Overview
Request 1041730 accepted
- Update to 3.10.9:
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server lo This is done by changing
the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before
printin
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- On Linux the multiprocessing module returns
to using filesystem backed unix domain sockets for
communication with the forkserver process instead of the
Linux abstract socket namespace. Only code that chooses
to use the “forkserver” start method is affected Abstract
sockets have no permissions and could allow any user
on the system in the same network namespace (often the
whole system) to inject code into the multiprocessing
forkserver process. This was a potential privilege
escalation. Filesystem based socket permissions restrict
this to the forkserver process user as was the default in
Request History
mcepl created request
- Update to 3.10.9:
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server lo This is done by changing
the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before
printin
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- On Linux the multiprocessing module returns
to using filesystem backed unix domain sockets for
communication with the forkserver process instead of the
Linux abstract socket namespace. Only code that chooses
to use the “forkserver” start method is affected Abstract
sockets have no permissions and could allow any user
on the system in the same network namespace (often the
whole system) to inject code into the multiprocessing
forkserver process. This was a potential privilege
escalation. Filesystem based socket permissions restrict
this to the forkserver process user as was the default in
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
dimstar_suse set openSUSE:Factory:Staging:C as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:C"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:C"
dimstar accepted review
dimstar_suse accepted review
Staging Project openSUSE:Factory:Staging:C got accepted.
dimstar_suse approved review
Staging Project openSUSE:Factory:Staging:C got accepted.
dimstar_suse accepted request
Staging Project openSUSE:Factory:Staging:C got accepted.
