Wed Dec 7 18:48:07 UTC 2022

patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap use-after-free). gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module. gh-97514: On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 (potential privilege escalation) as abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. Filesystem based socket permissions restrict this to the forkserver process user as was the default in Python 3.8 and earlier. gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix CVE-2022-37454. gh-68966: The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands to address CVE-2015-20107. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). For more information, see: https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html https://www.cve.org/CVERecord?id=CVE-2022-43680 https://www.cve.org/CVERecord?id=CVE-2022-45061 https://www.cve.org/CVERecord?id=CVE-2022-42919 https://www.cve.org/CVERecord?id=CVE-2022-37454 https://www.cve.org/CVERecord?id=CVE-2015-20107 (* Security fix *)
2024-12-27 09:59:16 +01:00 · 2022-12-07 18:48:07 +00:00 · 2022-12-07 18:48:07 +00:00 · 7add5d2865
commit 7add5d2865
parent c3b931c533
4 changed files with 109 additions and 23 deletions
--- a/ChangeLog.rss
+++ b/ChangeLog.rss
@ -11,9 +11,56 @@
      <description>Tracking Slackware development in git.</description>
      <language>en-us</language>
      <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
-      <pubDate>Mon,  5 Dec 2022 21:00:46 GMT</pubDate>
-      <lastBuildDate>Tue,  6 Dec 2022 12:30:22 GMT</lastBuildDate>
+      <pubDate>Wed,  7 Dec 2022 18:48:07 GMT</pubDate>
+      <lastBuildDate>Thu,  8 Dec 2022 12:30:17 GMT</lastBuildDate>
      <generator>maintain_current_git.sh v 1.17</generator>
+      <item>
+         <title>Wed,  7 Dec 2022 18:48:07 GMT</title>
+         <pubDate>Wed,  7 Dec 2022 18:48:07 GMT</pubDate>
+         <link>https://git.slackware.nl/current/tag/?h=20221207184807</link>
+         <guid isPermaLink="false">20221207184807</guid>
+         <description>
+           <![CDATA[<pre>
+patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz:  Upgraded.
+  This update fixes security issues:
+  gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
+  (heap use-after-free).
+  gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
+  related name resolution functions no longer involves a quadratic algorithm
+  to fix CVE-2022-45061. This prevents a potential CPU denial of service if an
+  out-of-spec excessive length hostname involving bidirectional characters were
+  decoded. Some protocols such as urllib http 3xx redirects potentially allow
+  for an attacker to supply such a name.
+  gh-100001: python -m http.server no longer allows terminal control characters
+  sent within a garbage request to be printed to the stderr server log.
+  gh-87604: Avoid publishing list of active per-interpreter audit hooks via the
+  gc module.
+  gh-97514: On Linux the multiprocessing module returns to using filesystem
+  backed unix domain sockets for communication with the forkserver process
+  instead of the Linux abstract socket namespace. Only code that chooses to use
+  the "forkserver" start method is affected. This prevents Linux CVE-2022-42919
+  (potential privilege escalation) as abstract sockets have no permissions and
+  could allow any user on the system in the same network namespace (often the
+  whole system) to inject code into the multiprocessing forkserver process.
+  Filesystem based socket permissions restrict this to the forkserver process
+  user as was the default in Python 3.8 and earlier.
+  gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix
+  CVE-2022-37454.
+  gh-68966: The deprecated mailcap module now refuses to inject unsafe text
+  (filenames, MIME types, parameters) into shell commands to address
+  CVE-2015-20107. Instead of using such text, it will warn and act as if a
+  match was not found (or for test commands, as if the test failed).
+  For more information, see:
+    https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html
+    https://www.cve.org/CVERecord?id=CVE-2022-43680
+    https://www.cve.org/CVERecord?id=CVE-2022-45061
+    https://www.cve.org/CVERecord?id=CVE-2022-42919
+    https://www.cve.org/CVERecord?id=CVE-2022-37454
+    https://www.cve.org/CVERecord?id=CVE-2015-20107
+  (* Security fix *)
+           </pre>]]>
+         </description>
+      </item>
      <item>
         <title>Mon,  5 Dec 2022 21:00:46 GMT</title>
         <pubDate>Mon,  5 Dec 2022 21:00:46 GMT</pubDate>
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -1,3 +1,42 @@
+Wed Dec  7 18:48:07 UTC 2022
+patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz:  Upgraded.
