diff options
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r-- | ChangeLog.txt | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt index 32d689fc6..a4bb23b23 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,42 @@ +Wed Dec 7 18:48:07 UTC 2022 +patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 + (heap use-after-free). + gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio + related name resolution functions no longer involves a quadratic algorithm + to fix CVE-2022-45061. This prevents a potential CPU denial of service if an + out-of-spec excessive length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name. + gh-100001: python -m http.server no longer allows terminal control characters + sent within a garbage request to be printed to the stderr server log. + gh-87604: Avoid publishing list of active per-interpreter audit hooks via the + gc module. + gh-97514: On Linux the multiprocessing module returns to using filesystem + backed unix domain sockets for communication with the forkserver process + instead of the Linux abstract socket namespace. Only code that chooses to use + the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 + (potential privilege escalation) as abstract sockets have no permissions and + could allow any user on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing forkserver process. + Filesystem based socket permissions restrict this to the forkserver process + user as was the default in Python 3.8 and earlier. + gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix + CVE-2022-37454. + gh-68966: The deprecated mailcap module now refuses to inject unsafe text + (filenames, MIME types, parameters) into shell commands to address + CVE-2015-20107. Instead of using such text, it will warn and act as if a + match was not found (or for test commands, as if the test failed). + For more information, see: + https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html + https://www.cve.org/CVERecord?id=CVE-2022-43680 + https://www.cve.org/CVERecord?id=CVE-2022-45061 + https://www.cve.org/CVERecord?id=CVE-2022-42919 + https://www.cve.org/CVERecord?id=CVE-2022-37454 + https://www.cve.org/CVERecord?id=CVE-2015-20107 + (* Security fix *) ++--------------------------+ Mon Dec 5 21:00:46 UTC 2022 patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz: Upgraded. This update provides the latest CA certificates to check for the |