
out-of-spec excessive length hostname involving bidirectional characters | ||
were decoded. Some protocols such as :mod:`urllib` http ``3xx`` redirects | ||
potentially allow for an attacker to supply such a name. | ||
|
||
.. | ||
.. date: 2022-10-26-21-04-23 | ||
.. gh-issue: 98739 | ||
.. nonce: keBWcY | ||
.. section: Security | ||
Update bundled libexpat to 2.5.0 | ||
|
||
.. | ||
.. date: 2022-10-21-13-31-47 | ||
.. gh-issue: 98517 | ||
.. nonce: SXXGfV | ||
.. section: Security | ||
Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). | ||
|
||
.. | ||
.. date: 2022-09-07-10-42-00 | ||
.. gh-issue: 97514 | ||
.. nonce: Yggdsl | ||
.. section: Security | ||
On Linux the :mod:`multiprocessing` module returns to using filesystem | ||
backed unix domain sockets for communication with the *forkserver* process | ||
instead of the Linux abstract socket namespace. Only code that chooses to | ||
use the :ref:`"forkserver" start method <multiprocessing-start-methods>` is | ||
affected. | ||
|
||
Abstract sockets have no permissions and could allow any user on the system | ||
in the same `network namespace | ||
<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often | ||
the whole system) to inject code into the multiprocessing *forkserver* | ||
process. This was a potential privilege escalation. Filesystem based socket | ||
permissions restrict this to the *forkserver* process user as was the | ||
default in Python 3.8 and earlier. | ||
|
||
This prevents Linux `CVE-2022-42919 | ||
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_. | ||
|
||
.. | ||
.. date: 2022-04-27-18-25-30 | ||
.. gh-issue: 68966 | ||
.. nonce: gjS8zs | ||
.. section: Security | ||
The deprecated mailcap module now refuses to inject unsafe text (filenames, | ||
MIME types, parameters) into shell commands. Instead of using such text, it | ||
will warn and act as if a match was not found (or for test commands, as if | ||
the test failed). |
4 changes: 0 additions & 4 deletions
4
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
This file was deleted.
Oops, something went wrong.
15 changes: 0 additions & 15 deletions
15
Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
This file was deleted.
Oops, something went wrong.
1 change: 0 additions & 1 deletion
1
Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
This file was deleted.
Oops, something went wrong.
1 change: 0 additions & 1 deletion
1
Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst
This file was deleted.
Oops, something went wrong.
6 changes: 0 additions & 6 deletions
6
Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
This file was deleted.
Oops, something went wrong.
2 changes: 0 additions & 2 deletions
2
Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
This file was deleted.
Oops, something went wrong.
6 changes: 0 additions & 6 deletions
6
Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters