[Buildroot] [PATCH] package/python3: security bump to version 3.9.4

Peter Korsgaard peter at korsgaard.com
Tue Apr 6 09:32:32 UTC 2021


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module
 >   which could be abused to read arbitrary files on the disk (directory
 >   traversal vulnerability).  Moreover, even source code of Python modules
 >   can contain sensitive data like passwords.  Vulnerability reported by
 >   David Schwörer.

 > - bpo-43285: ftplib no longer trusts the IP address value returned from the
 >   server in response to the PASV command by default.  This prevents a
 >   malicious FTP server from using the response to probe IPv4 address and
 >   port combinations on the client network.

 >   Code that requires the former vulnerable behavior may set a
 >   trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to
 >   True to re-enable it.

 > - bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and
 >   gc.get_referents().  Patch by Pablo Galindo.

 > Note: 3.9.3 was recalled due to introducing unintentional ABI
 > incompatibility, and fixes re-released as 3.9.4:

 > https://www.python.org/downloads/release/python-394/

 > Add host-autoreconf-archive, as it is needed for autoreconf since:
 > https://github.com/python/cpython/commit/064bc07f241dceec2fc577cbf5c31fa6d63fe320

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2021.02.x, thanks.

-- 
Bye, Peter Korsgaard


