Revisions of python311
Ana Guerrero (anag+factory)
accepted
request 1171202
from
Matej Cepl (mcepl)
(revision 34)
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses features sniffing, not just comparing version number. Include also support-expat-CVE-2022-25236-patched.patch. - Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping failing tests. - Refresh patches: - CVE-2023-27043-email-parsing-errors.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch - Remove included patch: - support-expat-CVE-2022-25236-patched.patch
Ana Guerrero (anag+factory)
accepted
request 1169286
from
Matej Cepl (mcepl)
(revision 33)
Forwarded request #1169083 from dgarcia - Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with patched libexpat below 2.6.0 that doesn't update the version number, just in SLE.
Ana Guerrero (anag+factory)
accepted
request 1161081
from
Matej Cepl (mcepl)
(revision 32)
- Add reference to CVE-2024-0450 (bsc#1221854) to changelog. - Because of bsc#1189495 we have to revert use of %autopatch. other entry or central directory (bsc#1221854, CVE-2024-0450).
Ana Guerrero (anag+factory)
accepted
request 1157149
from
Matej Cepl (mcepl)
(revision 31)
- Rewrite %prep to use %autosetup et al. for compatibility with rpm 4.20. - bsc#1221260 add bsc1221260-test_asyncio-ResourceWarning.patch to eliminate ResourceWarning which broke the test suite in test_asyncio. - Use the system-wide crypto-policies [bsc#1211301] * Use the system default cipher list instead of hardcoded values * Add the --with-ssl-default-suites=openssl configure option
Dominique Leuenberger (dimstar_suse)
accepted
request 1153186
from
Matej Cepl (mcepl)
(revision 30)
- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Remove double definition of /usr/bin/idle%%{version} in %%files.
Ana Guerrero (anag+factory)
accepted
request 1146838
from
Matej Cepl (mcepl)
(revision 29)
Forwarded request #1146787 from dgarcia - Add upstream patch libexpat260.patch, Fix tests for XMLPullParser with Expat 2.6.0, gh#python/cpython#115289
Ana Guerrero (anag+factory)
accepted
request 1136197
from
Factory Maintainer (factory-maintainer)
(revision 27)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory)
accepted
request 1134084
from
Matej Cepl (mcepl)
(revision 26)
- Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). - Thus we can remove Revert-gh105127-left-tests.patch, which is now useless.
Ana Guerrero (anag+factory)
accepted
request 1128112
from
Factory Maintainer (factory-maintainer)
(revision 25)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory)
accepted
request 1113067
from
Matej Cepl (mcepl)
(revision 24)
characters without truncating the path (bsc#1214693, CVE-2023-41105).
Ana Guerrero (anag+factory)
accepted
request 1109225
from
Daniel Garcia (dgarcia)
(revision 23)
- Update to 3.11.5 (bsc#1214692): - Security - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. - Core and Builtins - gh-104432: Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a -fsaniziter=alignment build on ARM macOS. Patch by Christopher Chavez. - gh-77377: Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process. - gh-106092: Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject. - gh-106719: No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types. - gh-106723: Propagate frozen_modules to multiprocessing spawned process interpreters. - gh-105979: Fix crash in _imp.get_frozen_object() due to improper exception handling. - gh-105840: Fix possible crashes when specializing function calls with too many __defaults__. - gh-105588: Fix an issue that could result in crashes when compiling malformed ast nodes. - gh-105375: Fix bugs in the builtins module where exceptions could end up being overwritten. - gh-105375: Fix bug in the compiler where an exception could end up being overwritten. - gh-105375: Improve error handling in PyUnicode_BuildEncodingMap() where an exception could end up being overwritten. - gh-105235: Prevent out-of-bounds memory access during mmap.find() calls. - gh-101006: Improve error handling when read marshal data. - Library - gh-105736: Harmonized the pure Python version of OrderedDict with the C version. Now, both versions set up their internal state in __new__. Formerly, the pure Python version did the set up in __init__. - gh-107963: Fix multiprocessing.set_forkserver_preload() to check the given list of modules names. Patch by Dong-hee Na. - gh-106242: Fixes os.path.normpath() to handle embedded null characters without truncating the path. - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. - gh-107715: Fix doctest.DocTestFinder.find() in presence of class names with special characters. Patch by Gertjan van Zwieten. - gh-100814: Passing a callable object as an option value to a Tkinter image now raises the expected TclError instead of an AttributeError. - gh-106684: Close asyncio.StreamWriter when it is not closed by application leading to memory leaks. Patch by Kumar Aditya. - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropiate ssl.SSLCertVerificationError. Patch by Pablo Galindo - gh-107396: tarfiles; Fixed use before assignment of self.exception for gzip decompression - gh-62519: Make gettext.pgettext() search plural definitions when translation is not found. - gh-83006: Document behavior of shutil.disk_usage() for non-mounted filesystems on Unix. - gh-106186: Do not report MultipartInvariantViolationDefect defect when the email.parser.Parser class is used to parse emails with headersonly=True. - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION result in _ssl.c. - gh-106774: Update the bundled copy of pip to version 23.2.1. - gh-106752: Fixed several bug in zipfile.Path in name/suffix/suffixes/stem operations when no filename is present and the Path is not at the root of the zipfile. - gh-106602: Add __copy__ and __deepcopy__ in enum - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused division by zero for certain almost-white inputs. Patch by Terry Jan Reedy. - gh-106052: re module: fix the matching of possessive quantifiers in the case of a subpattern containing backtracking. - gh-106510: Improve debug output for atomic groups in regular expressions. - gh-105497: Fix flag mask inversion when unnamed flags exist. - gh-90876: Prevent multiprocessing.spawn from failing to import in environments where sys.executable is None. This regressed in 3.11 with the addition of support for path-like objects in multiprocessing. - gh-106350: Detect possible memory allocation failure in the libtommath function mp_init() used by the _tkinter module. - gh-102541: Make pydoc.doc catch bad module ImportError when output stream is not None. - gh-106263: Fix crash when calling repr with a manually constructed SignalDict object. Patch by Charlie Zhao. - gh-105375: Fix a bug in _Unpickler_SetInputStream() where an exception could end up being overwritten in case of failure. - gh-105375: Fix bugs in sys where exceptions could end up being overwritten because of deferred error handling. - gh-105605: Harden pyexpat error handling during module initialisation to prevent exceptions from possibly being overwritten, and objects from being dereferenced twice. - gh-105375: Fix bug in decimal where an exception could end up being overwritten. - gh-105375: Fix bugs in _datetime where exceptions could be overwritten in case of module initialisation failure. - gh-105375: Fix bugs in _ssl initialisation which could lead to leaked references and overwritten exceptions. - gh-105375: Fix a bug in array.array where an exception could end up being overwritten. - gh-105375: Fix bugs in _ctypes where exceptions could end up being overwritten. - gh-105375: Fix a bug in the posix module where an exception could be overwritten. - gh-105375: Fix bugs in _elementtree where exceptions could be overwritten. - gh-105375: Fix bugs in zoneinfo where exceptions could be overwritten. - gh-105375: Fix bugs in pickle where exceptions could be overwritten. - gh-105497: Fix flag inversion when alias/mask members exist. - gh-105375: Fix bugs in pickle where exceptions could be overwritten. - gh-103171: Revert undocumented behaviour change with runtime-checkable protocols decorated with typing.final() in Python 3.11. The behaviour change had meant that objects would not be considered instances of these protocols at runtime unless they had a __final__ attribute. Patch by Alex Waygood. - gh-105375: Fix a bug in sqlite3 where an exception could be overwritten in the collation callback. - gh-105332: Revert pickling method from by-name back to by-value. - gh-104554: Add RTSPS scheme support in urllib.parse - gh-100061: Fix a bug that causes wrong matches for regular expressions with possessive qualifier. - gh-102541: Hide traceback in help() prompt, when import failed. - gh-99203: Restore following CPython <= 3.10.5 behavior of shutil.make_archive(): do not create an empty archive if root_dir is not a directory, and, in that case, raise FileNotFoundError or NotADirectoryError regardless of format choice. Beyond the brought-back behavior, the function may now also raise these exceptions in dry_run mode. - gh-94777: Fix hanging multiprocessing ProcessPoolExecutor when a child process crashes while data is being written in the call queue. - bpo-18319: Ensure gettext(msg) retrieve translations even if a plural form exists. In other words: gettext(msg) == ngettext(msg, '', 1). - Documentation - gh-107008: Document the curses module variables LINES and COLS. - gh-106948: Add a number of standard external names to nitpick_ignore. - gh-54738: Add documentation on how to localize the argparse module. - Tests - gh-105776: Fix test_cppext when the C compiler command -std=c11 option: remove -std= options from the compiler command. Patch by Victor Stinner. - gh-107237: test_logging: Fix test_udp_reconnection() by increasing the timeout from 100 ms to 5 minutes (LONG_TIMEOUT). Patch by Victor Stinner. - gh-101634: When running the Python test suite with -jN option, if a worker stdout cannot be decoded from the locale encoding report a failed testn so the exitcode is non-zero. Patch by Victor Stinner. - Build - gh-107814: When calling find_python.bat with -q it did not properly silence the output of nuget. That is now fixed. - gh-106881: Check for linux/limits.h before including it in Modules/posixmodule.c. - gh-104692: Include commoninstall as a prerequisite for bininstall - This ensures that commoninstall is completed before bininstall is started when parallel builds are used (make -j install), and so the python3 symlink is only installed after all standard library modules are installed. - gh-100340: Allows -Wno-int-conversion for wasm-sdk 17 and onwards, thus enables building WASI builds once against the latest sdk. - Windows - gh-106242: Fixes realpath() to behave consistently when passed a path containing an embedded null character on Windows. In strict mode, it now raises OSError instead of the unexpected ValueError, and in non-strict mode will make the path absolute. - gh-106844: Fix integer overflow in _winapi.LCMapStringEx() which affects ntpath.normcase(). - gh-99079: Update Windows build to use OpenSSL 3.0.9 - gh-105436: Ensure that an empty environment block is terminated by two null characters, as is required by Windows. - macOS - gh-107565: Update macOS installer to use OpenSSL 3.0.10. - gh-99079: Update macOS installer to use OpenSSL 3.0.9. - Tools/Demos - gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. - gh-95065: Argument Clinic now supports overriding automatically generated signature by using directive @text_signature. See How to override the generated signature. - gh-106970: Fix bugs in the Argument Clinic destination <name> clear command; the destination buffers would never be cleared, and the destination directive parser would simply continue to the fault handler after processing the command. Patch by Erlend E. Aasland. - C API - gh-107916: C API functions PyErr_SetFromErrnoWithFilename(), PyErr_SetExcFromWindowsErrWithFilename() and PyErr_SetFromWindowsErrWithFilename() save now the error code before calling PyUnicode_DecodeFSDefault(). - gh-107915: Such C API functions as PyErr_SetString(), PyErr_Format(), PyErr_SetFromErrnoWithFilename() and many others no longer crash or ignore errors if it failed to format the error message or decode the filename. Instead, they keep a corresponding error. - gh-107226: PyModule_AddObjectRef() is now only available in the limited API version 3.10 or later. - gh-105375: Fix a bug in PyErr_WarnExplicit() where an exception could end up being overwritten if the API failed internally. - gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was not set.
Dominique Leuenberger (dimstar_suse)
accepted
request 1102237
from
Matej Cepl (mcepl)
(revision 21)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it).
Fabian Vogt (favogt_factory)
accepted
request 1096536
from
Matej Cepl (mcepl)
(revision 20)
- Update to Python 3.11.4: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471). - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750). - Remove upstreamed patches: - CVE-2007-4559-filter-tarfile_extractall.patch
Dominique Leuenberger (dimstar_suse)
accepted
request 1095626
from
Matej Cepl (mcepl)
(revision 19)
- Remove obsolete_python_versioned macro again. This mechanism has no business to be in Python 3.11, because we have abolished with it whole interpreter+setuptools+pip product. Python 3.11 should not be replaced by later versions anymore.
Dominique Leuenberger (dimstar_suse)
accepted
request 1092590
from
Factory Maintainer (factory-maintainer)
(revision 18)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1084262
from
Matej Cepl (mcepl)
(revision 17)
- Why in the world we download from HTTP? - Add 103213-fetch-CONFIG_ARGS.patch (gh#python/cpython#103053). - Add skip_if_buildbot-extend.patch to avoid the bug altogether (extending what skip_if_buildbot covers). - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix bsc#1203750 (CVE-2007-4559) and implementing "PEP 706 – Filter for tarfile.extractall". - Update to 3.11.3: - Security - gh-101727: Updated the OpenSSL version used in Windows and macOS binary release builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the OpenSSL 2023-02-07 security advisory. - Core and Builtins - gh-101975: Fixed stacktop value on tracing entries to avoid corruption on garbage collection. - gh-102701: Fix overflow when creating very large dict. - gh-102416: Do not memoize incorrectly automatically generated loop rules in the parser. Patch by Pablo Galindo. - gh-102356: Fix a bug that caused a crash when deallocating deeply nested filter objects. Patch by Marta Gómez Macías. - gh-102397: Fix segfault from race condition in signal handling during garbage collection. Patch by Kumar Aditya. - gh-102281: Fix potential nullptr dereference and use of uninitialized memory in fileutils. Patch by Max Bachmann. - gh-102126: Fix deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock. Patch by Kumar Aditya. - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal module. Patch by Max Bachmann. - gh-101967: Fix possible segfault in positional_only_passed_as_keyword function, when new list created. - gh-101765: Fix SystemError / segmentation fault in iter __reduce__ when internal access of builtins.