Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

In order to dial out, it is necessary to broaden one's dimension.


devel / comp.lang.python.announce / [Python-announce] [RELEASE] Python 3.10.14, 3.9.19, and 3.8.19 is now available

SubjectAuthor
o [Python-announce] [RELEASE] Python 3.10.14, 3.9.19, and 3.8.19 is now availableŁukasz Langa

1
[Python-announce] [RELEASE] Python 3.10.14, 3.9.19, and 3.8.19 is now available

<6CA8C58A-3ABD-4F75-9357-D48FFCBFFDFC@langa.pl>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=10167&group=comp.lang.python.announce#10167

  copy link   Newsgroups: comp.lang.python.announce
Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!not-for-mail
From: luk...@langa.pl (Łukasz Langa)
Newsgroups: comp.lang.python.announce
Subject: [Python-announce] [RELEASE] Python 3.10.14, 3.9.19, and 3.8.19 is now available
Date: Wed, 20 Mar 2024 01:34:46 +0100
Lines: 175
Approved: python-announce-list@python.org
Message-ID: <6CA8C58A-3ABD-4F75-9357-D48FFCBFFDFC@langa.pl>
Reply-To: python-list@python.org
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
Content-Type: multipart/signed;
boundary="Apple-Mail=_E88D634E-85ED-49D6-BC1E-183309686103";
protocol="application/pgp-signature";
micalg=pgp-sha256
X-Trace: news.uni-berlin.de qNvFLHtK77aSuoj6wtWy/QtQ5ZI2yXOo3vYKGe3vLRUw==
Cancel-Lock: sha1:mpqWQ3rjGEYpP7srGlUzotWhy/o= sha256:/ZI76B+4/Vr6Mx6Z0eWhsaY5CiR6VaSijHFCNVr0v5o=
Authentication-Results: mail.python.org; dkim=pass
reason="2048-bit key; unprotected key"
header.d=langa.pl header.i=@langa.pl header.b=tu3Zpn06;
dkim-adsp=pass; dkim-atps=neutral
X-Spam-Status: OK 0.001
X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'psf': 0.02; 'url-
ip:140.82/16': 0.03; 'containing': 0.05; 'content-
type:multipart/signed': 0.05; 'volunteers': 0.05; 'url:downloads':
0.07; 'python.': 0.08; '<>,': 0.09; 'content-type:application/pgp-
signature': 0.09; 'fact,': 0.09; 'filename:fname piece:asc': 0.09;
'filename:fname piece:signature': 0.09;
'filename:fname:signature.asc': 0.09; 'macos': 0.09; 'manages':
0.09; 'ned': 0.09; 'pablo': 0.09; 'threads': 0.09; 'upgrading':
0.09; 'url-ip:151.101.0.223/32': 0.09; 'url-
ip:151.101.128.223/32': 0.09; 'url-ip:151.101.192.223/32': 0.09;
'url-ip:151.101.64.223/32': 0.09; 'url-ip:184.105/16': 0.09;
'url:discuss': 0.09; 'url:release': 0.09; 'subject:Python': 0.12;
'url:github': 0.14; 'url-ip:140/8': 0.15; '<>:': 0.16;
'artifacts': 0.16; 'boring': 0.16; 'bus': 0.16; 'bypass': 0.16;
'cve': 0.16; 'deily': 0.16; 'ensuring': 0.16; 'first:': 0.16;
'galindo': 0.16; 'howdy!': 0.16; 'integer': 0.16; 'possible!':
0.16; 'psf\xe2\x80\x99s': 0.16; 'received:10.202': 0.16;
'received:10.202.2': 0.16; 'received:internal': 0.16;
'received:messagingengine.com': 0.16; 'releases': 0.16;
