Opened 2 years ago

Closed 2 years ago

#5177 closed enhancement (fixed)

python3-3.11.1

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 11.3
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Douglas R. Reno, 2 years ago

Priority: normalhigh

5 security fixes

comment:2 by Bruce Dubbs, 2 years ago

Version 0, edited 2 years ago by Bruce Dubbs (next)

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: newclosed

Fixed at commit c9aabf13a1e8e1fb57688a7dea2f2ca2f1a9e1ab

    Ensure a gawk hard link is updated in Chapter 8.
    Update to iana-etc-20221209.
    Update to vim-9.0.1060.
    Update to iproute2-6.1.0.
    Update to xz-5.4.0.
    Update to bash-5.2.15.
    Update to psmisc-23.6.
    Update to mpc-1.3.0.
    Update to python3-3.11.1.
    Update to procps-ng-4.0.2.

comment:4 by ken@…, 2 years ago

Resolution: fixed
Status: closedreopened

Security fixes: (note that the consolidated changelog is for all 3.11 releases and pre-releases.

    gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.

    This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

    gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module

    gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

    gh-98739: Update bundled libexpat to 2.5.0

    gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

gh-98433 is CVE-2022-4561, rated High

That is also fixed in Python-3.10.9 for people sticking to the 3.10 series to avoid rebuilding all the installed modules.

comment:5 by ken@…, 2 years ago

Resolution: fixed
Status: reopenedclosed

SA 11.2-060 created.

Note: See TracTickets for help on using tickets.