dongjoon-hyun commented on PR #57040:
URL: https://github.com/apache/spark/pull/57040#issuecomment-4900985323

   May I ask if it's only your imagination or you are trying to refer some real 
production environments?
   > My concern is that for some Python users, they download their minor Python 
version (3.11) once and never upgrade it.
   
   To be honest with you, I don't think it's a usable or real production 
system, @gaogaotiantian . If you are aware of any systems, you had better 
inform them to upgrade. That's the Python and Apache Spark community 
recommendation.
   
   For example, let's say that they are using `Python 3.11.3 (April 5, 2023)` 
in their production environment. They have the following issues.
   
   **Correctness/Crash/Hang Issues**
   
   Python 3.11.4 (June 6, 2023)
   
   - gh-104615 — Compiler generated wrong ordering of assignments in code like 
a, a = x, y. Silently produces incorrect results — the most dangerous class of 
bug.
   - gh-103590 — try-except* wrongly wrapped a single exception in an 
ExceptionGroup, breaking exception-handling logic.
   - gh-104035 — Slotted frozen dataclasses ignored user-defined 
__getstate__/__setstate__, silently breaking custom pickling.
   - gh-102818 — sys.setprofile/sys.settrace duplicated or omitted frames in 
tracebacks when the callback raised.
   - gh-103987 — mmap could access memory-mapped files after invalidation 
(crash).
   - gh-104265 — Instantiating _csv.Reader/_csv.Writer directly crashed the 
interpreter (3.10 regression).
   - gh-104536 — Race condition in multiprocessing process cleanup causing 
spurious AttributeError in process.close().
   - gh-96522 — Potential deadlock in pty.spawn().
   - gh-87474 — File descriptor leaks in subprocess.Popen.
   
   Python 3.11.5 (August 24, 2023)
   
   - gh-106092 — Segfault from a use-after-free in frame deallocation (trashcan 
mechanism).
   - gh-105840 — Crashes when specializing function calls with too many 
__defaults__.
   - gh-105588 — Crashes when compiling malformed ast nodes.
   - gh-104432 — Unaligned memory access in grp/socket C APIs (visible on ARM 
macOS).
   - gh-94777 — ProcessPoolExecutor hung forever if a child process crashed 
while data was being written to the call queue.
   - gh-106684 — asyncio.StreamWriter leaked memory when not explicitly closed.
   - gh-105375 — Exceptions could be silently overwritten in builtins, pickle, 
_datetime, _ssl, array, _ctypes, and zoneinfo.
   - gh-105332 — Reverted enum pickling from by-name back to by-value 
(unpickling compatibility regression).
   - gh-103171 — Reverted an undocumented behavior change in runtime-checkable 
typing protocols.
   
   Python 3.11.6 (October 2, 2023)
   
   - gh-105829 — concurrent.futures.ProcessPoolExecutor deadlock.
   - gh-109593 — Deadlock in the multiprocessing resource tracker on reentrant 
calls.
   - gh-107219 — Race condition in concurrent.futures when a process was 
terminated abruptly.
   - gh-108987 — _thread.start_new_thread() race during interpreter 
finalization.
   - gh-104372 — subprocess with vfork() blocked other threads; GIL now 
released while waiting for child exec.
   - gh-108520 — multiprocessing.SemLock initialization regression affecting 
nested processes (locks passed between processes).
   - gh-110038 — KqueueSelector.select() missed ready events when an fd was 
registered for both read and write (affects asyncio on BSD/macOS).
   - gh-109631 — re functions (findall, split, sub) could not be interrupted by 
Ctrl-C.
   - gh-110036 — multiprocessing on Windows: Popen.terminate() mishandled 
PermissionError.
   
   Python 3.11.7 (December 4, 2023)
   
   - gh-112618 — typing.Annotated caching bug: Annotated[str, True] and 
Annotated[str, 1] were treated as identical (silent type-metadata corruption).
   - gh-112509 — typing.TypedDict keys could appear in both __required_keys__ 
and __optional_keys__.
   - gh-110196 — Pickling ipaddress.IPv6Address silently lost the scope_id.
   - gh-102388 — Out-of-bounds read in iso2022_jp_3/iso2022_jp_2004 codecs.
   - gh-73561 — http.client sent the IPv6 scope suffix in the Host: header 
(protocol violation).
   - gh-112625 — Use-after-free: bytearray.join() could read freed memory if 
the bytearray was cleared during iteration.
   - gh-111942 — Crashes in io.TextIOWrapper with invalid arguments.
   - gh-109786 — Crashes and reference leaks when re-entering 
itertools.pairwise.__next__().
   - gh-110378 — contextmanager()/asynccontextmanager() failed to close 
generators that yielded more than once.
   - gh-109216 — Memory leak in the BUILD_MAP bytecode instruction.
   