'respective': 0.16; 'salgado': 0.16; 'so-called': 0.16;
'triggered': 0.16; 'url:cpython': 0.16; 'wouters': 0.16;
'\xc5\x81ukasz': 0.16; 'python': 0.16; 'developer': 0.16;
'github': 0.17; 'round': 0.19; 'server.': 0.19; 'to:addr:python-
list': 0.20; 'subject:] ': 0.21; 'to:no real name:2**1': 0.22;
'thanks!': 0.24; 'anything': 0.25; 'programming': 0.25;
'certificate': 0.26; 'manager,': 0.26; 'local': 0.27; 'bit': 0.27;
'done': 0.28; 'fact': 0.28; 'foundation.': 0.28; 'computer': 0.29;
'sfxlen:2': 0.31; 'official': 0.32; 'actions': 0.32; 'downloads':
0.32; 'language.': 0.32; 'but': 0.32; 'windows': 0.34; 'release':
0.34; 'files': 0.36; 'built': 0.36; 'errors': 0.36; 'source':
0.36; 'those': 0.36; 'subject:[': 0.37; 'directory': 0.37; 'file':
0.38; 'put': 0.38; 'read': 0.38; 'thanks': 0.38; 'above': 0.62;
'python.org': 0.62; 'url-ip:151.101.0/24': 0.62; 'url-
ip:151.101.128/24': 0.62; 'url-ip:151.101.192/24': 0.62; 'url-
ip:151.101.64/24': 0.62; 'here': 0.62; 'url:u': 0.63; 'skip:b 10':
0.63; 'public': 0.63; 'from:charset:utf-8': 0.64; 'security':
0.64; 'our': 0.64; 'lock': 0.64; 'your': 0.64; 'his': 0.65;
'&amp;': 0.65; 'skip:t 20': 0.66; 'listed': 0.67; 'worked': 0.67;
'url-ip:18/8': 0.67; 'factor': 0.69; 'residence': 0.69; 'skip:\xe2
20': 0.69; 'store,': 0.69; 'url:news': 0.69; 'affected': 0.70;
'longer': 0.71; 'content': 0.72; 'url:t': 0.73; 'deal': 0.73;
'yourself': 0.75; 'skip:f 20': 0.75; 'exposed': 0.76; 'supposed':
0.76; '8bit%:30': 0.78; 'out,': 0.78; 'highly': 0.78; 'quality':
0.80; 'we\xe2\x80\x99ve': 0.81; 'url:media': 0.84; '<>).': 0.84;
'accurate.': 0.84; 'attribute': 0.84; 'became': 0.84; 'bounds':
0.84; 'factor.': 0.84; 'summarized': 0.84; 'that!': 0.84; 'time!':
0.84; 'url:08': 0.84; 'fixed.': 0.91; 'news,': 0.91;
'received:103': 0.91; 'central': 0.95; 'hidden': 0.95; 'to:addr
:python-announce': 0.97
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=langa.pl; h=cc
:content-type:content-type:date:date:from:from:in-reply-to
:message-id:mime-version:reply-to:subject:subject:to:to; s=fm1;
t=1710894899; x=1710981299; bh=OTiwV4pbTkLen/v5cyx3LDucB1JgfofQ
ct35i34TbFM=; b=tu3Zpn06WMyLNOSs2FjHcpVa5cEMVI/PfnRu3L4Q5W9w7GPk
YzKzsK2xzPwZHE82d6R+D5jWe6m0Za081GLeMg+aXQLJytC7MFTrO/KRgeeCb5Yz
A6ssJc6Nnj5+btBTBbf31nXNus8iBTGv+dTwmUOe+x5erHKQkGddVWgP88jkSTmh
ifAghTu7FylaUgRQmcI92K+zRMfNA1Bwumnj3lHu1/pYFojqlvBDbccAfc9XGda8
CNoLagnDRaSY51Nd8GR6a4ICBL6CjYGbWC7CukRdXHY2tPDSjtBIaq8V3PcajS8N
OOG+414sgruL6GYQfPNZZiFAGg+oe3QXJobDIQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-type:content-type:date:date
:feedback-id:feedback-id:from:from:in-reply-to:message-id
:mime-version:reply-to:subject:subject:to:to:x-me-proxy
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=
