File _patchinfo of Package patchinfo.29655
<patchinfo incident="29655">
<issue tracker="bnc" id="1211765">python310 unreproducible pyc</issue>
<issue tracker="cve" id="2007-4559"/>
<issue tracker="cve" id="2023-24329"/>
<issue tracker="bnc" id="1208471">VUL-0: CVE-2023-24329: python,python3,python27,python36,python39,python310: blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters</issue>
<issue tracker="bnc" id="1203750">VUL-0: CVE-2007-4559: python36,python3,python39,python310,python,python27: python tarfile module directory traversal</issue>
<packager>mcepl</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for python310</summary>
<description>This update for python310 fixes the following issues:
- Make marshalling of `set` and `frozenset` deterministic (bsc#1211765)
python310 was updated to 3.10.12:
- urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- CVE-2007-4559: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
bsc#1203750).
</description>
</patchinfo>