* [Buildroot] [PATCH] package/python3: security bump to version 3.9.7
@ 2021-09-03  6:53 Peter Korsgaard
  2021-09-03 15:08 ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-03  6:53 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, Asaf Kahlon

Fixes the following security issues:

- bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
  avoid a potential race condition.

- bpo-41180: Add auditing events to the marshal module, and stop raising
  code.__init__ events for every unmarshalled code object.  Directly
  instantiated code objects will continue to raise an event, and audit event
  handlers should inspect or collect the raw marshal data.  This reduces a
  significant performance overhead when loading from .pyc files.

- bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
  get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability.  This
  copy is most used on Windows and macOS.

- bpo-43124: Made the internal putcmd function in smtplib sanitize input for
  presence of \r and \n characters to avoid (unlikely) command injection.

https://www.python.org/downloads/release/python-397/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python3/python3.hash | 6 +++---
 package/python3/python3.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python3/python3.hash b/package/python3/python3.hash
index 36e89a0678..444dbd982a 100644
--- a/package/python3/python3.hash
+++ b/package/python3/python3.hash
@@ -1,5 +1,5 @@
-# From https://www.python.org/downloads/release/python-396/
-md5  ecc29a7688f86e550d29dba2ee66cf80  Python-3.9.6.tar.xz
+# From https://www.python.org/downloads/release/python-397/
+md5  fddb060b483bc01850a3f412eea1d954  Python-3.9.7.tar.xz
 # Locally computed
-sha256  397920af33efc5b97f2e0b57e91923512ef89fc5b3c1d21dbfc8c4828ce0108a  Python-3.9.6.tar.xz
+sha256  f8145616e68c00041d1a6399b76387390388f8359581abc24432bb969b5e3c57  Python-3.9.7.tar.xz
 sha256  599826df92bfdcd2702eac691072498bb096c55af04ee984cf90f70ed77b5a70  LICENSE
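Review bot: the only upstream-published value in this hunk is the md5 line taken from the python.org release page, while the new `+sha256  f8145616e68c00041d1a6399b76387390388f8359581abc24432bb969b5e3c57  Python-3.9.7.tar.xz` sits under "# Locally computed", so it pins whatever tarball the submitter downloaded rather than an upstream-attested digest, and md5 gives no collision resistance. It would help to state in the commit message how the 3.9.7 tarball was authenticated before the local sha256 was recorded, so that whoever applies this to the stable branches can repeat the check against the release page linked in the message.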
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index d491a4c800..3e88bc0ff4 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 PYTHON3_VERSION_MAJOR = 3.9
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).6
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).7
 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
 PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
 PYTHON3_LICENSE = Python-2.0, others
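Review bot: the version line is consistent with the .hash hunk (PYTHON3_SOURCE derives Python-3.9.7.tar.xz from PYTHON3_VERSION, matching the new filename), but one documentation point: the commit message says the vendored libexpat copy fixed by bpo-44394 "is most used on Windows and macOS". If this package is built against Buildroot's own expat package rather than the vendored copy, the commit message should say so, because the CVE-2013-0340 fix on target would then come from the expat package version rather than from this bump.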
-- 
2.20.1

_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
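As an added example (not part of this patch or of Buildroot's own tooling), a small checker for the .hash layout changed above: it parses `<type>  <digest>  <filename>` lines, recomputes each digest over the downloaded bytes and flags files whose only matching digests are md5 or sha1. The hash file text and the file contents are constructed here; the digests are computed over those constructed bytes, not over the real Python tarball.

```python
import hashlib

# Constructed stand-ins for the downloaded artifacts (not the real tarball).
SAMPLE_FILES = {
    "Python-3.9.7.tar.xz": b"constructed tarball stand-in\n",
    "LICENSE": b"constructed license text\n",
}

def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()

# Same layout as package/python3/python3.hash ("<type>  <digest>  <file>" plus
# '#' comment lines); these digests cover the constructed bytes above.
SAMPLE_HASH_FILE = "\n".join([
    "# From https://www.python.org/downloads/release/python-397/",
    f"md5  {digest('md5', SAMPLE_FILES['Python-3.9.7.tar.xz'])}  Python-3.9.7.tar.xz",
    "# Locally computed",
    f"sha256  {digest('sha256', SAMPLE_FILES['Python-3.9.7.tar.xz'])}  Python-3.9.7.tar.xz",
    f"sha256  {digest('sha256', SAMPLE_FILES['LICENSE'])}  LICENSE",
])

WEAK_ALGOS = {"md5", "sha1"}  # pin a download, but give no collision resistance

def parse_hash_file(text):
    """Return (algo, hexdigest, filename) triples; blank/comment lines skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 3 or parts[0] not in hashlib.algorithms_available:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        entries.append((parts[0], parts[1].lower(), parts[2]))
    return entries

def verify(text, files):
    """Map each listed file to 'ok', 'mismatch', 'missing' or 'weak-only'
    ('weak-only': only md5/sha1 matched, so a colliding file would pass)."""
    status, strong = {}, set()
    for algo, expected, name in parse_hash_file(text):
        if name not in files:
            status[name] = "missing"
        elif digest(algo, files[name]) != expected:
            status[name] = "mismatch"  # any mismatch overrides an earlier 'ok'
        else:
            status.setdefault(name, "ok")
            if algo not in WEAK_ALGOS:
                strong.add(name)
    return {n: "weak-only" if s == "ok" and n not in strong else s
            for n, s in status.items()}
```

Buildroot's real check is done by its own support scripts during the download step; this block only shows what such a check must cover.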


* Re: [Buildroot] [PATCH] package/python3: security bump to version 3.9.7
  2021-09-03  6:53 [Buildroot] [PATCH] package/python3: security bump to version 3.9.7 Peter Korsgaard
@ 2021-09-03 15:08 ` Peter Korsgaard
  2021-09-10  9:59   ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-03 15:08 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, Asaf Kahlon

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > - bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
 >   avoid a potential race condition.

 > - bpo-41180: Add auditing events to the marshal module, and stop raising
 >   code.__init__ events for every unmarshalled code object.  Directly
 >   instantiated code objects will continue to raise an event, and audit event
 >   handlers should inspect or collect the raw marshal data.  This reduces a
 >   significant performance overhead when loading from .pyc files.

 > - bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
 >   get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability.  This
 >   copy is most used on Windows and macOS.

 > - bpo-43124: Made the internal putcmd function in smtplib sanitize input for
 >   presence of \r and \n characters to avoid (unlikely) command injection.

 > https://www.python.org/downloads/release/python-397/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* Re: [Buildroot] [PATCH] package/python3: security bump to version 3.9.7
  2021-09-03 15:08 ` Peter Korsgaard
@ 2021-09-10  9:59   ` Peter Korsgaard
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-09-10  9:59 UTC (permalink / raw)
  To: buildroot; +Cc: Asaf Kahlon, Thomas Petazzoni

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
 >> Fixes the following security issues:
 >> - bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
 >> avoid a potential race condition.

 >> - bpo-41180: Add auditing events to the marshal module, and stop raising
 >> code.__init__ events for every unmarshalled code object.  Directly
 >> instantiated code objects will continue to raise an event, and audit event
 >> handlers should inspect or collect the raw marshal data.  This reduces a
 >> significant performance overhead when loading from .pyc files.

 >> - bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
 >> get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability.  This
 >> copy is most used on Windows and macOS.

 >> - bpo-43124: Made the internal putcmd function in smtplib sanitize input for
 >> presence of \r and \n characters to avoid (unlikely) command injection.

 >> https://www.python.org/downloads/release/python-397/

 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2021.02.x and 2021.05.x, thanks.

-- 
Bye, Peter Korsgaard