   Python 3.11.8 (February 6, 2024)
   
   - gh-105967 — zlib.crc32() and binascii.crc32() returned incorrect checksums 
on multi-gigabyte inputs on macOS. Directly relevant to data-integrity 
pipelines.
   - gh-104522 — OSError from subprocess wrongly attributed failures to cwd 
(misleading error attribution).
   - Crashes / races / hangs:
   - gh-106905 — Race condition in multithreaded ast.parse() (global parser 
state shared across threads).
   - gh-113566 — 3.11-specific crash when repr() of an asyncio.Future was 
requested after module GC.
   - gh-89811 — Bytecode-specialization crash (missing type-version validity 
check).
   - gh-79325 — Infinite recursion in tempfile.TemporaryDirectory() cleanup on 
Windows.
   - gh-114887 — Regression: asyncio.create_datagram_endpoint() rejected raw 
(non-datagram) sockets.
   - gh-113214 — AttributeError during asyncio SSL aborts in SSL-over-SSL 
scenarios.
   - gh-113280 / gh-109534 — Socket and reference leaks in ssl/asyncio SSL 
handshake error paths.
   
   Python 3.11.9 (April 2, 2024)
   
   - gh-96497 — Name mangling of class variables resolved incorrectly in 
assignment expressions (walrus) inside comprehensions.
   - gh-116957 — configparser left values in an invalid state (list instead of 
str) after duplicate-key errors.
   - gh-114563 — Three Decimal.__format__ bugs: memory leak with z option, 
wrong output with F + z, wrong # alternate form.
   - gh-95782 — io.BufferedReader/BufferedRandom tell()/seek() could return 
negative offsets.
   - gh-115243 — Crash in collections.deque.index() under concurrent 
modification.
   - gh-114572 — Race in ssl.SSLContext.cert_store_stats()/get_ca_certs() with 
thread-shared contexts.
   - gh-114763 — importlib.util.LazyLoader race during concurrent attribute 
access.
   - gh-117178 — Regression in lazy loading of self-referential modules.
   - gh-115618 — Incorrect refcount decrease for None in 
property.getter()/setter()/deleter().
   
   **CVE Issues**
   
   Python 3.11.4 (June 6, 2023)
   
   - CVE-2023-24329 — urllib.parse.urlsplit() allowed URLs beginning with C0 
control characters or spaces to bypass scheme/host blocklist checks (SSRF / 
filter bypass). (gh-102153)
   - CVE-2007-4559 mitigation (PEP 706) — tarfile.extractall() / 
shutil.unpack_archive() gained the filter= argument to block path-traversal tar 
members. The safe-extraction API does not exist before 3.11.4. (gh-102953)
   - gh-99889 — uu.decode() directory traversal: a crafted input could write 
files to arbitrary paths when no output file was specified.
   - gh-104049 — http.server.SimpleHTTPRequestHandler disclosed the local 
on-disk path in generated directory indexes.
   - gh-103142 — Bundled OpenSSL upgraded to 1.1.1u in binary installers (rolls 
up multiple OpenSSL CVEs).
   
   Python 3.11.5 (August 24, 2023)
   
   - CVE-2023-40217 — ssl.SSLSocket TLS handshake bypass: unencrypted data sent 
before the handshake could be treated as post-handshake encrypted data, 
bypassing certificate verification. (gh-108310)
   - CVE-2023-41105 — os.path.normpath() silently truncated paths at embedded 
null bytes, allowing path-validation bypass. This is a regression that exists 
only in 3.11.0–3.11.4. (gh-106242)
   
   Python 3.11.8 (February 6, 2024)
   - CVE-2023-6597 — tempfile.TemporaryDirectory cleanup dereferenced symlinks, 
allowing modification of permissions on files outside the temp directory. 
(gh-91133)
   - CVE-2024-0450 — zipfile "quoted-overlap" zip-bomb: overlapping entries now 
raise BadZipFile instead of enabling resource-exhaustion attacks. (gh-109858)
   - gh-113659 — .pth files with hidden-file names are now skipped 
(arbitrary-code-execution hardening at interpreter startup).
   
   Python 3.11.9 (April 2, 2024)
   
   - CVE-2023-52425 — Bundled libexpat updated to 2.6.0; new APIs to control 
Expat reparse deferral (XML denial-of-service). (gh-115398, gh-115399)
   - gh-114572 — ssl.SSLContext.cert_store_stats() / get_ca_certs() race 
condition when the context is shared across threads (memory corruption / crash).
   - gh-115243 — Crash in collections.deque.index() under concurrent 
modification.
   
