fbe6c566a9
Fixes the following security issues:
- bpo-40121: Fixes audit events raised on creating a new socket
- bpo-38576: Disallow control characters in hostnames in http.client,
addressing CVE-2019-18348. Such potentially malicious header injection
URLs now cause a InvalidURL to be raised.
- bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the
urllib.request module uses an inefficient regular expression which can be
exploited by an attacker to cause a denial of service. Fix the regex to
prevent the catastrophic backtracking. Vulnerability reported by Ben
Caller and Matt Schwager.
For more details, see the changelog:
https://docs.python.org/release/3.8.3/whatsnew/changelog.html#security
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5ff01eb31f)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
31 lines
894 B
Diff
31 lines
894 B
Diff
From 47f9caca90e6c8c18736e5dfd0acf47aae27eefb Mon Sep 17 00:00:00 2001
|
|
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Date: Wed, 23 Dec 2015 11:50:27 +0100
|
|
Subject: [PATCH] Add an option to disable unicodedata
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
---
|
|
configure.ac | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 20f326db46..99bbc37b07 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -3263,6 +3263,12 @@ AC_ARG_ENABLE(nis,
|
|
DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} nis"
|
|
fi])
|
|
|
|
+AC_ARG_ENABLE(unicodedata,
|
|
+ AS_HELP_STRING([--disable-unicodedata], [disable unicodedata]),
|
|
+ [ if test "$enableval" = "no"; then
|
|
+ DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} unicodedata"
|
|
+ fi])
|
|
+
|
|
AC_SUBST(TK)
|
|
AC_ARG_ENABLE(tk,
|
|
AS_HELP_STRING([--disable-tk], [disable tk]),
|
|
--
|
|
2.20.1
|
|
|