Revisions of python39

Ana Guerrero (anag+factory) accepted request 1161042 from Matej Cepl (mcepl) (revision 56)
- Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).
- Update to 3.9.19:
  - Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425, bsc#1219559) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when trying to read an
      entry that overlaps with another entry or the central directory
      (CVE-2024-0450, bsc#1221854).
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but
      the error parameters will still contain ERR_LIB_SSL
      and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now
      detecting this situation and raising the appropriate
      ssl.SSLCertVerificationError. Patch by Pablo Galindo
    - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
      which now no longer dereferences symlinks when working
      around file system permission errors (CVE-2023-6597,
      bsc#1219666).
  - Documentation
    - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
      “XML vulnerabilities”.
  - Tools/Demos
    - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11
      and multissltests to use 1.1.1w and 3.0.11.
- Remove upstreamed patches:
  - CVE-2023-6597-TempDir-cleaning-symlink.patch
  - libexpat260.patch
- Refreshed patches:
  - F00251-change-user-install-location.patch
  - python-3.3.0b1-localpath.patch
Ana Guerrero (anag+factory) accepted request 1157648 from Factory Maintainer (factory-maintainer) (revision 55)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1153059 from Matej Cepl (mcepl) (revision 54)
- Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886).

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).

  - (bsc#1215454, gh-108310) Fixed an issue where instances
- Refresh all patches:
  - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
  - 99366-patch.dict-can-decorate-async.patch
  - Revert-gh105127-left-tests.patch
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - distutils-reproducible-compile.patch
  - gh-78214-marshal_stabilize_FLAG_REF.patch
  - python-3.3.0b1-localpath.patch
  - python-3.3.0b1-test-posix_fadvise.patch
  - python3-imp-returntype.patch
  - subprocess-raise-timeout.patch
  - support-expat-CVE-2022-25236-patched.patch
  - downport-Sphinx-features.patch
Ana Guerrero (anag+factory) accepted request 1152789 from Factory Maintainer (factory-maintainer) (revision 53)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1119266 from Factory Maintainer (factory-maintainer) (revision 51)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1109203 from Daniel Garcia (dgarcia) (revision 50)
- Update to 3.9.18 (bsc#1214692):
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
Dominique Leuenberger (dimstar_suse) accepted request 1102236 from Matej Cepl (mcepl) (revision 49)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).
Yuchen Lin (maxlin_factory) accepted request 1101338 from Matej Cepl (mcepl) (revision 48)
- Add bpo-37596-make-set-marshalling.patch making marshalling of
  `set` and `frozenset` deterministic (bsc#1211765).
Ana Guerrero (anag+factory) accepted request 1100886 from Matej Cepl (mcepl) (revision 47)
- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
  stabilizing FLAG_REF usage (required for reproducibility;
  bsc#1213463).
- Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)
Dominique Leuenberger (dimstar_suse) accepted request 1096213 from Matej Cepl (mcepl) (revision 46)
- Add downport-Sphinx-features.patch to make documentation
  buildable even on SLE-15.

- Update to 3.9.17:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features that may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
  - gh-102126: Fixed a deadlock at shutdown when clearing thread
    states if any finalizer tries to acquire the runtime head
    lock.
Dominique Leuenberger (dimstar_suse) accepted request 1087859 from Factory Maintainer (factory-maintainer) (revision 44)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1080041 from Steve Kowalik (StevenK) (revision 43)
- Use python3 modules to build the documentation.
Dominique Leuenberger (dimstar_suse) accepted request 1068564 from Matej Cepl (mcepl) (revision 42)
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471): blocklist bypass via the urllib.parse component
  when supplying a URL that starts with blank characters.
Dominique Leuenberger (dimstar_suse) accepted request 1067030 from Matej Cepl (mcepl) (revision 41)
- Add provides for readline and sqlite3 to the main Python
  package.
Dominique Leuenberger (dimstar_suse) accepted request 1041648 from Matej Cepl (mcepl) (revision 38)
- Update to 3.9.16:
  - python -m http.server no longer allows terminal control
    characters sent within a garbage request to be printed to the
    stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter audit hooks
    via the gc module
  - The IDNA codec decoder used on DNS hostnames by socket or
    asyncio related name resolution functions no longer involves
    a quadratic algorithm. This prevents a potential CPU denial
    of service if an out-of-spec excessive length hostname
    involving bidirectional characters were decoded. Some
    protocols such as urllib http 3xx redirects potentially allow
    for an attacker to supply such a name (CVE-2015-20107).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns to using
    filesystem backed unix domain sockets for communication with
    the forkserver process instead of the Linux abstract socket
    namespace. Only code that chooses to use the “forkserver”
    start method is affected.
    Abstract sockets have no permissions and could allow any
    user on the system in the same network namespace (often
    the whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict this
    to the forkserver process user as was the default in Python
    3.8 and earlier.
    This prevents Linux CVE-2022-42919.
  - The deprecated mailcap module now refuses to inject unsafe
    text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
- Removed upstreamed patches:
  - CVE-2015-20107-mailcap-unsafe-filenames.patch
  - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch
Dominique Leuenberger (dimstar_suse) accepted request 1034968 from Matej Cepl (mcepl) (revision 37)
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.