[Python-checkins] Python 3.9.16

ambv webhook-mailer at python.org
Tue Dec 6 13:51:27 EST 2022


https://github.com/python/cpython/commit/595f9ccb0c059f2fb5bf13643bfc0cdd5b55a422
commit: 595f9ccb0c059f2fb5bf13643bfc0cdd5b55a422
branch: 3.9
author: Łukasz Langa <lukasz at langa.pl>
committer: ambv <lukasz at langa.pl>
date: 2022-12-06T18:59:46+01:00
summary:

Python 3.9.16

files:
A Misc/NEWS.d/3.9.16.rst
D Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
D Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
D Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
D Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst
D Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
D Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
D Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst
M Include/patchlevel.h
M README.rst

diff --git a/Include/patchlevel.h b/Include/patchlevel.h
index 8af690f9eded..e33d9a1d0170 100644
--- a/Include/patchlevel.h
+++ b/Include/patchlevel.h
@@ -18,12 +18,12 @@
 /*--start constants--*/
 #define PY_MAJOR_VERSION        3
 #define PY_MINOR_VERSION        9
-#define PY_MICRO_VERSION        15
+#define PY_MICRO_VERSION        16
 #define PY_RELEASE_LEVEL        PY_RELEASE_LEVEL_FINAL
 #define PY_RELEASE_SERIAL       0
 
 /* Version as a string */
-#define PY_VERSION              "3.9.15+"
+#define PY_VERSION              "3.9.16"
 /*--end constants--*/
 
 /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2.
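Review bot: The micro version and the version string agree (`PY_MICRO_VERSION 16` and `PY_VERSION "3.9.16"`), and dropping the `+` suffix from `"3.9.15+"` is the right signal that this header now describes a tagged release rather than a post-release development build. `PY_RELEASE_LEVEL` staying at `PY_RELEASE_LEVEL_FINAL` with `PY_RELEASE_SERIAL 0` is correct for a final bugfix release, and the 4-byte hex form mentioned in the trailing context comment is built from these same macros, so no further edit to this header is needed.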
diff --git a/Misc/NEWS.d/3.9.16.rst b/Misc/NEWS.d/3.9.16.rst
new file mode 100644
index 000000000000..408cd9ca300c
--- /dev/null
+++ b/Misc/NEWS.d/3.9.16.rst
@@ -0,0 +1,90 @@
+.. date: 2022-12-05-01-39-10
+.. gh-issue: 100001
+.. nonce: uD05Fc
+.. release date: 2022-12-06
+.. section: Security
+
+``python -m http.server`` no longer allows terminal control characters sent
+within a garbage request to be printed to the stderr server log.
+
+This is done by changing the :mod:`http.server`
+:class:`BaseHTTPRequestHandler` ``.log_message`` method to replace control
+characters with a ``\xHH`` hex escape before printing.
+
+..
+
+.. date: 2022-11-11-12-50-28
+.. gh-issue: 87604
+.. nonce: OtwH5L
+.. section: Security
+
+Avoid publishing list of active per-interpreter audit hooks via the
+:mod:`gc` module
+
+..
+
+.. date: 2022-11-04-09-29-36
+.. gh-issue: 98433
+.. nonce: l76c5G
+.. section: Security
+
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or
+:mod:`asyncio` related name resolution functions no longer involves a
+quadratic algorithm. This prevents a potential CPU denial of service if an
+out-of-spec excessive length hostname involving bidirectional characters
+were decoded. Some protocols such as :mod:`urllib` http ``3xx`` redirects
+potentially allow for an attacker to supply such a name.
+
+..
+
+.. date: 2022-10-26-21-04-23
+.. gh-issue: 98739
+.. nonce: keBWcY
+.. section: Security
+
+Update bundled libexpat to 2.5.0
+
+..
+
+.. date: 2022-10-21-13-31-47
+.. gh-issue: 98517
+.. nonce: SXXGfV
+.. section: Security
+
+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
+
+..
+
+.. date: 2022-09-07-10-42-00
+.. gh-issue: 97514
+.. nonce: Yggdsl
+.. section: Security
+
+On Linux the :mod:`multiprocessing` module returns to using filesystem
+backed unix domain sockets for communication with the *forkserver* process
+instead of the Linux abstract socket namespace.  Only code that chooses to
+use the :ref:`"forkserver" start method <multiprocessing-start-methods>` is
+affected.
+
+Abstract sockets have no permissions and could allow any user on the system
+in the same `network namespace
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often
+the whole system) to inject code into the multiprocessing *forkserver*
+process. This was a potential privilege escalation. Filesystem based socket
+permissions restrict this to the *forkserver* process user as was the
+default in Python 3.8 and earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
+
+..
+
+.. date: 2022-04-27-18-25-30
+.. gh-issue: 68966
+.. nonce: gjS8zs
+.. section: Security
+
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
+MIME types, parameters) into shell commands. Instead of using such text, it
+will warn and act as if a match was not found (or for test commands, as if
+the test failed).
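Review bot: Style point on CVE references within the new file: the gh-issue 98517 entry names `CVE-2022-37454` as bare text, while the gh-issue 97514 entry links `CVE-2022-42919` with an explicit `` `CVE-2022-42919 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_ `` reference; linking both the same way would let readers of the rendered changelog reach the advisory directly. Two entries (gh-issue 87604, "Avoid publishing list of active per-interpreter audit hooks via the :mod:`gc` module", and gh-issue 98739, "Update bundled libexpat to 2.5.0") also lack a terminating period, unlike the other five. Otherwise the roll-up looks right: all seven entries are in the Security section and match the fragments deleted further down, the `.. release date: 2022-12-06` field appears once on the first entry, and the `+1,90` hunk count matches the 90 inserted lines.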
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
deleted file mode 100644
index da81a1f6993d..000000000000
--- a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-The deprecated mailcap module now refuses to inject unsafe text (filenames,
-MIME types, parameters) into shell commands. Instead of using such text, it
-will warn and act as if a match was not found (or for test commands, as if
-the test failed).
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
deleted file mode 100644
index 02d95b570520..000000000000
--- a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+++ /dev/null
@@ -1,15 +0,0 @@
-On Linux the :mod:`multiprocessing` module returns to using filesystem backed
-unix domain sockets for communication with the *forkserver* process instead of
-the Linux abstract socket namespace.  Only code that chooses to use the
-:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
-
-Abstract sockets have no permissions and could allow any user on the system in
-the same `network namespace
-<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
-whole system) to inject code into the multiprocessing *forkserver* process.
-This was a potential privilege escalation. Filesystem based socket permissions
-restrict this to the *forkserver* process user as was the default in Python 3.8
-and earlier.
-
-This prevents Linux `CVE-2022-42919
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
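Review bot: The deleted fragment is carried into Misc/NEWS.d/3.9.16.rst with only the line wrapping changed; the `CVE-2022-42919` link, the `network namespace` man-page link and the `:ref:` target `multiprocessing-start-methods` are all preserved, so nothing is lost in the roll-up of this entry.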
diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
deleted file mode 100644
index 2d23a6ad93c7..000000000000
--- a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+++ /dev/null
@@ -1 +0,0 @@
-Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
diff --git a/Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst b/Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst
deleted file mode 100644
index b63a54b3676c..000000000000
--- a/Misc/NEWS.d/next/Security/2022-10-26-21-04-23.gh-issue-98739.keBWcY.rst
+++ /dev/null
@@ -1 +0,0 @@
-Update bundled libexpat to 2.5.0
diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
deleted file mode 100644
index 5185fac2e29d..000000000000
--- a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
-related name resolution functions no longer involves a quadratic algorithm.
-This prevents a potential CPU denial of service if an out-of-spec excessive
-length hostname involving bidirectional characters were decoded. Some protocols
-such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
-to supply such a name.
diff --git a/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst b/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
deleted file mode 100644
index c931409b8171..000000000000
--- a/Misc/NEWS.d/next/Security/2022-11-11-12-50-28.gh-issue-87604.OtwH5L.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Avoid publishing list of active per-interpreter audit hooks via the
-:mod:`gc` module
diff --git a/Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst b/Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst
deleted file mode 100644
index a396e95cd83f..000000000000
--- a/Misc/NEWS.d/next/Security/2022-12-05-01-39-10.gh-issue-100001.uD05Fc.rst
+++ /dev/null
@@ -1,6 +0,0 @@
-``python -m http.server`` no longer allows terminal control characters sent
-within a garbage request to be printed to the stderr server log.
-
-This is done by changing the :mod:`http.server` :class:`BaseHTTPRequestHandler`
-``.log_message`` method to replace control characters with a ``\xHH`` hex escape
-before printing.
diff --git a/README.rst b/README.rst
index d78b6bc9e86f..4c804d677cf9 100644
--- a/README.rst
+++ b/README.rst
@@ -1,4 +1,4 @@
-This is Python version 3.9.15
+This is Python version 3.9.16
 =============================
 
 .. image:: https://travis-ci.org/python/cpython.svg?branch=3.9
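Review bot: The new title line `This is Python version 3.9.16` has the same length as the old one (29 characters), so the unchanged `=` underline on the following line still satisfies the reStructuredText rule that a section underline be at least as long as its title; the heading will render correctly without touching the underline.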
