* [Buildroot] [PATCH] package/python3: security bump to version 3.9.7
@ 2021-09-03 6:53 Peter Korsgaard
2021-09-03 15:08 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-03 6:53 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Petazzoni, Asaf Kahlon
Fixes the following security issues:
- bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
avoid a potential race condition.
- bpo-41180: Add auditing events to the marshal module, and stop raising
code.__init__ events for every unmarshalled code object. Directly
instantiated code objects will continue to raise an event, and audit event
handlers should inspect or collect the raw marshal data. This reduces a
significant performance overhead when loading from .pyc files.
- bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
copy is most used on Windows and macOS.
- bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
https://www.python.org/downloads/release/python-397/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python3/python3.hash | 6 +++---
package/python3/python3.mk | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python3/python3.hash b/package/python3/python3.hash
index 36e89a0678..444dbd982a 100644
--- a/package/python3/python3.hash
+++ b/package/python3/python3.hash
@@ -1,5 +1,5 @@
-# From https://www.python.org/downloads/release/python-396/
-md5 ecc29a7688f86e550d29dba2ee66cf80 Python-3.9.6.tar.xz
+# From https://www.python.org/downloads/release/python-397/
+md5 fddb060b483bc01850a3f412eea1d954 Python-3.9.7.tar.xz
# Locally computed
-sha256 397920af33efc5b97f2e0b57e91923512ef89fc5b3c1d21dbfc8c4828ce0108a Python-3.9.6.tar.xz
+sha256 f8145616e68c00041d1a6399b76387390388f8359581abc24432bb969b5e3c57 Python-3.9.7.tar.xz
sha256 599826df92bfdcd2702eac691072498bb096c55af04ee984cf90f70ed77b5a70 LICENSE
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index d491a4c800..3e88bc0ff4 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -5,7 +5,7 @@
################################################################################
PYTHON3_VERSION_MAJOR = 3.9
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).6
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).7
PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
PYTHON3_LICENSE = Python-2.0, others
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/python3: security bump to version 3.9.7
2021-09-03 6:53 [Buildroot] [PATCH] package/python3: security bump to version 3.9.7 Peter Korsgaard
@ 2021-09-03 15:08 ` Peter Korsgaard
2021-09-10 9:59 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-03 15:08 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Petazzoni, Asaf Kahlon
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
> avoid a potential race condition.
> - bpo-41180: Add auditing events to the marshal module, and stop raising
> code.__init__ events for every unmarshalled code object. Directly
> instantiated code objects will continue to raise an event, and audit event
> handlers should inspect or collect the raw marshal data. This reduces a
> significant performance overhead when loading from .pyc files.
> - bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
> get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
> copy is most used on Windows and macOS.
> - bpo-43124: Made the internal putcmd function in smtplib sanitize input for
> presence of \r and \n characters to avoid (unlikely) command injection.
> https://www.python.org/downloads/release/python-397/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/python3: security bump to version 3.9.7
2021-09-03 15:08 ` Peter Korsgaard
@ 2021-09-10 9:59 ` Peter Korsgaard
0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-10 9:59 UTC (permalink / raw)
To: buildroot; +Cc: Asaf Kahlon, Thomas Petazzoni
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>> Fixes the following security issues:
>> - bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
>> avoid a potential race condition.
>> - bpo-41180: Add auditing events to the marshal module, and stop raising
>> code.__init__ events for every unmarshalled code object. Directly
>> instantiated code objects will continue to raise an event, and audit event
>> handlers should inspect or collect the raw marshal data. This reduces a
>> significant performance overhead when loading from .pyc files.
>> - bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
>> get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
>> copy is most used on Windows and macOS.
>> - bpo-43124: Made the internal putcmd function in smtplib sanitize input for
>> presence of \r and \n characters to avoid (unlikely) command injection.
>> https://www.python.org/downloads/release/python-397/
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2021.02.x and 2021.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-10 10:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-03 6:53 [Buildroot] [PATCH] package/python3: security bump to version 3.9.7 Peter Korsgaard
2021-09-03 15:08 ` Peter Korsgaard
2021-09-10 9:59 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.