- Release date: 2021-04-04
- Time observed: 2021-04-04
- Vulnerability type: Security update
- Risk level: Unknown
- Updated version: 3.9.4
- Intelligence contributed by: TSRC
Python 3.9.4 hotfix is now available
Python 3.9.3 was released two days ago on Friday, April 2nd. It contains important security content listed below for reference. Unfortunately, it also introduced an unintentional ABI incompatibility, making some C extensions built with Python 3.9.0 - 3.9.2 crash with Python 3.9.3 on 32-bit systems. To minimize disruption, I decided to recall 3.9.3 and introduce this hotfix release: 3.9.4.

We highly recommend upgrading your Python 3.9 installations to 3.9.4 at your earliest convenience.

Get it here: https://www.python.org/downloads/release/python-394/

What is “ABI compatibility”?

Python guarantees that within a given language series (like the current 3.9) binary extensions written in C or C++ and compiled against headers of one release (like 3.9.0) will be importable from other versions in the same series (like 3.9.3). If this weren’t the case, library authors would have to ship separate binary wheels on PyPI for every single bugfix release of Python. That would be very inconvenient.

What broke in Python 3.9.3?

In a fix for a corner-case crash around recursion limits and exceptions, the PyThreadState struct needed to change. While PyThreadState’s only documented public member is the *interp field, it’s not uncommon for C extensions to access other fields in this struct as well.

When I approved the backport of this fix, I missed the fact that the variable size change would change the memory layout of said struct on 32-bit systems (on 64-bit systems alignment rules made the size change backwards compatible). Merging the backport was a mistake, and so 3.9.4 reverts it to restore compatibility with binary extensions built against Python 3.9.0 - 3.9.2. Details in bpo-43710.
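The mechanism behind the 32-bit-only breakage is ordinary C struct padding: a field inserted in the middle of a struct can be absorbed by existing alignment padding when pointers are 8 bytes wide, yet shift every later field when pointers are 4 bytes wide. The following is an added example, not code from the release post or from CPython: a small layout calculator using natural-alignment rules, applied to two hypothetical field lists (`BEFORE` and `AFTER`) that stand in for the PyThreadState change. The field names are illustrative only and do not reproduce the real PyThreadState definition.

```python
# Added example (not from the Python release announcement): a C struct layout
# calculator that shows why inserting a 4-byte field can change the layout on
# 32-bit builds while 64-bit alignment padding hides the change.  The field
# lists BEFORE/AFTER are hypothetical stand-ins for PyThreadState, chosen to
# reproduce the mechanism described in the post, not its real definition.

# Natural alignment as used by the common C ABIs for these scalar types: each
# scalar is aligned to its own size, and the struct is padded to a multiple of
# its widest member.  "ptr" width depends on the target (4 or 8 bytes).
FIELD_SIZES = {"char": 1, "int": 4, "ptr": None}


def align_up(offset, alignment):
    """Round offset up to the next multiple of alignment."""
    return (offset + alignment - 1) // alignment * alignment


def layout(fields, pointer_size):
    """Return ({field_name: offset}, sizeof) for a list of (name, ctype) pairs."""
    offsets = {}
    offset = 0
    max_align = 1
    for name, ctype in fields:
        size = FIELD_SIZES[ctype] or pointer_size
        offset = align_up(offset, size)       # natural alignment == size here
        offsets[name] = offset
        offset += size
        max_align = max(max_align, size)
    return offsets, align_up(offset, max_align)   # tail padding


# Hypothetical "before" layout: a pointer, one int, then another pointer.
BEFORE = [("prev", "ptr"), ("recursion_depth", "int"), ("next", "ptr")]
# Hypothetical "after" layout: a second int slipped in after the first one.
AFTER = [("prev", "ptr"), ("recursion_depth", "int"),
         ("recursion_headroom", "int"), ("next", "ptr")]


def abi_change(before, after, pointer_size):
    """Describe what an extension built against `before` would see at runtime."""
    old_offsets, old_size = layout(before, pointer_size)
    new_offsets, new_size = layout(after, pointer_size)
    moved = sorted(name for name in old_offsets
                   if new_offsets.get(name) != old_offsets[name])
    return {"old_size": old_size, "new_size": new_size, "moved_fields": moved}


def is_abi_compatible(before, after, pointer_size):
    """Compatible only if no pre-existing field moved and sizeof is unchanged.

    A size change alone already matters: an old extension that embeds or
    allocates the struct would use the wrong size even if no field moved.
    """
    report = abi_change(before, after, pointer_size)
    return report["old_size"] == report["new_size"] and not report["moved_fields"]


if __name__ == "__main__":
    for bits, psize in ((32, 4), (64, 8)):
        print(f"{bits}-bit: {abi_change(BEFORE, AFTER, psize)} "
              f"compatible={is_abi_compatible(BEFORE, AFTER, psize)}")
```

Running it shows the asymmetry the post describes: with 8-byte pointers the new int lands in the 4 bytes of padding that already sat between `recursion_depth` and `next`, so `sizeof` stays 24 and nothing moves; with 4-byte pointers there was no padding to absorb it, `sizeof` grows from 12 to 16 and `next` moves from offset 8 to 12, which is exactly what an extension compiled against the old headers would get wrong.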
Security Content in Python 3.9.3

- bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it’s been upgraded to 1.1.1k in CI, and macOS and Windows installers.
- bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
- bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
- bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

Release Calendar

Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.5 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog. We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible!
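The bpo-43285 item changes which host the data connection goes to after a PASV exchange. As an added example (not ftplib's own code), the block below parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and then applies the hardened rule: unless `trust_server_pasv_ipv4_address` is set, the advertised address is discarded and the client reconnects to the IP it already has a control connection with, taking only the port from the reply. The function names, the `control_peer_host` parameter and the sample replies are constructed for this example; `make_client` only shows where the real attribute is set on an `ftplib.FTP` instance and does not connect anywhere.

```python
# Added example (not ftplib's own implementation): parse a PASV reply and pick
# the data-connection address the way the hardened ftplib in 3.9.3+ does.
import ftplib
import re

# Same shape of match ftplib uses: six decimal fields, host octets then port bytes.
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply to PASV: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def choose_data_address(reply, control_peer_host,
                        trust_server_pasv_ipv4_address=False):
    """Return (host, port) for the data connection.

    Default (False): ignore the host the server advertised and go back to the
    peer IP of the control connection, so the server cannot steer the client
    at an arbitrary address on the client's network.  The port is still taken
    from the reply, so a server can still choose which port on that one host
    the client connects to.
    True: the pre-3.9.3 behaviour, trusting the advertised host.
    """
    advertised_host, port = parse_pasv_reply(reply)
    host = advertised_host if trust_server_pasv_ipv4_address else control_peer_host
    return host, port


def make_client(trust_server_pasv_ipv4_address=False):
    """Show where the real opt-in lives: an attribute on the ftplib.FTP instance.

    ftplib.FTP() without a host argument does not open any connection.
    """
    ftp = ftplib.FTP()
    ftp.trust_server_pasv_ipv4_address = trust_server_pasv_ipv4_address
    return ftp


if __name__ == "__main__":
    # Constructed replies: a benign one, and one advertising an internal address.
    benign = "227 Entering Passive Mode (10,0,0,5,195,80)."
    steering = "227 Entering Passive Mode (192,168,1,1,0,22)"
    peer = "203.0.113.7"     # constructed control-connection peer IP
    print(choose_data_address(benign, peer))
    print(choose_data_address(steering, peer))                      # peer kept
    print(choose_data_address(steering, peer, trust_server_pasv_ipv4_address=True))
```

With the default setting the second reply yields `("203.0.113.7", 22)`: the server's attempt to redirect the data connection to 192.168.1.1 is ignored, while opting in restores `("192.168.1.1", 22)`. The `make_client` helper is the place to grep for in your own code if you need the old behaviour and want the decision to be explicit.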
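The bpo-43439 item makes the three `gc` introspection functions visible to audit hooks, which is what lets a sandboxed or hardened process notice code walking the heap for live objects. The block below is an added example, not code from the release post or from CPython: it installs a `sys.addaudithook` hook that records the `gc.get_objects`, `gc.get_referrers` and `gc.get_referents` events and refuses any of them that a small policy set lists. The `SEEN`/`BLOCKED` names and the two `demo_*` helpers are constructed for the example; the event names are the ones the release note introduces.

```python
# Added example (not from the release post): observe and, under a policy,
# refuse the gc.* audit events that bpo-43439 added, via sys.addaudithook.
import gc
import sys

GC_AUDIT_EVENTS = {"gc.get_objects", "gc.get_referrers", "gc.get_referents"}
SEEN = []          # (event, args) tuples recorded by the hook (constructed store)
BLOCKED = set()    # events the policy currently refuses (constructed policy)


def gc_audit_hook(event, args):
    """Audit hook: record gc introspection calls and raise for blocked ones.

    Audit hooks see every event in the interpreter, so unrelated events are
    ignored up front.  Raising inside the hook aborts the audited call, which
    is how an audit hook turns an observation into enforcement.
    """
    if event not in GC_AUDIT_EVENTS:
        return
    SEEN.append((event, args))
    if event in BLOCKED:
        raise RuntimeError(f"{event} refused by audit policy")


# Hooks cannot be removed once installed; install exactly once at startup.
sys.addaudithook(gc_audit_hook)


def gc_audit_supported():
    """True if this interpreter emits the gc.* audit events (3.9.3+ and 3.10+)."""
    return sys.version_info >= (3, 9, 3)


def events_seen():
    """Names of the gc.* events recorded so far, in order."""
    return [event for event, _ in SEEN]


def demo_observe():
    """Call gc.get_objects() and report whether the hook saw the event."""
    before = len(SEEN)
    gc.get_objects()
    return any(ev == "gc.get_objects" for ev, _ in SEEN[before:])


def demo_block():
    """Refuse gc.get_referrers while it is in BLOCKED; True if the call was stopped."""
    BLOCKED.add("gc.get_referrers")
    try:
        gc.get_referrers(SEEN)
    except RuntimeError:
        return True
    finally:
        BLOCKED.discard("gc.get_referrers")
    return False


if __name__ == "__main__":
    print("gc audit events supported:", gc_audit_supported())
    print("observed gc.get_objects:", demo_observe())
    print("blocked gc.get_referrers:", demo_block())
    print("recorded:", events_seen())
```

On 3.9.3 and later both demo functions return True; on older interpreters the events are never raised, the hook never fires, and both return False, which is the version-dependent gap the bpo entry closes. Keep the hook itself free of `gc` calls, since those would raise the same events recursively.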
Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower

Posted by Łukasz Langa at 3:19 PM
Python is a cross-platform computer programming language. It is an object-oriented, dynamically typed language,
- [CVE-2021-3450](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450)
- [CVE-2021-3426](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426)
- [CVE-2021-3449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449)
None
None
https://blog.python.org/search?q=security&max-results=20&by-date=true