- Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
  CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
  privilege escalation via the multiprocessing forkserver start
  method.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to 3.9.14:
  - (CVE-2020-10735, bsc#1203125). Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises a
    ValueError if the number of digits in string form is above a
    limit to avoid potential denial of service attacks due to the
    algorithmic complexity.
    This new limit can be configured or disabled by environment
    variable, command line flag, or sys APIs. See the integer
    string conversion length limitation documentation. The
    default limit is 4300 digits in string form.
  - Also other bug fixes:
    - http.server: Fix an open redirection vulnerability in the
      HTTP server when an URI path starts with //. Vulnerability
      discovered, and initial fix proposed, by Hamza Avvan.
    - Fix contextvars HAMT implementation to handle iteration
      over deep trees. The bug was discovered and fixed by Eli
      Libman. See MagicStack/immutables#84 for more details.
    - Fix binding of unix socket to empty address on Linux to use
      an available address from the abstract namespace, instead
      of “0”.
    - Suppress writing an XML declaration in open files
      in ElementTree.write() with encoding='unicode' and
      xml_declaration=None.
    - Fix the formatting for await x and not x in the operator
      precedence table when using the help() system.
    - Fix ensurepip environment isolation for subprocess running
      pip.
    - Fix problem with test_ssl test_get_ciphers on systems that
      require perfect forward secrecy (PFS) ciphers.

• Files Changed
• Browse Source

- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)

• Files Changed
• Browse Source

- Switch from %primary_interpreter to prjconf-defined
  %primary_python (gh#openSUSE/python-rpm-macros#127).

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Fix building of documentation and the universal configuration of the
  %primary_interpreter.
- (bsc#1196784, CVE-2022-25236) Rename patch:
  support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
  and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
  as it was fully patched against CVE-2022-25236.

    22.0.4, bnc#1186819, CVE-2021-3572)

