[Bug 1899159] Re: SRU: backport Python 3.9.5 to 20.04 LTS, 20.10 and 21.04

Launchpad Bug Tracker 1899159 at bugs.launchpad.net
Thu May 27 10:49:05 UTC 2021


This bug was fixed in the package python3.9 - 3.9.5-3~20.10.1

---------------
python3.9 (3.9.5-3~20.10.1) groovy; urgency=medium

  * SRU: LP: #1899159: Backport Python 3.9.5 to 20.10.
  * Adjust python3-tk autopkg test dependency to the version found
    in the release.

python3.9 (3.9.5-3) experimental; urgency=medium

  * Tighten python3-tk autopkg test dependency.
  * Try to detect whether python3-venv is missing (Stefano Rivera).
    Closes: #977887.

python3.9 (3.9.5-2) experimental; urgency=medium

  * Re-add the dependency on libdb-dev.  With Python 3.10, building
    the _dbm extension using libgdbm-compat-dev, and moving the _dbm
    extension into the python3-gdbm package.
  * Call python with -S when checking the minimal set of modules.

python3.9 (3.9.5-1) experimental; urgency=medium

  * Python 3.9.5 release.
  * Refresh patches.
  * Drop the unused build dependency on libdb-dev.

python3.9 (3.9.4-1) experimental; urgency=medium

  * Python 3.9.4 release.

python3.9 (3.9.3-2) experimental; urgency=high

  * Fix flags substitutions for _sysconfigdata.
  * Revert the fix for issue #42500, breaking ABI on 32bit architectures.

python3.9 (3.9.3-1) experimental; urgency=medium

  * Python 3.9.3 release.
    - Fix issue #42988: CVE-2021-3426: Remove the getfile feature of the
      pydoc module which could be abused to read arbitrary files on the
      disk (directory traversal vulnerability).
    - Other security issues without a CVE.
    - Other fixes. See the NEWS file.
  * Move zlib1g-dev dependency to libpython3.9-dev. Closes: #984580.
  * Configure with --libdir=/usr/lib/$(DEB_HOST_MULTIARCH), recording the
    correct LIBDIR in _sysconfigdata.  Also adjust DESTSHARED to install
    lib-dynload into the same location as before the configure change.
    See issue #43229.

python3.9 (3.9.2-1) unstable; urgency=medium

  * Python 3.9.2 release. No changes since 3.9.2~rc1-1.
  * Build idlelib/help.html from source, don't ship the pre-generated file.
  * Autopkg tests:
    - Run testsuite{,-dbg} autopkg tests with allow-stderr. Closes: #983305.
    - Run again in testsuite instead of failing-tests: test_ftplib,
      test_httplib test_imaplib test_nntplib test_poplib test_ssl.
    - Run test_distutils and test_site tests again.

python3.9 (3.9.2~rc1-1) experimental; urgency=medium

  * Python 3.9.2 release candidate 1. Changes since 3.9.1-4:
    - Fix issue #42967, web cache poisoning vulnerability.
    - Fix issue #42938, explicitly disable bracketed paste in the interactive
      interpreter. Closes: #979154.
  * Fix permissions and group for local directories. Closes: #962422.
  * Build a python3.9-full package.
  * idle-python3.9: Drop dependency on libjs-mathjax, unused in 3.8 and 3.9.
  * python3.9-doc: Fix links to the documentation in /usr/share/doc/python3.9.
  * Refresh patches.

python3.9 (3.9.1-4) unstable; urgency=medium

  * Update to the 3.9 branch 2021-02-04.
  * Fix issue #43030, compiler warning in Py_UNICODE_ISSPACE with
    signed wchar_t. Closes: #961396.
  * Depend on media-types instead of mime-support. Closes: #981016.
  * Fix permissions and group for local directories. Closes: #962422.

python3.9 (3.9.1-3) unstable; urgency=medium

  * Update to the 3.9 branch 2021-01-20.
  * Configure again --with-system-libmpdec.
  * Update symbols files.

python3.9 (3.9.1-2) unstable; urgency=medium

  * Update to the 3.9 branch 2021-01-10.

python3.9 (3.9.1-1) unstable; urgency=medium

  * Python 3.9.1 release.

python3.9 (3.9.1~rc1-2) unstable; urgency=medium

  * Don't expect the test_ttk_textonly test to pass.

python3.9 (3.9.1~rc1-1) unstable; urgency=medium

  * Python 3.9.1 release candidate 1.
  * libpython3.9-stdlib: Depend on tzdata, recommend ca-certificates.
  * libpython3.9-stdlib: Depend on media-types | mime-support instead of
    mime-support.
  * Update VCS attributes.
  * Add python3-tk test dependency for the failing-tests* autopkg tests.
  * Bump standards version.
  * Add build conflict with git, or else the git information of the packaging
    is encoded in the upstream version information.
  * Build with -fno-inline-small-functions on hppa and sh4.
    Closes: #972458, #972202.

 -- Matthias Klose <doko at ubuntu.com>  Wed, 19 May 2021 13:32:47 +0200

** Changed in: python3.9 (Ubuntu Groovy)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3426

** Changed in: python3-stdlib-extensions (Ubuntu Groovy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3-stdlib-extensions in
Ubuntu.
https://bugs.launchpad.net/bugs/1899159

Title:
  SRU: backport Python 3.9.5 to 20.04 LTS, 20.10 and 21.04

Status in python3-stdlib-extensions package in Ubuntu:
  Invalid
Status in python3.9 package in Ubuntu:
  Invalid
Status in python3-stdlib-extensions source package in Focal:
  Fix Committed
Status in python3.9 source package in Focal:
  Fix Committed
Status in python3-stdlib-extensions source package in Groovy:
  Fix Released
Status in python3.9 source package in Groovy:
  Fix Released
Status in python3-stdlib-extensions source package in Hirsute:
  Fix Released
Status in python3.9 source package in Hirsute:
  Fix Released

Bug description:
  Backport python 3.9.5 to groovy and focal.

  Regression potential: ...

  Validation: Test results show no regressions, and the archive test
  rebuild doesn't show any regressions.

  Acceptance criteria:
   - 21.04: 3.9 is the default version. check test suite and autopkg test results
   - 20.04 LTS and 20.10: not used in the archive, just check test suite

  It's a minor upstream update, consisting of:

  Security
  --------

  - bpo-43434: Creating a :class:`sqlite3.Connection` object now also produces
    a ``sqlite3.connect`` :ref:`auditing event <auditing>`. Previously this
    event was only produced by :func:`sqlite3.connect` calls. Patch by Erlend
    E. Aasland.

  - bpo-43882: The presence of newline or tab characters in parts of a URL
    could allow some forms of attacks.

    Following the controlling specification for URLs defined by WHATWG
    :func:`urllib.parse` now removes ASCII newlines and tabs from URLs,
    preventing such attacks.

  - bpo-43472: Ensures interpreter-level audit hooks receive the
    ``cpython.PyInterpreterState_New`` event when called through the
    ``_xxsubinterpreters`` module.

  - bpo-36384: :mod:`ipaddress` module no longer accepts any leading zeros in
    IPv4 address strings. Leading zeros are ambiguous and interpreted as octal
    notation by some libraries. For example the legacy function
    :func:`socket.inet_aton` treats leading zeros as octal notation. glibc
    implementation of modern :func:`~socket.inet_pton` does not accept any
    leading zeros. For a while the :mod:`ipaddress` module used to accept
    ambiguous leading zeros.

  - bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
    in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable
    regex has quadratic worst-case complexity and it allows causing a denial of
    service when identifying crafted invalid RFCs. This ReDoS issue is on the
    client side and needs remote attackers to control the HTTP server.

  - bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
    and generator code/frame attribute access.
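
The SRU acceptance criteria above rely on test-suite results; a packager verifying the backport on a given interpreter can also probe the fixed code paths directly. The following is an added example, not part of the bug report or the python3.9 packaging, and the sample URL and address strings are constructed. It checks four of the security items listed above by behaviour rather than by version string: bpo-43882 (urllib.parse drops ASCII newlines and tabs), bpo-36384 (ipaddress rejects leading-zero IPv4 octets), bpo-43434 (constructing sqlite3.Connection directly emits the sqlite3.connect audit event) and bpo-42800 (reading frame.f_code fires an object.__getattr__ audit event).

```python
"""Behavioural probes for Python 3.9.5 security fixes (constructed example).

Each probe exercises the hardened code path and returns True only if the fix is
present, so it can confirm a backport independently of sys.version_info.
"""
import ipaddress
import sys
import urllib.parse

# Single process-wide audit recorder; audit hooks cannot be removed once added,
# so install exactly one and filter on the two events the probes care about.
_AUDIT_LOG = []


def _recorder(event, args):
    if event in ("sqlite3.connect", "object.__getattr__"):
        _AUDIT_LOG.append((event, args))


sys.addaudithook(_recorder)


def url_control_chars_removed(url="http://example.test/pa\nth?q=1\t2\r"):
    """bpo-43882: urlsplit() must strip \\n, \\r and \\t before parsing, so the
    URL rebuilt from its components contains none of them."""
    parts = urllib.parse.urlsplit(url)
    rebuilt = urllib.parse.urlunsplit(parts)
    return not any(c in rebuilt for c in "\n\r\t")


def leading_zero_ipv4_rejected(addr="010.8.8.8"):
    """bpo-36384: an octet with a leading zero is ambiguous (octal in inet_aton,
    rejected by inet_pton) and must now raise AddressValueError."""
    try:
        ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return True
    return False


def sqlite_connection_audited():
    """bpo-43434: instantiating sqlite3.Connection directly (bypassing the
    sqlite3.connect() wrapper) must still emit the 'sqlite3.connect' event."""
    try:
        import sqlite3
    except ImportError:
        return False  # _sqlite3 extension not built; nothing to probe
    before = len(_AUDIT_LOG)
    conn = sqlite3.Connection(":memory:")
    conn.close()
    return any(ev == "sqlite3.connect" for ev, _ in _AUDIT_LOG[before:])


def frame_code_access_audited():
    """bpo-42800: reading frame.f_code must fire 'object.__getattr__' with the
    frame object and the attribute name as arguments."""
    before = len(_AUDIT_LOG)
    sys._getframe().f_code  # the audited attribute access
    return any(ev == "object.__getattr__" and args[1] == "f_code"
               for ev, args in _AUDIT_LOG[before:])


def probe_all():
    """Map each fix to whether the hardened behaviour was observed."""
    return {
        "bpo-43882 urllib control chars": url_control_chars_removed(),
        "bpo-36384 ipaddress leading zeros": leading_zero_ipv4_rejected(),
        "bpo-43434 sqlite3 audit event": sqlite_connection_audited(),
        "bpo-42800 f_code audit event": frame_code_access_audited(),
    }


if __name__ == "__main__":
    for name, ok in probe_all().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On an interpreter that predates the fixes every probe returns False, which is the point: the checks are tied to the observable hardening, so they remain meaningful whether 3.9.5 arrived as an upstream release or as a distribution backport.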

  Core and Builtins
  -----------------

  - bpo-43105: Importlib now resolves relative paths when creating module spec
    objects from file locations.

  - bpo-42924: Fix ``bytearray`` repetition incorrectly copying data from the
    start of the buffer, even if the data is offset within the buffer (e.g.
    after reassigning a slice at the start of the ``bytearray`` to a shorter
    byte string).

  Library
  -------

  - bpo-43993: Update bundled pip to 21.1.1.

  - bpo-43937: Fixed the :mod:`turtle` module working with non-default root
    window.

  - bpo-43930: Update bundled pip to 21.1 and setuptools to 56.0.0

  - bpo-43920: OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations`
    now returns a consistent error message when cadata contains no valid
    certificate.

  - bpo-43607: :mod:`urllib` can now convert Windows paths with ``\\?\``
    prefixes into URL paths.

  - bpo-43284: platform.win32_ver derives the windows version from
    sys.getwindowsversion().platform_version which in turn derives the version
    from kernel32.dll (which can be of a different version than Windows
    itself). Therefore change the platform.win32_ver to determine the version
    using the platform module's _syscmd_ver private function to return an
    accurate version.

  - bpo-42248: [Enum] ensure exceptions raised in ``_missing__`` are
    released

  - bpo-43799: OpenSSL 3.0.0: define ``OPENSSL_API_COMPAT`` 1.1.1 to suppress
    deprecation warnings. Python requires OpenSSL 1.1.1 APIs.

  - bpo-43794: Add :data:`ssl.OP_IGNORE_UNEXPECTED_EOF` constants (OpenSSL
    3.0.0)

  - bpo-43789: OpenSSL 3.0.0: Don't call the password callback function a
    second time when first call has signaled an error condition.

  - bpo-43788: The header files for :mod:`ssl` error codes are now OpenSSL
    version-specific. Exceptions will now show correct reason and library
    codes. The ``make_ssl_data.py`` script has been rewritten to use OpenSSL's
    text file with error codes.

  - bpo-43655: :mod:`tkinter` dialog windows are now recognized as dialogs by
    window managers on macOS and X Window.

  - bpo-43534: :func:`turtle.textinput` and :func:`turtle.numinput` create now
    a transient window working on behalf of the canvas window.

  - bpo-43522: Fix problem with
    :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy
    hostflags from *struct SSL_CTX* to *struct SSL*.

  - bpo-42967: Allow :class:`bytes` ``separator`` argument in
    ``urllib.parse.parse_qs`` and ``urllib.parse.parse_qsl`` when parsing
    :class:`str` query strings. Previously, this raised a ``TypeError``.

  - bpo-43176: Fixed processing of a dataclass that inherits from a frozen
    dataclass with no fields. It is now correctly detected as an error.

  - bpo-41735: Fix thread locks in zlib module may go wrong in rare case.
    Patch by Ma Lin.

  - bpo-36470: Fix dataclasses with ``InitVar``\s and
    :func:`~dataclasses.replace()`. Patch by Claudiu Popa.

  - bpo-32745: Fix a regression in the handling of ctypes'
    :data:`ctypes.c_wchar_p` type: embedded null characters would cause a
    :exc:`ValueError` to be raised. Patch by Zackery Spytz.

  Documentation
  -------------

  - bpo-43959: The documentation on the PyContextVar C-API was
    clarified.

  - bpo-43938: Update dataclasses documentation to express that
    FrozenInstanceError is derived from AttributeError.

  - bpo-43755: Update documentation to reflect that unparenthesized lambda
    expressions can no longer be the expression part in an ``if`` clause in
    comprehensions and generator expressions since Python 3.9.

  - bpo-43739: Fixing the example code in Doc/extending/extending.rst to
    declare and initialize the pmodule variable to be of the right type.
