Comparing changes

base repository: python/cpython
base: v3.9.15
head repository: python/cpython
compare: v3.9.16
  • 10 commits
  • 21 files changed
  • 6 contributors

Commits on Oct 11, 2022

  1. Post 3.9.15

    ambv committed Oct 11, 2022
  2. [3.9] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98190)
    
    gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
    (cherry picked from commit b9509ba)
    
    Co-authored-by: Petr Viktorin <encukou@gmail.com>
    miss-islington and encukou committed Oct 11, 2022
  3. [3.9] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98196)
    
    gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717)
    
    A regression would still absolutely fail and even a flaky pass isn't
    harmful as it'd fail most of the time across our N system test runs.
    
    Windows has a low resolution timer and CI systems are prone to odd
    timing so this just gives more leeway to avoid flakiness.
    (cherry picked from commit 11e3548)
    
    Co-authored-by: Gregory P. Smith <greg@krypto.org>
    miss-islington and gpshead committed Oct 11, 2022

Commits on Oct 28, 2022

  1. [3.9] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98786)

    Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
    
    Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
    (cherry picked from commit 3e07f82)
    miss-islington committed Oct 28, 2022
  2. [3.9] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98526)

    This is a port of the applicable part of XKCP's fix [1] for
    CVE-2022-37454 and avoids the segmentation fault and the infinite
    loop in the test cases published in [2].
    
    [1]: XKCP/XKCP@fdc6fef
    [2]: https://mouha.be/sha-3-buffer-overflow/
    
    Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
    (cherry picked from commit 0e4e058)
    
    Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
    miss-islington and botovq committed Oct 28, 2022
  3. [3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504)
    
    Linux abstract sockets are insecure as they lack any form of filesystem
    permissions so their use allows anyone on the system to inject code into
    the process.
    
    This removes the default preference for abstract sockets in
    multiprocessing introduced in Python 3.9+ via
    #18866 while fixing
    #84031.
    
    Explicit use of an abstract socket by a user now generates a
    RuntimeWarning.  If we choose to keep this warning, it should be
    backported to the 3.7 and 3.8 branches.
    (cherry picked from commit 49f6106)
    
    Co-authored-by: Gregory P. Smith <greg@krypto.org>
    miss-islington and gpshead committed Oct 28, 2022

Commits on Nov 10, 2022

  1. [3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (#99230)
    
    There was an unnecessary quadratic loop in idna decoding. This restores
    the behavior to linear.
    
    (cherry picked from commit d315722)
    (cherry picked from commit a6f6c3a)
    
    Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
    Co-authored-by: Gregory P. Smith <greg@krypto.org>
    miss-islington and gpshead committed Nov 10, 2022

Commits on Nov 21, 2022

  1. [3.9] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99493)

    zooba committed Nov 21, 2022

Commits on Dec 6, 2022

  1. [3.9] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100032)
    
    * gh-100001: Omit control characters in http.server stderr logs. (GH-100002)
    
    Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
    (cherry picked from commit d8ab0a4)
    
    Co-authored-by: Gregory P. Smith <greg@krypto.org>
    
    * also escape \s (backport of PR #100038).
    
    * add versionadded and remove extra 'to'
    
    Co-authored-by: Gregory P. Smith <greg@krypto.org>
    miss-islington and gpshead committed Dec 6, 2022
  2. Python 3.9.16

    ambv committed Dec 6, 2022