Revisions of python310

Ana Guerrero (anag+factory) accepted request 1161074 from Matej Cepl (mcepl) (revision 42)
- Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).
- Because of bsc#1189495 we have to revert use of %autopatch.
- Update 3.10.14:
  - gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0
    to address CVE-2023-52425, and control of the new reparse
    deferral functionality was exposed with new APIs
    (bsc#1219559).
  - gh-109858: zipfile is now protected from the “quoted-overlap”
    zipbomb to address CVE-2024-0450. It now raises BadZipFile
    when attempting to read an entry that overlaps with another
    entry or central directory. (bsc#1221854)
  - gh-91133: tempfile.TemporaryDirectory cleanup no longer
    dereferences symlinks when working around file system
    permission errors to address CVE-2023-6597 (bsc#1219666)
  - gh-115197: urllib.request no longer resolves the hostname
    before checking it against the system’s proxy bypass list on
    macOS and Windows
  - gh-81194: a crash in socket.if_indextoname() with a specific
    value (UINT_MAX) was fixed. Relatedly, an integer overflow in
    socket.if_indextoname() on 64-bit non-Windows platforms was
    fixed
  - gh-113659: .pth files with names starting with a dot or
    containing the hidden file attribute are now skipped
  - gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer
    read out of bounds
  - gh-114572: ssl.SSLContext.cert_store_stats() and
    ssl.SSLContext.get_ca_certs() now correctly lock access to
    the certificate store, when the ssl.SSLContext is shared
    across multiple threads
- Remove upstreamed patches:
  - CVE-2023-6597-TempDir-cleaning-symlink.patch
  - libexpat260.patch
- Readjust patches:
  - F00251-change-user-install-location.patch
  - fix_configure_rst.patch
  - python-3.3.0b1-localpath.patch
  - skip-test_pyobject_freed_is_freed.patch
- Port to %autosetup and %autopatch.
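The gh-109858 item above describes the "quoted-overlap" layout only in one sentence. The following is an added example, not CPython's or the openSUSE package's code: it builds a constructed archive in which two central directory entries point at the same local header (the simplest overlapping layout; real bombs chain many such entries), and checks every entry's data span against the next entry's header and the start of the central directory, which is the same invariant the fix enforces. The field offsets and struct layouts are the standard ZIP ones; the helper names are mine.

```python
"""Detect overlapping zip entries (the layout behind gh-109858 / CVE-2024-0450).
Added example; not CPython's code."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
LOCAL_HEADER_LEN = 30            # fixed part of a local file header
DOS_DATE_1980_01_01 = 0x21       # (year-1980)<<9 | month<<5 | day


def _local_data_end(fp, info):
    """Offset just past an entry's compressed data, taken from its local header
    (its own name/extra lengths decide where the data starts, not the central
    directory's copy of them)."""
    fp.seek(info.header_offset)
    hdr = fp.read(LOCAL_HEADER_LEN)
    if len(hdr) != LOCAL_HEADER_LEN:
        raise zipfile.BadZipFile(f"truncated local header for {info.filename!r}")
    sig, *_, name_len, extra_len = struct.unpack("<IHHHHHIIIHH", hdr)
    if sig != LOCAL_SIG:
        raise zipfile.BadZipFile(f"bad local header signature for {info.filename!r}")
    return info.header_offset + LOCAL_HEADER_LEN + name_len + extra_len + info.compress_size


def find_overlapping_entries(archive: bytes) -> list:
    """Names of entries whose data runs into the next entry's local header or
    into the central directory.  Only metadata is read, so this also works on
    interpreters that predate the built-in check."""
    fp = io.BytesIO(archive)
    overlapping = []
    with zipfile.ZipFile(fp) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
        # each entry may extend at most to the next entry's header; the last
        # one at most to the start of the central directory
        limits = [i.header_offset for i in infos[1:]] + [zf.start_dir]
        for info, limit in zip(infos, limits):
            if _local_data_end(fp, info) > limit:
                overlapping.append(info.filename)
    return overlapping


def build_quoted_overlap_zip(payload: bytes = b"hello") -> bytes:
    """Constructed sample: one local header + data, but two central directory
    entries ("a.txt" and "b.txt") that both point at offset 0."""
    crc = zlib.crc32(payload)
    n = len(payload)
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, DOS_DATE_1980_01_01,
                        crc, n, n, 5, 0) + b"a.txt" + payload

    def central(name: bytes) -> bytes:
        # last two fields: external attributes, local header offset (0 for both)
        return struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0,
                           DOS_DATE_1980_01_01, crc, n, n, len(name), 0, 0, 0, 0,
                           0, 0) + name

    cd = central(b"a.txt") + central(b"b.txt")
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 2, 2, len(cd), len(local), 0)
    return local + cd + eocd


def build_benign_zip() -> bytes:
    """Constructed sample written by zipfile itself: entries laid out back to back."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world " * 100)
    return buf.getvalue()


if __name__ == "__main__":
    print("overlap sample:", find_overlapping_entries(build_quoted_overlap_zip()))
    print("benign sample: ", find_overlapping_entries(build_benign_zip()))
```

A patched interpreter raises BadZipFile on reading the overlapping entry; the detector above is useful where archives are triaged before extraction or where the interpreter is older than the fix. It flags the first of two entries sharing a span, which is enough to reject the archive.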
Ana Guerrero (anag+factory) accepted request 1157645 from Factory Maintainer (factory-maintainer) (revision 41)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1153061 from Matej Cepl (mcepl) (revision 40)
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
Ana Guerrero (anag+factory) accepted request 1152786 from Factory Maintainer (factory-maintainer) (revision 39)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1110597 from Factory Maintainer (factory-maintainer) (revision 37)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1102193 from Matej Cepl (mcepl) (revision 35)
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
Ana Guerrero (anag+factory) accepted request 1099501 from Matej Cepl (mcepl) (revision 34)
- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
  stabilizing FLAG_REF usage (required for reproducibility;
  bsc#1213463).
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).
Dominique Leuenberger (dimstar_suse) accepted request 1095863 from Matej Cepl (mcepl) (revision 33)
- Update to 3.10.12:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features that may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch
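The gh-102953 item above is the one that changes how code should call tarfile. The following is an added example, not CPython's or the package's code: it builds a constructed archive with one benign member and three hostile ones (a "../" name, an absolute name, a symlink pointing above the destination), refuses the hostile members with a check of the same kind the new "data" filter applies (this version refuses absolute names where the data filter strips the leading "/"), and passes filter="data" to extractall() as a second line of defence when the interpreter has it. ExtractionRefused, check_member and safe_extractall are names of my own.

```python
"""Safe tar extraction in the spirit of the new extraction filters (gh-102953,
CVE-2007-4559).  Added example; not CPython's code."""
import io
import os
import tarfile
import tempfile


class ExtractionRefused(Exception):
    """Raised for a member that must not be written to the destination."""


def _inside(dest: str, path: str) -> bool:
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest


def check_member(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    """Refuse members that would write, or link, outside dest.
    dest must already be an absolute, resolved path."""
    if member.isdev():
        raise ExtractionRefused("device or fifo")
    if os.path.isabs(member.name) or os.path.isabs(member.linkname):
        raise ExtractionRefused("absolute path")
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        raise ExtractionRefused("path escapes destination")
    if member.issym():
        # a symlink target resolves relative to the link's own directory
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        if not _inside(dest, link_target):
            raise ExtractionRefused("symlink points outside destination")
    elif member.islnk():
        # a hard link target is archive-relative
        if not _inside(dest, os.path.join(dest, member.linkname)):
            raise ExtractionRefused("hard link points outside destination")
    return member


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    """Extract only the members that pass check_member; return (name, reason)
    for every member refused."""
    dest = os.path.realpath(dest)
    kept, refused = [], []
    for member in tar.getmembers():
        try:
            kept.append(check_member(member, dest))
        except ExtractionRefused as exc:
            refused.append((member.name, str(exc)))
    # 3.10.12+/3.11.4+/3.12+ ship the 'data' filter; keep it on where present
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, members=kept, **kwargs)
    return refused


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file plus three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("pkg/README", b"benign\n")
        add_file("../outside.txt", b"would land next to the destination\n")
        add_file("/etc/cron.d/evil", b"absolute path\n")
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def run_demo():
    """Extract the sample into a scratch directory; return (refused names, files written)."""
    with tempfile.TemporaryDirectory() as dest, \
            tarfile.open(fileobj=io.BytesIO(build_sample_tar())) as tar:
        refused = [name for name, _ in safe_extractall(tar, dest)]
        written = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _, files in os.walk(dest) for f in files)
    return refused, written


if __name__ == "__main__":
    print(run_demo())
```

On an interpreter with the new API, extractall(path, filter="data") alone already refuses all three hostile members; the explicit pre-check is what keeps the behaviour identical on interpreters that predate 3.10.12.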
Dominique Leuenberger (dimstar_suse) accepted request 1094243 from Matej Cepl (mcepl) (revision 32)
- Add bpo-37596-make-set-marshalling.patch making marshalling of
  `set` and `frozenset` deterministic (bsc#1211765).
Dominique Leuenberger (dimstar_suse) accepted request 1086101 from Factory Maintainer (factory-maintainer) (revision 31)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1071070 from Matej Cepl (mcepl) (revision 30)
- Add invalid-json.patch fixing invalid JSON in
  Doc/howto/logging-cookbook.rst (somehow similar to
  gh#python/cpython#102582).
Dominique Leuenberger (dimstar_suse) accepted request 1068979 from Matej Cepl (mcepl) (revision 29)
- Update to 3.10.10:
  Bug fixes and regressions handling, no change of behaviour and
  no security bugs fixed.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters
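Both the CVE-2023-24329 patch entry here and the gh-102153 item in the 3.10.12 update describe the bypass without showing it. The following is an added example, not CPython's or the package's code: it reproduces the leading-strip of WHATWG "C0 control or space" characters (U+0000 to U+0020) that a patched urlsplit() performs, so the result is the same on patched and unpatched interpreters, and contrasts the scheme blocklist that the bypass defeats with a scheme allowlist applied after normalization. The scheme sets and sample URLs are constructed for the example.

```python
"""Leading C0 control / space bypass of urlsplit()-based scheme checks
(CVE-2023-24329).  Added example; not CPython's code."""
from urllib.parse import urlsplit

# WHATWG "C0 control or space": U+0000..U+0020.  A patched urlsplit() strips
# these from the front of the URL; an unpatched one reports scheme '' instead.
_C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

BLOCKED_SCHEMES = frozenset({"file", "javascript", "data"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def blocked_by_naive_blocklist(url: str) -> bool:
    """Pre-fix pattern.  On an unpatched interpreter ' file:///etc/passwd'
    has scheme '' here, so it slips past the blocklist although browsers and
    many HTTP clients strip the leading space and treat it as file://."""
    return urlsplit(url).scheme in BLOCKED_SCHEMES


def normalized_scheme(url: str) -> str:
    """Scheme after the same leading-strip the fix added to urlsplit()."""
    return urlsplit(url.lstrip(_C0_CONTROL_OR_SPACE)).scheme


def allowed_by_allowlist(url: str) -> bool:
    """Stronger form: normalize first, then accept only known-good schemes."""
    return normalized_scheme(url) in ALLOWED_SCHEMES


# constructed inputs
SAMPLES = [
    " file:///etc/passwd",
    "\x1fjavascript:alert(1)",
    "\t\n\rdata:text/html,<script>",
    "https://example.org/",
]


def classify(urls=SAMPLES) -> dict:
    """Map each URL to (normalized scheme, accepted by the allowlist)."""
    return {u: (normalized_scheme(u), allowed_by_allowlist(u)) for u in urls}


if __name__ == "__main__":
    for url, verdict in classify().items():
        print(repr(url), "->", verdict, "| naive blocklist hit:", blocked_by_naive_blocklist(url))
```

The allowlist is the durable fix: it does not depend on which characters a given interpreter strips, and any scheme not explicitly approved is rejected rather than needing to be enumerated.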
Dominique Leuenberger (dimstar_suse) accepted request 1066987 from Matej Cepl (mcepl) (revision 28)
- Add provides for readline and sqlite3 to the main Python
  package.
Dominique Leuenberger (dimstar_suse) accepted request 1041730 from Matej Cepl (mcepl) (revision 26)
- Update to 3.10.9:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log. This is done by changing
    the http.server BaseHTTPRequestHandler .log_message method
    to replace control characters with a \xHH hex escape before
    printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a name.
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns
    to using filesystem backed unix domain sockets for
    communication with the forkserver process instead of the
    Linux abstract socket namespace. Only code that chooses
    to use the “forkserver” start method is affected. Abstract
    sockets have no permissions and could allow any user
    on the system in the same network namespace (often the
    whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict
    this to the forkserver process user as was the default in
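The first item in the 3.10.9 list above describes the \xHH escaping of the access log but not what an injected request looks like. The following is an added example, not CPython's or the package's code: it escapes control characters in a request line the way the entry describes, shows three constructed request lines an attacker could send (a terminal escape sequence, a CRLF that forges a second log line, a literal backslash), and wraps the escaping in a BaseHTTPRequestHandler subclass for deployments still on an interpreter older than 3.10.9. The exact character set escaped (C0, DEL and the C1 range) and the backslash doubling are my assumptions about the fix; the handler name is mine.

```python
"""Control-character escaping for http.server access logs (3.10.9 item).
Added example; not CPython's code."""
import itertools
import sys
from http.server import BaseHTTPRequestHandler

# Assumed escape set: C0 controls (0x00-0x1f), DEL and the C1 range
# (0x7f-0x9f) become \xHH.  A literal backslash is doubled so an escaped
# sequence in the log cannot be confused with one that arrived as text.
_CONTROL_CHAR_TABLE = str.maketrans(
    {c: rf"\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
)
_CONTROL_CHAR_TABLE[ord("\\")] = r"\\"


def sanitize_log_field(text: str) -> str:
    """Neutralize terminal escapes and CR/LF log-line injection in a field."""
    return text.translate(_CONTROL_CHAR_TABLE)


class SanitizingHandler(BaseHTTPRequestHandler):
    """Drop-in handler for interpreters older than 3.10.9: escape the
    formatted message before it reaches the stderr access log."""

    def log_message(self, format, *args):
        message = format % args
        sys.stderr.write("%s - - [%s] %s\n" % (
            self.address_string(), self.log_date_time_string(),
            sanitize_log_field(message)))


# Constructed request lines as an attacker could send them to a server that
# echoes the request line into its log
SAMPLE_REQUEST_LINES = [
    "GET /\x1b[2J\x1b[H HTTP/1.1",                                 # clears the operator's terminal
    "GET /ok HTTP/1.1\r\n127.0.0.1 - - [01/Jan/1980] forged line",   # CRLF forges a second log line
    "GET /a\\b HTTP/1.1",                                            # backslash must stay unambiguous
]


def sanitized_samples() -> list:
    return [sanitize_log_field(line) for line in SAMPLE_REQUEST_LINES]


if __name__ == "__main__":
    for line in sanitized_samples():
        print(line)
```

Escaping rather than dropping keeps the evidence: the logged line still shows which bytes the client sent, which matters when the log is later read during incident response.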
Dominique Leuenberger (dimstar_suse) accepted request 1034962 from Matej Cepl (mcepl) (revision 25)
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.
Dominique Leuenberger (dimstar_suse) accepted request 1033570 from Matej Cepl (mcepl) (revision 24)
- Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
  CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
  privilege escalation via the multiprocessing forkserver start
  method.
Displaying revisions 1 - 20 of 42