From Newsgroup: comp.lang.python.announce
Howdy!
Those are the boring security releases that aren’t supposed to bring anything new. But not this time! We do have a bit of news, actually. But first things first: go update your systems!
Python 3.10.14 <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-31014-1>

Get it here: Python Release Python 3.10.14 <https://www.python.org/downloads/release/python-31014/>

26 commits since last release.
Python 3.9.19 <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-3919-2>

Get it here: Python Release Python 3.9.19 <https://www.python.org/downloads/release/python-3919/>

26 commits since last release.
Python 3.8.19 <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-3819-3>

Get it here: Python Release Python 3.8.19 <https://www.python.org/downloads/release/python-3819/>

28 commits since last release.
Security content in this release <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#security-content-in-this-release-4>

gh-115399 <https://github.com/python/cpython/issues/115399> & gh-115398 <https://github.com/python/cpython/issues/115398>: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425 <https://www.cve.org/CVERecord?id=CVE-2023-52425>, and control of the new reparse deferral functionality was exposed with new APIs. Thanks to Sebastian Pipping, the maintainer of libexpat, who worked with us directly on incorporating those fixes!

gh-109858 <https://github.com/python/cpython/issues/109858>: zipfile is now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450 <https://www.cve.org/CVERecord?id=CVE-2024-0450>. It now raises BadZipFile when attempting to read an entry that overlaps with another entry or with the central directory.

gh-91133 <https://github.com/python/cpython/issues/91133>: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when working around file system permission errors, to address CVE-2023-6597 <https://www.cve.org/CVERecord?id=CVE-2023-6597>.

gh-115197 <https://github.com/python/cpython/issues/115197>: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows.

gh-81194 <https://github.com/python/cpython/issues/81194>: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed.

gh-113659 <https://github.com/python/cpython/issues/113659>: .pth files with names starting with a dot or containing the hidden file attribute are now skipped.

gh-102388 <https://github.com/python/cpython/issues/102388>: the iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds.

gh-114572 <https://github.com/python/cpython/issues/114572>: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store when the ssl.SSLContext is shared across multiple threads.
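To make the zipfile item concrete, here is an added example (not CPython's code, and not part of this announcement) that checks an archive for the same overlap condition the patched zipfile now rejects: an entry's local header plus compressed data running past the start of the next entry or of the central directory. It relies only on the public ZipFile attributes header_offset, compress_size and start_dir, so it reports such archives on any interpreter version; the two archives it inspects are constructed inside the block, the second a two-entry toy with the nesting the fix targets.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<IHHHHHIIIHH"  # 30-byte local file header, before the name/extra fields


def overlapping_entries(zip_bytes: bytes) -> list:
    """Names of entries whose local header plus compressed data run past the start of
    the next entry (or past the central directory): the condition the patched zipfile
    rejects with BadZipFile, checked here independently of the interpreter version."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
    flagged = []
    for pos, zi in enumerate(infos):
        # The *local* header's name/extra lengths decide where the data starts;
        # they may differ from the central directory's copy, so read them.
        hdr = struct.unpack(LOCAL_HDR, zip_bytes[zi.header_offset:zi.header_offset + 30])
        end = zi.header_offset + 30 + hdr[9] + hdr[10] + zi.compress_size
        limit = infos[pos + 1].header_offset if pos + 1 < len(infos) else zf.start_dir
        if end > limit:
            flagged.append(zi.orig_filename)
    return flagged

def _local(name: bytes, data: bytes) -> bytes:  # stored (uncompressed) local record
    return struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, 0, 0, 0, zlib.crc32(data),
                       len(data), len(data), len(name), 0) + name + data

def _central(name: bytes, data: bytes, offset: int) -> bytes:  # central directory entry
    return struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, 0, 0, 0,
                       zlib.crc32(data), len(data), len(data), len(name),
                       0, 0, 0, 0, 0, offset) + name

def make_clean_zip() -> bytes:
    """Constructed fixture: an ordinary two-entry archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world")
    return buf.getvalue()

def make_overlapping_zip() -> bytes:
    """Constructed fixture: b.txt's whole local record is stored as the *data* of
    a.txt and the central directory lists both, so a.txt's data region overlaps b.txt."""
    inner = _local(b"b.txt", b"hello")
    outer = _local(b"a.txt", inner)
    cd = _central(b"a.txt", inner, 0) + _central(b"b.txt", b"hello", 30 + len(b"a.txt"))
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 2, 2, len(cd), len(outer), 0)
    return outer + cd + eocd
```

On a patched interpreter, reading a.txt from the second archive raises BadZipFile as the announcement describes; overlapping_entries() reports the same entry without depending on that check being present.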
Stay safe and upgrade! <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#stay-safe-and-upgrade-5>

Upgrading is highly recommended to all users of affected versions.
Source builds are moving to GitHub Actions <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#source-builds-are-moving-to-github-actions-6>

It’s not something you will notice when downloading, but 3.10.14 here is the first release we’ve done where the source artifacts were built on GHA <https://github.com/python/release-tools/actions/runs/8350750234> and not on a local computer of one of the release managers. We have the Security Developer in Residence @sethmlarson <https://discuss.python.org/u/sethmlarson> to thank for that!

It’s a big deal since public builds allow for easier auditing and repeatability. It also helps with the so-called bus factor. In fact, to test this out, this build of 3.10.14 was triggered by me and not Pablo, who would usually release Python 3.10.

The artifacts are later still signed by the respective release manager, ensuring integrity when put on the downloads server.
Python now manages its own CVEs <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-now-manages-its-own-cves-7>

The security releases you’re looking at are the first after the PSF became a CVE Numbering Authority <https://www.cve.org/Media/News/item/news/2023/08/29/Python-Software-Foundation-Added-as-CNA>. That’s also thanks to @sethmlarson <https://discuss.python.org/u/sethmlarson>. What being our own CNA allows us to do is to ensure that the quality of the vulnerability reports is high and the severity estimate is accurate. Seth summarized it best in his announcement here <https://discuss.python.org/t/the-python-software-foundation-has-been-authorized-by-the-cve-program-as-a-cve-numbering-authority-cna/32561>.

What this also allows us to do is to combine the announcement of CVEs with the release of patched versions of Python. This is in fact the case with two of the CVEs listed above (CVE-2023-6597 <https://www.cve.org/CVERecord?id=CVE-2023-6597> and CVE-2024-0450 <https://www.cve.org/CVERecord?id=CVE-2024-0450>). And since Seth is now traveling, this announcement duty was fulfilled by the PSF’s Director of Infrastructure @EWDurbin <https://discuss.python.org/u/ewdurbin>. Thanks!

I’m happy to see us successfully testing bus factor resilience on multiple fronts with this round of releases.
Thank you for your support <https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#thank-you-for-your-support-8>

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Python.org <http://python.org/> - the official home of the Python Programming Language.
–
Łukasz Langa @ambv <https://discuss.python.org/u/ambv>
on behalf of your friendly release team,
Ned Deily @nad <https://discuss.python.org/u/nad>
Steve Dower @steve.dower <https://discuss.python.org/u/steve.dower>
Pablo Galindo Salgado @pablogsal <https://discuss.python.org/u/pablogsal>
Łukasz Langa @ambv <https://discuss.python.org/u/ambv>
Thomas Wouters @thomas <https://discuss.python.org/u/thomas>