Mailman 3 January 2020 - Python-announce-list

[ANN][SECURITY] Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode
by Hartmut Goebel Jan. 9, 2020

Jan. 9, 2020

Severity: high: CVSSv3 score: 7.0 Packages: PyInstaller (Windows) Affected versions: <= 3.5 Patched versions: 3.6, available at https://pypi.org/project/PyInstaller/ CVE identifier: CVE-2019-16784 Impact *Local Privilege Escalation *in all *Windows software frozen by PyInstaller* in "onefile" mode, caused by insecure directory permissions of sys._MEIPATH. While PyInstaller itself was not vulnerable, *all Windows software frozen by PyInstaller in “onefile” mode is vulnerable.* The vulnerability is present only on Windows and in this particular case: If a /software frozen by PyInstaller in "onefile" mode/**is launched by a (privileged) user who has /his/her "TempPath" resolving to a world writable directory/. This is the case e.g. if the software is launched as a service or as a scheduled task using a system account (in which case TempPath will default to C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker has launched the exploit program. So for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade). While PyInstaller itself was not vulnerable, all Windows software frozen by PyInstaller in "onefile" mode is vulnerable. CVSSv3 score: 7.0 (High) CVSSv3 vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Patches The problem is patched in commits 42a67148b3bdf9 (fixed code) <https://github.com/pyinstaller/pyinstaller/commit/42a67148b3bdf9211fda8499f…> and be948cf09547 (recompiled bootloaders) <https://github.com/pyinstaller/pyinstaller/commit/be948cf0954707671aa499da1…>. Users should upgrade to PyInstaller version 3.6 and rebuild their software. The new version is available at https://pypi.org/project/PyInstaller/ Workarounds There is no known workaround: Users using PyInstaller to freeze their Windows software using "onefile" mode should upgrade PyInstaller and rebuild their software. The new version is available at https://pypi.org/project/PyInstaller/ Credits This vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with Hartmut Goebel (@htgoebel, maintainer of PyInstaller). Funding Development PyInstaller is in urgent need of funding to make future security fixes happen, see <https://github.com/pyinstaller/pyinstaller/issues/4404> for details. -- Schönen Gruß Hartmut Goebel Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer Information Security Management, Security Governance, Secure Software Development Goebel Consult, Landshut http://www.goebel-consult.de Blog: https://www.goe-con.de/blog/e-mails-weiterhin-verschlusseln Kolumne: https://www.goe-con.de/hartmut-goebel/cissp-gefluester/2010-11-it-sicherhei…

1 0

[ANN] PyInstaller 3.6
by Hartmut Goebel Jan. 9, 2020

Jan. 9, 2020

Hello, on behalf of the PyInstaller development team I'm happy to announce PyInstaller 3.6. This version fixes a Local Privilege Escalation vulnerability effecting all Windows software frozen by PyInstaller in "onefile" mode - no matter which version of PyInstaller was used. http://www.pyinstaller.org Thanks for all those who contributed questions, bug-reports or pull-requests. PyInstaller is in urgent need of funding to make future security fixes happen, see <https://github.com/pyinstaller/pyinstaller/issues/4404> for details. === What it is === PyInstaller bundles a Python application and all its dependencies into a single package. The user can run the packaged app without installing a Python interpreter or any modules. PyInstaller reads a Python script written by you. It analyzes your code to discover every other module and library your script needs in order to execute. Then it collects copies of all those files – including the active Python interpreter! – and puts them with your script in a single folder, or optionally in a single executable file. PyInstaller is tested against Windows, Mac OS X, and Linux. However, it is not a cross-compiler: to make a Windows app you run PyInstaller in Windows; to make a Linux app you run it in Linux, etc. PyInstaller has been used successfully with AIX, Solaris, and FreeBSD, but is not tested against them. === Help keeping PyInstaller alive === Maintaining PyInstaller is a huge amount of work. PyInstaller development can only continue if users and companies provide sustainable funding. Please consider recurring donations. See http://www.pyinstaller.org/funding.html for how to support PyInstaller. === Installation === PyInstaller can be installed from PyPi using pip install pyinstaller === Important Changes === * Fixes a Local Privilege Escalation vulnerability effecting all Windows software frozen vy PyInstaller in "onefile" mode. * More then 20 hooks added, more then 15 hooks fixed or improved. * More then 20 bugs fixed. * Python 3.4 is no longer tested, since this version is end-of-life already. The full changelog for this release can be found at: https://pyinstaller.readthedocs.io/en/v3.6/CHANGES.html === Feedback === We're eager to listen to your feedback on using PyInstaller: Bug tracker: https://github.com/pyinstaller/pyinstaller/issues Mailing list: http://groups.google.com/group/PyInstaller -- Schönen Gruß Hartmut Goebel Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer Information Security Management, Security Governance, Secure Software Development Goebel Consult, Landshut http://www.goebel-consult.de Blog: http://www.goebel-consult.de/blog/warum-sie-nicht-perl-programmiern-sollten Kolumne: http://www.cissp-gefluester.de/2012-02-bring-your-own-life-glosse

1 0

ANN: Astropy v4.0 released
by Erik Tollerud Jan. 9, 2020

Jan. 9, 2020

Dear colleagues, We are very happy to announce the v4.0 release of the Astropy package, a core Python package for Astronomy: http://www.astropy.org Astropy is a community-driven Python package intended to contain much of the core functionality and common tools needed for astronomy and astrophysics. It is part of the Astropy Project, which aims to foster an ecosystem of interoperable astronomy packages for Python. New and improved major functionality in this release includes: * Support for Planck 2018 Cosmological Parameters * Improved Consistency of Physical Constants and Units * Scientific enhancements to the Galactocentric Frame * New ymdhms Time Format * New Context Manager for plotting time values * Dynamic and improved handling of leap second * Major Improvements in Compatibility of Quantity Objects with NumPy Functions * Multiple interface improvements to WCSAxes * Fitting of WCS to Pairs of Pixel/World Coordinates * Support for WCS Transformations between Pixel and Time Values * Improvements to Folding for Time Series * New Table Methods and significant performance improvements for Tables * Improved downloading and caching of remote files In addition, hundreds of smaller improvements and fixes have been made. An overview of the changes is provided at: http://docs.astropy.org/en/stable/whatsnew/4.0.html The Astropy v4.0.x series now replaces v2.0.x as the long term support release, and will be supported until the end of 2021. Also note that the Astropy 4.x series only supports Python 3. Python 2 users can continue to use the 2.x series but as of now it is no longer supported (as Python 2 itself is no longer supported). For assistance converting Python 2 code to Python 3, see the Python 3 for scientists conversion guide. Instructions for installing Astropy are provided on our website, and extensive documentation can be found at: http://docs.astropy.org If you make use of the Anaconda Python Distribution, you can update to Astropy v4.0 with: conda update astropy Whereas if you usually use pip, you can do: pip install astropy --upgrade Please report any issues, or request new features via our GitHub repository: https://github.com/astropy/astropy/issues Over 350 developers have contributed code to Astropy so far, and you can find out more about the team behind Astropy here: http://www.astropy.org/team.html If you use Astropy directly for your work, or as a dependency to another package, please remember to acknowledgment it by citing the appropriate Astropy paper. For the most up-to-date suggestions, see the acknowledgement page, but as of this release the recommendation is: This research made use of Astropy, a community-developed core Python package for Astronomy (Astropy Collaboration, 2018). Special thanks to the coordinator for this release: Brigitta Sipocz. We hope that you enjoy using Astropy as much as we enjoyed developing it! Erik Tollerud, Tom Robitaille, Kelle Cruz, and Tom Aldcroft on behalf of The Astropy Collaboration https://www.astropy.org/announcements/release-4.0.html

1 0

PyInstaller needs Funding by your Company
by Hartmut Goebel Jan. 7, 2020

Jan. 7, 2020

Hi, as some of you might already know: PyInstaller is in urgent need of funding. If you are working for a company using PyInstaller, please make them pay their share. For details see <https://github.com/pyinstaller/pyinstaller/issues/4404> *If reasonable funding is not achieved until end of January 2020, @htgoebel <https://github.com/htgoebel> will retire as an maintainer.* This basically means: Unless somebody else steps in, there will be nobody reviewing any pull-request, there will be not improvement and sooner or later you will not be able to use PyInstaller any more. P.S.: Many thanks for those who donated from their personal money. We really appreciate this! What is "sustainable funding"? Maintianing PyInstaller at a proper level requires about 4 to 5 days per month. Which means about 4,000 to 5,000 € per month and about 50,000 to 60,000 € per year. -- Schönen Gruß Hartmut Goebel Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer Information Security Management, Security Governance, Secure Software Development Goebel Consult, Landshut http://www.goebel-consult.de Blog: https://www.goe-con.de/blog/bin-offiziell-entdecker-einer-sicherheitslucke Kolumne: https://www.goe-con.de/hartmut-goebel/cissp-gefluester/2012-01-in-die-cloud…

