File python3-doc.changes of Package python3.35118

-------------------------------------------------------------------
Sat Jul 20 21:48:02 UTC 2024 - Matej Cepl <mcepl@suse.com>

- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

-------------------------------------------------------------------
Mon Jul 15 12:26:59 UTC 2024 - Matej Cepl <mcepl@suse.com>

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).

-------------------------------------------------------------------
Sat May 18 15:49:07 UTC 2024 - Matej Cepl <mcepl@suse.com>

- bsc#1221854 (CVE-2024-0450) Add
  CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
  detecting the vulnerability of the "quoted-overlap" zipbomb
  (from gh#python/cpython!110016).

-------------------------------------------------------------------
Fri May 10 16:00:24 UTC 2024 - Matej Cepl <mcepl@suse.com>

- Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree
  XMLPullParser tests for Expat >=2.6.0 with reparse deferral
  (fixing CVE-2023-52425 or bsc#1219559).

-------------------------------------------------------------------
Mon Feb 26 13:37:33 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>

- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)

-------------------------------------------------------------------
Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).

-------------------------------------------------------------------
Mon Dec 18 16:20:58 UTC 2023 - Matej Cepl <mcepl@cepl.eu>

- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).

-------------------------------------------------------------------
Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>

- (bsc#1214691, CVE-2022-48566) Add
  CVE-2022-48566-compare_digest-more-constant.patch to make
  compare_digest more constant-time.

-------------------------------------------------------------------
Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>

- (bsc#1214685, CVE-2022-48565) Add
  CVE-2022-48565-plistlib-XML-vulns.patch (from
  gh#python/cpython#86217) reject XML entity declarations in
  plist files.

-------------------------------------------------------------------
Sat Sep  9 16:29:01 UTC 2023 - Matej Cepl <mcepl@suse.com>

- (bsc#1214677, CVE-2022-48564) Add
  CVE-2022-48564-DoS-read_ints-plistlib.patch fixing
  gh#python/cpython#86269 (backport from 3.6), which prevents DoS
  when processing malformed Apple Property List files in binary
  format.
- Skip test_plistlib.test_identity test on aarch64.

-------------------------------------------------------------------
Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com>

- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

-------------------------------------------------------------------
Sat May  6 17:31:35 UTC 2023 - Matej Cepl <mcepl@suse.com>

- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.
- Add stack_overflow_test_endless_recursion.patch to avoid
  failing test.

-------------------------------------------------------------------
Wed May  3 14:09:37 UTC 2023 - Matej Cepl <mcepl@suse.com>

- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).
  CURRENTLY SWITCHED OFF, AS IT IS STILL WIP AND UNDEBUGGED

-------------------------------------------------------------------
Tue Apr 18 05:00:11 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>

- Use python3 modules to build the documentation.

-------------------------------------------------------------------
Wed Mar 15 18:14:36 UTC 2023 - Matej Cepl <mcepl@suse.com>

- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
  which eliminates unnecessary and dangerous calls to
  PyThread_exit_thread() (bsc#1203355).

-------------------------------------------------------------------
Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>

- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) fixing a blocklist bypass via the urllib.parse
  component when supplying a URL that starts with blank characters.

-------------------------------------------------------------------
Mon Jan  9 09:04:08 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

- Add CVE-2022-40899-ReDos-cookiejar.patch to fix ReDoS in http.cookiejar
  (gh#python/cpython#17157, bsc#1206673, CVE-2022-40899)

-------------------------------------------------------------------
Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

-------------------------------------------------------------------
Fri Sep 16 16:46:07 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix
  CVE-2020-10735 (bsc#1203125) to limit amount of digits
  converting text to int and vice versa (potential for DoS).

  Originally by Victor Stinner of Red Hat.

-------------------------------------------------------------------
Fri Sep  2 06:53:55 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>

- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when a URI path starts with //. (bsc#1202624, CVE-2021-28861)

-------------------------------------------------------------------
Thu Jun  9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
  on s390x.

