Python official site security update (2023-06-07)

Intelligence source: TSRC

Published: 2023-06-07

Basic information
  • Release date: 2023-06-07
  • Detected: 2023-06-07
  • Vulnerability type: security update
  • Risk level: unknown
  • Updated version: 3.11.4
  • Intelligence contributor: TSRC
Update title

Python 3.11.4, 3.10.12, 3.9.17, 3.8.17, 3.7.17, and 3.12.0 beta 2 are now available

Update details

Greetings! Time for another combined release of six separate versions of Python! Before you scroll away to the download links:

Please test the 3.12 beta! Downloading it and trying it out helps us a lot in ensuring Python 3.12.0 will be as polished as possible.

We welcome 3.10 to the prestigious club of security-only releases. It's officially an old version of Python now! If you haven't rewritten all your if:elif:else:s with pattern matching yet, are you even still writing Python?

At the same time, it looks like 3.7 is reaching end-of-life. Unless another security release happens in June, 3.7.17 will be the final release of Python 3.7. I mean, now that I typed it out for all you to read, I'm sure I jinxed it. But in case I didn't, I would like to thank Ned Deily for serving as the release manager of Python 3.6 and Python 3.7. He was my mentor as Release Manager, and continues serving Python as the provider of Mac installers for new releases. Thank you, Ned!

Speaking of installers, Steve Dower used to be the sole provider of Windows installers for Python releases for years now. His secret was a well-automated Azure pipeline that let him build, sign, and publish releases with minimal manual effort. Now he extended the power to press the blue "Run pipeline" button to more members of the team. Thank you, Steve! This is an important bus factor increment. In fact, the Windows installers for both 3.12.0b2 and 3.11.4 were initiated by me. If there's anything wrong with them, well, I guess that means I pressed the button wrong.
Security fixes in today's releases

Updating is recommended due to security content:

  • 3.7 - 3.12: gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
  • 3.7 - 3.11: gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
  • 3.7 - 3.11: gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  • 3.7 - 3.11: gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  • 3.7 - 3.11: gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.
  • 3.8 - 3.11: gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
  • 3.8 - 3.11: gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details.
  • 3.9: gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.
  • 3.9: gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.

Python 3.12.0 beta 2
Get it here: 3.12.0b2
116 new commits since 3.12.0 beta 1.

Python 3.11.4
Get it here: 3.11.4
233 new commits.

Python 3.10.12
Get it here: 3.10.12
Security-only release with no binaries. 20 new commits.

Python 3.9.17
Get it here: 3.9.17
Security-only release with no binaries. 26 commits.

Python 3.8.17
Get it here: 3.8.17
Security-only release with no binaries. 24 commits.

Python 3.7.17
Get it here as it might be the last release of 3.7 ever: 3.7.17
Security-only release with no binaries. 21 commits.

We hope you enjoy the new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

–
Łukasz Langa @ambv
on behalf of your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas

Posted by Łukasz Langa at 2:56 AM
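The gh-102953 item above adds a filter argument to tarfile extraction. The following is an added example, not code from the Python release post or from CPython, showing what the 'data' filter rejects and what the old default let through. The sample archive is constructed inline (a benign file, a member named "../escaped.txt", and a symlink whose target is "/etc/passwd"); the _fallback_check helper is an assumption of this example for interpreters that predate the filter and only covers path escapes and link targets, so it is not a replacement for tarfile.data_filter.

```python
import io
import os
import tarfile
import tempfile

# True on interpreters that carry gh-102953 (3.8.17, 3.9.17, 3.10.12, 3.11.4, 3.12+).
HAS_FILTERS = hasattr(tarfile, "data_filter")


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign file, one member whose name escapes
    the destination directory, and one symlink with an absolute target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../escaped.txt"):
            payload = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tf.addfile(link)
    return buf.getvalue()


def _fallback_check(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    """Stand-in for tarfile.data_filter on interpreters that predate it.
    Assumption of this example: only path escapes and link targets are checked."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError(f"outside destination: {member.name}")
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            raise ValueError(f"absolute link target: {member.name}")
        # symlink targets are relative to the link's directory, hardlinks to the archive root
        base = os.path.dirname(target) if member.issym() else dest
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest, link_target]) != dest:
            raise ValueError(f"link escapes destination: {member.name}")
    return member


def triage(archive: bytes, dest: str) -> dict:
    """Run the 'data' filter over every member without extracting anything,
    so a hostile archive can be rejected whole instead of half-unpacked."""
    check = tarfile.data_filter if HAS_FILTERS else _fallback_check
    verdict = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            try:
                check(member, dest)
                verdict[member.name] = "ok"
            except Exception as exc:  # tarfile.FilterError subclasses when HAS_FILTERS
                verdict[member.name] = type(exc).__name__
    return verdict


def extract(archive: bytes, dest: str, trusted: bool = False) -> None:
    """trusted=True reproduces the historical default (no checks at all);
    otherwise extract with filter='data', or the fallback pre-check."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        if trusted and HAS_FILTERS:
            tf.extractall(dest, filter="fully_trusted")
        elif trusted:
            tf.extractall(dest)
        elif HAS_FILTERS:
            tf.extractall(dest, filter="data")
        else:
            members = [_fallback_check(m, dest) for m in tf.getmembers()]
            tf.extractall(dest, members=members)


def demo() -> dict:
    archive = build_sample_archive()
    result = {}
    with tempfile.TemporaryDirectory() as parent:
        result["triage"] = triage(archive, os.path.join(parent, "unpacked"))
        # Old default: the archive writes a file one level above the destination.
        extract(archive, os.path.join(parent, "trusted"), trusted=True)
        result["trusted_escaped"] = os.path.exists(os.path.join(parent, "escaped.txt"))
        # Filtered: extraction raises at the first rejected member.
        try:
            extract(archive, os.path.join(parent, "unpacked"))
            result["filtered_error"] = None
        except Exception as exc:
            result["filtered_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    print(demo())
```

Note that extractall() with a filter stops at the first rejected member, so earlier benign members have already been written; running triage() first gives all-or-nothing behaviour. The 'data' filter also refuses device files and strips set-uid/set-gid/sticky bits and ownership, which the fallback above does not.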

Software description

Python is a cross-platform programming language. It is an object-oriented, dynamically typed language,

CVE IDs

  • CVE-2023-24329 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329)
  • CVE-2023-0466 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0466)
  • CVE-2023-0465 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465)
  • CVE-2023-0464 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464)
  • CVE-2023-0286 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286)
  • CVE-2022-4303 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4303)
  • CVE-2023-2650 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650)
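CVE-2023-24329 (gh-102153 above) is a urllib.parse.urlsplit() issue: before the fix, a URL with a leading space or C0 control character parsed with an empty scheme, so a check that blocklisted schemes such as file: or javascript: on the parsed result could be bypassed while the downstream client still honoured the scheme. The following is an added example, not code from the Python release post or from CPython, that applies the WHATWG pre-parse normalization itself so the check does not depend on the interpreter being patched. The BLOCKED_SCHEMES and BLOCKED_HOSTS sets and the sample URLs are assumptions of this example.

```python
from urllib.parse import urlsplit

# WHATWG URL parsing: strip leading and trailing C0 controls (U+0000-U+001F) and
# U+0020 from the input, then remove every ASCII tab or newline. gh-102153 makes
# urlsplit() strip the leading characters itself; doing it here keeps the check
# correct on interpreters that predate the fix, where " file:///etc/passwd"
# parses with an empty scheme and walks straight past a scheme denylist.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_OR_NEWLINE = {ord("\t"): None, ord("\n"): None, ord("\r"): None}

BLOCKED_SCHEMES = {"file", "javascript", "data"}  # example denylist (assumption)
BLOCKED_HOSTS = {"evil.example"}                  # example host denylist (assumption)


def normalize_url(url: str) -> str:
    """Apply the WHATWG pre-parse normalization before handing the URL to urlsplit()."""
    return url.strip(_C0_OR_SPACE).translate(_TAB_OR_NEWLINE)


def scheme_of(url: str) -> str:
    """Scheme as a browser or HTTP client downstream will see it."""
    return urlsplit(normalize_url(url)).scheme.lower()


def denylist_allows(url: str, normalize: bool = True) -> bool:
    """Scheme denylist. normalize=False is the pre-fix bypass shape: on an
    interpreter without gh-102153 a leading space hides the scheme."""
    if normalize:
        url = normalize_url(url)
    return urlsplit(url).scheme.lower() not in BLOCKED_SCHEMES


def is_allowed_url(url: str) -> bool:
    """Allowlist form: require an explicit http(s) scheme and a non-blocked host.
    An empty scheme is rejected, so anything that hides the scheme fails closed."""
    parts = urlsplit(normalize_url(url))
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return bool(host) and host not in BLOCKED_HOSTS


if __name__ == "__main__":
    for sample in ("https://good.example/", " https://evil.example/",
                   "\x00\x1ffile:///etc/passwd", "ht\ntps://good.example/"):
        print(repr(sample), scheme_of(sample), is_allowed_url(sample))
```

The allowlist form is the one to prefer: the fix in gh-102153 only strips leading characters, and a denylist on the parsed scheme still fails open whenever parsing and the eventual consumer disagree about what the scheme is.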

Knowsafe analysis

None yet

Industry news

None yet

Source link

https://blog.python.org/search?q=security&max-results=20&by-date=true