diff mbox series

[PATCH-2024.02.x] package/python3: security bump to version 3.11.9

Message ID 20240827084331.252928-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Aug. 27, 2024, 8:43 a.m. UTC
Fixes the following security issues:

- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
  (CVE-2023-52425) by adding five new methods:

        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()

- gh-115243: Fix possible crashes in collections.deque.index() when the
  deque is concurrently modified.

- gh-114572: ssl.SSLContext.cert_store_stats() and
  ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
  store, when the ssl.SSLContext is shared across multiple threads.

For more details, see the changelog:
https://docs.python.org/release/3.11.9/whatsnew/changelog.html#python-3-11-9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python3/python3.hash | 6 +++---
 package/python3/python3.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

Comments

Peter Korsgaard Sept. 14, 2024, 3:20 p.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
 >   (CVE-2023-52425) by adding five new methods:

 >         xml.etree.ElementTree.XMLParser.flush()
 >         xml.etree.ElementTree.XMLPullParser.flush()
 >         xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
 >         xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
 >         xml.sax.expatreader.ExpatParser.flush()

 > - gh-115243: Fix possible crashes in collections.deque.index() when the
 >   deque is concurrently modified.

 > - gh-114572: ssl.SSLContext.cert_store_stats() and
 >   ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
 >   store, when the ssl.SSLContext is shared across multiple threads.

 > For more details, see the changelog:
 > https://docs.python.org/release/3.11.9/whatsnew/changelog.html#python-3-11-9

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2024.02.x, thanks.

Patch

diff --git a/package/python3/python3.hash b/package/python3/python3.hash
index 962d32b5d9..c536c80e52 100644
--- a/package/python3/python3.hash
+++ b/package/python3/python3.hash
@@ -1,5 +1,5 @@ 
-# From https://www.python.org/downloads/release/python-3118/
-md5  b353b8433e560e1af2b130f56dfbd973  Python-3.11.8.tar.xz
+# From https://www.python.org/downloads/release/python-3119/
+md5  22ea467e7d915477152e99d5da856ddc  Python-3.11.9.tar.xz
 # Locally computed
-sha256  9e06008c8901924395bc1da303eac567a729ae012baa182ab39269f650383bb3  Python-3.11.8.tar.xz
+sha256  9b1e896523fc510691126c864406d9360a3d1e986acbda59cda57b5abda45b87  Python-3.11.9.tar.xz
 sha256  3b2f81fe21d181c499c59a256c8e1968455d6689d269aa85373bfb6af41da3bf  LICENSE
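Review bot: The only upstream-sourced value on the new Python-3.11.9.tar.xz lines is the md5 taken from the release page, while the sha256 sits under "# Locally computed", so nothing here records that the tarball was authenticated before it was hashed. md5 does not give meaningful protection against a tampered download, which leaves the locally computed sha256 as the only real integrity anchor for a security bump. Please say in the commit message (or extend the comment above the sha256 line) how the download was checked, for example against the signature offered on the release page, so the next reviewer can reproduce the check. The unchanged LICENSE hash is consistent with the licence text not changing between 3.11.8 and 3.11.9.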
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index 950006698b..5f61456a74 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -5,7 +5,7 @@ 
 ################################################################################
 
 PYTHON3_VERSION_MAJOR = 3.11
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).8
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).9
 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
 PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
 PYTHON3_LICENSE = Python-2.0, others
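Review bot: The change to PYTHON3_VERSION is the whole fix as far as this file goes, but the commit message ties the CVE-2023-52425 item to "Expat >=2.6.0", and nothing in the patch says which Expat this branch builds Python against. If 2024.02.x still ships an older Expat, the new flush() and SetReparseDeferralEnabled() methods are present but the underlying issue is not addressed by this bump alone. Please state the Expat version on 2024.02.x in the commit message, or reference the companion Expat bump if there is one, so that the CVE is not read as fully closed by this patch.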