====================================================================

                                CERT-Renater

                     Note d'Information No. 2024/VULN376
_____________________________________________________________________

DATE                : 18/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Python versions prior to
3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20.

=====================================================================
https://pythoninsider.blogspot.com/2024/09/python-3130rc2-3126-31110-31015-3920.html
_____________________________________________________________________


Saturday, September 7, 2024
Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 are
now available!

Hi there!
A big joint release today. Mostly security fixes but we also have the
final release candidate of 3.13 so let’s start with that!
Python 3.13.0RC2

Final opportunity to test and find any show-stopper bugs before we
bless and release 3.13.0 final on October 1st.

Get it here: Python Release Python 3.13.0rc2 | Python.org


Call to action

We strongly encourage maintainers of third-party Python projects to
prepare their projects for 3.13 compatibility during this phase,
and where necessary publish Python 3.13 wheels on PyPI to be ready
for the final release of 3.13.0. Any binary wheels built against
Python 3.13.0rc2 will work with future versions of Python 3.13.
As always, report any issues to the Python bug tracker.

Please keep in mind that this is a preview release and while it’s
as close to the final release as we can get it, its use is not
recommended for production environments.


Core developers: time to work on documentation now

     Are all your changes properly documented?
     Are they mentioned in What’s New?
     Did you notice other changes you know of to have insufficient
documentation?

As a reminder, until the final release of 3.13.0, the 3.13 branch
is set up so that the Release Manager (@thomas) has to merge the
changes. Please add him (@Yhg1s on GitHub) to any changes you
think should go into 3.13.0. At this point, unless something
critical comes up, it should really be documentation only. Other
changes (including tests) will be pushed to 3.13.1.


New features in Python 3.13

     A new and improved interactive interpreter, based on PyPy’s,
featuring multi-line editing and color support, as well as
colorized exception tracebacks.

     An experimental free-threaded build mode, which disables the
Global Interpreter Lock, allowing threads to run more
concurrently. The build mode is available as an experimental
feature in the Windows and macOS installers as well.

     A preliminary, experimental JIT, providing the ground work
for significant performance improvements.

     The locals() builtin function (and its C equivalent) now has
well-defined semantics when mutating the returned mapping, which
allows debuggers to operate more consistently.

     The (cyclic) garbage collector is now incremental, which
should mean shorter pauses for collection in programs with a lot
of objects.

     A modified version of mimalloc is now included, optional but
enabled by default if supported by the platform, and required for
the free-threaded build mode.

     Docstrings now have their leading indentation stripped,
reducing memory use and the size of .pyc files. (Most tools
handling docstrings already strip leading indentation.)

     The dbm module has a new dbm.sqlite3 backend that is used
by default when creating new files.

     The minimum supported macOS version was changed from 10.9
to 10.13 (High Sierra). Older macOS versions will not be
supported going forward.

     WASI is now a Tier 2 supported platform. Emscripten is no
longer an officially supported platform (but Pyodide continues
to support Emscripten).

     iOS is now a Tier 3 supported platform, with Android on
the way as well.


Python 3.12.6

This is an expedited release for 3.12 due to security content.
The schedule returns to regular programming in October.

One notable change for macOS users: as mentioned in the previous
release of 3.12, this release drops support for macOS versions
10.9 through 10.12. Versions of macOS older than 10.13 haven’t
been supported by Apple since 2019, and maintaining support for
them has become too difficult. (All versions of Python 3.13
have already dropped support for them.)

Get it here: Python Release Python 3.12.6 | Python.org

92 commits.


Python 3.11.10

Python 3.11 joins the elite club of security-only versions
with no binary installers.

Get it here: Python Release Python 3.11.10 | Python.org

28 commits.


Python 3.10.15

Get it here: Python Release Python 3.10.15 | Python.org

24 commits.


Python 3.9.20

Get it here: Python Release Python 3.9.20 | Python.org

22 commits.


Python 3.8.20

Python 3.8 is very close to End of Life (see the Release Schedule).
Will this be the last release of 3.8 ever? We’ll see… but now I
think I jinxed it.

Get it here: Python Release Python 3.8.20 | Python.org

22 commits.


Security content in today’s releases

     gh-123678 and gh-116741: Upgrade bundled libexpat to 2.6.3 to
fix CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and
CVE-2024-45492.

     gh-118486: os.mkdir() on Windows now accepts mode of 0o700 to
restrict the new directory to the current user. This fixes
CVE-2024-4030 affecting tempfile.mkdtemp() in scenarios where
the base temporary directory is more permissive than the default.

     gh-123067: Fix quadratic complexity in parsing "-quoted cookie
values with backslashes by http.cookies. Fixes CVE-2024-7592.

     gh-113171: Fixed various false positives and false negatives
in IPv4Address.is_private, IPv4Address.is_global,
IPv6Address.is_private, IPv6Address.is_global. Fixes CVE-2024-4032.

     gh-67693: Fix urllib.parse.urlunparse() and
urllib.parse.urlunsplit() for URIs with path starting with multiple
slashes and no authority. Fixes CVE-2015-2104.

     gh-121957: Fixed missing audit events around interactive use of
Python, now also properly firing for python -i, as well as for
python -m asyncio. The event in question is cpython.run_stdin.

     gh-122133: Authenticate the socket connection for the
socket.socketpair() fallback on platforms where AF_UNIX is not
available like Windows.

     gh-121285: Remove backtracking from tarfile header parsing for
hdrcharset, PAX, and GNU sparse headers. That’s CVE-2024-6232.

     gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to the
certificate store, when the ssl.SSLContext is shared across
multiple threads.

     gh-102988: email.utils.getaddresses() and email.utils.parseaddr()
now return ('', '') 2-tuples in more situations where invalid email
addresses are encountered, instead of potentially inaccurate values.
An optional strict parameter was added to these two functions: use
strict=False to get the old behavior, which accepts malformed inputs.
getattr(email.utils, 'supports_strict_parsing', False) can be used to
check whether the strict parameter is available. This improves the
CVE-2023-27043 fix.

     gh-123270: Sanitize names in zipfile.Path to avoid infinite loops
(gh-122905) without breaking contents using legitimate characters.
That’s CVE-2024-8088.

     gh-121650: email headers with embedded newlines are now quoted on
output. The generator will now refuse to serialize (write) headers that
are unsafely folded or delimited; see verify_generated_headers.
That’s CVE-2024-6923.

     gh-119690: Fixes data type confusion in audit events raised by
_winapi.CreateFile and _winapi.CreateNamedPipe.

     gh-116773: Fix instances of the warning "<_overlapped.Overlapped
object at 0xXXX> still has pending operation at deallocation, the
process may crash".

     gh-112275: A deadlock involving pystate.c’s HEAD_LOCK in
posixmodule.c at fork is now fixed.
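
The gh-102988 item above describes feature detection via
supports_strict_parsing. The following helper is an added example, not
code from CERT-Renater or from the Python release team: it only trusts
a parse done in strict mode and treats the absence of strict parsing as
"not validated". The function names safe_getaddresses and
sender_is_valid and the two sample headers are constructed for this
example.

```python
import email.utils

# Feature detection as the release notes describe: the strict keyword
# only exists on interpreters that carry the CVE-2023-27043 follow-up fix.
STRICT_AVAILABLE = getattr(email.utils, "supports_strict_parsing", False)


def safe_getaddresses(field_values):
    """Parse address header values, rejecting malformed input where the
    interpreter can. Returns None when strict parsing is unavailable, so
    a caller never mistakes a lenient parse for a validated one."""
    if not STRICT_AVAILABLE:
        return None
    return email.utils.getaddresses(field_values, strict=True)


def sender_is_valid(header_value):
    """True only when the header parses, under strict mode, to exactly one
    address whose addr-spec is non-empty."""
    parsed = safe_getaddresses([header_value])
    if parsed is None:
        return False
    return len(parsed) == 1 and parsed[0][1] != ""


# Constructed sample headers: one well-formed, one shaped like the
# CVE-2023-27043 inputs, where a stray '<' made the lenient parser report
# two addresses from a single malformed one.
GOOD = "Alice <alice@example.org>"
BAD = "alice@example.org<bob@example.com>"

if __name__ == "__main__":
    print("strict parsing available:", STRICT_AVAILABLE)
    for header in (GOOD, BAD):
        print(repr(header), "->", safe_getaddresses([header]),
              "valid" if sender_is_valid(header) else "rejected")
```

On a fixed interpreter the malformed header comes back as [('', '')];
on an older one the helper refuses to vouch for it at all.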


Stay safe and upgrade!

Upgrading is highly recommended to all users of affected versions.
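
To decide whether an installed interpreter falls under "affected
versions", the following triage helper is added here as an example; it
is not part of the CERT-Renater note or of the release announcement.
It compares a version string against the fixed releases this note
lists, ordering pre-releases (a, b, rc) before the final release of the
same number; treating branches newer than 3.13 as already fixed and
unlisted older branches (such as 3.7) as affected is an assumption of
this example.

```python
import re
import sys

# Fixed releases named in this note, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (3, 13): "3.13.0rc2",
    (3, 12): "3.12.6",
    (3, 11): "3.11.10",
    (3, 10): "3.10.15",
    (3, 9): "3.9.20",
    (3, 8): "3.8.20",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, "final": 3}


def parse_version(text):
    """Turn '3.13.0rc2' into a comparable tuple (3, 13, 0, 2, 2).
    A final release sorts after every pre-release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Python version: {text!r}")
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    stage = m.group(4) or "final"
    serial = int(m.group(5) or 0)
    return (major, minor, micro, _STAGE_RANK[stage], serial)


def is_affected(text):
    """True when the given version predates the fixed release of its branch."""
    v = parse_version(text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # Assumption: newer branches already carry the fixes, older
        # end-of-life branches never will.
        return v[:2] < max(FIXED_RELEASES)
    return v < parse_version(fixed)


def running_version():
    """Version string of this interpreter in the note's own notation."""
    vi = sys.version_info
    tags = {"alpha": "a", "beta": "b", "candidate": "rc"}
    suffix = "" if vi.releaselevel == "final" else tags[vi.releaselevel] + str(vi.serial)
    return f"{vi.major}.{vi.minor}.{vi.micro}{suffix}"


if __name__ == "__main__":
    current = running_version()
    print(current, "AFFECTED, upgrade" if is_affected(current) else "fixed release")
```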


Thank you for your support

Thanks to all of the many volunteers who help make Python
Development and these releases possible! Please consider supporting
our efforts by volunteering yourself or through organization
contributions to the Python Software Foundation.

–
Łukasz Langa @ambv
on behalf of your friendly release team,

Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv
Thomas Wouters @thomas

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
