Update to Python 3.10.13 #4010

Merged
merged 1 commit into from
Oct 16, 2023

Conversation

jwhitlock
Member

Update from Python 3.10.11 to 3.10.13.

Python 3.10.12

Released June 6, 2023. Security release, no more binary installers.

  • gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
  • gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
  • gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  • gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  • gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
  • gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details.

Python 3.10.13

Released Aug. 24, 2023. Security release, no more binary installers.

  • gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and its included protections (like certificate verification), treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.

@jwhitlock jwhitlock requested a review from say-yawn October 16, 2023 15:34
Contributor

@say-yawn say-yawn left a comment


Looks good to me. Found the issues and fixes for urllib.parse.urlsplit() and uu.decode() interesting.

@say-yawn say-yawn added this pull request to the merge queue Oct 16, 2023
Merged via the queue into main with commit 7085e06 Oct 16, 2023
@say-yawn say-yawn deleted the python-3-10-13 branch October 16, 2023 16:06