SRU: backport Python 3.8.11 to 20.04 LTS and 20.10
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python3.8 (Ubuntu) | Confirmed | Undecided | Unassigned |
Focal | Confirmed | Undecided | Unassigned |
Groovy | Confirmed | Undecided | Unassigned |
Bug Description
As done with LP: #1928057, backport the 3.8.11 release to focal and groovy, consisting of security updates and a fix for a regression introduced in 3.8.10 (we already fixed sssd to pass its tests with 3.8.10).
Changes are:
Security
--------
- bpo-44022: :mod:`http.client` now avoids infinitely reading potential HTTP
  headers after a ``100 Continue`` status response from the server.
- bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG
:func:
preventing such attacks.
- bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.
Core and Builtins
-----------------
- bpo-44070: No longer eagerly makes import filenames absolute, except for
extension modules, which was introduced in 3.8.10.
Library
-------
- bpo-44061: Fix regression in previous release when calling
:func:
Validation: Test suite passes during the build, and all triggered autopkg tests pass. I don't think we need another complete test rebuild with these changes.
Regression potential: Low, we already had the test rebuild with 3.8.10, and these changes are very targeted.
Building the packages in the ubuntu-
Status changed to 'Confirmed' because the bug affects multiple users.
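An application-side guard for the bpo-43882 item above, as an added example that is not part of the original bug report or of the Python patch: it rejects URLs containing ASCII tab, line feed or carriage return (the characters the WHATWG URL specification removes) before parsing, so an allow-list check behaves the same on patched and unpatched interpreters. The names `check_url` and `interpreter_strips_unsafe_chars`, the allow-list and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# ASCII tab, line feed and carriage return: the characters the WHATWG URL
# specification removes from a URL before parsing it.
UNSAFE_URL_CHARS = "\t\n\r"


def interpreter_strips_unsafe_chars():
    """Report whether this interpreter's urlsplit() drops tab/newline itself."""
    probe = urlsplit("http://exa\tmple.test/pa\nth")  # constructed probe URL
    return probe.netloc == "example.test" and probe.path == "/path"


def check_url(url, allowed_hosts):
    """Return url if it is http(s) and its host is allow-listed, else None.

    URLs containing tab/CR/LF are rejected before parsing, so the host that is
    checked is always the host in the string handed on, and the result is the
    same whether or not the interpreter normalises those characters itself.
    """
    if any(ch in url for ch in UNSAFE_URL_CHARS):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in allowed_hosts:
        return None
    return url


if __name__ == "__main__":
    allowed = {"example.test"}  # hypothetical allow-list
    samples = [  # constructed inputs
        "https://example.test/a",
        "https://exa\tmple.test/a",
        "https://example.test/a\r\nX: y",
        "https://other.test/",
    ]
    print("urlsplit strips tab/newline:", interpreter_strips_unsafe_chars())
    for s in samples:
        print(repr(s), "->", check_url(s, allowed))
```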