forked from python/cpython
-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Reword NEWS for the bugfix/security release.
(mentions the assigned CVE number)
- Loading branch information
Showing
1 changed file
with
7 additions
and
8 deletions.
There are no files selected for viewing
15 changes: 7 additions & 8 deletions
15
Misc/NEWS.d/next/Library/2023-12-01-21-05-46.gh-issue-112334.DmNXKh.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,11 +1,10 @@ | ||
Fixed a performance regression in 3.12's :mod:`subprocess` on Linux where it | ||
would no longer use the fast-path ``vfork()`` system call when it could have | ||
due to a logic bug, instead falling back to the safe but slower ``fork()``. | ||
would no longer use the fast-path ``vfork()`` system call when it should have | ||
due to a logic bug, instead always falling back to the safe but slower ``fork()``. | ||
|
||
Also fixed a second 3.12.0 potential security bug. If a value of | ||
``extra_groups=[]`` was passed to :mod:`subprocess.Popen` or related APIs, | ||
the underlying ``setgroups(0, NULL)`` system call to clear the groups list | ||
would not be made in the child process prior to ``exec()``. | ||
Also fixed a related 3.12 security regression: If a value of ``extra_groups=[]`` | ||
was passed to :mod:`subprocess.Popen` or related APIs, the underlying | ||
``setgroups(0, NULL)`` system call to clear the groups list would not be made | ||
in the child process prior to ``exec()``. This has been assigned CVE-2023-6507. | ||
|
||
This was identified via code inspection in the process of fixing the first | ||
bug. | ||
This was identified via code inspection in the process of fixing the first bug. |