https://mail.python.org/archives/list/python-announce-l...@python.org/thread/N6H2D7I752UM3VZ37AVSBOC3CAGAMUX6/ announces the release of new versions of Python for the 3.8 through 3.13 trains, including the following security content:
gh-123678 <https://github.com/python/cpython/issues/123678> and gh-116741 <https://github.com/python/cpython/issues/116741>: Upgrade the bundled libexpat to 2.6.3 to fix CVE-2024-28757 <https://github.com/advisories/GHSA-ch5v-h69f-mxc8>, CVE-2024-45490 <https://github.com/advisories/GHSA-4hvh-m426-wv8w>, CVE-2024-45491 <https://github.com/advisories/GHSA-784x-7qm2-gp97> and CVE-2024-45492 <https://github.com/advisories/GHSA-5qxm-qvmj-8v79>.

gh-118486 <https://github.com/python/cpython/issues/118486>: os.mkdir() <https://docs.python.org/3/library/os.html#os.mkdir> on Windows now accepts a mode of 0o700 to restrict the new directory to the current user. This fixes CVE-2024-4030, which affected tempfile.mkdtemp() <https://docs.python.org/3/library/tempfile.html#tempfile.mkdtemp> in scenarios where the base temporary directory is more permissive than the default.

gh-123067 <https://github.com/python/cpython/issues/123067>: Fix quadratic complexity in http.cookies <https://docs.python.org/3/library/http.cookies.html#module-http.cookies> when parsing "-quoted cookie values containing backslashes. Fixes CVE-2024-7592.

gh-113171 <https://github.com/python/cpython/issues/113171>: Fixed various false positives and false negatives in IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private and IPv6Address.is_global. Fixes CVE-2024-4032.

gh-67693 <https://github.com/python/cpython/issues/67693>: Fix urllib.parse.urlunparse() <https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunparse> and urllib.parse.urlunsplit() <https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunsplit> for URIs whose path starts with multiple slashes and that have no authority. Fixes CVE-2015-2104.

gh-121957 <https://github.com/python/cpython/issues/121957>: Fixed missing audit events around interactive use of Python; the cpython.run_stdin event now also fires properly for python -i and for python -m asyncio.
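The is_private/is_global fix (gh-113171, CVE-2024-4032) matters most where those properties gate outbound connections, for example an SSRF guard in front of a URL fetcher. The following check is an added example, not code from CPython or the announcement; classify_destination and filter_destinations, their reject-by-default policy, the reason strings and the sample addresses are this example's own. It unwraps IPv4-mapped IPv6 literals before judging them and refuses anything ipaddress does not report as globally reachable, including 100.64.0.0/10, which ipaddress reports as neither private nor global.

```python
import ipaddress

# Added example (not CPython code): decide whether an IP literal may be
# used as an outbound fetch / webhook destination.  The policy is this
# example's own: anything the ipaddress module does not report as
# globally reachable is refused, and a reason is returned for logging.


def classify_destination(literal: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an IPv4 or IPv6 literal.

    Bracketed IPv6 literals as written in URLs ("[::1]") are accepted.
    Host names are deliberately not resolved here: resolve first, then
    classify every returned address, and connect to the one you checked.
    """
    try:
        addr = ipaddress.ip_address(literal.strip("[]"))
    except ValueError:
        return False, "not an IP literal"

    # ::ffff:a.b.c.d reaches the IPv4 host a.b.c.d; judge the embedded
    # IPv4 address rather than the IPv6 wrapper.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Specific reasons first so the log line says why it was refused.
    if addr.is_unspecified:
        return False, "unspecified address"
    if addr.is_loopback:
        return False, "loopback"
    if addr.is_link_local:
        return False, "link-local (covers cloud metadata 169.254.169.254)"
    if addr.is_multicast:
        return False, "multicast"
    if addr.is_private:
        return False, "private / not globally reachable"
    # 100.64.0.0/10 (shared address space) is neither private nor global
    # in ipaddress; is_global catches it and any other reserved range.
    if not addr.is_global:
        return False, "reserved / not globally reachable"
    return True, "global unicast"


def filter_destinations(literals):
    """Split candidate literals into (allowed, refused) lists of (literal, reason)."""
    allowed, refused = [], []
    for lit in literals:
        ok, why = classify_destination(lit)
        (allowed if ok else refused).append((lit, why))
    return allowed, refused


if __name__ == "__main__":
    # Constructed sample input for the demo (not from the announcement).
    sample = ["8.8.8.8", "10.1.2.3", "127.0.0.1", "169.254.169.254",
              "::ffff:10.0.0.1", "[::1]", "fe80::1", "100.64.0.1",
              "2606:4700::1111", "not.an.ip"]
    allowed, refused = filter_destinations(sample)
    for lit, why in refused:
        print(f"refused {lit}: {why}")
    print("allowed:", [lit for lit, _ in allowed])
```

Resolve the host name first, classify every address the resolver returns, and connect to the address you classified rather than re-resolving; ipaddress never touches the network, so the check cannot be undermined by a later DNS answer. How some special-purpose ranges are classified depends on whether the interpreter carries the gh-113171 fix, so run this on the interpreter you actually deploy.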
gh-122133 <https://github.com/python/cpython/issues/122133>: Authenticate the socket connection for the socket.socketpair() fallback on platforms where AF_UNIX is not available, such as Windows.

gh-121285 <https://github.com/python/cpython/issues/121285>: Remove backtracking from tarfile header parsing for hdrcharset, PAX and GNU sparse headers. That’s CVE-2024-6232.

gh-114572 <https://github.com/python/cpython/issues/114572>: ssl.SSLContext.cert_store_stats() <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.cert_store_stats> and ssl.SSLContext.get_ca_certs() <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs> now correctly lock access to the certificate store when the ssl.SSLContext <https://docs.python.org/3/library/ssl.html#ssl.SSLContext> is shared across multiple threads.

gh-102988 <https://github.com/python/cpython/issues/102988>: email.utils.getaddresses() <https://docs.python.org/3/library/email.utils.html#email.utils.getaddresses> and email.utils.parseaddr() <https://docs.python.org/3/library/email.utils.html#email.utils.parseaddr> now return ('', '') 2-tuples in more situations where invalid email addresses are encountered, instead of potentially inaccurate values. An optional strict parameter was added to both functions: pass strict=False to get the old behaviour, which accepts malformed input. getattr(email.utils, 'supports_strict_parsing', False) can be used to check whether the strict parameter is available. This improves the CVE-2023-27043 fix.

gh-123270 <https://github.com/python/cpython/issues/123270>: Sanitize names in zipfile.Path <https://docs.python.org/3/library/zipfile.html#zipfile.Path> to avoid infinite loops (gh-122905 <https://github.com/python/cpython/issues/122905>) without breaking contents that use legitimate characters. That’s CVE-2024-8088.

gh-121650 <https://github.com/python/cpython/issues/121650>: email <https://docs.python.org/3/library/email.html#module-email> headers with embedded newlines are now quoted on output.
The generator <https://docs.python.org/3/library/email.generator.html#module-email.generator> will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers <https://docs.python.org/3/library/email.policy.html#email.policy.Policy.verify_generated_headers>. That’s CVE-2024-6923.

gh-119690 <https://github.com/python/cpython/issues/119690>: Fixes a data type confusion in the audit events raised by _winapi.CreateFile and _winapi.CreateNamedPipe.

gh-116773 <https://github.com/python/cpython/issues/116773>: Fix the "<_overlapped.Overlapped object at 0xXXX> still has pending operation at deallocation, the process may crash" condition.

gh-112275 <https://github.com/python/cpython/issues/112275>: A deadlock involving pystate.c’s HEAD_LOCK in posixmodule.c at fork is now fixed.

Stay safe and upgrade! Upgrading is highly recommended for all users of affected versions.
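Two of the email items, strict address parsing (gh-102988) and header output (gh-121650, CVE-2024-6923), meet whenever an application builds outbound mail from user-supplied recipients and subjects. The following is an added example, not code from CPython or the announcement: parse_recipients, recipients_are_valid, header_value_is_safe and build_message are this example's own names; the address regex is a deliberately narrow local policy, far stricter than RFC 5322; and the bracket/quote balance and comma-count checks are the example's own fallback for interpreters whose email.utils lacks strict parsing, which it detects through supports_strict_parsing as the announcement describes. The sample addresses are constructed.

```python
import email.utils
import re
from email.message import EmailMessage
from email.utils import formataddr

# Added example (not CPython code).  Feature-detect the strict parser the
# releases above add to email.utils; older interpreters fall back to the
# legacy parser plus this example's own checks.
STRICT_AVAILABLE = bool(getattr(email.utils, "supports_strict_parsing", False))

# This example's own, deliberately narrow, addr-spec shape (not RFC 5322).
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_QUOTED_RE = re.compile(r'"[^"]*"')


def parse_recipients(header_value: str) -> list[tuple[str, str]]:
    """Parse one To/Cc-style header value into (display_name, addr) pairs.

    Raises ValueError for the whole value if any part is malformed: a
    partially accepted recipient list is how address confusion starts.
    """
    # Example's own pre-checks: unbalanced angle brackets or quotes mean
    # the legacy parser may silently guess; refuse instead.
    if header_value.count("<") != header_value.count(">") or header_value.count('"') % 2:
        raise ValueError(f"unbalanced delimiters in recipient list: {header_value!r}")

    if STRICT_AVAILABLE:
        pairs = email.utils.getaddresses([header_value], strict=True)
    else:
        pairs = email.utils.getaddresses([header_value])

    # Strict mode signals failure with ('', '') entries.  The legacy parser
    # does not, so also require exactly one address per top-level comma
    # (commas inside quoted display names do not count).
    expected = 1 + _QUOTED_RE.sub("", header_value).count(",")
    if any(p == ("", "") for p in pairs) or len(pairs) != expected:
        raise ValueError(f"malformed recipient list: {header_value!r}")
    for name, addr in pairs:
        if not _ADDR_RE.match(addr) or any(c in name for c in "@<>\r\n"):
            raise ValueError(f"suspicious recipient: {(name, addr)!r}")
    return pairs


def recipients_are_valid(header_value: str) -> bool:
    """True if parse_recipients accepts the value."""
    try:
        parse_recipients(header_value)
        return True
    except ValueError:
        return False


def header_value_is_safe(value: str) -> bool:
    """A header value must never carry a line break: CR or LF would start
    a new header line (for example an injected Bcc) in the serialised message."""
    return "\r" not in value and "\n" not in value


def build_message(to_value: str, subject: str, body: str) -> bytes:
    """Serialise an outbound message, refusing header values that could
    inject a header line.  The generator's own verify_generated_headers
    check (on by default in fixed releases) stays enabled as a second line
    of defence; this function does not rely on it.
    """
    if not header_value_is_safe(subject):
        raise ValueError("CR/LF in Subject")
    msg = EmailMessage()  # uses email.policy.default
    msg["From"] = formataddr(("Sender", "noreply@example.com"))
    msg["To"] = ", ".join(formataddr(p) for p in parse_recipients(to_value))
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


if __name__ == "__main__":
    print("strict parsing available:", STRICT_AVAILABLE)
    for value in ['Alice <alice@example.com>, bob@example.com',
                  '"Smith, Jane" <jane@example.com>',
                  'alice@example.com<bob@example.com>',   # constructed, malformed
                  'Alice <alice@example.com']:            # constructed, unbalanced
        print(f"{value!r}: {'ok' if recipients_are_valid(value) else 'REFUSED'}")
    print(build_message("Alice <alice@example.com>", "Hello", "hi\n").decode())
```

On an interpreter that carries gh-102988 the strict parser already collapses the malformed example to ('', ''); on an older one the comma-count check catches the same input, so the outcome does not depend on which interpreter serves the request. Keep getaddresses(..., strict=False) out of code that handles untrusted input.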