+  This update fixes security issues:
+  gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
+  (heap use-after-free).
+  gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
+  related name resolution functions no longer involves a quadratic algorithm
+  to fix CVE-2022-45061. This prevents a potential CPU denial of service if an
+  out-of-spec excessive length hostname involving bidirectional characters were
+  decoded. Some protocols such as urllib http 3xx redirects potentially allow
+  for an attacker to supply such a name.
+  gh-100001: python -m http.server no longer allows terminal control characters
+  sent within a garbage request to be printed to the stderr server log.
+  gh-87604: Avoid publishing list of active per-interpreter audit hooks via the
+  gc module.
+  gh-97514: On Linux the multiprocessing module returns to using filesystem
+  backed unix domain sockets for communication with the forkserver process
+  instead of the Linux abstract socket namespace. Only code that chooses to use
+  the "forkserver" start method is affected. This prevents Linux CVE-2022-42919
+  (potential privilege escalation) as abstract sockets have no permissions and
+  could allow any user on the system in the same network namespace (often the
+  whole system) to inject code into the multiprocessing forkserver process.
+  Filesystem based socket permissions restrict this to the forkserver process
+  user as was the default in Python 3.8 and earlier.
+  gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix
+  CVE-2022-37454.
+  gh-68966: The deprecated mailcap module now refuses to inject unsafe text
+  (filenames, MIME types, parameters) into shell commands to address
+  CVE-2015-20107. Instead of using such text, it will warn and act as if a
+  match was not found (or for test commands, as if the test failed).
+  For more information, see:
+    https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html
+    https://www.cve.org/CVERecord?id=CVE-2022-43680
+    https://www.cve.org/CVERecord?id=CVE-2022-45061
+    https://www.cve.org/CVERecord?id=CVE-2022-42919
+    https://www.cve.org/CVERecord?id=CVE-2022-37454
+    https://www.cve.org/CVERecord?id=CVE-2015-20107
+  (* Security fix *)
+--------------------------+
 Mon Dec  5 21:00:46 UTC 2022
 patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
--- a/FILELIST.TXT
+++ b/FILELIST.TXT
@ -1,20 +1,20 @@
-Mon Dec  5 21:05:38 UTC 2022
+Wed Dec  7 18:50:38 UTC 2022

 Here is the file list for this directory.  If you are using a 
 mirror site and find missing or extra files in the disk 
 subdirectories, please have the archive administrator refresh
 the mirror.

-drwxr-xr-x 12 root root      4096 2022-12-05 21:00 .
+drwxr-xr-x 12 root root      4096 2022-12-07 18:48 .
