| field | value |
|---|---|
| author | 2022-09-06 19:23:34 +0200 |
| committer | 2022-09-06 19:26:16 +0200 |
| commit | 816066f497ab89abcdb3c4f2d34462c750d23713 |
| tree | f340bfbf7d27c7535b82678a8279ddb25a75da8f |
| parent | [3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96502) |

Python 3.9.14 (tag: v3.9.14)
14 files changed, 121 insertions, 66 deletions
diff --git a/Include/patchlevel.h b/Include/patchlevel.h index 8b3aa91b088..3d48e977038 100644 --- a/Include/patchlevel.h +++ b/Include/patchlevel.h @@ -18,12 +18,12 @@ /*--start constants--*/ #define PY_MAJOR_VERSION 3 #define PY_MINOR_VERSION 9 -#define PY_MICRO_VERSION 13 +#define PY_MICRO_VERSION 14 #define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL #define PY_RELEASE_SERIAL 0 /* Version as a string */ -#define PY_VERSION "3.9.13+" +#define PY_VERSION "3.9.14" /*--end constants--*/ /* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2. diff --git a/Lib/pydoc_data/topics.py b/Lib/pydoc_data/topics.py index 318e85660d9..bfb5db0f917 100644 --- a/Lib/pydoc_data/topics.py +++ b/Lib/pydoc_data/topics.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -# Autogenerated by Sphinx on Tue May 17 12:57:36 2022 +# Autogenerated by Sphinx on Tue Sep 6 19:25:22 2022 topics = {'assert': 'The "assert" statement\n' '**********************\n' '\n' @@ -7319,7 +7319,7 @@ topics = {'assert': 'The "assert" statement\n' '| "x(arguments...)", "x.attribute" | ' 'attribute reference |\n' '+-------------------------------------------------+---------------------------------------+\n' - '| "await" "x" | ' + '| "await x" | ' 'Await expression |\n' '+-------------------------------------------------+---------------------------------------+\n' '| "**" | ' @@ -7355,7 +7355,7 @@ topics = {'assert': 'The "assert" statement\n' '| ">=", "!=", "==" | ' 'tests and identity tests |\n' '+-------------------------------------------------+---------------------------------------+\n' - '| "not" "x" | ' + '| "not x" | ' 'Boolean NOT |\n' '+-------------------------------------------------+---------------------------------------+\n' '| "and" | ' 
@@ -8044,31 +8044,7 @@ topics = {'assert': 'The "assert" statement\n' ' still alive. The list is in definition order. Example:\n' '\n' ' >>> int.__subclasses__()\n' - " [<class 'bool'>]\n" - '\n' - '-[ Footnotes ]-\n' - '\n' - '[1] Additional information on these special methods may be ' - 'found in\n' - ' the Python Reference Manual (Basic customization).\n' - '\n' - '[2] As a consequence, the list "[1, 2]" is considered equal ' - 'to "[1.0,\n' - ' 2.0]", and similarly for tuples.\n' - '\n' - '[3] They must have since the parser can’t tell the type of ' - 'the\n' - ' operands.\n' - '\n' - '[4] Cased characters are those with general category ' - 'property being\n' - ' one of “Lu” (Letter, uppercase), “Ll” (Letter, ' - 'lowercase), or “Lt”\n' - ' (Letter, titlecase).\n' - '\n' - '[5] To format only a tuple you should therefore provide a ' - 'singleton\n' - ' tuple whose only element is the tuple to be formatted.\n', + " [<class 'bool'>]\n", 'specialnames': 'Special method names\n' '********************\n' '\n' diff --git a/Misc/NEWS.d/3.9.14.rst b/Misc/NEWS.d/3.9.14.rst new file mode 100644 index 00000000000..d2e823c5eb5 --- /dev/null +++ b/Misc/NEWS.d/3.9.14.rst 
@@ -0,0 +1,114 @@ +.. date: 2022-08-07-16-53-38 +.. gh-issue: 95778 +.. nonce: ch010gps +.. release date: 2022-09-06 +.. section: Security + +Converting between :class:`int` and :class:`str` in bases other than 2 +(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) +now raises a :exc:`ValueError` if the number of digits in string form is +above a limit to avoid potential denial of service attacks due to the +algorithmic complexity. This is a mitigation for `CVE-2020-10735 +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. + +This new limit can be configured or disabled by environment variable, +command line flag, or :mod:`sys` APIs. See the :ref:`integer string +conversion length limitation <int_max_str_digits>` documentation. The +default limit is 4300 digits in string form. + +Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with +feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and +Mark Dickinson. + +.. + +.. date: 2022-06-15-20-09-23 +.. gh-issue: 87389 +.. nonce: QVaC3f +.. section: Security + +:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server +when an URI path starts with ``//``. Vulnerability discovered, and initial +fix proposed, by Hamza Avvan. + +.. + +.. date: 2022-05-21-23-21-37 +.. gh-issue: 93065 +.. nonce: 5I18WC +.. section: Core and Builtins + +Fix contextvars HAMT implementation to handle iteration over deep trees. + +The bug was discovered and fixed by Eli Libman. See +`MagicStack/immutables#84 +<https://github.com/MagicStack/immutables/issues/84>`_ for more details. + +.. + +.. date: 2022-07-14-00-43-52 +.. gh-issue: 94821 +.. nonce: e17ghU +.. section: Library + +Fix binding of unix socket to empty address on Linux to use an available +address from the abstract namespace, instead of "\0". + +.. + +.. date: 2022-06-02-08-40-58 +.. gh-issue: 91810 +.. nonce: Gtk44w +.. 
section: Library + +Suppress writing an XML declaration in open files in ``ElementTree.write()`` +with ``encoding='unicode'`` and ``xml_declaration=None``. + +.. + +.. bpo: 45393 +.. date: 2022-02-09-23-44-27 +.. nonce: 9v5Y8U +.. section: Library + +Fix the formatting for ``await x`` and ``not x`` in the operator precedence +table when using the :func:`help` system. + +.. + +.. bpo: 46197 +.. date: 2022-01-03-15-07-06 +.. nonce: Z0djv6 +.. section: Library + +Fix :mod:`ensurepip` environment isolation for subprocess running ``pip``. + +.. + +.. date: 2022-07-26-15-22-19 +.. gh-issue: 95280 +.. nonce: h8HvbP +.. section: Tests + +Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require +perfect forward secrecy (PFS) ciphers. + +.. + +.. date: 2022-06-27-21-27-20 +.. gh-issue: 94208 +.. nonce: VR6HX- +.. section: Tests + +``test_ssl`` is now checking for supported TLS version and protocols in more +tests. + +.. + +.. bpo: 47016 +.. date: 2022-03-14-23-28-17 +.. nonce: K-t2QX +.. section: Tests + +Create a GitHub Actions workflow for verifying bundled pip and setuptools. +Patch by Illia Volochii and Adam Turner. diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-05-21-23-21-37.gh-issue-93065.5I18WC.rst b/Misc/NEWS.d/next/Core and Builtins/2022-05-21-23-21-37.gh-issue-93065.5I18WC.rst deleted file mode 100644 index ea801653f75..00000000000 --- a/Misc/NEWS.d/next/Core and Builtins/2022-05-21-23-21-37.gh-issue-93065.5I18WC.rst +++ /dev/null @@ -1,5 +0,0 @@ -Fix contextvars HAMT implementation to handle iteration over deep trees. - -The bug was discovered and fixed by Eli Libman. See -`MagicStack/immutables#84 <https://github.com/MagicStack/immutables/issues/84>`_ -for more details. diff --git a/Misc/NEWS.d/next/Library/2022-01-03-15-07-06.bpo-46197.Z0djv6.rst b/Misc/NEWS.d/next/Library/2022-01-03-15-07-06.bpo-46197.Z0djv6.rst deleted file mode 100644 index 7a3b2d59dfa..00000000000 
--- a/Misc/NEWS.d/next/Library/2022-01-03-15-07-06.bpo-46197.Z0djv6.rst +++ /dev/null @@ -1 +0,0 @@ -Fix :mod:`ensurepip` environment isolation for subprocess running ``pip``. diff --git a/Misc/NEWS.d/next/Library/2022-02-09-23-44-27.bpo-45393.9v5Y8U.rst b/Misc/NEWS.d/next/Library/2022-02-09-23-44-27.bpo-45393.9v5Y8U.rst deleted file mode 100644 index 0a239b07d76..00000000000 --- a/Misc/NEWS.d/next/Library/2022-02-09-23-44-27.bpo-45393.9v5Y8U.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix the formatting for ``await x`` and ``not x`` in the operator precedence -table when using the :func:`help` system. diff --git a/Misc/NEWS.d/next/Library/2022-06-02-08-40-58.gh-issue-91810.Gtk44w.rst b/Misc/NEWS.d/next/Library/2022-06-02-08-40-58.gh-issue-91810.Gtk44w.rst deleted file mode 100644 index e40005886af..00000000000 --- a/Misc/NEWS.d/next/Library/2022-06-02-08-40-58.gh-issue-91810.Gtk44w.rst +++ /dev/null @@ -1,2 +0,0 @@ -Suppress writing an XML declaration in open files in ``ElementTree.write()`` -with ``encoding='unicode'`` and ``xml_declaration=None``. diff --git a/Misc/NEWS.d/next/Library/2022-07-14-00-43-52.gh-issue-94821.e17ghU.rst b/Misc/NEWS.d/next/Library/2022-07-14-00-43-52.gh-issue-94821.e17ghU.rst deleted file mode 100644 index bf7885aef8c..00000000000 --- a/Misc/NEWS.d/next/Library/2022-07-14-00-43-52.gh-issue-94821.e17ghU.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix binding of unix socket to empty address on Linux to use an available -address from the abstract namespace, instead of "\0". diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst deleted file mode 100644 index 029d437190d..00000000000 --- a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst +++ /dev/null 
@@ -1,3 +0,0 @@ -:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server -when an URI path starts with ``//``. Vulnerability discovered, and initial -fix proposed, by Hamza Avvan. diff --git a/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst b/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst deleted file mode 100644 index 8eb8a34884d..00000000000 --- a/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst +++ /dev/null @@ -1,14 +0,0 @@ -Converting between :class:`int` and :class:`str` in bases other than 2 -(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now -raises a :exc:`ValueError` if the number of digits in string form is above a -limit to avoid potential denial of service attacks due to the algorithmic -complexity. This is a mitigation for `CVE-2020-10735 -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. - -This new limit can be configured or disabled by environment variable, command -line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion length -limitation <int_max_str_digits>` documentation. The default limit is 4300 -digits in string form. - -Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback -from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson. diff --git a/Misc/NEWS.d/next/Tests/2022-03-14-23-28-17.bpo-47016.K-t2QX.rst b/Misc/NEWS.d/next/Tests/2022-03-14-23-28-17.bpo-47016.K-t2QX.rst deleted file mode 100644 index 774bfafc021..00000000000 --- a/Misc/NEWS.d/next/Tests/2022-03-14-23-28-17.bpo-47016.K-t2QX.rst +++ /dev/null @@ -1,2 +0,0 @@ -Create a GitHub Actions workflow for verifying bundled pip and setuptools. -Patch by Illia Volochii and Adam Turner. 
diff --git a/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst b/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst deleted file mode 100644 index d0f970ad286..00000000000 --- a/Misc/NEWS.d/next/Tests/2022-06-27-21-27-20.gh-issue-94208.VR6HX-.rst +++ /dev/null @@ -1,2 +0,0 @@ -``test_ssl`` is now checking for supported TLS version and protocols in more -tests. diff --git a/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst deleted file mode 100644 index 523d9d5f2f8..00000000000 --- a/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require -perfect forward secrecy (PFS) ciphers. diff --git a/README.rst b/README.rst index 7a842390b03..ae3e983b5fe 100644 --- a/README.rst +++ b/README.rst @@ -1,4 +1,4 @@ -This is Python version 3.9.13 +This is Python version 3.9.14 ============================= .. image:: https://travis-ci.org/python/cpython.svg?branch=3.9 |
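Review bot: the second `Lib/pydoc_data/topics.py` hunk (`@@ -8044,31 +8044,7 @@`) removes the entire `-[ Footnotes ]-` block, footnotes [1] through [5], from the end of the topic that precedes `specialnames`, and nothing in this commit explains that; the only NEWS entry touching this file (bpo-45393) covers the `await x` / `not x` precedence-table fix, which is the first two hunks. Since the file header says it is autogenerated by Sphinx, this is most likely a side effect of regenerating with a different Sphinx version that no longer inlines those footnotes, but a one-line mention in the commit message (or a check that the same footnotes are absent in the matching `main` regeneration) would stop the next reader from treating the deletion as lost documentation.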
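Review bot: the CVE-2020-10735 entry in the new `Misc/NEWS.d/3.9.14.rst` says the limit "can be configured or disabled by environment variable, command line flag, or :mod:`sys` APIs" but names none of them, so an operator reading only the changelog cannot tell which knob to set before a patch-level upgrade starts raising `ValueError` on previously accepted input. Suggest naming them inline, as the linked `int_max_str_digits` documentation does (`PYTHONINTMAXSTRDIGITS`, `-X int_max_str_digits`, and `sys.set_int_max_str_digits()`), and stating plainly that the 4300-digit default applies to both `int(s)` and `str(n)` in the affected bases. In the same hunk, the gh-87389 entry names the triggering input (a path starting with `//`) but not what `http.server` now does with it, and "when an URI path" should read "when a URI path".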