-------------------------------------------------------------------
Wed May 25 04:39:56 UTC 2022 - Matej Cepl <mcepl@suse.com>

- drop PYTHONSTARTUP hooks that cause spurious startup errors
  (bsc#1070738, bsc#1199441), as the relevant feature (REPL
  history) is now built into Python itself.

-------------------------------------------------------------------
Sat Feb 26 15:14:57 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).

-------------------------------------------------------------------
Tue Feb 15 22:38:32 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.

-------------------------------------------------------------------
Sun Feb  6 07:43:11 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.

-------------------------------------------------------------------
Sat Sep 25 15:35:06 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Add CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch
  fixing ReDoS in urllib AbstractBasicAuthHandler (bsc#1189287,
  CVE-2021-3733, bpo#43075)

-------------------------------------------------------------------
Wed Sep 15 15:49:00 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Add CVE-2021-3737-infinite-loop-on-100-Continue.patch fixing bpo-44022
  (bsc#1189241, CVE-2021-3737): http.client now avoids infinitely
  reading potential HTTP headers after a 100 Continue status response
  from the server.

-------------------------------------------------------------------
Thu Aug 12 19:35:28 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Reorder and better document patches related to bpo#30458 (also, for
  rechecking solution for bsc#1129071).
- Refresh patches:
  - CVE-2019-10160-netloc-port-regression.patch
  - CVE-2019-18348-CRLF_injection_via_host_part.patch
  - CVE-2019-9947-no-ctrl-char-http.patch
  - CVE-2020-8492-urllib-ReDoS.patch
  - Python-3.3.0b2-multilib.patch
  - python-3.6-CVE-2017-18207.patch
  - python3-urllib-prefer-lowercase-proxies.patch
  - subprocess-raise-timeout.patch

-------------------------------------------------------------------
Fri Jul 16 14:25:20 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Modify Lib/ensurepip/__init__.py to contain the same version
  numbers as are in reality the ones in the bundled wheels
  (bsc#1187668).

-------------------------------------------------------------------
Wed May 12 15:33:37 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Add CVE-2020-27619-no-eval-http-content.patch fixing
  CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.

-------------------------------------------------------------------
Sun May  2 09:20:06 UTC 2021 - Ben Greiner <code@bnavigator.de>

- Make sure to close the import_failed.map file after the exception
  has been raised in order to avoid ResourceWarnings when the
  failing import is part of a try...except block.

-------------------------------------------------------------------
Wed Mar 10 22:41:18 CET 2021 - Matej Cepl <mcepl@suse.com>

- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).

-------------------------------------------------------------------
Fri Jan 29 17:22:48 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.

-------------------------------------------------------------------
Sat Jan 23 23:37:31 UTC 2021 - Matej Cepl <mcepl@suse.com>

- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).

-------------------------------------------------------------------
Tue Nov 24 17:38:21 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Replace bundled wheels for pip and setuptools with the updated ones
  (bsc#1176262 CVE-2019-20916).

-------------------------------------------------------------------
Mon Oct 19 01:49:43 UTC 2020 - Steve Kowalik <steven.kowalik@suse.com>

- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
  the method parameter of HTTPConnection.putrequest in httplib, stopping
  injection of headers. Such characters now raise ValueError.
- Add update-ssl-certs.patch, which updates the SSL certificates shipped
  with the upstream tarball which have since expired.

-------------------------------------------------------------------
Fri Sep 11 00:16:38 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
  CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
  in IPv4Interface and IPv6Interface could lead to DOS.

-------------------------------------------------------------------
Fri Sep 11 00:03:14 UTC 2020 - Matej Cepl <mcepl@suse.com>

- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded
  whitespace or control characters through into the underlying
  http client request. Such potentially malicious header
  injection URLs now cause a ValueError to be raised.
  (bnc#1130840)

-------------------------------------------------------------------
Thu Sep 10 13:24:57 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
  python/Lib/DocXMLRPCServer.py (bnc#1153238)
  This patch requires also
  bpo37614-race_test_docxmlrpc_srv_setup.patch (from bpo#37614),
  which avoids the race in the tested procedure (bsc#1174701).

-------------------------------------------------------------------
Mon Jul 20 12:06:41 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.

-------------------------------------------------------------------
Wed Mar 18 11:26:23 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2019-18348-CRLF_injection_via_host_part.patch to
  disallow control characters in hostnames in httplib,
  addressing CVE-2019-18348. Such potentially malicious header
  injection URLs now cause an InvalidURL to be raised.
  (bsc#1155094)

-------------------------------------------------------------------
Wed Mar 11 22:33:06 UTC 2020 - Matej Cepl <mcepl@suse.com>

- Change name of idle3 icons to idle3.png
  to avoid collision with Python 2 version (bsc#1165894).
- Add skip-failing-tests.patch to skip
  test_write_filtered_python_package test

-------------------------------------------------------------------
Sat Feb  8 23:29:28 CET 2020 - Matej Cepl <mcepl@suse.com>

- Add CVE-2019-9674-zip-bomb.patch to improve documentation
  warning about dangers of zip-bombs and other security problems
  with zipfile library. (bsc#1162825 CVE-2019-9674)
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
  "Python urllib allowed an HTTP server to conduct Regular
  Expression Denial of Service (ReDoS)" (bsc#1162367)

-------------------------------------------------------------------
Sat Feb  8 22:21:10 CET 2020 - Matej Cepl <mcepl@suse.com>

- Add Requires: libpython%{so_version} == %{version}-%{release}
  to python3-base to keep both packages always synchronized
  (bsc#1162224).

-------------------------------------------------------------------
Fri Dec 20 15:34:09 CET 2019 - Matej Cepl <mcepl@suse.com>

- Move idle subpackage build from python3-base to python3 (bsc#1159623).
  python3-idle introduces considerable extra dependencies and
  a build loop via rust/librsvg.
- Correct installation of idle IDE icons:
  + idle.png is not the target directory
  + non-GNOME-specific icons belong into icons/hicolor
- Add required Name key to idle3 desktop file
- Unify *.changes

-------------------------------------------------------------------
Fri Dec 13 16:40:30 CET 2019 - Matej Cepl <mcepl@suse.com>

- Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
  - Security:
    - bpo-36216: Changes urlsplit() to raise ValueError when the
      URL contains characters that decompose under IDNA encoding
      (NFKC-normalization) into characters that affect how the
      URL is parsed.
    - bpo-35121: Don’t send cookies of domain A without Domain
      attribute to domain B when domain A is a suffix match of
      domain B while using a cookiejar with
      http.cookiejar.DefaultCookiePolicy policy. Patch by
      Karthikeyan Singaravelan.
    - bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl
      module. The cert parser did not handle CRL distribution
      points with empty DP or URI correctly. A malicious or buggy
      certificate can result in a segfault. Vulnerability
      (TALOS-2018-0758) reported by Colin Read and Nicolas Edet
      of Cisco.
    - bpo-34791: The xml.sax and xml.dom.domreg no longer use
      environment variables to override parser implementations
      when sys.flags.ignore_environment is set by -E or -I
      arguments.
    - bpo-34623: CVE-2018-14647: The C accelerated _elementtree
      module now initializes hash randomization salt from
      _Py_HashSecret instead of libexpat’s default CSPRNG.
    - bpo-33001: Minimal fix to prevent buffer overrun in
      os.symlink on Windows
    - bpo-32981: Regexes in difflib and poplib were vulnerable to
      catastrophic backtracking. These regexes formed potential
      DOS vectors (REDOS). They have been refactored. This
      resolves CVE-2018-1060 and CVE-2018-1061. Patch by Jamie
      Davis.
    - bpo-30657: Fixed possible integer overflow in
      PyBytes_DecodeEscape, CVE-2017-1000158. Original patch by
      Jay Bosamiya; rebased to Python 3 by Miro Hrončok.
    - bpo-30947: Upgrade libexpat embedded copy from version
      2.2.1 to 2.2.3 to get security fixes.
    - bpo-29169: Update zlib from 1.2.8 to 1.2.11 to get security
      fixes.
    - bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get
      fixes of CVE-2016-0718 and CVE-2016-4472. See
      https://sourceforge.net/p/expat/bugs/537/ for more
      information.
    - bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get
      fixes of multiple security vulnerabilities including:
      CVE-2017-9233 (External entity infinite loop DoS),
      CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718
      (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718) and
      CVE-2012-0876 (Counter hash flooding with SipHash). Note:
      the CVE-2016-5300 (Use os-specific entropy sources like
      getrandom) doesn’t impact Python, since Python already gets
      entropy from the OS to set the expat secret using
      XML_SetHashSalt().
    - bpo-26657: Fix directory traversal vulnerability with
      http.server on Windows. This fixes a regression that was
      introduced in 3.3.4rc1 and 3.4.0rc1. Based on patch by
      Philipp Hagemeister.
    - bpo-30500: Fix urllib.parse.splithost() to correctly parse
      fragments. For example, splithost('//127.0.0.1#@evil.com/')
      now correctly returns the 127.0.0.1 host, instead of
      treating @evil.com as the host in an authentication
      (login@host).
    - bpo-30730: Prevent environment variables injection in
      subprocess on Windows. Prevent passing other invalid
      environment variables and command arguments.
  - Library:
    - bpo-35121: Don’t set cookie for a request when the request
      path is a prefix match of the cookie’s path attribute but
      doesn’t end with “/”. Patch by Karthikeyan Singaravelan.
    - bpo-33329: Fix multiprocessing regression on newer glibcs
    - bpo-32072: Fixed issues with binary plists:
      - Fixed saving bytearrays.
      - Identical objects will be saved only once.
      - Equal references will be loaded as identical objects.
      - Added support for saving and loading recursive data structures.
    - bpo-31170: expat: Update libexpat from 2.2.3 to 2.2.4. Fix
      copying of partial characters for UTF-8 input (libexpat bug
      115): https://github.com/libexpat/libexpat/issues/115
    - bpo-30119: ftplib.FTP.putline() now throws ValueError on
      commands that contain CR or LF. Patch by Dong-hee Na.
    - bpo-27850: Remove 3DES from ssl module’s default cipher
      list to counter the Sweet32 attack (CVE-2016-2183).
  - Core and Builtins:
    - bpo-26617: Fix crash when GC runs during weakref callbacks.
    - bpo-27945: Fixed various segfaults with dict when input
      collections are mutated during searching, inserting or
      comparing. Based on patches by Duane Griffin and Tim
      Mitchell.
  - Documentation:
    - bpo-25008: Document smtpd.py as effectively deprecated and
      add a pointer to aiosmtpd, a third-party asyncio-based
      replacement.
  - Patches replaced by the upstream tarball:
    - CVE-2019-5010-null-defer-x509-cert-DOS.patch
    - CVE-2018-1061-DOS-via-regexp-difflib.patch
    - CVE-2018-20406-pickle_LONG_BINPUT.patch
    - CVE-2019-9636-urlsplit-NFKC-norm.patch
    - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
    - CVE-2018-20852-cookie-domain-check.patch

-------------------------------------------------------------------
Thu Sep 26 15:42:34 CEST 2019 - Matej Cepl <mcepl@suse.com>

- Add CVE-2018-20852-cookie-domain-check.patch prefix dot in
  domain for proper subdomain [bsc#1141853, CVE-2018-20852]

-------------------------------------------------------------------
Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl <mcepl@suse.com>

- Add CVE-2019-16056-email-parse-addr.patch fixing the email
  module wrongly parsing email addresses [bsc#1149955,
  CVE-2019-16056]
- Remove obsolete patch python-2.6b1-canonicalize2.patch

-------------------------------------------------------------------
Wed Jul 24 17:19:58 CEST 2019 - Matej Cepl <mcepl@suse.com>

- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
  converts shutil._call_external_zip to use subprocess rather than
  distutils.spawn. [bsc#1109663, CVE-2018-1000802]

-------------------------------------------------------------------
Wed Jul 24 15:27:24 CEST 2019 - Matej Cepl <mcepl@suse.com>

- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
  fixing bpo#34623.

-------------------------------------------------------------------
Wed Jul  3 21:02:00 CEST 2019 - Matej Cepl <mcepl@suse.com>

- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
  which fixes a regression introduced by the previous patch.
  (CVE-2019-10160)
  Upstream gh#python/cpython#13812

-------------------------------------------------------------------
Tue Apr  9 15:15:44 CEST 2019 - Matej Cepl <mcepl@suse.com>

- bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch
  Characters in the netloc attribute that decompose under NFKC
  normalization (as used by the IDNA encoding) into any of ``/``,
  ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
  URL is decomposed before parsing, or is not a Unicode string,
  no error will be raised. (CVE-2019-9636)
  Upstream gh#python/cpython#12224

-------------------------------------------------------------------
Mon Jan 21 17:51:37 UTC 2019 - Matěj Cepl <mcepl@suse.com>

- bsc#1120644 add CVE-2018-20406-pickle_LONG_BINPUT.patch fixing bpo#34656
  Modules/_pickle.c in Python before 3.7.1 has an integer overflow via
  a large LONG_BINPUT value that is mishandled during a "resize to twice
  the size" attempt. This issue might cause memory exhaustion, but is
  only relevant if the pickle format is used for serializing tens or
  hundreds of gigabytes of data.

-------------------------------------------------------------------
Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com

- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
  fixing bpo-35746.
  An exploitable denial-of-service vulnerability exists in the
  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
  A specially crafted X509 certificate can cause a NULL pointer
  dereference, resulting in a denial of service. An attacker can
  initiate or accept TLS connections using crafted certificates
  to trigger this vulnerability.

-------------------------------------------------------------------
Mon Sep  3 16:38:15 UTC 2018 - Matěj Cepl <mcepl@suse.com>

- Add -fwrapv to OPTS, which is default for python3 anyway.
  See for example https://github.com/zopefoundation/persistent/issues/86
  for bugs which are caused by avoiding it. (bsc#1107030)

-------------------------------------------------------------------
Fri Jun 29 10:24:27 UTC 2018 - mcepl@suse.com

- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
  low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
  (CVE-2018-1061). Prior to this patch the mail server's timestamp was
  susceptible to catastrophic backtracking on long evil response from
  the server. Also, it was susceptible to catastrophic backtracking,
  which was a potential DOS vector.
  [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]

-------------------------------------------------------------------
Fri Jun 29 09:05:03 UTC 2018 - mcepl@suse.com

- Apply "python-sorted_tar.patch" (bsc#1086001)
    sort tarfile output directory listing

-------------------------------------------------------------------
Tue Mar 13 18:49:34 UTC 2018 - psimons@suse.com

- Apply "python-3.6-CVE-2017-18207.patch" to add a check to
  Lib/wave.py that verifies that at least one channel is provided.
  Prior to this check, attackers could cause a denial of service
  (divide-by-zero error and application crash) via a crafted wav
  format audio file. [bsc#1083507, CVE-2017-18207]

-------------------------------------------------------------------
Wed Mar  1 16:50:48 UTC 2017 - jmatejek@suse.com

- update to 3.4.6 (bsc#1027282):
  * fixed potential crash in PyUnicode_AsDecodedObject() in debug build
  * fixed possible DoS and arbitrary execution in gettext plurals
  * fix possible use of uninitialized memory in operator.methodcaller
  * fix possible Py_DECREF on unowned object in _sre
  * fix possible integer overflow in _csv module
  * prevent HTTPoxy attack (CVE-2016-1000110)
  * fix selectors incorrectly retaining invalid fds
- move _elementtree to python3.rpm to match its pyexpat dependency
  (bsc#1029377)
- drop upstreamed python-3.4-CVE-2016-1000110-fix.patch

-------------------------------------------------------------------
Mon Aug  8 14:28:04 UTC 2016 - jmatejek@suse.com

- rename rpmlintrc to python3-rpmlintrc (applied change from 13.2)
- drop python-fix-short-dh.patch and dh2048.pem, this is now fixed
  upstream
- drop disabled libffi-ppc64le.diff completely
- reverse order of lowercase-proxies and HTTPoxy patches in order
  to fix documented behavior
- drop upstreamed werror-declaration-after-statement.patch

-------------------------------------------------------------------
Sun Aug  7 11:25:39 UTC 2016 - hpj@urpla.net

- fix python3-urllib-prefer-lowercase-proxies.patch

-------------------------------------------------------------------
Sat Aug  6 21:11:02 UTC 2016 - hpj@urpla.net

- apply fix for CVE-2016-1000110 - CGIHandler: sets environmental
  variable based on user supplied Proxy request header:
  python-3.4-CVE-2016-1000110-fix.patch
  (fixes bsc#989523, CVE-2016-1000110)
- refresh python3-urllib-prefer-lowercase-proxies.patch

-------------------------------------------------------------------
Sun Jul  3 12:41:08 UTC 2016 - hpj@urpla.net

- update to 3.4.5
  check: https://docs.python.org/3.4/whatsnew/changelog.html
  (fixes bsc#984751, CVE-2016-0772)
  (fixes bsc#985177, CVE-2016-5636)
  (fixes bsc#985348, CVE-2016-5699)

-------------------------------------------------------------------
Wed Jun 15 12:57:55 UTC 2016 - hpj@urpla.net

- apply upstream patch python3-urllib-prefer-lowercase-proxies.patch
  in order to make urllib proxy var handling behave as usual on POSIX

-------------------------------------------------------------------
Tue Jun 14 08:49:18 UTC 2016 - hpj@urpla.net

- Due to being fixed upstream (differently), removed outdated patch
  CVE-2014-4650-CGIHTTPServer-traversal.patch (bsc#983582)

-------------------------------------------------------------------
Sat May  7 09:02:50 UTC 2016 - hpj@urpla.net

- update to 3.4.4
  check: https://docs.python.org/3.4/whatsnew/changelog.html
- all necessary patches refreshed
- adjusted Python-3.3.0b2-multilib.patch
- disabled libffi-ppc64le.diff: horribly deviated
- fix a new multilib issue in configure.ac with $LIBPL
  (target of python3 config)
- disabled more tests that require ssl

-------------------------------------------------------------------
Fri Oct 23 13:59:56 UTC 2015 - jmatejek@suse.com

- Issue #21121: Don't force 3rd party C extensions to be built with
  -Werror=declaration-after-statement.
  (werror-declaration-after-statement.patch, bsc#951166)

-------------------------------------------------------------------
Tue Sep 22 12:54:10 UTC 2015 - dmueller@suse.com

- add python-2.7-libffi-aarch64.patch to fix incorrect FFI on aarch64

-------------------------------------------------------------------
Thu Sep 17 09:37:23 UTC 2015 - meissner@suse.com

- python-fix-short-dh.patch, dh2048.pem:
  Bump DH parameters to 2048 bit to fix logjam security issue. bsc#935856

-------------------------------------------------------------------
Wed Jul 23 16:31:02 UTC 2014 - jmatejek@suse.com

- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
  disclosure and directory traversal through URL-encoded characters
  (CVE-2014-4650, bnc#885882)

-------------------------------------------------------------------
Tue Jul 22 13:55:57 UTC 2014 - jmatejek@suse.com

- drop python-3.4.1-SUSE-ensurepip.patch for compatibility reasons,
  reinstate bundled copies of pip and setuptools
  (fixes bnc#885662)
- add more files as sources to silence the validator

-------------------------------------------------------------------
Wed May 21 11:01:56 UTC 2014 - jmatejek@suse.com

- update to 3.4.1
    * bugfix-only release, over 300 bugs fixed
- drop upstreamed python-3.4.0rc2-sqlite-3.8.4-tests.patch
- drop upstreamed CVE-2014-2667-mkdir.patch
- include Python release manager keyring and signature file
  for the source archive (thus renumbering of source files)
  (see https://www.python.org/download/#openpgp-public-keys )
- move ensurepip to python3, because it transitively requires ssl

-------------------------------------------------------------------
Fri Apr  4 16:21:40 UTC 2014 - jmatejek@suse.com

- CVE-2014-2667-mkdir.patch: race condition with resetting umask
  in os.makedirs
  (CVE-2014-2667, bnc#871152)
- updated multilib patch to include ~/.local/lib64 (bnc#637176)

-------------------------------------------------------------------
Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com

- raise timeout value for test_subprocess to 10s (might fix
  intermittent build failures in OBS)

-------------------------------------------------------------------
Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com

- remove blacklisting of test_posix on aarch64: qemu bug is fixed

-------------------------------------------------------------------
Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com

- update to 3.4.0 final
- drop upstreamed python-3.4rc2-importlib.patch

-------------------------------------------------------------------
Sun Mar 16 16:33:25 UTC 2014 - schwab@suse.de

- Only build with profile-opt if profiling is enabled
- Update test exclusion lists:
  * test_ctypes no longer fails on arm
  * test_io no longer fails on ppc*
  * test_multiprocessing has been split in multiple tests
  * test_posix and test_signal fail due to qemu bugs

-------------------------------------------------------------------
Fri Mar 14 20:26:03 UTC 2014 - andreas.stieger@gmx.de

- Fix build with SQLite 3.8.4 [bnc#867887], fixing SQLite tests,
  adding python-2.7.6-sqlite-3.8.4-tests.patch

-------------------------------------------------------------------
Thu Feb 27 14:08:40 UTC 2014 - jmatejek@suse.com

- update to 3.4.0 rc2
   * pre-release bugfixes
   * improvements to asyncio library
- drop upstreamed tracemalloc_gcov.patch
- python-3.4rc2-importlib.patch fixes backwards-incompatibility
  in the reworked importlib module that blocks build of vim

-------------------------------------------------------------------
Fri Jan 17 18:45:27 UTC 2014 - jmatejek@suse.com

- initial commit of 3.4.0 beta 3
    * new stdlib modules: pathlib, enum, statistics, tracemalloc
    * asynchronous IO with new asyncio module
    * introspection data for builtins
    * subprocesses no longer inherit open file descriptors
    * standardized metadata for packages
    * internal hashing changed to SipHash
    * new pickle protocol
    * improved handling of codecs
    * TLS 1.2 support
    * major speed improvements for internal unicode handling
    * many bugfixes and optimizations
- see porting guide at:
  http://docs.python.org/3.4/whatsnew/3.4.html#porting-to-python-3-4
- moved several modules to -testsuite subpackage
- updated list of binary extensions, refreshed patches
- tracemalloc_gcov.patch fixes profile-based optimization build
- updated packages and pre_checkin.sh to use ~-version notation
  for prereleases
- fix-shebangs part of build process moved to common %prep
- drop python-3.3.2-no-REUSEPORT.patch (upstreamed)
- update baselibs for new soname

- TODOs:
    * require python-pip, make ensurepip work with zypper

-------------------------------------------------------------------
Wed Dec  4 13:21:26 UTC 2013 - matz@suse.de

- add ppc64le (ELFv2) support for libffi copy for ctypes module
- Adjust Python-3.3.0b2-multilib.patch for ppc64le (make sys.lib be
  "lib64").
- added patches:
  * libffi-ppc64le.diff