1 0

NumPy 1.18.1 released
by Charles R Harris Jan. 6, 2020

Jan. 6, 2020

Hi All, On behalf of the NumPy team I am pleased to announce that NumPy 1.18.1 has been released. This release contains fixes for bugs reported against NumPy 1.18.0. Two bugs in particular that caused widespread problems downstream were: - The cython random extension test was not using a temporary directory for building, resulting in a permission violation. Fixed. - Numpy distutils was appending -std=c99 to all C compiler runs, leading to changed behavior and compile problems downstream. That flag is now only applied when building numpy C code. The Python versions supported in this release are 3.5-3.8. Downstream developers should use Cython >= 0.29.14 for Python 3.8 support and OpenBLAS >= 3.7 to avoid errors on the Skylake architecture. Wheels for this release can be downloaded from PyPI <https://pypi.org/project/numpy/1.18.1>, source archives and release notes are available from Github <https://github.com/numpy/numpy/releases/tag/v1.18.1>. *Contributors* A total of 7 people contributed to this release. People with a "+" by their names contributed a patch for the first time. - Charles Harris - Matti Picus - Maxwell Aladago - Pauli Virtanen - Ralf Gommers - Tyler Reddy - Warren Weckesser *Pull requests merged* A total of 13 pull requests were merged for this release. - `#15158 <https://github.com/numpy/numpy/pull/15158>`__: MAINT: Update pavement.py for towncrier. - `#15159 <https://github.com/numpy/numpy/pull/15159>`__: DOC: add moved modules to 1.18 release note - `#15161 <https://github.com/numpy/numpy/pull/15161>`__: MAINT, DOC: Minor backports and updates for 1.18.x - `#15176 <https://github.com/numpy/numpy/pull/15176>`__: TST: Add assert_array_equal test for big integer arrays - `#15184 <https://github.com/numpy/numpy/pull/15184>`__: BUG: use tmp dir and check version for cython test. - `#15220 <https://github.com/numpy/numpy/pull/15220>`__: BUG: distutils: fix msvc+gfortran openblas handling corner case - `#15221 <https://github.com/numpy/numpy/pull/15221>`__: BUG: remove -std=c99 for c++ compilation - `#15222 <https://github.com/numpy/numpy/pull/15222>`__: MAINT: unskip test on win32 - `#15223 <https://github.com/numpy/numpy/pull/15223>`__: TST: add BLAS ILP64 run in Travis & Azure - `#15245 <https://github.com/numpy/numpy/pull/15245>`__: MAINT: only add --std=c99 where needed - `#15246 <https://github.com/numpy/numpy/pull/15246>`__: BUG: lib: Fix handling of integer arrays by gradient. - `#15247 <https://github.com/numpy/numpy/pull/15247>`__: MAINT: Do not use private Python function in testing - `#15250 <https://github.com/numpy/numpy/pull/15250>`__: REL: Prepare for the NumPy 1.18.1 release. Cheers, Charles Harris

