
python3: Update to 3.7.11, Update pip to 21.1.3

Authored by ReillyBrogan on Jun 28 2021, 9:00 PM.



Python 3.7.11 Release Notes:

  • http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
  • The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
  • ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

Core and Builtins:

  • Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.

Pip 21.1.3 Release Notes:

  • Remove unused optional tornado import in vendored tenacity to prevent old versions of Tornado from breaking pip.
  • Require setup.cfg-only projects to be built via PEP 517, by requiring an explicit dependency on setuptools declared in pyproject.toml.
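The following is an added example, not code from this revision or from CPython: it checks offline whether the running interpreter carries two of the hardening changes quoted above (tab/CR/LF stripping in urllib.parse, and ftplib no longer trusting the PASV address by default), and adds a stricter URL check a caller can apply instead of relying on silent stripping. The sample URL is constructed for the demonstration.

```python
"""Added example (not from the revision or CPython): checks that the running
interpreter carries two of the 3.7.11 hardening changes quoted above, and shows a
stricter URL check a caller can apply on top of urllib.parse's silent stripping."""
from ftplib import FTP
from urllib.parse import urlsplit

# Tab, CR and LF: the ASCII characters urlsplit now removes before parsing.
UNSAFE_URL_CHARS = ("\t", "\r", "\n")

# Constructed sample input with all three characters embedded in the path.
SAMPLE_URL = "http://example.com/a\r\nb\tc"


def urlsplit_strips_unsafe_chars() -> bool:
    """True when urlsplit drops tab/CR/LF (3.7.11+ behaviour); older builds keep them in .path."""
    return not any(c in urlsplit(SAMPLE_URL).path for c in UNSAFE_URL_CHARS)


def ftplib_distrusts_pasv_ip() -> bool:
    """True when ftplib ignores the server-supplied PASV IPv4 address by default.
    FTP() without a host does not connect, so this is safe to run offline.
    On builds without the fix the attribute does not exist, which means 'trust'."""
    return getattr(FTP(), "trust_server_pasv_ipv4_address", True) is False


def interpreter_hardening_report() -> dict:
    """Summary a packager could record in a test plan for a Python update."""
    return {
        "urlsplit_strips_tab_cr_lf": urlsplit_strips_unsafe_chars(),
        "ftplib_distrusts_pasv_ipv4": ftplib_distrusts_pasv_ip(),
    }


def strict_urlsplit(url: str):
    """Reject, rather than silently strip, URLs carrying tab/CR/LF.
    Stripping neutralises the input, but rejecting lets the caller log it
    and stop processing. Raises ValueError on unsafe characters."""
    bad = [c for c in UNSAFE_URL_CHARS if c in url]
    if bad:
        raise ValueError(f"URL contains unsafe control characters: {bad!r}")
    return urlsplit(url)


if __name__ == "__main__":
    print(interpreter_hardening_report())
    print(strict_urlsplit("https://example.com/ok?x=1"))
```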

Test Plan
  • Rebuilt a few revdeps
  • Ran syncthing-gtk, virtualbox and checked that nothing obviously was broken
  • Rebooted and checked that system came up
  • Created venv and installed a requirements.txt

Diff Detail

R2527 python3
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

ReillyBrogan created this revision. Jun 28 2021, 9:00 PM
ReillyBrogan requested review of this revision. Jun 28 2021, 9:00 PM
JoshStrobl requested changes to this revision. Edited Jun 30 2021, 8:05 AM
JoshStrobl added a subscriber: JoshStrobl.

You don't need to provide the info about CVE-2021-3426, we autolink to mitre. Honestly, it could probably be omitted entirely, as we already patched it and thus not a concern for users.

This revision now requires changes to proceed. Jun 30 2021, 8:05 AM
ReillyBrogan requested review of this revision. Jun 30 2021, 5:11 PM
ReillyBrogan edited the summary of this revision.
JoshStrobl accepted this revision. Jun 30 2021, 7:00 PM

LGTM, thanks!

This revision is now accepted and ready to land. Jun 30 2021, 7:00 PM
This revision was automatically updated to reflect the committed changes.