File _patchinfo of Package patchinfo.26740
<patchinfo incident="26740">
<issue tracker="cve" id="2022-42919"/>
<issue tracker="cve" id="2022-45061"/>
<issue tracker="bnc" id="1205244">VUL-0: CVE-2022-45061: python39,python3,python310,python36,python,python27: quadratic time IDNA decoding</issue>
<issue tracker="bnc" id="1204886">VUL-0: CVE-2022-42919: python39,python310: python: local privilege escalation via the multiprocessing forkserver start method</issue>
<packager>mcepl</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for python39</summary>
<description>This update for python39 fixes the following issues:
Security fixes:
- CVE-2022-42919: Fixed local privilege escalation via the multiprocessing forkserver start method (bsc#1204886).
- CVE-2022-45061: Fixed quadratic time in IDNA decoding (bsc#1205244).
Other fixes:
- Allow building of documentation with the latest Sphinx 5.3.0 (gh#python/cpython#98366).
- Update to 3.9.15:
  - Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - Update bundled libexpat to 2.4.9
</description>
</patchinfo>