Python 3.9.23

Łukasz Langa 2025-06-03 20:47:52 +02:00
parent 920a1c30dd
commit 865270262a
No known key found for this signature in database
GPG key ID: B26995E310250568
12 changed files with 100 additions and 29 deletions

@ -18,12 +18,12 @@
/*--start constants--*/
#define PY_MAJOR_VERSION 3
#define PY_MINOR_VERSION 9
#define PY_MICRO_VERSION 22
#define PY_MICRO_VERSION 23
#define PY_RELEASE_LEVEL PY_RELEASE_LEVEL_FINAL
#define PY_RELEASE_SERIAL 0
/* Version as a string */
#define PY_VERSION "3.9.22+"
#define PY_VERSION "3.9.23"
/*--end constants--*/
/* Version as a single 4-byte hex number, e.g. 0x010502B2 == 1.5.2b2.
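
Review bot: PY_VERSION changes from "3.9.22+" to "3.9.23", dropping the "+" suffix, which is correct for the tagged release but means any later build from this branch would also report itself as exactly 3.9.23. The follow-up commit should set PY_VERSION to "3.9.23+" so that a binary built from post-release sources can be told apart from the released one when verifying which fixes a deployment actually carries.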

97
Misc/NEWS.d/3.9.23.rst Normal file

@ -0,0 +1,97 @@
.. date: 2025-06-02-11-32-23
.. gh-issue: 135034
.. nonce: RLGjbp
.. release date: 2025-06-03
.. section: Security
Fixes multiple issues that allowed ``tarfile`` extraction filters
(``filter="data"`` and ``filter="tar"``) to be bypassed using crafted
symlinks and hard links.
Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517.
..
.. date: 2025-05-09-20-22-54
.. gh-issue: 133767
.. nonce: kN2i3Q
.. section: Security
Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error
handler.
..
.. date: 2025-01-14-11-19-07
.. gh-issue: 128840
.. nonce: M1doZW
.. section: Security
Short-circuit the processing of long IPv6 addresses early in
:mod:`ipaddress` to prevent excessive memory consumption and a minor
denial-of-service.
..
.. date: 2024-08-06-11-43-08
.. gh-issue: 80222
.. nonce: wfR4BU
.. section: Security
Fix bug in the folding of quoted strings when flattening an email message
using a modern email policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding quotes and internal
escapes would be omitted. This could theoretically be used to spoof header
lines using a carefully constructed quoted string if the resulting rendered
email was transmitted or re-parsed.
..
.. date: 2025-05-28-15-53-27
.. gh-issue: 128840
.. nonce: Nur2pB
.. section: Library
Fix parsing long IPv6 addresses with embedded IPv4 address.
..
.. date: 2025-05-15-14-27-01
.. gh-issue: 134062
.. nonce: fRbJet
.. section: Library
:mod:`ipaddress`: fix collisions in :meth:`~object.__hash__` for
:class:`~ipaddress.IPv4Network` and :class:`~ipaddress.IPv6Network` objects.
..
.. date: 2024-08-28-13-03-36
.. gh-issue: 123409
.. nonce: lW0YF-
.. section: Library
Fix :attr:`ipaddress.IPv6Address.reverse_pointer` output according to
:rfc:`RFC 3596, §2.5 <3596#section-2.5>`. Patch by Bénédikt Tran.
..
.. bpo: 43633
.. date: 2021-10-31-16-06-28
.. nonce: vflwXv
.. section: Library
Improve the textual representation of IPv4-mapped IPv6 addresses
(:rfc:`4291` Sections 2.2, 2.5.5.2) in :mod:`ipaddress`. Patch by Oleksandr
Pavliuk.
..
.. bpo: 25264
.. date: 2021-04-08-22-11-27
.. nonce: b33fa0
.. section: Library
:func:`os.path.realpath` now accepts a *strict* keyword-only argument. When
set to ``True``, :exc:`OSError` is raised if a path doesn't exist or a
symlink loop is encountered.
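
Review bot: In the first Security entry the identifiers are written "CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517" with a space where the canonical form has a hyphen, so anyone searching the changelog for CVE-2024-12718 will not find this entry. Suggest writing each one in the hyphenated form. Separately, the last Library entry adds a *strict* keyword-only argument to os.path.realpath in a micro release; the text should state the version it first appears in, since callers passing strict=True cannot rely on it across earlier 3.9.x installs.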

@ -1,3 +0,0 @@
:func:`os.path.realpath` now accepts a *strict* keyword-only argument.
When set to ``True``, :exc:`OSError` is raised if a path doesn't exist
or a symlink loop is encountered.

@ -1 +0,0 @@
Improve the textual representation of IPv4-mapped IPv6 addresses (:rfc:`4291` Sections 2.2, 2.5.5.2) in :mod:`ipaddress`. Patch by Oleksandr Pavliuk.

@ -1,2 +0,0 @@
Fix :attr:`ipaddress.IPv6Address.reverse_pointer` output according to
:rfc:`RFC 3596, §2.5 <3596#section-2.5>`. Patch by Bénédikt Tran.

@ -1,3 +0,0 @@
:mod:`ipaddress`: fix collisions in :meth:`~object.__hash__` for
:class:`~ipaddress.IPv4Network` and :class:`~ipaddress.IPv6Network`
objects.

@ -1 +0,0 @@
Fix parsing long IPv6 addresses with embedded IPv4 address.

@ -1,6 +0,0 @@
Fix bug in the folding of quoted strings when flattening an email message using
a modern email policy. Previously when a quoted string was folded so that
it spanned more than one line, the surrounding quotes and internal escapes
would be omitted. This could theoretically be used to spoof header lines
using a carefully constructed quoted string if the resulting rendered email
was transmitted or re-parsed.

@ -1,2 +0,0 @@
Short-circuit the processing of long IPv6 addresses early in :mod:`ipaddress` to prevent excessive
memory consumption and a minor denial-of-service.

@ -1,2 +0,0 @@
Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error
handler.

@ -1,6 +0,0 @@
Fixes multiple issues that allowed ``tarfile`` extraction filters
(``filter="data"`` and ``filter="tar"``) to be bypassed using crafted
symlinks and hard links.
Addresses CVE 2024-12718, CVE 2025-4138, CVE 2025-4330, and CVE 2025-4517.

@ -1,4 +1,4 @@
This is Python version 3.9.22
This is Python version 3.9.23
=============================
.. image:: https://travis-ci.org/python/cpython.svg?branch=3.9