This release is a security fix for PyO3 0.22.0 through 0.22.3.
The PyWeakrefMethods trait functions for reading borrowed values from Python weak references have been identified as unsound, because they did not account for the possibility the last strong reference could be cleared at any time, leading the borrowed value to be dangling and risk of use-after-free.
PyO3 0.22.4 protects against this issue by making these methods permanently leak strong references. The methods are also marked deprecated and will be removed in PyO3 0.23. Users should switch to use the use PyWeakrefMethods functions which return owned references (the deprecation messages indicate the appropriate upgrade paths).
These functions were added in PyO3 0.22.0; all versions from 0.22.0 through 0.22.3 have been yanked.
Aside from the security fix, PyO3 0.22.4 contains a number of other bugfixes, including:
- A fix for cases where
__traverse__functions of base types were not called when using#[pyclass(extends = ...)] - A fix for a regression in 0.22.3 where PyO3 generated code would trigger compile failures with crates using
#![forbid(unsafe_code)]
Thank you to the following contributors for the improvements:
