Message ID | 20240827084331.252928-1-peter@korsgaard.com |
---|---|
State | Accepted |
Series | [PATCH-2024.02.x] package/python3: security bump to version 3.11.9 |
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

> Fixes the following security issues:
> - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
>   (CVE-2023-52425) by adding five new methods:
>   xml.etree.ElementTree.XMLParser.flush()
>   xml.etree.ElementTree.XMLPullParser.flush()
>   xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
>   xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
>   xml.sax.expatreader.ExpatParser.flush()
> - gh-115243: Fix possible crashes in collections.deque.index() when the
>   deque is concurrently modified.
> - gh-114572: ssl.SSLContext.cert_store_stats() and
>   ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
>   store, when the ssl.SSLContext is shared across multiple threads.
> For more details, see the changelog:
> https://docs.python.org/release/3.11.9/whatsnew/changelog.html#python-3-11-9
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2024.02.x, thanks.
diff --git a/package/python3/python3.hash b/package/python3/python3.hash index 962d32b5d9..c536c80e52 100644 --- a/package/python3/python3.hash +++ b/package/python3/python3.hash @@ -1,5 +1,5 @@ -# From https://www.python.org/downloads/release/python-3118/ -md5 b353b8433e560e1af2b130f56dfbd973 Python-3.11.8.tar.xz +# From https://www.python.org/downloads/release/python-3119/ +md5 22ea467e7d915477152e99d5da856ddc Python-3.11.9.tar.xz # Locally computed -sha256 9e06008c8901924395bc1da303eac567a729ae012baa182ab39269f650383bb3 Python-3.11.8.tar.xz +sha256 9b1e896523fc510691126c864406d9360a3d1e986acbda59cda57b5abda45b87 Python-3.11.9.tar.xz sha256 3b2f81fe21d181c499c59a256c8e1968455d6689d269aa85373bfb6af41da3bf LICENSE diff --git a/package/python3/python3.mk b/package/python3/python3.mk index 950006698b..5f61456a74 100644 --- a/package/python3/python3.mk +++ b/package/python3/python3.mk @@ -5,7 +5,7 @@ ################################################################################ PYTHON3_VERSION_MAJOR = 3.11 -PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).8 +PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).9 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION) PYTHON3_LICENSE = Python-2.0, others
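Review bot: In the python3.hash hunk, the only digest attributed to upstream is the md5 line; the sha256 for Python-3.11.9.tar.xz sits under "# Locally computed", so the strong hash is only as trustworthy as the download it was computed from. Please state in the commit message that the tarball was checked against upstream's published signature before the sha256 was computed, or add a comment next to the sha256 line saying how it was verified.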
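Review bot: The PYTHON3_VERSION change to $(PYTHON3_VERSION_MAJOR).9 in python3.mk is presented as closing CVE-2023-52425, but per the commit message gh-115398 only adds controls for Expat >=2.6.0 reparse deferral. The commit message should say which Expat version python3 is built against on 2024.02.x, so a reader can tell whether the CVE is actually addressed on this branch or only the new methods were added.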
Fixes the following security issues:

- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
  (CVE-2023-52425) by adding five new methods:
  xml.etree.ElementTree.XMLParser.flush()
  xml.etree.ElementTree.XMLPullParser.flush()
  xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
  xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
  xml.sax.expatreader.ExpatParser.flush()
- gh-115243: Fix possible crashes in collections.deque.index() when the
  deque is concurrently modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
  ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
  store, when the ssl.SSLContext is shared across multiple threads.

For more details, see the changelog:
https://docs.python.org/release/3.11.9/whatsnew/changelog.html#python-3-11-9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python3/python3.hash | 6 +++---
 package/python3/python3.mk | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)