summaryrefslogtreecommitdiffstats
path: root/ChangeLog.txt
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r--ChangeLog.txt39
1 files changed, 39 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 32d689fc6..a4bb23b23 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,42 @@
+Wed Dec 7 18:48:07 UTC 2022
+patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded.
+ This update fixes security issues:
+ gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
+ (heap use-after-free).
+ gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
+ related name resolution functions no longer involves a quadratic algorithm
+ to fix CVE-2022-45061. This prevents a potential CPU denial of service if an
+ out-of-spec excessive length hostname involving bidirectional characters were
+ decoded. Some protocols such as urllib http 3xx redirects potentially allow
+ for an attacker to supply such a name.
+ gh-100001: python -m http.server no longer allows terminal control characters
+ sent within a garbage request to be printed to the stderr server log.
+ gh-87604: Avoid publishing list of active per-interpreter audit hooks via the
+ gc module.
+ gh-97514: On Linux the multiprocessing module returns to using filesystem
+ backed unix domain sockets for communication with the forkserver process
+ instead of the Linux abstract socket namespace. Only code that chooses to use
+ the "forkserver" start method is affected. This prevents Linux CVE-2022-42919
+ (potential privilege escalation) as abstract sockets have no permissions and
+ could allow any user on the system in the same network namespace (often the
+ whole system) to inject code into the multiprocessing forkserver process.
+ Filesystem based socket permissions restrict this to the forkserver process
+ user as was the default in Python 3.8 and earlier.
+ gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix
+ CVE-2022-37454.
+ gh-68966: The deprecated mailcap module now refuses to inject unsafe text
+ (filenames, MIME types, parameters) into shell commands to address
+ CVE-2015-20107. Instead of using such text, it will warn and act as if a
+ match was not found (or for test commands, as if the test failed).
+ For more information, see:
+ https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html
+ https://www.cve.org/CVERecord?id=CVE-2022-43680
+ https://www.cve.org/CVERecord?id=CVE-2022-45061
+ https://www.cve.org/CVERecord?id=CVE-2022-42919
+ https://www.cve.org/CVERecord?id=CVE-2022-37454
+ https://www.cve.org/CVERecord?id=CVE-2015-20107
+ (* Security fix *)
++--------------------------+
Mon Dec 5 21:00:46 UTC 2022
patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
generated by cgit v1.2.3-65-gdbad (git 2.45.1) at 2024-06-21 17:46:16 +0000