• Files Changed
• Browse Source

- Update to 3.9.13:
  - Core and Builtins
    - gh-92311: Fixed a bug where setting frame.f_lineno to jump
      over a list comprehension could misbehave or crash.
    - gh-92112: Fix crash triggered by an evil custom mro() on
      a metaclass.
    - gh-92036: Fix a crash in subinterpreters related to the
      garbage collector. When a subinterpreter is deleted,
      untrack all objects tracked by its GC. To prevent a crash
      in deallocator functions expecting objects to be tracked by
      the GC, leak a strong reference to these objects on
      purpose, so they are never deleted and their deallocator
      functions are not called. Patch by Victor Stinner.
    - gh-91421: Fix a potential integer overflow in
      _Py_DecodeUTF8Ex.
    - bpo-46775: Some Windows system error codes(>= 10000) are
      now mapped into the correct errno and may now raise
      a subclass of OSError. Patch by Dong-hee Na.
    - bpo-46962: Classes and functions that unconditionally
      declared their docstrings ignoring the
      --without-doc-strings compilation flag no longer do so.
    - The classes affected are pickle.PickleBuffer,
      testcapi.RecursingInfinitelyError, and types.GenericAlias.
    - The functions affected are 24 methods in ctypes.
    - Patch by Oleg Iarygin.
    - bpo-36819: Fix crashes in built-in encoders with error
      handlers that return position less or equal than the
      starting position of non-encodable characters.
  - Library
    - gh-91581: utcfromtimestamp() no longer attempts to resolve
      fold in the pure Python implementation, since the fold is
      never 1 in UTC. In addition to being slightly faster in the
      common case, this also prevents some errors when the
      timestamp is close to datetime.min. Patch by Paul Ganssle.
    - gh-92530: Fix an issue that occurred after interrupting
      threading.Condition.notify().
    - gh-92049: Forbid pickling constants re._constants.SUCCESS
      etc. Previously, pickling did not fail, but the result
      could not be unpickled.
    - bpo-47029: Always close the read end of the pipe used by
      multiprocessing.Queue after the last write of buffered data
      to the write end of the pipe to avoid BrokenPipeError at
      garbage collection and at multiprocessing.Queue.close()
      calls. Patch by Géry Ogam.
    - gh-91910: Add missing f prefix to f-strings in error
      messages from the multiprocessing and asyncio modules.
    - gh-91810: ElementTree method write() and function
      tostring() now use the text file’s encoding (“UTF-8” if not
      available) instead of locale encoding in XML declaration
      when encoding="unicode" is specified.
    - gh-91832: Add required attribute to argparse.Action repr
      output.
    - gh-91734: Fix OSS audio support on Solaris.
    - gh-91700: Compilation of regular expression containing
      a conditional expression (?(group)...) now raises an
      appropriate re.error if the group number refers to not
      defined group. Previously an internal RuntimeError was
      raised.
    - gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown
      the per test event loop executor before returning from its
      run method so that a not yet stopped or garbage collected
      executor state does not persist beyond the test.
    - gh-90568: Parsing \N escapes of Unicode Named Character
      Sequences in a regular expression raises now re.error
      instead of TypeError.
    - gh-91595: Fix the comparison of character and integer
      inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
    - gh-90622: Worker processes for
      concurrent.futures.ProcessPoolExecutor are no longer
      spawned on demand (a feature added in 3.9) when the
      multiprocessing context start method is "fork" as that can
      lead to deadlocks in the child processes due to a fork
      happening while threads are running.
    - gh-91575: Update case-insensitive matching in the re module
      to the latest Unicode version.
    - gh-91581: Remove an unhandled error case in the
      C implementation of calls to datetime.fromtimestamp with no
      time zone (i.e. getting a local time from an epoch
      timestamp). This should have no user-facing effect other
      than giving a possibly more accurate error message when
      called with timestamps that fall on 10000-01-01 in the
      local time. Patch by Paul Ganssle.
    - bpo-34480: Fix a bug where _markupbase raised an
      UnboundLocalError when an invalid keyword was found in
      marked section. Patch by Marek Suscak.
    - bpo-27929: Fix asyncio.loop.sock_connect() to only resolve
      names for socket.AF_INET or socket.AF_INET6 families.
      Resolution may not make sense for other families, like
      socket.AF_BLUETOOTH and socket.AF_UNIX.
    - bpo-43323: Fix errors in the email module if the charset
      itself contains undecodable/unencodable characters.
    - bpo-46787: Fix concurrent.futures.ProcessPoolExecutor
      exception memory leak
    - bpo-46415: Fix ipaddress.ip_{address,interface,network}
      raising TypeError instead of ValueError if given invalid
      tuple as address parameter.
    - bpo-44911: IsolatedAsyncioTestCase will no longer throw an
      exception while cancelling leaked tasks. Patch by Bar
      Harel.
    - bpo-44493: Add missing terminated NUL in sockaddr_un’s
      length
    - This was potentially observable when using non-abstract
      AF_UNIX datagram sockets to processes written in another
      programming language.
    - bpo-42627: Fix incorrect parsing of Windows registry proxy
      settings
    - bpo-36073: Raise ProgrammingError instead of segfaulting on
      recursive usage of cursors in sqlite3 converters. Patch by
      Sergey Fedoseev.
  - Documentation
    - gh-91888: Add a new gh role to the documentation to link to
      GitHub issues.
    - gh-91783: Document security issues concerning the use of
      the function shutil.unpack_archive()
    - gh-91547: Remove “Undocumented modules” page.
    - bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of
      shutil.copytree().
    - bpo-38668: Update the introduction to documentation for
      os.path to remove warnings that became irrelevant after the
      implementations of PEP 383 and PEP 529.
    - bpo-47138: Pin Jinja to a version compatible with Sphinx
      version 2.4.4.
    - bpo-46962: All docstrings in code snippets are now wrapped
      into PyDoc_STR() to follow the guideline of PEP 7’s
      Documentation Strings paragraph. Patch by Oleg Iarygin.
    - bpo-26792: Improve the docstrings of runpy.run_module() and
      runpy.run_path(). Original patch by Andrew Brezovsky.
    - bpo-45790: Adjust inaccurate phrasing in Defining Extension
      Types: Tutorial about the ob_base field and the macros used
      to access its contents.
    - bpo-42340: Document that in some circumstances
      KeyboardInterrupt may cause the code to enter an
      inconsistent state. Provided a sample workaround to avoid
      it if needed.
    - bpo-41233: Link the errnos referenced in
      Doc/library/exceptions.rst to their respective section in
      Doc/library/errno.rst, and vice versa. Previously this was
      only done for EINTR and InterruptedError. Patch by Yan
      “yyyyyyyan” Orestes.
    - bpo-38056: Overhaul the Error Handlers documentation in
      codecs.
    - bpo-13553: Document tkinter.Tk args.
  - Tests
    - gh-91607: Fix test_concurrent_futures to test the correct
      multiprocessing start method context in several cases where
      the test logic mixed this up.
    - bpo-47205: Skip test for sched_getaffinity() and
      sched_setaffinity() error case on FreeBSD.
    - bpo-29890: Add tests for ipaddress.IPv4Interface and
      ipaddress.IPv6Interface construction with tuple arguments.
      Original patch and tests by louisom.
  - Build
    - bpo-47103: Windows PGInstrument builds now copy a required
      DLL into the output directory, making it easier to run the
      profile stage of a PGO build.
  - Windows
    - bpo-47194: Update zlib to v1.2.12 to resolve
      CVE-2018-25032.
    - bpo-46785: Fix race condition between os.stat() and
      unlinking a file on Windows, by using errors codes returned
      by FindFirstFileW() when appropriate in win32_xstat_impl.
    - bpo-40859: Update Windows build to use xz-5.2.5
  - Tools/Demos
    - gh-91583: Fix regression in the code generated by Argument
      Clinic for functions with the defining_class parameter.
- Add patch support-expat-245.patch:
  * Support Expat >= 2.4.4 (jsc#SLE-21253)

