Author: Łukasz Langa
Source
Howdy!
Those are the boring security releases that aren’t supposed to bring
anything new. But not this time! We do have a bit of news, actually. But
first things first: go update your systems!
Python 3.10.14
Get it here: Python Release Python 3.10.14
26 commits since the last release.
Python 3.9.19
Get it here: Python Release Python 3.9.19
26 commits since the last release.
Python 3.8.19
Get it here: Python Release Python 3.8.19
28 commits since the last release.
Security content in this release
- gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425,
and control of the new reparse deferral functionality was exposed with
new APIs. Thanks to Sebastian Pipping, the maintainer of libexpat, who
worked with us directly on incorporating those fixes! - gh-109858:
zipfileis now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450. It now raisesBadZipFilewhen attempting to read an entry that overlaps with another entry or central directory - gh-91133:
tempfile.TemporaryDirectorycleanup no longer dereferences symlinks when working around file system permission errors to address CVE-2023-6597 - gh-115197:
urllib.requestno longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows - gh-81194: a crash in
socket.if_indextoname()with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow insocket.if_indextoname()on 64-bit non-Windows platforms was fixed - gh-113659:
.pthfiles with names starting with a dot or containing the hidden file attribute are now skipped - gh-102388:
iso2022_jp_3andiso2022_jp_2004codecs no longer read out of bounds - gh-114572:
ssl.SSLContext.cert_store_stats()andssl.SSLContext.get_ca_certs()now correctly lock access to the certificate store, when thessl.SSLContextis shared across multiple threads
Stay safe and upgrade!
Upgrading is highly recommended to all users of affected versions.
Source builds are moving to GitHub Actions
It’s not something you will notice when downloading, but 3.10.14 here is the first release we’ve done where the source artifacts were built on GHA and not on a local computer of one of the release managers. We have the Security Developer in Residence @sethmlarson to thank for that!
It’s a big deal since public builds allow for easier auditing and
repeatability. It also helps with the so-called bus factor. In fact, to
test this out, this build of 3.10.14 was triggered by me and not Pablo,
who would usually release Python 3.10.
The artifacts are later still signed by the respective release manager, ensuring integrity when put on the downloads server.
Python now manages its own CVEs
The security releases you’re looking at are the first after the PSF became a CVE Numbering Authority. That’s also thanks to @sethmlarson.
What being our own CNA allows us is to ensure the quality of the
vulnerability reports is high, and that the severity estimates are accurate.
Seth summarized it best in his announcement here.
What this also allows us to do is to combine announcement of CVEs
with the release of patched versions of Python. This is in fact the case
with two of the CVEs listed above (CVE-2023-6597 and CVE-2024-0450). And since Seth is now traveling, this announcement duty was fulfilled by the PSF’s Director of Infrastructure @EWDurbin. Thanks!
I’m happy to see us successfully testing bus factor resilience on multiple fronts with this round of releases.
Thank you for your support
Thanks to all of the many volunteers who help make Python Development
and these releases possible! Please consider supporting our efforts by
volunteering yourself or through organization contributions to the
Python Software Foundation.
–
Łukasz Langa @ambv
on behalf of your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas
