File _patchinfo of Package patchinfo.29749

<patchinfo incident="29749">
  <issue tracker="cve" id="2007-4559"/>
  <issue tracker="cve" id="2023-24329"/>
  <issue tracker="bnc" id="1208471">VUL-0: CVE-2023-24329: python,python3,python27,python36,python39,python310: blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters</issue>
  <issue tracker="bnc" id="1203750">VUL-0: CVE-2007-4559: python36,python3,python39,python310,python,python27: python tarfile module directory traversal</issue>
  <packager>mcepl</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python39</summary>
  <description>This update for python39 fixes the following issues:

Update to 3.9.17:

- urllib.parse.urlsplit() now strips leading C0 control and space
  characters following the specification for URLs defined by WHATWG in
  response to CVE-2023-24329 (bsc#1208471).
- Fixed a security in flaw in uu.decode() that could allow for directory
  traversal based on the input if no out_file was specified.
- Do not expose the local on-disk location in directory indexes produced by
  http.client.SimpleHTTPRequestHandler.
- trace.__main__ now uses io.open_code() for files
  to be executed instead of raw open().
- CVE-2007-4559: The extraction methods in tarfile, and shutil.unpack_archive(), have
  a new filter argument that allows limiting tar features than may be
  surprising or dangerous, such as creating files outside the destination
  directory. See Extraction filters for details (fixing bsc#1203750).
- Fixed a deadlock at shutdown when clearing thread states if any
  finalizer tries to acquire the runtime head lock.
- Fixed a crash due to a race while iterating over thread states in
  clearing threading.local.
</description>
</patchinfo>