• Files Changed
• Browse Source

- Update to 3.9.12:
  - bpo-46968: Check for the existence of the “sys/auxv.h” header
    in faulthandler to avoid compilation problems in systems
    where this header doesn’t exist. Patch by Pablo Galindo
  - bpo-47101: hashlib.algorithms_available now lists only
    algorithms that are provided by activated crypto providers on
    OpenSSL 3.0. Legacy algorithms are not listed unless the
    legacy provider has been loaded into the default OSSL
    context.
  - bpo-23691: Protect the re.finditer() iterator from
    re-entering.
  - bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
    avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
    when reading a ZipFile from multiple threads.
  - bpo-38256: Fix binascii.crc32() when it is compiled to use
    zlib’c crc32 to work properly on inputs 4+GiB in length
    instead of returning the wrong result. The workaround prior
    to this was to always feed the function data in increments
    smaller than 4GiB or to just call the zlib module function.
  - bpo-39394: A warning about inline flags not at the start of
    the regular expression now contains the position of the flag.
  - bpo-47061: Deprecate the various modules listed by PEP 594:
  - aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
    imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
    sndhdr, spwd, sunau, telnetlib, uu, xdrlib
  - bpo-2604: Fix bug where doctests using globals would fail
    when run multiple times.
  - bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
  - bpo-47022: The asynchat, asyncore and smtpd modules have been
    deprecated since at least Python 3.6. Their documentation has

• Files Changed
• Browse Source

- Add patch support-expat-245.patch:
  * Support Expat >= 2.4.5

• Files Changed
• Browse Source

THIS SHOULD GO TO STAGING:D (TOGETHER WITH SR#947585)

- Update to 3.9.10:
  Bugfix-only release

• Files Changed
• Browse Source

- Remove shebangs from from python-base libraries in _libdir
  (bsc#1193179).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch

- rpm-build-python dependency is available on the current
  Factory, not with SLE.

