Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12244 closed enhancement (fixed)

python3-3.7.4

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Bruce Dubbs, 5 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 5 years ago

What's New in Python 3.7.4 final?

*Release date: 2019-07-08*

Core and Builtins

  • bpo-37500: Due to unintended side effects, revert the change introduced by bpo-1875 in 3.7.4rc1 to check for syntax errors in dead conditional code blocks.

Documentation

  • bpo-37149: Replace the dead link to the Tkinter 8.5 reference by John Shipman, New Mexico Tech, with a link to the archive.org copy.

What's New in Python 3.7.4 release candidate 2?

Security

  • bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. '127.0.0.1 whatever'.

Core and Builtins

  • bpo-24214: Improved support of the surrogatepass error handler in the UTF-8 and UTF-16 incremental decoders.

Library

  • bpo-37440: http.client now enables TLS 1.3 post-handshake authentication for default context or if a cert_file is passed to HTTPSConnection.
  • bpo-37437: Update vendorized expat version to 2.2.7.
  • bpo-37428: SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the option is documented as ignored for clients, OpenSSL implicitly enables cert chain validation when the flag is set.
  • bpo-32627: Fix compile error when conflicting _uuid headers are included.

Windows

  • bpo-37369: Fixes path for sys.executable when running from the Microsoft Store.
  • bpo-35360: Update Windows builds to use SQLite 3.28.0.

macOS

  • bpo-34602: Avoid test suite failures on macOS by no longer calling resource.setrlimit to increase the process stack size limit at runtime. The runtime change is no longer needed since the interpreter is being built with a larger default stack size.

What's New in Python 3.7.4 release candidate 1?

Security

  • bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.
  • bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().
  • bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
  • bpo-33529: Prevent fold function used in email header encoding from entering infinite loop when there are too many non-ASCII characters in a header.
  • bpo-35755: shutil.which now uses os.confstr("CS_PATH") if available and if the PATH environment variable is not set. Also remove the current directory from posixpath.defpath. On Unix, shutil.which and the subprocess module no longer search for the executable in the current directory if the PATH environment variable is not set.

Core and Builtins

  • bpo-37269: Fix a bug in the peephole optimizer that was not treating correctly constant conditions with binary operators. Patch by Pablo Galindo.
  • bpo-37219: Remove erroneous optimization for empty set differences.
  • bpo-26423: Fix possible overflow in wrap_lenfunc() when sizeof(long) < sizeof(Py_ssize_t) (e.g., 64-bit Windows).
  • bpo-36829: PyErr_WriteUnraisable now displays the exception even if displaying the traceback failed. Moreover, hold a strong reference to sys.stderr while using it. Document that an exception must be set when calling PyErr_WriteUnraisable.
  • bpo-36907: Fix a crash when calling a C function with a keyword dict (f(kwargs)) and changing the dict kwargs while that function is running.
  • bpo-36946: Fix possible signed integer overflow when handling slices.
  • bpo-27987: PyGC_Head structure is aligned to long double. This is needed to ensure GC-ed objects are aligned properly. Patch by Inada Naoki.
  • bpo-1875: A SyntaxError is now raised if a code block that will be optimized away (e.g. if conditions that are always false) contains syntax errors. Patch by Pablo Galindo. (Reverted in 3.7.4 final by bpo-37500.)
  • bpo-28866: Avoid caching attributes of classes whose type defines mro() to avoid a hard cache invalidation problem.
  • bpo-27639: Correct return type for UserList slicing operations. Patch by Michael Blahay, Erick Cervantes, and vaultah.
  • bpo-32849: Fix Python Initialization code on FreeBSD to detect properly when stdin file descriptor (fd 0) is invalid.
  • bpo-27987: pymalloc returns memory blocks aligned by 16 bytes, instead of 8 bytes, on 64-bit platforms to conform to the x86-64 ABI. Recent compilers assume this alignment more often. Patch by Inada Naoki.
  • bpo-36504: Fix signed integer overflow in _ctypes.c's PyCArrayType_new().
  • bpo-20844: Fix running script with encoding cookie and LF line ending may fail on Windows.
  • bpo-24214: Fixed support of the surrogatepass error handler in the UTF-8 incremental decoder.
  • bpo-36459: Fix a possible double PyMem_FREE() due to tokenizer.c's tok_nextc().
  • bpo-36433: Fixed TypeError message in classmethoddescr_call.
  • bpo-36430: Fix a possible reference leak in itertools.count.
  • bpo-36440: Include node names in ParserError messages, instead of numeric IDs. Patch by A. Skrobov.
  • bpo-36421: Fix a possible double decref in _ctypes.c's PyCArrayType_new().
  • bpo-36256: Fix bug in parsermodule when parsing a state in a DFA that has two or more arcs with labels of the same type. Patch by Pablo Galindo.
  • bpo-36236: At Python initialization, the current directory is no longer prepended to sys.path if it has been removed.
  • bpo-36262: Fix an unlikely memory leak on conversion from string to float in the function _Py_dg_strtod() used by float(str), complex(str), pickle.load, marshal.load, etc.
  • bpo-36218: Fix a segfault occurring when sorting a list of heterogeneous values. Patch contributed by Rémi Lapeyre and Elliot Gorokhovsky.
  • bpo-36035: Added fix for broken symlinks in combination with pathlib.
  • bpo-18372: Add missing PyObject_GC_Track calls in the pickle module. Patch by Zackery Spytz.
  • bpo-34408: Prevent a null pointer dereference and resource leakage in PyInterpreterState_New().

More. See Misc/NEWS in tarball.

comment:3 by Bruce Dubbs, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 21823.

comment:4 by Douglas R. Reno, 5 years ago

Priority: normal → high

bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.

Retroactively promote to High
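Added example, not part of the ticket or of CPython's own code: a defensive pre-screen for request targets that mirrors the CVE-2019-9740 fix quoted in comment:2 and comment:4, plus an offline check that the standard-library http.client now raises InvalidURL for such paths. The character class, the hostname example.invalid and the sample paths are assumptions constructed for this example.

```python
import http.client
import re

# Character class mirroring the bpo-30458 / CVE-2019-9740 fix described in the
# ticket: ASCII control characters, space and DEL are never allowed in a request
# target. (Assumption for this example, not copied from the CPython source.)
DISALLOWED_PCHAR = re.compile(r"[\x00-\x20\x7f]")


def disallowed_chars(path: str) -> list:
    """Return every disallowed character found in a request path, in order.

    Use this to pre-screen untrusted input before it reaches any HTTP client,
    including third-party ones that do not carry the 3.7.4 check.
    """
    return [m.group() for m in DISALLOWED_PCHAR.finditer(path)]


def stdlib_rejects(path: str) -> bool:
    """True if http.client refuses to build a request line for this path.

    putrequest() only buffers the request line and never opens a socket, so
    this runs offline. A fresh connection is created per call because a
    failed putrequest() leaves the connection in a request-started state.
    """
    conn = http.client.HTTPConnection("example.invalid")  # never connected
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


# Constructed sample request targets: a clean path, a percent-encoded space
# (legitimate), a bare space, and a CRLF sequence of the kind the fix blocks.
SAMPLES = [
    "/index.html",
    "/search?q=%20hello",
    "/index.html HTTP/1.1",
    "/index.html\r\nX-Injected: 1",
]


def audit(paths=SAMPLES) -> dict:
    """Map each path to (disallowed chars found, whether the stdlib rejects it)."""
    return {p: (disallowed_chars(p), stdlib_rejects(p)) for p in paths}


if __name__ == "__main__":
    for path, (bad, rejected) in audit().items():
        print(f"{path!r:40} disallowed={bad!r} stdlib_rejects={rejected}")
```

On a pre-3.7.4 interpreter stdlib_rejects() returns False for every path, which is exactly the gap this ticket's update closes.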
