[3.8] bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) #27801

Merged
merged 4 commits into from Aug 17, 2021


@achraf-mer achraf-mer commented Aug 17, 2021

achraf-mer and others added 2 commits August 17, 2021 16:06
…ythonGH-25099)

Reverts commit e653d4d and makes
parsing even more strict. Like socket.inet_pton() any leading zero
is now treated as invalid input.

Signed-off-by: Christian Heimes <christian@python.org>

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
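
Why a leading zero is rejected instead of being normalized, as an added example (not code from this PR or from CPython): some C-style parsers read an octet with a leading zero as octal while a lenient decimal parser reads it as base 10, so one string can name two different addresses. The function names and sample strings are constructed for illustration, and only the octal case is modeled.

```python
def _split(addr):
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets in {addr!r}")
    return parts

def parse_strict(addr):
    """Strict reading: any leading zero (except the octet '0') is an error."""
    octets = []
    for p in _split(addr):
        if not (p.isascii() and p.isdigit()) or len(p) > 3:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        if p != "0" and p[0] == "0":
            raise ValueError(f"leading zero in octet {p!r} of {addr!r}")
        value = int(p, 10)
        if value > 255:
            raise ValueError(f"octet {p!r} out of range in {addr!r}")
        octets.append(value)
    return tuple(octets)

def read_decimal(addr):
    """Lenient reading: leading zeros are ignored, octets are base 10."""
    return tuple(int(p, 10) for p in _split(addr))

def read_octal_style(addr):
    """Lenient C-style reading: a leading zero switches the octet to base 8.
    Returns None when an octet is not valid octal (for example '09')."""
    octets = []
    for p in _split(addr):
        base = 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            octets.append(int(p, base))
        except ValueError:
            return None
    return tuple(octets)

def audit(addr):
    """Show all three readings so disagreements are visible side by side."""
    try:
        strict = parse_strict(addr)
    except ValueError:
        strict = None
    return {"strict": strict, "decimal": read_decimal(addr),
            "octal_style": read_octal_style(addr)}

# Constructed sample inputs, not taken from the PR.
SAMPLES = ["10.0.0.1", "010.0.0.1", "192.168.001.010", "127.0.0.09"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, audit(s))
```

Any input where `decimal` and `octal_style` differ is one that an allowlist check and the component that actually connects could resolve differently; the strict reading refuses all of them.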
@the-knights-who-say-ni

Hello, and thanks for your contribution!

I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA).

Recognized GitHub username

We couldn't find a bugs.python.org (b.p.o) account corresponding to the following GitHub usernames:

@achraf-mer

This might be simply due to a missing "GitHub Name" entry in one's b.p.o account settings. This is necessary for legal reasons before we can look at this contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.

You can check yourself to see if the CLA has been received.

Thanks again for the contribution, we look forward to reviewing it!

@achraf-mer achraf-mer changed the title from "bpo-36384: [3.8] Leading zeros in IPv4 addresses are no longer tolerated (GH-25099)" to "[3.8] bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099)" Aug 17, 2021
@bedevere-bot bedevere-bot added the type-security A security issue label Aug 17, 2021
@ambv
Contributor

ambv commented Aug 17, 2021

See: https://bugs.python.org/issue36384#msg392684

Due to the relative obscurity of the bug and potential disruption of the fix, I decided not to include it in 3.8.

@ambv ambv closed this Aug 17, 2021
@achraf-mer
Author

> See: https://bugs.python.org/issue36384#msg392684
>
> Due to the relative obscurity of the bug and potential disruption of the fix, I decided not to include it in 3.8.

@ambv please take note of my reply here, on why I think this is needed still: https://bugs.python.org/issue36384#msg399801 thx

@ambv ambv reopened this Aug 17, 2021
Contributor

@ambv ambv left a comment


Thank you for the backport. We need two more things. The first is mentioned in an inline comment. And the second is about "What's New". See how GH-25099 also touches Doc/whatsnew/3.9.rst? This backport will need to do the same for Doc/whatsnew/3.8.rst, adding "Notable Changes in Python 3.8.12". You can copy the text verbatim from the respective whatsnew edit in GH-25099.

Doc/library/ipaddress.rst Outdated
@bedevere-bot

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@achraf-mer achraf-mer requested a review from ambv August 17, 2021 23:16
@achraf-mer
Author

I have made the requested changes; please review again.

@bedevere-bot

Thanks for making the requested changes!

@ambv: please review the changes made to this pull request.

@achraf-mer
Author

@ambv I am pretty new to this workflow. Would you mind helping me understand what the next step is, or perhaps the timeline of when this PR can get merged, and how it would be possible for us to start using the new Python version (let's say from conda, since that's what we use)?
Thanks

@ambv
Contributor

ambv commented Aug 17, 2021

@achraf-mer, assuming all tests pass on this PR, I will merge it. It will be released as Python 3.8.12 on August 30th alongside Python 3.9.7. I will also make pull requests to the 3.9, 3.10, and main (3.11) branches to amend the .. versionchanged:: 3.8.12 information you provide here in the docs of those respective branches, to make this information easier to find.

This PR is currently the only fix slated for 3.8.12 (there are literally only 3 other commits on the branch, two are doc updates and one is a test improvement).

Not sure how soon conda will release 3.8.12. Looking at 3.8.11, it took them 37 days from release (2021-06-28) to availability on https://anaconda.org/anaconda/python/files (2021-08-04).

@ambv ambv merged commit 03dd89d into python:3.8 Aug 17, 2021
@ambv
Contributor

ambv commented Aug 17, 2021

@achraf-mer, thank you for taking your time reporting and contributing the backport. You likely saved us a lot of grief we'd otherwise face due to the overblown severity mark on the CVE.

@achraf-mer
Author

achraf-mer commented Aug 17, 2021

> @achraf-mer, thank you for taking your time reporting and contributing the backport. You likely saved us a lot of grief we'd otherwise face due to the overblown severity mark on the CVE.

@ambv 👍 thanks for the prompt reply+review.
