From 7add5d2865572a0a23891756e58701a6c97c5965 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 7 Dec 2022 18:48:07 +0000 Subject: [PATCH] Wed Dec 7 18:48:07 UTC 2022 patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap use-after-free). gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module. gh-97514: On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 (potential privilege escalation) as abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. Filesystem based socket permissions restrict this to the forkserver process user as was the default in Python 3.8 and earlier. gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix CVE-2022-37454. gh-68966: The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands to address CVE-2015-20107. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). For more information, see: https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html https://www.cve.org/CVERecord?id=CVE-2022-43680 https://www.cve.org/CVERecord?id=CVE-2022-45061 https://www.cve.org/CVERecord?id=CVE-2022-42919 https://www.cve.org/CVERecord?id=CVE-2022-37454 https://www.cve.org/CVERecord?id=CVE-2015-20107 (* Security fix *) --- ChangeLog.rss | 51 ++++++++++++++++++- ChangeLog.txt | 39 ++++++++++++++ FILELIST.TXT | 42 +++++++-------- ... => python3-3.9.16-x86_64-1_slack15.0.txt} | 0 4 files changed, 109 insertions(+), 23 deletions(-) rename patches/packages/{python3-3.9.15-x86_64-1_slack15.0.txt => python3-3.9.16-x86_64-1_slack15.0.txt} (100%) diff --git a/ChangeLog.rss b/ChangeLog.rss index 806c4cfff..14a6cf539 100644 --- a/ChangeLog.rss +++ b/ChangeLog.rss @@ -11,9 +11,56 @@ Tracking Slackware development in git. en-us urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f - Mon, 5 Dec 2022 21:00:46 GMT - Tue, 6 Dec 2022 12:30:22 GMT + Wed, 7 Dec 2022 18:48:07 GMT + Thu, 8 Dec 2022 12:30:17 GMT maintain_current_git.sh v 1.17 + + Wed, 7 Dec 2022 18:48:07 GMT + Wed, 7 Dec 2022 18:48:07 GMT + https://git.slackware.nl/current/tag/?h=20221207184807 + 20221207184807 + + +patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 + (heap use-after-free). + gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio + related name resolution functions no longer involves a quadratic algorithm + to fix CVE-2022-45061. This prevents a potential CPU denial of service if an + out-of-spec excessive length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name. + gh-100001: python -m http.server no longer allows terminal control characters + sent within a garbage request to be printed to the stderr server log. + gh-87604: Avoid publishing list of active per-interpreter audit hooks via the + gc module. + gh-97514: On Linux the multiprocessing module returns to using filesystem + backed unix domain sockets for communication with the forkserver process + instead of the Linux abstract socket namespace. Only code that chooses to use + the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 + (potential privilege escalation) as abstract sockets have no permissions and + could allow any user on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing forkserver process. + Filesystem based socket permissions restrict this to the forkserver process + user as was the default in Python 3.8 and earlier. + gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix + CVE-2022-37454. + gh-68966: The deprecated mailcap module now refuses to inject unsafe text + (filenames, MIME types, parameters) into shell commands to