 -rw-r--r--  1 root root      5767 2022-02-02 22:44 ./ANNOUNCE.15.0
 -rw-r--r--  1 root root     16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT
-rw-r--r--  1 root root   1161998 2022-12-02 21:02 ./CHECKSUMS.md5
-rw-r--r--  1 root root       163 2022-12-02 21:02 ./CHECKSUMS.md5.asc
+-rw-r--r--  1 root root   1161998 2022-12-05 21:05 ./CHECKSUMS.md5
+-rw-r--r--  1 root root       163 2022-12-05 21:05 ./CHECKSUMS.md5.asc
 -rw-r--r--  1 root root     17976 1994-06-10 02:28 ./COPYING
 -rw-r--r--  1 root root     35147 2007-06-30 04:21 ./COPYING3
 -rw-r--r--  1 root root     19573 2016-06-23 20:08 ./COPYRIGHT.TXT
 -rw-r--r--  1 root root       616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
-rw-r--r--  1 root root   1958986 2022-12-05 21:00 ./ChangeLog.txt
+-rw-r--r--  1 root root   1961368 2022-12-07 18:48 ./ChangeLog.txt
 drwxr-xr-x  3 root root      4096 2013-03-20 22:17 ./EFI
 drwxr-xr-x  2 root root      4096 2022-02-02 08:21 ./EFI/BOOT
 -rw-r--r--  1 root root   1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi
@ -25,7 +25,7 @@ drwxr-xr-x  2 root root      4096 2022-02-02 08:21 ./EFI/BOOT
 -rwxr-xr-x  1 root root      2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh
 -rw-r--r--  1 root root     10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg
 -rw-r--r--  1 root root      1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
-rw-r--r--  1 root root   1517981 2022-12-02 21:01 ./FILELIST.TXT
+-rw-r--r--  1 root root   1517981 2022-12-05 21:05 ./FILELIST.TXT
 -rw-r--r--  1 root root      1572 2012-08-29 18:27 ./GPG-KEY
 -rw-r--r--  1 root root    864745 2022-02-02 08:25 ./PACKAGES.TXT
 -rw-r--r--  1 root root      8034 2022-02-02 03:36 ./README.TXT
@ -738,13 +738,13 @@ drwxr-xr-x  2 root root      4096 2008-05-07 05:21 ./pasture/source/php/pear
 -rwxr-xr-x  1 root root      9448 2018-05-16 22:38 ./pasture/source/php/php.SlackBuild
 -rw-r--r--  1 root root       775 2017-07-07 19:25 ./pasture/source/php/php.ini-development.diff.gz
 -rw-r--r--  1 root root       830 2005-12-09 05:18 ./pasture/source/php/slack-desc
-drwxr-xr-x  4 root root      4096 2022-12-05 21:05 ./patches
-rw-r--r--  1 root root     56953 2022-12-05 21:05 ./patches/CHECKSUMS.md5
-rw-r--r--  1 root root       163 2022-12-05 21:05 ./patches/CHECKSUMS.md5.asc
-rw-r--r--  1 root root     77037 2022-12-05 21:05 ./patches/FILE_LIST
-rw-r--r--  1 root root  11823139 2022-12-05 21:05 ./patches/MANIFEST.bz2
-rw-r--r--  1 root root     41760 2022-12-05 21:05 ./patches/PACKAGES.TXT
-drwxr-xr-x  3 root root     16384 2022-12-05 21:05 ./patches/packages
+drwxr-xr-x  4 root root      4096 2022-12-07 18:50 ./patches
+-rw-r--r--  1 root root     56953 2022-12-07 18:50 ./patches/CHECKSUMS.md5
+-rw-r--r--  1 root root       163 2022-12-07 18:50 ./patches/CHECKSUMS.md5.asc
+-rw-r--r--  1 root root     77037 2022-12-07 18:50 ./patches/FILE_LIST
+-rw-r--r--  1 root root  11825028 2022-12-07 18:50 ./patches/MANIFEST.bz2
+-rw-r--r--  1 root root     41760 2022-12-07 18:50 ./patches/PACKAGES.TXT
+drwxr-xr-x  3 root root     16384 2022-12-07 18:50 ./patches/packages
 -rw-r--r--  1 root root       327 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txt
 -rw-r--r--  1 root root     10716 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz.asc
@ -881,9 +881,9 @@ drwxr-xr-x  2 root root      4096 2022-11-29 21:00 ./patches/packages/linux-5.15
 -rw-r--r--  1 root root       533 2022-09-01 18:45 ./patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txt
