Fix for CVE-2022-42919

python3.9.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 
 
@@ -397,6 +397,23 @@ Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-g
 # Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
 Patch382: 00382-cve-2015-20107.patch
 
+# 00391 # e6d12d8fca6afad3a56dc076c220f213b723a28e
+# Don't use Linux abstract sockets for multiprocessing
+#
+# Linux abstract sockets are insecure as they lack any form of filesystem
+# permissions so their use allows anyone on the system to inject code into
+# the process.
+#
+# This removes the default preference for abstract sockets in
+# multiprocessing introduced in Python 3.9+ via
+# https://github.com/python/cpython/pull/18866 while fixing
+# https://github.com/python/cpython/issues/84031.
+#
+# Explicit use of an abstract socket by a user now generates a
+# RuntimeWarning.  If we choose to keep this warning, it should be
+# backported to the 3.7 and 3.8 branches.
+Patch391: 00391-don-t-use-linux-abstract-sockets-for-multiprocessing.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1812,6 +1829,10 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Nov 09 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.15-2
+- Fix for CVE-2022-42919
+Resolves: rhbz#2138711
+
 * Wed Oct 12 2022 Miro Hrončok <mhroncok@redhat.com> - 3.9.15-1
 - Update to 3.9.15