address + CVE-2015-20107. Instead of using such text, it will warn and act as if a + match was not found (or for test commands, as if the test failed). + For more information, see: + https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html + https://www.cve.org/CVERecord?id=CVE-2022-43680 + https://www.cve.org/CVERecord?id=CVE-2022-45061 + https://www.cve.org/CVERecord?id=CVE-2022-42919 + https://www.cve.org/CVERecord?id=CVE-2022-37454 + https://www.cve.org/CVERecord?id=CVE-2015-20107 + (* Security fix *) + ]]> + + Mon, 5 Dec 2022 21:00:46 GMT Mon, 5 Dec 2022 21:00:46 GMT diff --git a/ChangeLog.txt b/ChangeLog.txt index 32d689fc6..a4bb23b23 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,42 @@ +Wed Dec 7 18:48:07 UTC 2022 +patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 + (heap use-after-free). + gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio + related name resolution functions no longer involves a quadratic algorithm + to fix CVE-2022-45061. This prevents a potential CPU denial of service if an + out-of-spec excessive length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name. + gh-100001: python -m http.server no longer allows terminal control characters + sent within a garbage request to be printed to the stderr server log. + gh-87604: Avoid publishing list of active per-interpreter audit hooks via the + gc module. + gh-97514: On Linux the multiprocessing module returns to using filesystem + backed unix domain sockets for communication with the forkserver process + instead of the Linux abstract socket namespace. Only code that chooses to use + the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 + (potential privilege escalation) as abstract sockets have no permissions and + could allow any user on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing forkserver process. + Filesystem based socket permissions restrict this to the forkserver process + user as was the default in Python 3.8 and earlier. + gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix + CVE-2022-37454. + gh-68966: The deprecated mailcap module now refuses to inject unsafe text + (filenames, MIME types, parameters) into shell commands to address + CVE-2015-20107. Instead of using such text, it will warn and act as if a + match was not found (or for test commands, as if the test failed). + For more information, see: + https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html + https://www.cve.org/CVERecord?id=CVE-2022-43680 + https://www.cve.org/CVERecord?id=CVE-2022-45061 + https://www.cve.org/CVERecord?id=CVE-2022-42919 + https://www.cve.org/CVERecord?id=CVE-2022-37454 + https://www.cve.org/CVERecord?id=CVE-2015-20107 + (* Security fix *) ++--------------------------+ Mon Dec 5 21:00:46 UTC 2022 patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz: Upgraded. This update provides the latest CA certificates to check for the diff --git a/FILELIST.TXT b/FILELIST.TXT index 3d0c8c6e1..8d9752e7a 100644 --- a/FILELIST.TXT +++ b/FILELIST.TXT @@ -1,20 +1,20 @@ -Mon Dec 5 21:05:38 UTC 2022 +Wed Dec 7 18:50:38 UTC 2022 Here is the file list for this directory. If you are using a mirror site and find missing or extra files in the disk subdirectories, please have the archive administrator refresh the mirror. -drwxr-xr-x 12 root root 4096 2022-12-05 21:00 . +drwxr-xr-x 12 root root 4096 2022-12-07 18:48 . -rw-r--r-- 1 root root 5767 2022-02-02 22:44 ./ANNOUNCE.15.0 -rw-r--r-- 1 root root 