 -rw-r--r--  1 root root   1746808 2022-09-01 18:45 ./patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-09-01 18:45 ./patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz.asc
-rw-r--r--  1 root root       663 2022-10-13 18:24 ./patches/packages/python3-3.9.15-x86_64-1_slack15.0.txt
-rw-r--r--  1 root root  19190048 2022-10-13 18:24 ./patches/packages/python3-3.9.15-x86_64-1_slack15.0.txz
-rw-r--r--  1 root root       163 2022-10-13 18:24 ./patches/packages/python3-3.9.15-x86_64-1_slack15.0.txz.asc
+-rw-r--r--  1 root root       663 2022-12-07 17:35 ./patches/packages/python3-3.9.16-x86_64-1_slack15.0.txt
+-rw-r--r--  1 root root  19185720 2022-12-07 17:35 ./patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz
+-rw-r--r--  1 root root       163 2022-12-07 17:35 ./patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz.asc
 -rw-r--r--  1 root root       260 2022-03-20 22:36 ./patches/packages/qt5-5.15.3_20220318_e507d3e5-x86_64-1_slack15.0.txt
 -rw-r--r--  1 root root  99025556 2022-03-20 22:36 ./patches/packages/qt5-5.15.3_20220318_e507d3e5-x86_64-1_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-03-20 22:36 ./patches/packages/qt5-5.15.3_20220318_e507d3e5-x86_64-1_slack15.0.txz.asc
@ -944,7 +944,7 @@ drwxr-xr-x  2 root root      4096 2022-11-29 21:00 ./patches/packages/linux-5.15
 -rw-r--r--  1 root root       388 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txt
 -rw-r--r--  1 root root    105356 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz
 -rw-r--r--  1 root root       163 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz.asc
-drwxr-xr-x 58 root root      4096 2022-12-05 21:00 ./patches/source
+drwxr-xr-x 58 root root      4096 2022-12-07 18:16 ./patches/source
 drwxr-xr-x  2 root root      4096 2022-01-16 05:07 ./patches/source/aaa_base
 -rw-r--r--  1 root root     11041 2022-02-15 04:49 ./patches/source/aaa_base/_aaa_base.tar.gz
 -rwxr-xr-x  1 root root      3894 2022-02-15 05:07 ./patches/source/aaa_base/aaa_base.SlackBuild
@ -1371,11 +1371,11 @@ drwxr-xr-x  2 root root      4096 2022-09-01 18:42 ./patches/source/poppler
 -rw-r--r--  1 root root   1798780 2021-12-26 19:51 ./patches/source/poppler/poppler-21.12.0.tar.xz
 -rwxr-xr-x  1 root root      4628 2022-09-01 18:43 ./patches/source/poppler/poppler.SlackBuild
 -rw-r--r--  1 root root       988 2018-02-27 06:12 ./patches/source/poppler/slack-desc
-drwxr-xr-x  2 root root      4096 2022-10-13 18:22 ./patches/source/python3
-rw-r--r--  1 root root  19712208 2022-10-11 15:49 ./patches/source/python3/Python-3.9.15.tar.xz
-rw-r--r--  1 root root       833 2022-10-11 15:49 ./patches/source/python3/Python-3.9.15.tar.xz.asc
+drwxr-xr-x  2 root root      4096 2022-12-07 17:33 ./patches/source/python3
+-rw-r--r--  1 root root  19738796 2022-12-06 18:42 ./patches/source/python3/Python-3.9.16.tar.xz
+-rw-r--r--  1 root root       833 2022-12-06 18:42 ./patches/source/python3/Python-3.9.16.tar.xz.asc
 -rw-r--r--  1 root root       890 2017-01-12 20:00 ./patches/source/python3/README
-rw-r--r--  1 root root   2543729 2022-10-11 15:49 ./patches/source/python3/python-3.9.15-docs-text.tar.bz2
+-rw-r--r--  1 root root   2545722 2022-12-06 18:41 ./patches/source/python3/python-3.9.16-docs-text.tar.bz2
 -rw-r--r--  1 root root       372 2021-11-20 19:27 ./patches/source/python3/python.sysconfig.py.x86_64.diff.gz
 -rwxr-xr-x  1 root root      6380 2022-03-18 19:40 ./patches/source/python3/python3.SlackBuild
 -rw-r--r--  1 root root       495 2020-10-24 22:31 ./patches/source/python3/python3.distutils.x86_64.diff.gz
--- a/patches/packages/python3-3.9.16-x86_64-1_slack15.0.txt
+++ b/patches/packages/python3-3.9.16-x86_64-1_slack15.0.txt