dongjoon-hyun commented on PR #57040: URL: https://github.com/apache/spark/pull/57040#issuecomment-4900985323
May I ask if it's only your imagination or you are trying to refer some real production environments? > My concern is that for some Python users, they download their minor Python version (3.11) once and never upgrade it. To be honest with you, I don't think it's a usable or real production system, @gaogaotiantian . If you are aware of any systems, you had better inform them to upgrade. That's the Python and Apache Spark community recommendation. For example, let's say that they are using `Python 3.11.3 (April 5, 2023)` in their production environment. They have the following issues. **Correctness/Crash/Hang Issues** Python 3.11.4 (June 6, 2023) - gh-104615 — Compiler generated wrong ordering of assignments in code like a, a = x, y. Silently produces incorrect results — the most dangerous class of bug. - gh-103590 — try-except* wrongly wrapped a single exception in an ExceptionGroup, breaking exception-handling logic. - gh-104035 — Slotted frozen dataclasses ignored user-defined __getstate__/__setstate__, silently breaking custom pickling. - gh-102818 — sys.setprofile/sys.settrace duplicated or omitted frames in tracebacks when the callback raised. - gh-103987 — mmap could access memory-mapped files after invalidation (crash). - gh-104265 — Instantiating _csv.Reader/_csv.Writer directly crashed the interpreter (3.10 regression). - gh-104536 — Race condition in multiprocessing process cleanup causing spurious AttributeError in process.close(). - gh-96522 — Potential deadlock in pty.spawn(). - gh-87474 — File descriptor leaks in subprocess.Popen. Python 3.11.5 (August 24, 2023) - gh-106092 — Segfault from a use-after-free in frame deallocation (trashcan mechanism). - gh-105840 — Crashes when specializing function calls with too many __defaults__. - gh-105588 — Crashes when compiling malformed ast nodes. - gh-104432 — Unaligned memory access in grp/socket C APIs (visible on ARM macOS). - gh-94777 — ProcessPoolExecutor hung forever if a child process crashed while data was being written to the call queue. - gh-106684 — asyncio.StreamWriter leaked memory when not explicitly closed. - gh-105375 — Exceptions could be silently overwritten in builtins, pickle, _datetime, _ssl, array, _ctypes, and zoneinfo. - gh-105332 — Reverted enum pickling from by-name back to by-value (unpickling compatibility regression). - gh-103171 — Reverted an undocumented behavior change in runtime-checkable typing protocols. Python 3.11.6 (October 2, 2023) - gh-105829 — concurrent.futures.ProcessPoolExecutor deadlock. - gh-109593 — Deadlock in the multiprocessing resource tracker on reentrant calls. - gh-107219 — Race condition in concurrent.futures when a process was terminated abruptly. - gh-108987 — _thread.start_new_thread() race during interpreter finalization. - gh-104372 — subprocess with vfork() blocked other threads; GIL now released while waiting for child exec. - gh-108520 — multiprocessing.SemLock initialization regression affecting nested processes (locks passed between processes). - gh-110038 — KqueueSelector.select() missed ready events when an fd was registered for both read and write (affects asyncio on BSD/macOS). - gh-109631 — re functions (findall, split, sub) could not be interrupted by Ctrl-C. - gh-110036 — multiprocessing on Windows: Popen.terminate() mishandled PermissionError. Python 3.11.7 (December 4, 2023) - gh-112618 — typing.Annotated caching bug: Annotated[str, True] and Annotated[str, 1] were treated as identical (silent type-metadata corruption). - gh-112509 — typing.TypedDict keys could appear in both __required_keys__ and __optional_keys__. - gh-110196 — Pickling ipaddress.IPv6Address silently lost the scope_id. - gh-102388 — Out-of-bounds read in iso2022_jp_3/iso2022_jp_2004 codecs. - gh-73561 — http.client sent the IPv6 scope suffix in the Host: header (protocol violation). - gh-112625 — Use-after-free: bytearray.join() could read freed memory if the bytearray was cleared during iteration. - gh-111942 — Crashes in io.TextIOWrapper with invalid arguments. - gh-109786 — Crashes and reference leaks when re-entering itertools.pairwise.