16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT --rw-r--r-- 1 root root 1161998 2022-12-02 21:02 ./CHECKSUMS.md5 --rw-r--r-- 1 root root 163 2022-12-02 21:02 ./CHECKSUMS.md5.asc +-rw-r--r-- 1 root root 1161998 2022-12-05 21:05 ./CHECKSUMS.md5 +-rw-r--r-- 1 root root 163 2022-12-05 21:05 ./CHECKSUMS.md5.asc -rw-r--r-- 1 root root 17976 1994-06-10 02:28 ./COPYING -rw-r--r-- 1 root root 35147 2007-06-30 04:21 ./COPYING3 -rw-r--r-- 1 root root 19573 2016-06-23 20:08 ./COPYRIGHT.TXT -rw-r--r-- 1 root root 616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT --rw-r--r-- 1 root root 1958986 2022-12-05 21:00 ./ChangeLog.txt +-rw-r--r-- 1 root root 1961368 2022-12-07 18:48 ./ChangeLog.txt drwxr-xr-x 3 root root 4096 2013-03-20 22:17 ./EFI drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT -rw-r--r-- 1 root root 1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi @@ -25,7 +25,7 @@ drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT -rwxr-xr-x 1 root root 2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh -rw-r--r-- 1 root root 10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg -rw-r--r-- 1 root root 1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg --rw-r--r-- 1 root root 1517981 2022-12-02 21:01 ./FILELIST.TXT +-rw-r--r-- 1 root root 1517981 2022-12-05 21:05 ./FILELIST.TXT -rw-r--r-- 1 root root 1572 2012-08-29 18:27 ./GPG-KEY -rw-r--r-- 1 root root 864745 2022-02-02 08:25 ./PACKAGES.TXT -rw-r--r-- 1 root root 8034 2022-02-02 03:36 ./README.TXT @@ -738,13 +738,13 @@ drwxr-xr-x 2 root root 4096 2008-05-07 05:21 ./pasture/source/php/pear -rwxr-xr-x 1 root root 9448 2018-05-16 22:38 ./pasture/source/php/php.SlackBuild -rw-r--r-- 1 root root 775 2017-07-07 19:25 ./pasture/source/php/php.ini-development.diff.gz -rw-r--r-- 1 root root 830 2005-12-09 05:18 ./pasture/source/php/slack-desc -drwxr-xr-x 4 root root 4096 2022-12-05 21:05 ./patches --rw-r--r-- 1 root root 56953 2022-12-05 21:05 ./patches/CHECKSUMS.md5 --rw-r--r-- 1 root root 163 2022-12-05 21:05 ./patches/CHECKSUMS.md5.asc --rw-r--r-- 1 root root 77037 2022-12-05 21:05 ./patches/FILE_LIST --rw-r--r-- 1 root root 11823139 2022-12-05 21:05 ./patches/MANIFEST.bz2 --rw-r--r-- 1 root root 41760 2022-12-05 21:05 ./patches/PACKAGES.TXT -drwxr-xr-x 3 root root 16384 2022-12-05 21:05 ./patches/packages +drwxr-xr-x 4 root root 4096 2022-12-07 18:50 ./patches +-rw-r--r-- 1 root root 56953 2022-12-07 18:50 ./patches/CHECKSUMS.md5 +-rw-r--r-- 1 root root 163 2022-12-07 18:50 ./patches/CHECKSUMS.md5.asc +-rw-r--r-- 1 root root 77037 2022-12-07 18:50 ./patches/FILE_LIST +-rw-r--r-- 1 root root 11825028 2022-12-07 18:50 ./patches/MANIFEST.bz2 +-rw-r--r-- 1 root root 41760 2022-12-07 18:50 ./patches/PACKAGES.TXT +drwxr-xr-x 3 root root 16384 2022-12-07 18:50 ./patches/packages -rw-r--r-- 1 root root 327 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txt -rw-r--r-- 1 root root 10716 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz -rw-r--r-- 1 root root 163 2022-02-15 05:07 ./patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz.asc @@ -881,9 +881,9 @@ drwxr-xr-x 2 root root 4096 2022-11-29 21:00 ./patches/packages/linux-5.15 -rw-r--r-- 1 root root 533 2022-09-01 18:45 ./patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txt -rw-r--r-- 1 root root 1746808 2022-09-01 18:45 ./patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz -rw-r--r-- 1 root root 163 2022-09-01 18:45 ./patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz.asc --rw-r--r-- 1 root root 663 2022-10-13 18:24 ./patches/packages/python3-3.9.15-x86_64-1_slack15.0.txt --rw-r--r-- 1 root root 19190048 2022-10-13 18:24 ./patches/packages/python3-3.9.15-x86_64-1_slack15.0.txz --rw-r--r-- 1 root root 163 2022-10-13 18:24 ./patches/packages/python3-3.9.15-x86_64-1_slack15.0.txz.asc +-rw-r--r-- 1 root root 663 2022-12-07 17:35 ./patches/packages/python3-3.9.16-x86_64-1_slack15.0.txt +-rw-r--r-- 1 root root 19185720 2022-12-07 17:35 ./patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz +-rw-r--r-- 1 root root 163 2022-12-07 17:35 ./patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz.asc -rw-r--r-- 1 root root 260 2022-03-20 22:36 ./patches/packages/qt5-5.15.3_20220318_e507d3e5-x86_64-1_slack15.0.txt -rw-r--r-- 1 root root 99025556 2022-03-20 22:36 ./patches/packages/qt5-5.15.3_20220318_e507d3e5-x86_64-1_slack15.0.txz -rw-r--r-- 1 root root 163 2022-03-20 22:36 ./patches/packages/qt5-5.15.3_20220318_e507d3e5-x86_64-1_slack15.0.txz.asc @@ -944,7 +944,7 @@ drwxr-xr-x 2 root root 4096 2022-11-29 21:00 ./patches/packages/linux-5.15 -rw-r--r-- 1 root root 388 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txt -rw-r--r-- 1 root root 105356 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz -rw-r--r-- 1 root root 163 2022-10-15 04:05 ./patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz.asc -drwxr-xr-x 58 root root 4096 2022-12-05 21:00 ./patches/source +drwxr-xr-x 58 root root 4096 2022-12-07 18:16 ./patches/source drwxr-xr-x 2 root root 4096 2022-01-16 05:07 ./patches/source/aaa_base -rw-r--r-- 1 root root 11041 2022-02-15 04:49 ./patches/source/aaa_base/_aaa_base.tar.gz -rwxr-xr-x 1 root root 3894 2022-02-15 05:07 ./patches/source/aaa_base/aaa_base.SlackBuild @@ -1371,11 +1371,11 @@ drwxr-xr-x 2 root root 4096 2022-09-01 18:42 ./patches/source/poppler -rw-r--r-- 1 root root 1798780 2021-12-26 19:51 ./patches/source/poppler/poppler-21.12.0.tar.xz -rwxr-xr-x 1 root root 4628 2022-09-01 18:43 ./patches/source/poppler/poppler.SlackBuild -rw-r--r-- 1 root root 988 2018-02-27 06:12 ./patches/source/poppler/slack-desc -drwxr-xr-x 2 root root 4096 2022-10-13 18:22 ./patches/source/python3 --rw-r--r-- 1 root root 19712208 2022-10-11 15:49 ./patches/source/python3/Python-3.9.15.tar.xz --rw-r--r-- 1 root root 833 2022-10-11 15:49 ./patches/source/python3/Python-3.9.15.tar.xz.asc +drwxr-xr-x 2 root root 4096 2022-12-07 17:33 ./patches/source/python3 +-rw-r--r-- 1 root root 19738796 2022-12-06 18:42 ./patches/source/python3/Python-3.9.16.tar.xz +-rw-r--r-- 1 root root 833 2022-12-06 18:42 ./patches/source/python3/Python-3.9.16.tar.xz.asc -rw-r--r-- 1 root root 890 2017-01-12 20:00 ./patches/source/python3/README --rw-r--r-- 1 root root 2543729 2022-10-11 15:49 ./patches/source/python3/python-3.9.15-docs-text.tar.bz2 +-rw-r--r-- 1 root root 2545722 2022-12-06 18:41 ./patches/source/python3/python-3.9.16-docs-text.tar.bz2 -rw-r--r-- 1 root root 372 2021-11-20 19:27 ./patches/source/python3/python.sysconfig.py.x86_64.diff.gz -rwxr-xr-x 1 root root 6380 2022-03-18 19:40 ./patches/source/python3/python3.SlackBuild -rw-r--r-- 1 root root 495 2020-10-24 22:31 ./patches/source/python3/python3.distutils.x86_64.diff.gz diff --git a/patches/packages/python3-3.9.15-x86_64-1_slack15.0.txt b/patches/packages/python3-3.9.16-x86_64-1_slack15.0.txt similarity index 100% rename from patches/packages/python3-3.9.15-x86_64-1_slack15.0.txt rename to patches/packages/python3-3.9.16-x86_64-1_slack15.0.txt