- Update to 3.8.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
- Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
0xMNN00PP0L.
- Removed upstreamed patches:
- CVE-2021-28861-double-slash-path.patch
- Readjusted patches:
- bpo-31046_ensurepip_honours_prefix.patch
- sphinx-update-removed-function.patch
- (bsc#1196784, CVE-2022-25236) Add patch
support-expat-CVE-2022-25236-patched.patch to allow working
with different versions of libexpat.