1 0

[ANN] PyYAML-5.3: YAML parser and emitter for Python
by Tina Müller Jan. 6, 2020

Jan. 6, 2020

======================= Announcing PyYAML-5.3 ======================= A new release of PyYAML is now available: https://pypi.org/project/PyYAML/ This release contains some bugfixes (handling of slots, enable unicode for maxunicode < 0xffff, enable large files), enhancements (create timezone aware datetimes) and some other small enhancements. Changes ======= * https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for comparing with `None` * https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit * https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo * https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__ * https://github.com/yaml/pyyaml/pull/358 -- Allow calling add_multi_constructor with None * https://github.com/yaml/pyyaml/pull/285 -- Add use of safe_load() function in README * https://github.com/yaml/pyyaml/pull/351 -- Fix reader for Unicode code points over 0xFFFF * https://github.com/yaml/pyyaml/pull/360 -- Enable certain unicode tests when maxunicode not > 0xffff * https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight example * https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is implemented with Cython * https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10 * https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line, and column fields * https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports * https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes when parsed as such * https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone Resources ========= PyYAML IRC Channel: #pyyaml on irc.freenode.net PyYAML homepage: https://github.com/yaml/pyyaml PyYAML documentation: http://pyyaml.org/wiki/PyYAMLDocumentation Source and binary installers: https://pypi.org/project/PyYAML/ GitHub repository: https://github.com/yaml/pyyaml/ Bug tracking: https://github.com/yaml/pyyaml/issues YAML homepage: http://yaml.org/ YAML-core mailing list: http://lists.sourceforge.net/lists/listinfo/yaml-core About PyYAML ============ YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python. PyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML supports standard YAML tags and provides Python-specific tags that allow to represent an arbitrary Python object. PyYAML is applicable for a broad range of tasks from complex configuration files to object serialization and persistence. Example ======= >>> import yaml >>> yaml.full_load(""" ... name: PyYAML ... description: YAML parser and emitter for Python ... homepage: https://github.com/yaml/pyyaml ... keywords: [YAML, serialization, configuration, persistence, pickle] ... """) {'keywords': ['YAML', 'serialization', 'configuration', 'persistence', 'pickle'], 'homepage': 'https://github.com/yaml/pyyaml', 'description': 'YAML parser and emitter for Python', 'name': 'PyYAML'} >>> print(yaml.dump(_)) name: PyYAML homepage: https://github.com/yaml/pyyaml description: YAML parser and emitter for Python keywords: [YAML, serialization, configuration, persistence, pickle] Maintainers =========== The following people are currently responsible for maintaining PyYAML: * Ingy döt Net * Tina Mueller * Matt Davis and many thanks to all who have contribributed! See: https://github.com/yaml/pyyaml/pulls Copyright ========= Copyright (c) 2017-2019 Ingy döt Net <ingy(a)ingy.net> Copyright (c) 2006-2016 Kirill Simonov <xi(a)resolvent.net> The PyYAML module was written by Kirill Simonov <xi(a)resolvent.net>. It is currently maintained by the YAML and Python communities. PyYAML is released under the MIT license. See the file LICENSE for more details.

1 0

Announcing Numexpr 2.7.1
by Robert McLeod Jan. 5, 2020

Jan. 5, 2020

Hi everyone, This is a version bump to add support for Python 3.8 and NumPy 1.18. We are also removing support for Python 3.4. Project documentation is available at: http://numexpr.readthedocs.io/ Changes from 2.7.0 to 2.7.1 ---------------------------- - Python 3.8 support has been added. - Python 3.4 support is discontinued. - The tests are now compatible with NumPy 1.18. - `site.cfg.example` was updated to use the `libraries` tag instead of `mkl_libs`, which is recommended for newer version of NumPy. What's Numexpr? --------------- Numexpr is a fast numerical expression evaluator for NumPy. With it, expressions that operate on arrays (like "3*a+4*b") are accelerated and use less memory than doing the same calculation in Python. It has multi-threaded capabilities, as well as support for Intel's MKL (Math Kernel Library), which allows an extremely fast evaluation of transcendental functions (sin, cos, tan, exp, log...) while squeezing the last drop of performance out of your multi-core processors. Look here for a some benchmarks of numexpr using MKL: https://github.com/pydata/numexpr/wiki/NumexprMKL Its only dependency is NumPy (MKL is optional), so it works well as an easy-to-deploy, easy-to-use, computational engine for projects that don't want to adopt other solutions requiring more heavy dependencies. Where I can find Numexpr? ------------------------- The project is hosted at GitHub in: https://github.com/pydata/numexpr You can get the packages from PyPI as well (but not for RC releases): http://pypi.python.org/pypi/numexpr Documentation is hosted at: http://numexpr.readthedocs.io/en/latest/ Share your experience --------------------- Let us know of any bugs, suggestions, gripes, kudos, etc. you may have. Enjoy data! -- Robert McLeod robbmcleod(a)gmail.com robert.mcleod(a)hitachi-hhtc.ca