1710894899; x=1710981299; bh=OTiwV4pbTkLen/v5cyx3LDucB1JgfofQct3
5i34TbFM=; b=G0MupT0gw9ZrhCNRnPwYmNshwisibPTvRrSwNELcpyYXeK2ELMt
JWlvDryeZtDXbORZGHG2YyK9OOo+yZH9SFf7L1WiHEfnjmrnDOlL7+tHyuli+6BU
tAGYB0S1U5n4BipjoHRu6zp5rbqIPrga8501Ldmn3uN0V/DuivrEjS3JAp5TwlfO
xebj4AePMGH7CkG/bwhbmbRKqWSncfB7mDV/mJXypH9gZlVsQ3Jgw+DOqcXiCJNd
wOF8p4BXrnq8NGi6PKJ7gO89dgkA4SLt/dQRiCCaV7VsCBuIr1Xb7h++rABSGS7/
cbaNaUCREzILyFcwsQG/TkuezPzy7si5O8Q==
X-ME-Sender: <xms:My_6ZaNeboXnsrov8k9dK59xKrF5lZ7ahOpcrV8LWC71JQWk8yUMSg>
<xme:My_6ZY_ZPtn-8GcXR8fu6IGJBJLSz-eompdNwF6MaUSgy1kHGnKdpCbdBgOVbnxWk
9HTR2nxHV9cgIQ>
X-ME-Received: <xmr:My_6ZRR0bYAx_fPN5nyyBNH4eXvw1nadPWhTfHXIuDeszcFc8o-UiaxyCLtzOfvO1QzLYTyjk94hmA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrledugddvhecutefuodetggdotefrodftvf
curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
uegrihhlohhuthemuceftddtnecunecujfgurhephfgtggfukfffvffosehgtdhmrehhtd
ejnecuhfhrohhmpefnuhhkrghsiicunfgrnhhgrgcuoehluhhkrghsiieslhgrnhhgrgdr
phhlqeenucggtffrrghtthgvrhhnpeefvedvudfgieelheeitdeiieekieegleffieeigf
evhfekfeekueegudehuddvteenucffohhmrghinhepphihthhhohhnrdhorhhgpdhgihht
hhhusgdrtghomhdptghvvgdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrh
grmhepmhgrihhlfhhrohhmpehluhhkrghsiieslhgrnhhgrgdrphhl
X-ME-Proxy: <xmx:My_6ZavQN6TnK_QBeImpihP9KnmzDH6L3reRIa_xiG9MQXNLOE0jQw>
<xmx:My_6ZSc_JfVH16qAcPCTDhdEH_nkVnXlEpkrVM3AKmmu8TGyso8zAg>
<xmx:My_6Ze2Jc2IwrDNwHoB_ld1PnLdnjJsY0Qcx0yDT4_wVc0JoFwG00w>
<xmx:My_6ZW85NthtriOoTSw4lX6LVwfGo19aEhmvaLs7tB9vjfyxdgKlVg>
<xmx:My_6ZS5geHs74f5ncLjQCNtiJ7aPlAQJpIBcZyOF4zGrpKk5yBvk4g>
Feedback-ID: i8e7440be:Fastmail
X-Mailer: Apple Mail (2.3731.700.6.1.1)
X-MailFrom: lukasz@langa.pl
X-Mailman-Rule-Hits: emergency
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved
Message-ID-Hash: GY4W3JOP6MIL3NCVSAFDA3OSOZNSOE4Y
X-Message-ID-Hash: GY4W3JOP6MIL3NCVSAFDA3OSOZNSOE4Y
X-Mailman-Approved-At: Tue, 19 Mar 2024 20:35:44 -0400
X-Content-Filtered-By: Mailman/MimeDel 3.3.10b1
X-Mailman-Version: 3.3.10b1
Precedence: list
List-Id: Announcement-only list for the Python programming language <python-announce-list.python.org>
Archived-At: <https://mail.python.org/archives/list/python-announce-list@python.org/message/GY4W3JOP6MIL3NCVSAFDA3OSOZNSOE4Y/>
List-Archive: <https://mail.python.org/archives/list/python-announce-list@python.org/>
List-Help: <mailto:python-announce-list-request@python.org?subject=help>
List-Owner: <mailto:python-announce-list-owner@python.org>
List-Post: <mailto:python-announce-list@python.org>
List-Subscribe: <mailto:python-announce-list-join@python.org>
List-Unsubscribe: <mailto:python-announce-list-leave@python.org>
 by: Łukasz Langa - Wed, 20 Mar 2024 00:34 UTC
Attachments: signature.asc (application/pgp-signature)

