Closed
CPython did a security release
We should
- Update libexpat to 2.6.0. This requires updating the build workers (linux Dockerfiles, windows dependency, macos via brew). Perhaps we should do like CPython and bundle libexpat into our sources for pypy/modules/pyexpat ([3.9] Upgrade bundled libexpat to 2.6.0 (GH-115399) python/cpython#115474), which would statically link libexpat and reduce the number of bundled shared objects from 8 to 7
- Update the stdlib to get the fixes for zipfile, tempfile, urllib, socket test, hidden pth, iso2022_jp_3 test, libexpat test, etc
- Check that we properly handle the underlying socket function changed in [3.9] bpo-37013: Fix the error handling in socket.if_indextoname() (GH-13503) python/cpython#112600
- Check that we pass the iso2022_jp_3 test [3.9] gh-101180: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds (gh-111695) python/cpython#111780
- Use X509_STORE_get1_objects instead of X509_STORE_get0_objects in _ssl [3.10] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) python/cpython#115548, raising better error in _ssl test_asyncio: test_create_connection_ssl_failed_certificate() failed on ARM64 macOS 3.x buildbot python/cpython#107077
- Update bundled OpenSSL to 3.0.11 (we already use 3.0.12)
- Update zlib 1.3.1 (windows)
- Use new libexpat API [3.9] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) (GH-115623) python/cpython#116272
cc @mgorny
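
An added example, not part of the issue and not PyPy's or CPython's own code: a script that reports whether an interpreter build meets the version floors named in the checklist above (libexpat 2.6.0, OpenSSL 3.0.11, zlib 1.3.1) and exposes the Expat reparse deferral API. The function names and the `MINIMUMS` table are assumptions made for this example.

```python
import re

# Version floors copied from the checklist (zlib 1.3.1 is listed there for windows).
MINIMUMS = {"expat": (2, 6, 0), "openssl": (3, 0, 11), "zlib": (1, 3, 1)}


def parse_version(text):
    """Return the first x.y[.z] version in strings such as 'expat_2.6.0',
    'OpenSSL 3.0.12 24 Oct 2023' or '1.3' as a 3-tuple (missing z -> 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def audit(expat, openssl, zlib_runtime, has_reparse_api):
    """Return {check name: bool}; True means the checklist item is met."""
    found = {"expat": expat, "openssl": openssl, "zlib": zlib_runtime}
    result = {name: parse_version(text) >= MINIMUMS[name]
              for name, text in found.items()}
    # Count the deferral API as usable only when Expat itself is >= 2.6.0.
    result["reparse_deferral_api"] = has_reparse_api and result["expat"]
    return result


def collect():
    """Read the same four facts from the interpreter running this script."""
    import ssl
    import zlib
    from xml.parsers import expat
    parser = expat.ParserCreate()
    return audit(
        expat=expat.EXPAT_VERSION,
        # The version string is parsed instead of OPENSSL_VERSION_INFO,
        # whose third field is not the patch number on OpenSSL 3.x.
        openssl=ssl.OPENSSL_VERSION,
        zlib_runtime=zlib.ZLIB_RUNTIME_VERSION,
        has_reparse_api=hasattr(parser, "SetReparseDeferralEnabled"),
    )


if __name__ == "__main__":
    for name, ok in collect().items():
        print(f"{name:22} {'ok' if ok else 'NEEDS UPDATE'}")
```
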