- Release date: 2022-12-06
- Detected on: 2022-12-06
- Vulnerability type: Security update
- Risk level: Unknown
- Updated version: 3.11.1
- Intelligence contributed by: TSRC
Python 3.11.1, 3.10.9, 3.9.16, 3.8.16, 3.7.16, and 3.12.0 alpha 3 are now available
Greetings! We bring you a slew of releases this fine Saint Nicholas / Sinterklaas day. Six simultaneous releases has got to be some record. There's one more record we broke this time, you'll see below.

In any case, updating is recommended due to security content:

- 3.7 - 3.12: gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap use-after-free).
- 3.7 - 3.12: gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.
- 3.7 - 3.12: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.
- 3.8 - 3.12: gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.
- 3.9 - 3.10 (already released in 3.11+ before): gh-97514: On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 (potential privilege escalation) as abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. This was a potential privilege escalation. Filesystem based socket permissions restrict this to the forkserver process user as was the default in Python 3.8 and earlier.
- 3.7 - 3.10: gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix CVE-2022-37454.
- 3.7 - 3.9 (already released in 3.10+ before): gh-68966: The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands to address CVE-2015-20107. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed).

Python 3.12.0 alpha 3

Get it here, read the change log, sing a GPT-3-generated Sinterklaas song: https://www.python.org/downloads/release/python-3120a3/

216 new commits since 3.12.0 alpha 2 last month.

Python 3.11.1

Get it here, see the change log, read the recipe for quark soup: https://www.python.org/downloads/release/python-3111/

A whopping 495 new commits since 3.11.0. This is a massive increase of changes compared to 3.10 at the same stage in the release cycle: there were "only" 339 commits between 3.10.0 and 3.10.1.

Python 3.10.9

Get it here, read the change log, see circular patterns: https://www.python.org/downloads/release/python-3109/

165 new commits.

Python 3.9.16

Get it here, read the change log, consider upgrading to a newer version: https://www.python.org/downloads/release/python-3916/

Security-only release with no binaries. 10 commits.

Python 3.8.16

Get it here, see the change log, definitely upgrade to a newer version: https://www.python.org/downloads/release/python-3816/

Security-only release with no binaries. 9 commits.

Python 3.7.16

Get it here, read the change log, check PEP 537 to confirm EOL is coming to this version in June 2023: https://www.python.org/downloads/release/python-3716/

Security-only release with no binaries. 8 commits.

We hope you enjoy the new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation. https://www.python.org/psf/

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas

Posted by Łukasz Langa at 5:58 PM
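Two of the fixes listed above (gh-100001 for http.server and gh-68966 for mailcap) are instances of the same defensive rule: untrusted text is either made inert before it reaches a sensitive sink, or refused outright. The following is an added example in Python, not CPython's own code, that shows both patterns on constructed input: `escape_for_log` replaces control characters before a request line is written to a terminal log, and `build_viewer_command` refuses to fill a mailcap-style command template when a filename or MIME type contains a character the shell could interpret, returning `None` as if no entry matched. The allowlist regex, the `%s`/`%t` template syntax and the sample request line are assumptions made for the example.

```python
"""Added example (not CPython's own code): two hardening patterns from the
release notes above, run on constructed sample input.

1. escape_for_log(): make untrusted request text safe to print to a terminal
   log by escaping control characters (the class of fix behind gh-100001).
2. build_viewer_command(): refuse to interpolate text containing shell
   metacharacters into a command, acting as if no handler matched (the
   class of fix behind gh-68966 / CVE-2015-20107).
"""
import re
import warnings

# C0 control characters (including ESC, which starts terminal escape
# sequences), DEL, and the C1 range 0x80-0x9f.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_for_log(text: str) -> str:
    """Return `text` with every control character replaced by a visible
    \\xHH escape, so a crafted request line cannot drive the terminal
    that displays the server log."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), text)


# Assumed allowlist of characters that pass through a POSIX shell unchanged.
# Anything else (;, |, $, backtick, quotes, whitespace, %, ...) is treated as
# unsafe and rejected rather than escaped.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.\-/@+=:,]")


def find_unsafe(text: str):
    """Return the first shell-unsafe character in `text`, or None."""
    m = _UNSAFE.search(text)
    return m.group() if m else None


def build_viewer_command(template: str, filename: str, mime_type: str):
    """Fill a mailcap-style command template (%s = filename, %t = MIME type).

    If either value contains a character the shell could interpret, warn and
    return None, exactly as if no matching entry had been found; the caller
    must then run nothing.
    """
    for label, value in (("filename", filename), ("MIME type", mime_type)):
        bad = find_unsafe(value)
        if bad is not None:
            warnings.warn(
                f"refusing to use {label} {value!r}: unsafe character {bad!r}"
            )
            return None
    return template.replace("%s", filename).replace("%t", mime_type)


if __name__ == "__main__":
    # Constructed request line carrying an ANSI clear-screen sequence and a CR.
    garbage_request = "GET /\x1b[2J\x1b[H\r HTTP/1.1"
    print(escape_for_log(garbage_request))

    # Constructed mailcap-style entry; the second filename carries a
    # command separator and is refused.
    print(build_viewer_command("xdg-open %s", "report.pdf", "application/pdf"))
    print(build_viewer_command("xdg-open %s", "report.pdf; id", "application/pdf"))
```

The refusal path deliberately returns the same result as "no handler found" rather than attempting to quote the value: an allowlist that rejects is easier to audit than quoting rules, which is the trade-off the mailcap change above made as well. The log escaping applies the fix to the byte that matters (ESC and friends) instead of trying to recognise every terminal sequence.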
Python is a cross-platform computer programming language. It is an object-oriented, dynamically typed language,
- CVE-2022-43680: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
- CVE-2022-42919: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919
- CVE-2015-20107: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-20107
- CVE-2022-37454: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454
- CVE-2022-45061: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061
None
None
https://blog.python.org/search?q=security&max-results=20&by-date=true