Reword NEWS, refer to CVE-2022-42919.

python · Yhg1s · Oct 20, 2022 · Sep 23, 2022 · Sep 23, 2022 · Oct 14, 2022
commit 8c5071403d6a7b254a7fc9e0e3875eff26fe55e1
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -1,4 +1,16 @@
-On Linux :mod:`multiprocessing` no longer uses Linux specific abstract socket
-namespace sockets by default for inter-process communication as they have no
-permissions and thus allowed anyone on the system to inject code into the
-multiprocessing server process.
+On Linux the :mod:`multiprocessing` module when configured to use the
+``"forkserver"`` start method has switched back to using filesystem backed unix
+domain sockets by default for communication with the fork server. No longer
+using Linux's abstract socket namespace by default. Abstract sockets have no
+permissions and could thus allow any user on the system in the same `network
+namespace <https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_
+(often the whole system) to inject code into the multiprocessing *forkserver*
+process as a potential privilege escalation. Filesystem based socket
+permissions are restricted to the forkserver user as with Python 3.8 and
+earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_ in code that
+chooses to use the *forkserver* start method as documented in
+:ref:`multiprocessing contexts and start methods
+<multiprocessing-start-methods>`.