Howdy!
Those are the boring security releases that aren’t supposed to bring anything new. But not this time! We do have a bit of news, actually. But first things first: go update your systems!

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-31014-1>Python 3.10.14

Get it here: Python Release Python 3.10.14 <https://www.python.org/downloads/release/python-31014/>
26 commits since last release.

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-3919-2>Python 3.9.19

Get it here: Python Release Python 3.9.19 <https://www.python.org/downloads/release/python-3919/>
26 commits since last release.

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-3819-3>Python 3.8.19

Get it here: Python Release Python 3.8.19 <https://www.python.org/downloads/release/python-3819/>
28 commits since last release.

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#security-content-in-this-release-4>Security content in this release

gh-115399 <https://github.com/python/cpython/issues/115399> & gh-115398 <https://github.com/python/cpython/issues/115398>: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425 <https://www.cve.org/CVERecord?id=CVE-2023-52425>, and control of the new reparse deferral functionality was exposed with new APIs. Thanks to Sebastian Pipping, the maintainer of libexpat, who worked with us directly on incorporating those fixes!
gh-109858 <https://github.com/python/cpython/issues/109858>: zipfile is now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450 <https://www.cve.org/CVERecord?id=CVE-2024-0450>. It now raises BadZipFile when attempting to read an entry that overlaps with another entry or central directory
gh-91133 <https://github.com/python/cpython/issues/91133>: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when working around file system permission errors to address CVE-2023-6597 <https://www.cve.org/CVERecord?id=CVE-2023-6597>
gh-115197 <https://github.com/python/cpython/issues/115197>: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows
gh-81194 <https://github.com/python/cpython/issues/81194>: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed
gh-113659 <https://github.com/python/cpython/issues/113659>: .pth files with names starting with a dot or containing the hidden file attribute are now skipped
gh-102388 <https://github.com/python/cpython/issues/102388>: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds
gh-114572 <https://github.com/python/cpython/issues/114572>: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads
<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#stay-safe-and-upgrade-5>Stay safe and upgrade!

Upgrading is highly recommended to all users of affected versions.

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#source-builds-are-moving-to-github-actions-6>Source builds are moving to GitHub Actions

It’s not something you will notice when downloading, but 3.10.14 here is the first release we’ve done were the source artifacts were built on GHA <https://github.com/python/release-tools/actions/runs/8350750234> and not on a local computer of one of the release managers. We have the Security Developer in Residence @sethmlarson <https://discuss.python.org/u/sethmlarson> to thank for that!

It’s a big deal since public builds allow for easier auditing and repeatability. It also helps with the so-called bus factor. In fact, to test this out, this build of 3.10.14 was triggered by me and not Pablo, who would usually release Python 3.10.

The artifacts are later still signed by the respective release manager, ensuring integrity when put on the downloads server.

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#python-now-manages-its-own-cves-7>Python now manages its own CVEs

The security releases you’re looking at are the first after the PSF became a CVE Numbering Authority <https://www.cve.org/Media/News/item/news/2023/08/29/Python-Software-Foundation-Added-as-CNA>. That’s also thanks to @sethmlarson <https://discuss.python.org/u/sethmlarson>. What being our own CNA allows us to ensure the quality of the vulnerability reports is high, and the severity estimate is accurate. Seth summarized it best in his announcement here <https://discuss.python.org/t/the-python-software-foundation-has-been-authorized-by-the-cve-program-as-a-cve-numbering-authority-cna/32561>.

What this also allows us to do is to combine announcement of CVEs with the release of patched versions of Python. This is in fact the case with two of the CVEs listed above (CVE-2023-6597 <https://www.cve.org/CVERecord?id=CVE-2023-6597> and CVE-2024-0450 <https://www.cve.org/CVERecord?id=CVE-2024-0450>). And since Seth is now traveling, this announcement duty was fulfilled by the PSF’s Director of Infrastructure @EWDurbin <https://discuss.python.org/u/ewdurbin>. Thanks!

I’m happy to see us successfully testing bus factor resilience on multiple fronts with this round of releases.

<https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993#thank-you-for-your-support-8>Thank you for your support

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Python.org <http://python.org/> - the official home of the Python Programming Language.

Łukasz Langa @ambv <https://discuss.python.org/u/ambv>
on behalf of your friendly release team,

Ned Deily @nad <https://discuss.python.org/u/nad>
Steve Dower @steve.dower <https://discuss.python.org/u/steve.dower>
Pablo Galindo Salgado @pablogsal <https://discuss.python.org/u/pablogsal>
Łukasz Langa @ambv <https://discuss.python.org/u/ambv>
Thomas Wouters @thomas <https://discuss.python.org/u/thomas>

Attachments: signature.asc (application/pgp-signature)

devel / comp.lang.python.announce / [Python-announce] [RELEASE] Python 3.10.14, 3.9.19, and 3.8.19 is now available

1
server_pubkey.txt

rocksolid light 0.9.81
clearnet tor