[Bug 1934132] [NEW] SRU: backport Python 3.8.11 to 20.04 LTS and 20.10

Matthias Klose 1934132 at bugs.launchpad.net
Wed Jun 30 11:01:22 UTC 2021


Public bug reported:

As done with LP: #1928057, backport the 3.8.11 release to focal and
groovy, consisting of security updates and a fix for a regression
introduced in 3.8.10 (we already fixed sssd to pass its tests with
3.8.10).

Changes are:

Security
--------

- bpo-44022: :mod:`http.client` now avoids infinitely reading potential HTTP
  headers after a ``100 Continue`` status response from the server.

- bpo-43882: The presence of newline or tab characters in parts of a URL
  could allow some forms of attacks.

  Following the controlling specification for URLs defined by WHATWG
  :func:`urllib.parse` now removes ASCII newlines and tabs from URLs,
  preventing such attacks.

- bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
  and generator code/frame attribute access.

Core and Builtins
-----------------

- bpo-44070: No longer eagerly makes import filenames absolute, except for
  extension modules, which was introduced in 3.8.10.

Library
-------

- bpo-44061: Fix regression in previous release when calling
  :func:`pkgutil.iter_modules` with a list of :class:`pathlib.Path` objects


Validation: Test suite passes during the build, and all triggered autopkg tests pass.  I don't think we need another complete test rebuild with these changes.

Regression potential: Low, we already had the test rebuild with 3.8.10,
and these changes are very targeted.

Building the packages in the ubuntu-toolchain-r/ppa PPA with only the
security pocket enabled, so these builds can be binary-copied to the
updates and security pockets.

** Affects: python3.8 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: python3.8 (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: python3.8 (Ubuntu Groovy)
     Importance: Undecided
         Status: New

** Also affects: python3.8 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: python3.8 (Ubuntu Groovy)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1934132
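
Added example (not part of the bug report or of CPython): a way to confirm that an installed interpreter has the bpo-43882 behaviour described above, plus a stricter wrapper that rejects such URLs instead of letting them be rewritten silently. The function names and the example.test URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# ASCII tab, line feed and carriage return: the characters that, per the
# changelog entry for bpo-43882, urllib.parse now removes from URLs.
UNSAFE_URL_CHARS = ("\t", "\n", "\r")


def interpreter_strips_unsafe_chars():
    """True if this interpreter's urlsplit() removes tab/LF/CR from a URL.

    Useful as a post-upgrade check that the fixed package is the one in use.
    """
    probe = "https://exa\tmple.test/pa\nth?q=1\r"  # constructed probe URL
    rebuilt = urlsplit(probe).geturl()
    return not any(ch in rebuilt for ch in UNSAFE_URL_CHARS)


def find_unsafe_chars(url):
    """Return (index, character) pairs for every tab/LF/CR in the raw URL."""
    return [(i, ch) for i, ch in enumerate(url) if ch in UNSAFE_URL_CHARS]


def split_url_strict(url):
    """Parse a URL, refusing input that contains tab/LF/CR.

    Rejecting gives the same result on patched and unpatched interpreters,
    and it keeps any check made on the raw string consistent with what the
    parser later sees.
    """
    hits = find_unsafe_chars(url)
    if hits:
        where = ", ".join(f"{ch!r} at offset {i}" for i, ch in hits)
        raise ValueError(f"URL contains control characters: {where}")
    return urlsplit(url)


if __name__ == "__main__":
    print("urlsplit strips tab/LF/CR:", interpreter_strips_unsafe_chars())
    for candidate in ("https://example.test/ok", "https://example.test/a\nb"):
        try:
            print(repr(candidate), "->", split_url_strict(candidate).netloc)
        except ValueError as exc:
            print(repr(candidate), "rejected:", exc)
```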