Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to 3.8.17 #26

Merged
merged 27 commits into from
Jun 22, 2023
Merged

Upgrade to 3.8.17 #26

merged 27 commits into from
Jun 22, 2023

Conversation

carlosroman
Copy link

Merge upstream 3.8 branch into 3.8.x to upgrade to Python 3.8.17.

ambv and others added 26 commits December 6, 2022 20:33
@ambv
Post 3.8.16
266a502
@benjaminp @ned-deily
[3.8] Update copyright years to 2023. (pythongh-100852)
30afa75 
* [3.8] Update copyright years to 2023. (pythongh-100848).
(cherry picked from commit 11f9932)

Co-authored-by: Benjamin Peterson <benjamin@python.org>

* Update additional copyright years to 2023.

Co-authored-by: Ned Deily <nad@python.org>
@miss-islington @ned-deily @thunder-007
[3.8] Update copyright year in README (pythonGH-100863) (pythonGH-100867
6924cba 
)

(cherry picked from commit 30a6cc4)

Co-authored-by: Ned Deily <nad@python.org>
Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com>
@gpshead @ucodery
[3.8] Correct CVE-2020-10735 documentation (pythonGH-100306) (python#…
594ba19 
…100698)

(cherry picked from commit 1cf3d78)
(cherry picked from commit 88fe8d7)

Co-authored-by: Jeremy Paige <ucodery@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@miss-islington @hugovk
[3.8] Bump Azure Pipelines to ubuntu-22.04 (pythonGH-101089) (python#…
e57a3c1 
…101215)

(cherry picked from commit c22a55c)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@zooba
[3.8] pythongh-100180: Update Windows installer to OpenSSL 1.1.1s (py…
be3b5f7 
…thonGH-100903) (python#101258)
@miss-islington @OTheDev
pythongh-101422: (docs) TarFile default errorlevel argument is 1, not…
db924a4 
… 0 (pythonGH-101424)

(cherry picked from commit ea23271)

Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
@merwok
[3.8] pythongh-95778: add doc missing in some places (pythonGH-100627) (
41d301a 
python#101630)

(cherry picked from commit 4652182)
@miss-islington @arhadthedev @zooba
[3.8] pythongh-101283: Improved fallback logic for subprocess with sh…
32a1a61 
…ell=True on Windows (pythonGH-101286) (python#101710)

Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
@corona10
[3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1…
7a3db0c 
…) CI i… (python#102095)

[3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (pythongh-102079)
@ned-deily
[3.8] pythonGH-102306 Avoid GHA CI macOS test_posix failure by using …
4812813 
…the appropriate macOS SDK (pythonGH-102307)

[3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.
@zooba @gpshead @ned-deily
[3.8] pythongh-101726: Update the OpenSSL version to 1.1.1t (pythonGH…
ddd495e 
…-101727) (pythonGH-101752)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
@miss-islington @Blind4Basics
@CAM-Gerlach @hugovk
[3.8] pythongh-102627: Replace address pointing toward malicious web …
045b252 
…page (pythonGH-102630) (pythonGH-102667)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@pradyunsg
[3.8] pythongh-101997: Update bundled pip version to 23.0.1 (pythonGH…
3205d1f 
…-101998). (python#102244)

(cherry picked from commit 89d9ff0)
@encukou
[3.8] pythongh-102950: Implement PEP 706 – Filter for tarfile.extract…
79e63e5 
…all (pythonGH-102953) (python#104548)

Backport of c8c3956
@miss-islington @samcarroll42
[3.8] pythongh-99889: Fix directory traversal security flaw in uu.dec…
47ec96a 
…ode() (pythonGH-104096) (python#104332)

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
@miss-islington @ethanfurman
@gpshead @JelleZijlstra
[3.8] pythongh-104049: do not expose on-disk location from SimpleHTTP…
2062fce 
…RequestHandler (pythonGH-104067) (python#104121)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

(cherry picked from commit c7c3a60)

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
@zooba @gaogaotiantian
[3.8] pythongh-103935: Use io.open_code() when executing code in tr…
9f89c47 
…ace and profile modules (pythonGH-103947) (python#103954)

Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com>
@ned-deily
[3.8] pythongh-68966: fix versionchanged in docs (pythonGH-105299)
d958960
@ned-deily
[3.8] Update GitHub CI workflow for macOS. (pythonGH-105302)
b28acfa
@miss-islington @iritkatriel
[3.8] pythongh-105184: document that marshal functions can fail and n…
c43c50e 
…eed to be checked with PyErr_Occurred (pythonGH-105185) (python#105222)

(cherry picked from commit ee26ca1)

Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
@stratakis @miss-islington
@illia-v @gpshead
[3.8] pythongh-102153: Start stripping C0 control and space chars in …
9c2ff15 
…`urlsplit` (pythonGH-102508) (pythonGH-104575) (pythonGH-104592) (python#104593) (python#104895)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit pythonGH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport.  (people will see
that in the mainline /3/ docs)

(cherry picked from commit d7f8a5f)
(cherry picked from commit 2f630e1)
(cherry picked from commit 610cc0a)
(cherry picked from commit f48a96a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
@ambv @gpshead @ned-deily
[3.8] pythongh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (
43eff24 
…pythonGH-105174) (pythonGH-105200) (pythonGH-105205) (python#105370)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
@ambv
Python 3.8.17
9a2d531
@ambv
Post 3.8.17
40ea37d
@carlosroman
Merge remote-tracking branch 'upstream/3.8' into carlosroman/python-3…
1d743c6 
….8.17-upgrade
@carlosroman carlosroman changed the title Carlosroman/python 3.8.17 upgrade Upgrade to 3.8.17 Jun 21, 2023
@carlosroman carlosroman force-pushed the carlosroman/python-3.8.17-upgrade branch from 28a1bba to 7a2b527 Compare June 21, 2023 13:31
remeh
remeh reviewed Jun 21, 2023
View reviewed changes
Copy link

@remeh remeh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure we want 40ea37d ? I don't know, I just compared to previous upgrade.

vickenty
vickenty previously approved these changes Jun 21, 2023
View reviewed changes
@carlosroman
Copy link
Author

carlosroman commented Jun 21, 2023
edited
Loading

Are we sure we want 40ea37d ? I don't know, I just compared to previous upgrade.

My follow up commit (7a2b527) changes the value back to 3.8.17. I thought it might be cleaner to do it in that commit rather than excluding the commit.

remeh
remeh approved these changes Jun 21, 2023
View reviewed changes
Copy link

@remeh remeh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@carlosroman carlosroman merged commit e0a363f into 3.8.x Jun 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@remeh remeh remeh approved these changes

@vickenty vickenty Awaiting requested review from vickenty

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.