__next__(). - gh-110378 — contextmanager()/asynccontextmanager() failed to close generators that yielded more than once. - gh-109216 — Memory leak in the BUILD_MAP bytecode instruction. Python 3.11.8 (February 6, 2024) - gh-105967 — zlib.crc32() and binascii.crc32() returned incorrect checksums on multi-gigabyte inputs on macOS. Directly relevant to data-integrity pipelines. - gh-104522 — OSError from subprocess wrongly attributed failures to cwd (misleading error attribution). - Crashes / races / hangs: - gh-106905 — Race condition in multithreaded ast.parse() (global parser state shared across threads). - gh-113566 — 3.11-specific crash when repr() of an asyncio.Future was requested after module GC. - gh-89811 — Bytecode-specialization crash (missing type-version validity check). - gh-79325 — Infinite recursion in tempfile.TemporaryDirectory() cleanup on Windows. - gh-114887 — Regression: asyncio.create_datagram_endpoint() rejected raw (non-datagram) sockets. - gh-113214 — AttributeError during asyncio SSL aborts in SSL-over-SSL scenarios. - gh-113280 / gh-109534 — Socket and reference leaks in ssl/asyncio SSL handshake error paths. Python 3.11.9 (April 2, 2024) - gh-96497 — Name mangling of class variables resolved incorrectly in assignment expressions (walrus) inside comprehensions. - gh-116957 — configparser left values in an invalid state (list instead of str) after duplicate-key errors. - gh-114563 — Three Decimal.__format__ bugs: memory leak with z option, wrong output with F + z, wrong # alternate form. - gh-95782 — io.BufferedReader/BufferedRandom tell()/seek() could return negative offsets. - gh-115243 — Crash in collections.deque.index() under concurrent modification. - gh-114572 — Race in ssl.SSLContext.cert_store_stats()/get_ca_certs() with thread-shared contexts. - gh-114763 — importlib.util.LazyLoader race during concurrent attribute access. - gh-117178 — Regression in lazy loading of self-referential modules. - gh-115618 — Incorrect refcount decrease for None in property.getter()/setter()/deleter(). **CVE Issues** Python 3.11.4 (June 6, 2023) - CVE-2023-24329 — urllib.parse.urlsplit() allowed URLs beginning with C0 control characters or spaces to bypass scheme/host blocklist checks (SSRF / filter bypass). (gh-102153) - CVE-2007-4559 mitigation (PEP 706) — tarfile.extractall() / shutil.unpack_archive() gained the filter= argument to block path-traversal tar members. The safe-extraction API does not exist before 3.11.4. (gh-102953) - gh-99889 — uu.decode() directory traversal: a crafted input could write files to arbitrary paths when no output file was specified. - gh-104049 — http.server.SimpleHTTPRequestHandler disclosed the local on-disk path in generated directory indexes. - gh-103142 — Bundled OpenSSL upgraded to 1.1.1u in binary installers (rolls up multiple OpenSSL CVEs). Python 3.11.5 (August 24, 2023) - CVE-2023-40217 — ssl.SSLSocket TLS handshake bypass: unencrypted data sent before the handshake could be treated as post-handshake encrypted data, bypassing certificate verification. (gh-108310) - CVE-2023-41105 — os.path.normpath() silently truncated paths at embedded null bytes, allowing path-validation bypass. This is a regression that exists only in 3.11.0–3.11.4. (gh-106242) Python 3.11.8 (February 6, 2024) - CVE-2023-6597 — tempfile.TemporaryDirectory cleanup dereferenced symlinks, allowing modification of permissions on files outside the temp directory. (gh-91133) - CVE-2024-0450 — zipfile "quoted-overlap" zip-bomb: overlapping entries now raise BadZipFile instead of enabling resource-exhaustion attacks. (gh-109858) - gh-113659 — .pth files with hidden-file names are now skipped (arbitrary-code-execution hardening at interpreter startup). Python 3.11.9 (April 2, 2024) - CVE-2023-52425 — Bundled libexpat updated to 2.6.0; new