Category: Open Source

Hi Ruby friends, I’ve pushed up the latest batch of updates to the 2024 edition of Everyday Rails Testing with RSpec, including:

Hi there!
A big joint release today. Mostly security fixes but we also have the final release candidate of 3.13 so let’s start with that!

Python 3.13.0RC2

Final opportunity to test and find any show-stopper bugs before we bless and release 3.13.0 final on October 1st.

Get it here: Python Release Python 3.13.0rc2 | Python.org

Call to action

We strongly encourage maintainers of third-party Python projects to
prepare their projects for 3.13 compatibilities during this phase, and
where necessary publish Python 3.13 wheels on PyPI to be ready for the
final release of 3.13.0. Any binary wheels built against Python
3.13.0rc2 will work with future versions of Python 3.13. As always,
report any issues to the Python bug tracker.

Please keep in mind that this is a preview release and while it’s as close to the final release as we can get it, its use is not recommended for production environments.

Core developers: time to work on documentation now

• Are all your changes properly documented?
• Are they mentioned in What’s New?
• Did you notice other changes you know of to have insufficient documentation?

As a reminder, until the final release of 3.13.0, the 3.13 branch is set up so that the Release Manager (@thomas) has to merge the changes. Please add him (@Yhg1s
on GitHub) to any changes you think should go into 3.13.0. At this
point, unless something critical comes up, it should really be documentation only. Other changes (including tests) will be pushed to 3.13.1.

New features in Python 3.13

• A new and improved interactive interpreter, based on PyPy’s, featuring multi-line editing and color support, as well as colorized exception tracebacks.
• An experimental free-threaded build mode,
  which disables the Global Interpreter Lock, allowing threads to run
  more concurrently. The build mode is available as an experimental
  feature in the Windows and macOS installers as well.
• A preliminary, experimental JIT, providing the ground work for significant performance improvements.
• The locals() builtin function (and its C equivalent) now has well-defined semantics when mutating the returned mapping, which allows debuggers to operate more consistently.
• The (cyclic) garbage collector is now incremental, which should mean shorter pauses for collection in programs with a lot of objects.
• A modified version of mimalloc is now included, optional but enabled by default if supported by the platform, and required for the free-threaded build mode.
• Docstrings now have their leading indentation stripped, reducing memory use and the size of .pyc files. (Most tools handling docstrings already strip leading indentation.)
• The dbm module has a new dbm.sqlite3 backend that is used by default when creating new files.
• The minimum supported macOS version was changed from 10.9 to 10.13 (High Sierra). Older macOS versions will not be supported going forward.
• WASI is now a Tier 2 supported platform. Emscripten is no longer an officially supported platform (but Pyodide continues to support Emscripten).
• iOS is now a Tier 3 supported platform, with Android on the way as well.

Python 3.12.6

This is an expedited release for 3.12 due to security content. The schedule returns back to regular programming in October.

One notable change for macOS users: as mentioned in the previous release of 3.12, this release drops support for macOS versions 10.9 through 10.12.
Versions of macOS older than 10.13 haven’t been supported by Apple
since 2019, and maintaining support for them has become too difficult.
(All versions of Python 3.13 have already dropped support for them.)

Get it here: Python Release Python 3.12.6 | Python.org

92 commits.

Python 3.11.10

Python 3.11 joins the elite club of security-only versions with no binary installers.

Get it here: Python Release Python 3.11.10 | Python.org

28 commits.

Python 3.10.15

Get it here: Python Release Python 3.10.15 | Python.org

24 commits.

Python 3.9.20

Get it here: Python Release Python 3.9.20 | Python.org

22 commits.

Python 3.8.20

Python 3.8 is very close to End of Life (see the Release Schedule). Will this be the last release of 3.8 ever? We’ll see… but now I think I jinxed it.

Get it here: Python Release Python 3.8.20 | Python.org

22 commits.

Security content in today’s releases

• gh-123678 and gh-116741: Upgrade bundled libexpat to 2.6.3 to fix CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492.
• gh-118486: os.mkdir() on Windows now accepts mode of 0o700 to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting tempfile.mkdtemp() in scenarios where the base temporary directory is more permissive than the default.
• gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes by http.cookies. Fixes CVE-2024-7592.
• gh-113171:
  Fixed various false positives and false negatives in
  IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private,
  IPv6Address.is_global. Fixes CVE-2024-4032.
• gh-67693: Fix urllib.parse.urlunparse() and urllib.parse.urlunsplit() for URIs with path starting with multiple slashes and no authority. Fixes CVE-2015-2104.
• gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for python -i, as well as for python -m asyncio. The event in question is cpython.run_stdin.
• gh-122133: Authenticate the socket connection for the socket.socketpair() fallback on platforms where AF_UNIX is not available like Windows.
• gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX, and GNU sparse headers. That’s CVE-2024-6232.
• gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads.
• gh-102988: email.utils.getaddresses() and email.utils.parseaddr() now return ('', '')
  2-tuples in more situations where invalid email addresses are
  encountered instead of potentially inaccurate values. Add optional strict parameter to these two functions: use strict=False to get the old behavior, accept malformed inputs. getattr(email.utils, 'supports_strict_parsing', False) can be use to check if the strict paramater is available. This improves the CVE-2023-27043 fix.
• gh-123270: Sanitize names in zipfile.Path to avoid infinite loops (gh-122905) without breaking contents using legitimate characters. That’s CVE-2024-8088.
• gh-121650: email headers with embedded newlines are now quoted on output. The generator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. That’s CVE-2024-6923.
• gh-119690: Fixes data type confusion in audit events raised by _winapi.CreateFile and _winapi.CreateNamedPipe.
• gh-116773: Fix instances of <_overlapped.Overlapped object at 0xXXX> still has pending operation at deallocation, the process may crash.
• gh-112275: A deadlock involving pystate.c’s HEAD_LOCK in posixmodule.c at fork is now fixed.

