Update python to 3.4.8
Update Python from 3.4.5 to 3.4.8 to address the following five security issues:
- bpo-30657: Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158. Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
- bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more information.
- bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash flooding with SipHash). Note: CVE-2016-5300 (Use OS-specific entropy sources like getrandom) doesn't impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt().
- bpo-27850: Remove 3DES from ssl module's default cipher list as a countermeasure against the Sweet32 attack (CVE-2016-2183).
- bpo-27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, which indicates that the script is in CGI mode.
https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-8
Changelog
Python 3.4.8 final
Release date: 2018-02-04
There were no new changes in version 3.4.8.
Python 3.4.8 release candidate 1
Release date: 2018-01-23
Security
- bpo-30657: Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158. Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
- bpo-30947: Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security fixes.
- bpo-29169: Update zlib from 1.2.8 to 1.2.11 to get security fixes.
Library
- bpo-32072: Fixed issues with binary plists:
  - Fixed saving bytearrays.
  - Identical objects will be saved only once.
  - Equal references will be loaded as identical objects.
  - Added support for saving and loading recursive data structures.
- bpo-31170: expat: Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial characters for UTF-8 input (libexpat bug 115): https://github.com/libexpat/libexpat/issues/115
Build
- bpo-29572: Update Windows build and OS X installers to use OpenSSL 1.0.2k.
Python 3.4.7 final
Release date: 2017-08-09
Library
- bpo-30119: ftplib.FTP.putline() now raises ValueError on commands that contain CR or LF. Patch by Dong-hee Na.
Python 3.4.7 release candidate 1
Release date: 2017-07-23
Security
- bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more information.
- bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash flooding with SipHash). Note: CVE-2016-5300 (Use OS-specific entropy sources like getrandom) doesn't impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt().
- bpo-26657: Fix directory traversal vulnerability with http.server on Windows. This fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on patch by Philipp Hagemeister.
- bpo-30500: Fix urllib.parse.splithost() to correctly parse fragments. For example, splithost('//127.0.0.1#@evil.com/') now correctly returns the 127.0.0.1 host, instead of treating @evil.com as the host in an authentication (login@host).
- bpo-30730: Prevent environment variable injection in subprocess on Windows. Also prevent passing other invalid environment variables and command arguments.
Core and Builtins
- bpo-26617: Fix crash when GC runs during weakref callbacks.
- bpo-27945: Fixed various segfaults with dict when input collections are mutated during searching, inserting or comparing. Based on patches by Duane Griffin and Tim Mitchell.
Library
- bpo-27850: Remove 3DES from ssl module's default cipher list as a countermeasure against the Sweet32 attack (CVE-2016-2183).
Documentation
- bpo-25008: Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a third-party asyncio-based replacement.
Python 3.4.6 final
Release date: 2017-01-17
There were no changes between 3.4.6rc1 and 3.4.6 final.
Python 3.4.6 release candidate 1
Release date: 2017-01-02
Core and Builtins
- bpo-28648: Fixed crash in Py_DecodeLocale() in debug build on Mac OS X when decoding astral characters. Patch by Xiang Zhang.
- bpo-28426: Fixed potential crash in PyUnicode_AsDecodedObject() in debug build.
Library
- bpo-28563: Fixed possible DoS and arbitrary code execution when handling plural form selections in the gettext module. The expression parser now supports exactly the syntax supported by GNU gettext.
- In the curses module, raise an error if window.getstr() or window.instr() is passed a negative value.
- bpo-27783: Fix possible usage of uninitialized memory in operator.methodcaller.
- bpo-27774: Fix possible Py_DECREF on unowned object in _sre.
- bpo-27760: Fix possible integer overflow in binascii.b2a_qp.
- bpo-27758: Fix possible integer overflow in the _csv module for large record lengths.
- bpo-27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, which indicates that the script is in CGI mode.
- bpo-27759: Fix selectors incorrectly retaining invalid file descriptors. Patch by Mark Williams.
Build
- bpo-28248: Update Windows build to use OpenSSL 1.0.2j.
Tests
- bpo-27369: In test_pyexpat, avoid testing an error message detail that changed in Expat 2.2.0.
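A post-upgrade check for the behavioural fixes listed above (HTTPoxy bpo-27568, 3DES removal bpo-27850, splithost bpo-30500, ftplib CR/LF bpo-30119), added here as an example and not part of the commit or of CPython's own test suite. It assumes Python 3.6 or later (for SSLContext.get_ciphers) and uses constructed environments with the reserved name proxy.invalid; each check returns True only if the running interpreter shows the fixed behaviour.

```python
import ftplib
import os
import ssl
import urllib.parse
import urllib.request
import warnings
from unittest import mock

PROXY = "http://proxy.invalid:3128"  # constructed, non-routable value


def httpoxy_ignored_in_cgi():
    """bpo-27568 / CVE-2016-1000110: with REQUEST_METHOD set (CGI mode) the
    HTTP_PROXY variable, which a web server may populate from a client-sent
    Proxy: header, must be ignored; an operator-set lowercase http_proxy
    outside CGI mode must still be honoured."""
    with mock.patch.dict(os.environ, {"REQUEST_METHOD": "GET", "HTTP_PROXY": PROXY}, clear=True):
        in_cgi = urllib.request.getproxies_environment()
    with mock.patch.dict(os.environ, {"http_proxy": PROXY}, clear=True):
        as_client = urllib.request.getproxies_environment()
    return "http" not in in_cgi and as_client.get("http") == PROXY


def default_ciphers_exclude_3des():
    """bpo-27850 / CVE-2016-2183 (Sweet32): no 3DES suite in the default list."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return bool(names) and not any("3DES" in n or "DES-CBC3" in n for n in names)


def splithost_ignores_fragment():
    """bpo-30500: the host of '//127.0.0.1#@evil.com/' is 127.0.0.1, not evil.com."""
    splithost = getattr(urllib.parse, "splithost", None)
    if splithost is None:  # assumption: removed in a future release; urlsplit is the replacement
        return urllib.parse.urlsplit("http://127.0.0.1#@evil.com/").hostname == "127.0.0.1"
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # deprecated since 3.8
        host, _path = splithost("//127.0.0.1#@evil.com/")
    return host == "127.0.0.1"


def putline_rejects_crlf():
    """bpo-30119: an embedded CR/LF would turn one string into two FTP commands,
    so putline() must refuse it before anything is sent (no connection needed)."""
    try:
        ftplib.FTP().putline("NOOP\r\nNOOP")
    except ValueError:
        return True
    return False


def run_checks():
    checks = (httpoxy_ignored_in_cgi, default_ciphers_exclude_3des,
              splithost_ignores_fragment, putline_rejects_crlf)
    return {check.__name__: check() for check in checks}


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print("{}  {}".format("PASS" if ok else "FAIL", name))
```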