APIs to control Expat reparse deferral (XML denial-of-service). (gh-115398, gh-115399) - gh-114572 — ssl.SSLContext.cert_store_stats() / get_ca_certs() race condition when the context is shared across threads (memory corruption / crash). - gh-115243 — Crash in collections.deque.index() under concurrent modification. Python 3.11.10 (September 7, 2024) - CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 — Bundled libexpat upgraded to 2.6.3. (gh-123678, gh-116741) - CVE-2024-4030 — On Windows, os.mkdir(mode=0o700) did not actually restrict the directory to the current user. (gh-118486) - CVE-2024-4032 — ipaddress misclassified some private/global IPv4 and IPv6 ranges. (gh-113171) - CVE-2024-6232 — ReDoS (quadratic regex complexity) when parsing crafted tarfile headers. (gh-121285) - CVE-2024-6923 — email did not quote newlines in message headers, enabling header injection. (gh-121650) - CVE-2024-7592 — Quadratic-complexity DoS when parsing crafted cookies in http.cookies. (gh-123067) - CVE-2024-8088 — Infinite loop in zipfile.Path when reading crafted zip archives. (gh-123270) - CVE-2023-27043 (follow-up) — email.utils.getaddresses() / parseaddr() gained a strict= parameter to reject malformed addresses. (gh-102988) - Plus hardening: socket.socketpair() fallback authentication (gh-122133), missing audit events (gh-121957). Python 3.11.11 (December 3, 2024) - CVE-2024-9287 — venv activation scripts did not quote paths, allowing command injection via a crafted venv path. (gh-124651) - CVE-2024-50602 — Bundled libexpat upgraded to 2.6.4 (XML DoS). (gh-126623) - gh-122792 — IPv4-mapped ipaddress.IPv6Address now consistently uses the mapped IPv4 address (classification-bypass hardening). Python 3.11.12 (April 8, 2025) - CVE-2025-0938 — urllib.parse.urlparse() accepted domain names containing [ or ], diverging from RFC 3986 and enabling SSRF via parser differentials. (gh-105704) - gh-119511 — Out-of-memory DoS in imaplib when reading a malicious server's response. - gh-131261, gh-131809 — Bundled libexpat upgraded to 2.7.0/2.7.1 (covers expat CVE-2024-8176, stack-overflow DoS). - gh-80222, gh-121284 — email quoted-string folding fixes (address-spoofing hardening). - Python 3.11.13 (June 3, 2025) - CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517 — Multiple bypasses of the tarfile extraction filters (filter="data" / filter="tar") using crafted symlinks and hard links. (gh-135034) - CVE-2025-4516 (gh-133767) — Use-after-free in the unicode-escape decoder with a non-strict error handler. - gh-128840 — Excessive memory consumption / DoS from overly long IPv6 addresses in ipaddress. Python 3.11.14 (October 2025) - CVE-2025-6069 (gh-135462) — Quadratic-complexity DoS in html.parser.HTMLParser, plus several related HTMLParser parsing fixes (gh-135661, gh-102555, gh-118350, gh-86155). - CVE-2025-8194 (gh-130577) — tarfile now validates that member offsets are non-negative (infinite-loop DoS with crafted archives). - CVE-2025-59375 — Bundled libexpat upgraded to 2.7.3 (allocation DoS). (gh-139312) - CVE-2025-47273, CVE-2024-6345 — ensurepip's bundled setuptools updated to 79.0.1 (path traversal / code injection in setuptools). (gh-135374) - gh-139700 — zipfile zip64 end-of-central-directory consistency checks (crafted-archive hardening). Python 3.11.15 (March 3, 2026) — latest as of today - CVE-2026-24515, CVE-2026-25210 — Bundled libexpat upgraded (XML DoS). (gh-144363) - CVE-2025-59375 follow-up — Expat allocation-tracker APIs for large-allocation DoS mitigation. (gh-90949) - CVE-2024-6923 follow-up — Additional email comment-folding fix preventing header injection. (gh-144125, gh-143935) - Hardening batch: control-character rejection in wsgiref.headers, http.cookies.Morsel, and data: URL media types (gh-143916, gh-143919, gh-143925); memory-DoS/complexity fixes (gh-119342, gh-119451, gh-119452, gh-136065); use-after-free and out-of-bounds fixes in core/SSL (gh-144833, gh-120298, gh-120384). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