   Python 3.11.10 (September 7, 2024)
   
   - CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 — Bundled 
libexpat upgraded to 2.6.3. (gh-123678, gh-116741)
   - CVE-2024-4030 — On Windows, os.mkdir(mode=0o700) did not actually restrict 
the directory to the current user. (gh-118486)
   - CVE-2024-4032 — ipaddress misclassified some private/global IPv4 and IPv6 
ranges. (gh-113171)
   - CVE-2024-6232 — ReDoS (quadratic regex complexity) when parsing crafted 
tarfile headers. (gh-121285)
   - CVE-2024-6923 — email did not quote newlines in message headers, enabling 
header injection. (gh-121650)
   - CVE-2024-7592 — Quadratic-complexity DoS when parsing crafted cookies in 
http.cookies. (gh-123067)
   - CVE-2024-8088 — Infinite loop in zipfile.Path when reading crafted zip 
archives. (gh-123270)
   - CVE-2023-27043 (follow-up) — email.utils.getaddresses() / parseaddr() 
gained a strict= parameter to reject malformed addresses. (gh-102988)
   - Plus hardening: socket.socketpair() fallback authentication (gh-122133), 
missing audit events (gh-121957).
   
   Python 3.11.11 (December 3, 2024)
   
   - CVE-2024-9287 — venv activation scripts did not quote paths, allowing 
command injection via a crafted venv path. (gh-124651)
   - CVE-2024-50602 — Bundled libexpat upgraded to 2.6.4 (XML DoS). (gh-126623)
   - gh-122792 — IPv4-mapped ipaddress.IPv6Address now consistently uses the 
mapped IPv4 address (classification-bypass hardening).
   
   Python 3.11.12 (April 8, 2025)
   
   - CVE-2025-0938 — urllib.parse.urlparse() accepted domain names containing [ 
or ], diverging from RFC 3986 and enabling SSRF via parser differentials. 
(gh-105704)
   - gh-119511 — Out-of-memory DoS in imaplib when reading a malicious server's 
response.
   - gh-131261, gh-131809 — Bundled libexpat upgraded to 2.7.0/2.7.1 (covers 
expat CVE-2024-8176, stack-overflow DoS).
   - gh-80222, gh-121284 — email quoted-string folding fixes (address-spoofing 
hardening).
   - Python 3.11.13 (June 3, 2025)
   - CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517 
— Multiple bypasses of the tarfile extraction filters (filter="data" / 
filter="tar") using crafted symlinks and hard links. (gh-135034)
   - CVE-2025-4516 (gh-133767) — Use-after-free in the unicode-escape decoder 
with a non-strict error handler.
   - gh-128840 — Excessive memory consumption / DoS from overly long IPv6 
addresses in ipaddress.
   
   Python 3.11.14 (October 2025)
   
   - CVE-2025-6069 (gh-135462) — Quadratic-complexity DoS in 
html.parser.HTMLParser, plus several related HTMLParser parsing fixes 
(gh-135661, gh-102555, gh-118350, gh-86155).
   - CVE-2025-8194 (gh-130577) — tarfile now validates that member offsets are 
non-negative (infinite-loop DoS with crafted archives).
   - CVE-2025-59375 — Bundled libexpat upgraded to 2.7.3 (allocation DoS). 
(gh-139312)
   - CVE-2025-47273, CVE-2024-6345 — ensurepip's bundled setuptools updated to 
79.0.1 (path traversal / code injection in setuptools). (gh-135374)
   - gh-139700 — zipfile zip64 end-of-central-directory consistency checks 
(crafted-archive hardening).
   
   Python 3.11.15 (March 3, 2026) — latest as of today
   
   - CVE-2026-24515, CVE-2026-25210 — Bundled libexpat upgraded (XML DoS). 
(gh-144363)
   - CVE-2025-59375 follow-up — Expat allocation-tracker APIs for 
large-allocation DoS mitigation. (gh-90949)
   - CVE-2024-6923 follow-up — Additional email comment-folding fix preventing 
header injection. (gh-144125, gh-143935)
   - Hardening batch: control-character rejection in wsgiref.headers, 
http.cookies.Morsel, and data: URL media types (gh-143916, gh-143919, 
gh-143925); memory-DoS/complexity fixes (gh-119342, gh-119451, gh-119452, 
gh-136065); use-after-free and out-of-bounds fixes in core/SSL (gh-144833, 
gh-120298, gh-120384).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to