__dict__ keys mutates the iter object. - gh-101696: Invalidate type version tag in _PyStaticType_Dealloc for static types, avoiding bug where a false cache hit could crash the interpreter. Patch by Kumar Aditya. - Library - gh-102549: Don’t ignore exceptions in member type creation. - gh-102947: Improve traceback when dataclasses.fields() is called on a non-dataclass. Patch by Alex Waygood - gh-102780: The asyncio.Timeout context manager now works reliably even when performing cleanup due to task cancellation. Previously it could raise a CancelledError instead of an TimeoutError in such cases. - gh-88965: typing: Fix a bug relating to substitution in . Pacustom classes generic over a ParamSpec. Previously, if . Pathe ParamSpec was substituted with a parameters list that . Paitself contained a TypeVar, the TypeVar in the parameters . Palist could not be subsequently substituted. This is now . Pafixed tch by Nikita Sobolev . - gh-101979: Fix a bug where parentheses in the metavar argument to argparse.ArgumentParser.add_argument() were dropped. Patch by Yeojin Kim. - gh-102179: Fix os.dup2() error message for negative fds. - gh-101961: For the binary mode, fileinput.hookcompressed() doesn’t set the encoding value even if the value is None. Patch by Gihwan Kim. - gh-101936: The default value of fp becomes io.BytesIO if HTTPError is initialized without a designated fp parameter. Patch by Long Vo. - gh-102069: Fix __weakref__ descriptor generation for custom dataclasses. - gh-101566: In zipfile, apply fix for extractall on the underlying zipfile after being wrapped in Path. - gh-101892: Callable iterators no longer raise SystemError when the callable object exhausts the iterator but forgets to either return a sentinel value or raise StopIteration. - gh-97786: Fix potential undefined behaviour in corner cases of floating-point-to-time conversions. - gh-101517: Fixed bug where bdb looks up the source line with linecache with a lineno=None, which causes it to fail with an unhandled exception. - gh-101673: Fix a pdb bug where ll clears the changes to local variables. - gh-96931: Fix incorrect results from ssl.SSLSocket.shared_ciphers() - gh-88233: Correctly preserve “extra” fields in zipfile regardless of their ordering relative to a zip64 “extra.” - gh-96127: inspect.signature was raising TypeError on call with mock objects. Now it correctly returns (*args, **kwargs) as infered signature. - gh-95495: When built against OpenSSL 3.0, the ssl module had a bug where it reported unauthenticated EOFs (i.e. without close_notify) as a clean TLS-level EOF. It now raises SSLEOFError, matching the behavior in previous versions of OpenSSL. The options attribute on SSLContext also no longer includes OP_IGNORE_UNEXPECTED_EOF by default. This option may be set to specify the previous OpenSSL 3.0 behavior. - gh-94440: Fix a concurrent.futures.process bug where ProcessPoolExecutor shutdown could hang after a future has been quickly submitted and canceled. - Documentation - gh-103112: Add docstring to http.client.HTTPResponse.read() to fix pydoc output. - gh-85417: Update cmath documentation to clarify behaviour on branch cuts. - gh-97725: Fix asyncio.Task.print_stack() description for file=None. Patch by Oleg Iarygin. - Tests - gh-102980: Improve test coverage on pdb. - gh-102537: Adjust the error handling strategy in test_zoneinfo.TzPathTest.python_tzpath_context. Patch by Paul Ganssle. - gh-89792: test_tools now copies up to 10x less source data to a temporary directory during the freeze test by ignoring git metadata and other artifacts. It also limits its python build parallelism based on os.cpu_count instead of hard coding it as 8 cores. - gh-101377: Improved test_locale_calendar_formatweekday of calendar. - Build - gh-102711: Fix -Wstrict-prototypes compiler warnings.
Dominique Leuenberger (dimstar_suse)
accepted
request 1069317
from
Matej Cepl (mcepl)
(revision 16)
- Update to 3.11.2: Bug fixes, no changes in API and no security bugs. - Add python310 Obsoletes line to obsolete_python_versioned macro.
Dominique Leuenberger (dimstar_suse)
accepted
request 1067032
from
Matej Cepl (mcepl)
(revision 15)
- Add provides for readline and sqlite3 to the main Python package.
Displaying revisions 1 - 20 of 34