• Files Changed
• Browse Source

- Update to 3.9.9:
  * Core and Builtins
    + bpo-30570: Fixed a crash in issubclass() from infinite recursion when searching pathological __bases__ tuples.
    + bpo-45494: Fix parser crash when reporting errors involving invalid continuation characters. Patch by Pablo Galindo.
    + bpo-45385: Fix reference leak from descr_check. Patch by Dong-hee Na.
    + bpo-45167: Fix deepcopying of types.GenericAlias objects.
    + bpo-44219: Release the GIL while performing isatty system calls on arbitrary file descriptors. In particular, this affects os.isatty(), os.device_encoding() and io.TextIOWrapper. By extension, io.open() in text mode is also affected. This change solves a deadlock in os.isatty(). Patch by Vincent Michel in bpo-44219.
    + bpo-44959: Added fallback to extension modules with ‘.sl’ suffix on HP-UX
    + bpo-44050: Extensions that indicate they use global state (by setting m_size to -1) can again be used in multiple interpreters. This reverts to behavior of Python 3.8.
    + bpo-45121: Fix issue where Protocol.__init__ raises RecursionError when it’s called directly or via super(). Patch provided by Yurii Karabas.
    + bpo-45083: When the interpreter renders an exception, its name now has a complete qualname. Previously only the class name was concatenated to the module name, which sometimes resulted in an incorrect full name being displayed.
    + bpo-45738: Fix computation of error location for invalid continuation characters in the parser. Patch by Pablo Galindo.
    + Library
    + bpo-45678: Fix bug in Python 3.9 that meant functools.singledispatchmethod failed to properly wrap the attributes of the target method. Patch by Alex Waygood.
    + bpo-45679: Fix caching of multi-value typing.Literal. Literal[True, 2] is no longer equal to Literal[1, 2].
    + bpo-45438: Fix typing.Signature string representation for generic builtin types.
    + bpo-45581: sqlite3.connect() now correctly raises MemoryError if the underlying SQLite API signals memory error. Patch by Erlend E. Aasland.
    + bpo-39679: Fix bug in functools.singledispatchmethod that caused it to fail when attempting to register a classmethod() or staticmethod() using type annotations. Patch contributed by Alex Waygood.
    + bpo-45515: Add references to zoneinfo in the datetime documentation, mostly replacing outdated references to dateutil.tz. Change by Paul Ganssle.
    + bpo-45467: Fix incremental decoder and stream reader in the “raw-unicode-escape” codec. Previously they failed if the escape sequence was split.
    + bpo-45461: Fix incremental decoder and stream reader in the “unicode-escape” codec. Previously they failed if the escape sequence was split.
    + bpo-45239: Fixed email.utils.parsedate_tz() crashing with UnboundLocalError on certain invalid input instead of returning None. Patch by Ben Hoyt.
    + bpo-44904: Fix bug in the doctest module that caused it to fail if a docstring included an example with a classmethod property. Patch by Alex Waygood.
    + bpo-45406: Make inspect.getmodule() catch FileNotFoundError raised by :’func:inspect.getabsfile, and return None to indicate that the module could not be determined.
    + bpo-45262: Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop
    + bpo-45386: Make xmlrpc.client more robust to C runtimes where the underlying C strftime function results in a ValueError when testing for year formatting options.
    + bpo-45371: Fix clang rpath issue in distutils. The UnixCCompiler now uses correct clang option to add a runtime library directory (rpath) to a shared library.
    + bpo-20028: Improve error message of csv.Dialect when initializing. Patch by Vajrasky Kok and Dong-hee Na.
    + bpo-45343: Update bundled pip to 21.2.4 and setuptools to 58.1.0
    + bpo-41710: On Unix, if the sem_clockwait() function is available in the C library (glibc 2.30 and newer), the threading.Lock.acquire() method now uses the monotonic clock (time.CLOCK_MONOTONIC) for the timeout, rather than using the system clock (time.CLOCK_REALTIME), to not be affected by system clock changes. Patch by Victor Stinner.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

    - bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now
      avoids infinitely reading potential HTTP headers after
      a 100 Continue status response from the server.
    - bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular
      Expression Denial of Service (ReDoS) vulnerability in
      urllib.request.AbstractBasicAuthHandler. The
      ReDoS-vulnerable regex has quadratic worst-case complexity
      and it allows cause a denial of service when identifying
      crafted invalid RFCs. This ReDoS issue is on the client
      side and needs remote attackers to control the HTTP server.

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to 3.9.6:
  * Security
    - bpo-44022: mod:http.client now avoids infinitely reading
      potential HTTP headers after a 100 Continue status response
      from the server.
  * Core and Builtins
    - bpo-44168: Fix error message in the parser involving keyword
      arguments with invalid expressions. Patch by Pablo Galindo
    - bpo-44114: Fix incorrect dictkeys_reversed and
      dictitems_reversed function signatures in C code, which broke
      webassembly builds.
    - bpo-44070: No longer eagerly makes import filenames absolute,
      except for extension modules, which was introduced in 3.9.5.
    - bpo-28146: Fix a confusing error message in str.format().
    - bpo-11105: When compiling ast.AST objects with recursive
      references through compile(), the interpreter doesn’t crash
      anymore instead it raises a RecursionError.
  * Library
    - bpo-43972: When http.server.SimpleHTTPRequestHandler sends a
      301 (Moved Permanently) for a directory path not ending with
      /, add a Content-Length: 0 header. This improves the behavior
      for certain clients.
    - bpo-43776: When subprocess.Popen args are provided as a
      string or as pathlib.Path, the Popen instance repr now shows
      the right thing.
    - bpo-43318: Fix a bug where pdb does not always echo cleared
      breakpoints.
    - bpo-43295: datetime.datetime.strptime() now raises ValueError
      instead of IndexError when matching 'z' with the %z format
      specifier.

• Files Changed
• Browse Source

- Use versioned python-Sphinx to avoid dependency on other
  version of Python (bsc#1183858).

• Files Changed
• Browse Source

- Add bpo44426-complex-keyword-sphinx.patch allowing generating
  documentation with Sphinx 4 (bpo#44426).

• Files Changed
• Browse Source

- Revert previous skip over test_capi
- Add skip-test_pyobject_freed_is_freed.patch to skip failing
  test on SLE-15.
- allow build with Sphinx >= 3.x 
- Exclude test_capi on Leap (test fails there)
- Stop providing "python" symbol (bsc#1185588), which means
  python2 currently.

• Files Changed
• Browse Source