1 0

cx_Freeze 6.1
by Anthony Tuininga Jan. 4, 2020

Jan. 4, 2020

What is cx_Freeze? cx_Freeze is a set of scripts and modules for freezing Python scripts into executables, in much the same way that py2exe and py2app do. Unlike these two tools, cx_Freeze is cross platform and should work on any platform that Python itself works on. It supports Python 3.5 or higher. For Python 2.7, use version 5. More information can be found at the web site: https://anthony-tuininga.github.io/cx_Freeze What's new? cx_Freeze 6.1 adds support for Python 3.8 and makes a lot of small improvements, particularly to hooks for commonly used packages. The full release notes can be read here: https://cx-freeze.readthedocs.io/en/latest/releasenotes.html#version-6-1-ja… Thanks once again to Marcelo Duarte for his help in making this release happen in a timely fashion! To install, use the following command: python -m pip install cx_Freeze --upgrade

1 0

pytest 4.6.9 released!
by Anthony Sottile Jan. 4, 2020

Jan. 4, 2020

*note* this release marks the beginning of "community supported 4.6 maintenance" Until January 2020, the pytest core team ported many bug-fixes from the main release into the `4.6-maintenance` branch, with several 4.6.X releases being made along the year. From now on, the core team will *no longer actively backport patches*, but the `4.6-maintenance` branch will continue to exist so the community itself can contribute patches. The core team will be happy to accept those patches, and make new 4.6.X releases *until mid-2020* (but consider that date as a ballpark, after that date the team might still decide to make new releases for critical bugs). pytest-4.6.9 ======================================= pytest 4.6.9 has just been released to PyPI. This is a bug-fix release, being a drop-in replacement. To upgrade:: pip install --upgrade pytest The full changelog is available at https://docs.pytest.org/en/latest/changelog.html. Thanks to all who contributed to this release, among them: * Anthony Sottile * Bruno Oliveira * Felix Yan * Hugo Happy testing, The pytest Development Team

1 0

NumPy 1.17.5 Released
by Charles R Harris Jan. 1, 2020

Jan. 1, 2020

Hi All, On behalf of the NumPy team I am pleased to announce that NumPy 1.17.5 has been released. This release fixes bugs reported against the 1.17.4 release. The supported Python versions are 3.5-3.7. This is the last planned release that supports Python 3.5. Wheels for this release can be downloaded from PyPI <https://pypi.org/project/numpy/1.17.5>, source archives and release notes are available from Github <https://github.com/numpy/numpy/releases/tag/v1.17.5>. Downstream developers building this release should use Cython >= 0.29.14 and, if using OpenBLAS, OpenBLAS >= v0.3.7. It is recommended that developers interested in the new random bit generators upgrade to the NumPy 1.18.x series, as it has updated documentation and many small improvements. *Highlights* - The ``np.testing.utils`` functions have been updated from 1.19.0-dev0. This improves the function documentation and error messages as well extending the ``assert_array_compare`` function to additional types. *Contributors* A total of 6 people contributed to this release. People with a "+" by their names contributed a patch for the first time. - Charles Harris - Eric Wieser - Ilhan Polat - Matti Picus - Michael Hudson-Doyle - Ralf Gommers *Pull requests merged* A total of 8 pull requests were merged for this release. - `#14593 <https://github.com/numpy/numpy/pull/14593>`__: MAINT: backport Cython API cleanup to 1.17.x, remove docs - `#14937 <https://github.com/numpy/numpy/pull/14937>`__: BUG: fix integer size confusion in handling array's ndmin argument - `#14939 <https://github.com/numpy/numpy/pull/14939>`__: BUILD: remove SSE2 flag from numpy.random builds - `#14993 <https://github.com/numpy/numpy/pull/14993>`__: MAINT: Added Python3.8 branch to dll lib discovery - `#15038 <https://github.com/numpy/numpy/pull/15038>`__: BUG: Fix refcounting in ufunc object loops - `#15067 <https://github.com/numpy/numpy/pull/15067>`__: BUG: Exceptions tracebacks are dropped - `#15175 <https://github.com/numpy/numpy/pull/15175>`__: ENH: Backport improvements to testing functions. - `#15213 <https://github.com/numpy/numpy/pull/15213>`__: REL: Prepare for the NumPy 1.17.5 release. Cheers, Charles Harris

1 0