Stay safe and upgrade!

Upgrading is highly recommended to all users of affected versions.

Thank you for your support

Thanks to all of the many volunteers who help make Python Development
and these releases possible! Please consider supporting our efforts by
volunteering yourself or through organization contributions to the
Python Software Foundation.

–
Łukasz Langa @ambv
on behalf of your friendly release team,

Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas

 

 

The third Release Candidate build for the FreeBSD 13.4 release cycle is now available. ISO images for the amd64, i386, powerpc, powerpc64, powerpc64le, powerpcspe, armv6, armv7, aarch64, and riscv64 architectures are FreeBSD mirror sites.

We have released version 7.1.1 of Texinfo, the GNU documentation format. This is a minor bug-fix release.

It’s available via a mirror (xz is much smaller than gz, but gz is available too just in case):

http://ftpmirror.gnu.org/texinfo/texinfo-7.1.1.tar.xz

http://ftpmirror.gnu.org/texinfo/texinfo-7.1.1.tar.gz

Please send any comments to bug-texinfo@gnu.org.

Full announcement:

https://lists.gnu.org/archive/html/bug-texinfo/2024-09/msg00041.html

The MAS project, a group of people working on an open source Windows and Office activator featuring HWID, Ohook, KMS38, and Online KMS activation methods, discovered quite a neat and interesting bug in the code responsible for licensing in Windows. In our ongoing work to bypass Windows licensing checks, we occasionally stumble upon bugs that we choose to keep secret. This decision allows us to preserve potential future activation methods by avoiding bug fixes, while also giving us valuable tools for testing or developing new methods. One such discovery, which we’ve named “Keyhole”, turned out to be a highly effective DRM bypass. It gave users the ability to license any Microsoft Store app or any modern Windows edition with ease. ↫ The MAS project There were quite a number of roadblocks to overcome here, such as Microsoft’s code obfuscation tool, called Warbird, which was already done by someone else, after which they could really start digging into the code responsible for handling Microsoft Store and Windows licenses. They then discovered that circumventing the license blocks that hold the actual license information was dead simple – every license block is followed by a signature block covering all the data that comes before it. It turns out that messing with the licensing system was as simple as… Adding data after that signature block. That was it. As it turns out, data after the signature block isnt checked at all… and it can even override data that came before it. Whenever two blocks of the same type are stored together, the last one overrides all the others before it. So, if we want to change any license data, we can just make a block for it and put it after the signature block! This method lets us make licenses for anything sold on the Microsoft Store, including Windows, from any other Microsoft Store license. And since there are so many free apps with licenses, we now had the ability to make as many as we wanted for whatever we wanted. This bug essentially punched a hole straight through CLiP’s DRM, so we decided to name it “Keyhole”. ↫ The MAS project This opened up a massive hole in Microsoft’s licensing tools and DRM, and allowed the MAS project to pretty much do whatever they wanted. They could even do things that used to be impossible, such as “activating Enterprise LTSC with a digital license, or even activating a legitimate KMS server with a generic key”. Sadly, the fun didn’t last long, as right around the same time, Cisco TALOS discovered this same bug, reported it to Microsoft, who then proceeded to fix it. the MAS project also discovered something else incredibly interesting, something which further highlights the seemingly terrible lack of quality assurance and code quality inside Microsoft. They noted that the kernel driver responsible for licensing looked incredibly shoddy, full of what they call “odd choices and compromises”. In fact, they soon realised that they had seen this code before: it was a straight-up copy/paste job from the licensing DRM found on the Xbox One. And there’s the same bug that’s in CLiP, but in Xbox code. In fact, we weren’t too surprised to find this, as we found that almost all of CLiP, from the XML format of the licenses to the TLV-based license blocks, is copy-pasted straight from the Xbox One’s DRM system. ↫ The MAS project Code reuse obviously makes sense in some situations, but the fact Microsoft even copy/pasted entire sections of code from the Xbox One straight into the Windows kernel as a kernel driver seems rather irresponsible. Shouldn’t code added to the Windows kernel and installed on billions of devices be vetted a little better than this?