-------------------------------------------------------------------
Tue Dec  3 09:51:43 UTC 2013 - adrian@suse.de

- add ppc64le rules

-------------------------------------------------------------------
Fri Nov 22 13:17:23 UTC 2013 - speilicke@suse.com

- Add python-3.3.3-skip-distutils-test_sysconfig_module.patch:
  + Disable global and distutils sysconfig comparison test, we deviate
    from the default depending on optflags

-------------------------------------------------------------------
Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com

- update to 3.3.3
  * bugfix-only release
  * many SSL-related fixes
  * upstream fix for CVE-2013-4238
  * upstream fixes for CVE-2013-1752
- move example module xxlimited to python3-testsuite
- remove --with-wide-unicode config option, it is now the default
  (and only) choice
- don't touch anything between make and makeinstall
- drop python-3.2b2-buildtime-generate.patch - the issue was caused
  by touching things between make and makeinstall
- link pycache entries for import_failed hooks properly

-------------------------------------------------------------------
Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com

- handle NULL bytes in certain fields of SSL certificates
  (CVE-2013-4238, bnc#834601)

-------------------------------------------------------------------
Thu Aug  8 14:54:49 UTC 2013 - dvaleev@suse.com

- Exclude test_faulthandler from tests on powerpc due to bnc#831629

-------------------------------------------------------------------
Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com

- update to 3.3.2  (bnc#709442)
  * bugfix-only release
  * fixes several regressions introduced in 3.3.1
- switch to xz compression
- move _lzma module to python3-base
- python-3.3.2-no-REUSEPORT.patch to fix build on kernels without SO_REUSEPORT

-------------------------------------------------------------------
Mon Apr 29 22:32:43 UTC 2013 - schwab@suse.de

- Readd missing bits from ctypes-libffi-aarch64.patch

-------------------------------------------------------------------
Sat Apr 13 07:56:51 UTC 2013 - idonmez@suse.com

- Update to version 3.3.1
  * Fix the --enable-profiling configure switch.
  * In IDLE, close the replace dialog after it is used.
- Too many bugfixes to list here,
  see http://hg.python.org/cpython/file/v3.3.0/Misc/NEWS
- Refresh Python-3.3.0b2-multilib.patch
- Refresh python-3.2b2-buildtime-generate.patch
- Drop upstream patches: ctypes-libffi-aarch64.patch,
  python-3.2.3rc2-pypirc-secure.patch, python-3.3.0-getdents64.patch

-------------------------------------------------------------------
Fri Apr  5 12:59:20 UTC 2013 - idonmez@suse.com

- Add Source URL, see https://en.opensuse.org/title=SourceUrls

-------------------------------------------------------------------
Wed Apr  3 15:36:04 UTC 2013 - jmatejek@suse.com

- remove spurious modification of python-3.3.0b1-localpath.patch
  that would force installation into /usr/local.
  this fixes bnc#809831

-------------------------------------------------------------------
Thu Mar 28 18:38:51 UTC 2013 - jmatejek@suse.com

- replace broken movetogetdents64.diff patch with a correct one
  from upstream repo (python-3.3.0-getdents64.patch)

-------------------------------------------------------------------
Fri Mar  1 07:42:21 UTC 2013 - dmueller@suse.com

- add ctypes-libffi-aarch64.patch:
  * import aarch64 support for libffi in _ctypes module
- add aarch64 to the list of lib64 based archs
- add movetogetdents64.diff:
  * port to getdents64, as SYS_getdents is not implemented everywhere

-------------------------------------------------------------------
Tue Feb 26 08:57:55 UTC 2013 - saschpe@suse.de

- /etc/rpm/macros.python3 is not %config, it is not meant to be changed
  by users.
- Add rpmlintrc with some obvious filters

-------------------------------------------------------------------
Mon Jan 28 18:14:39 UTC 2013 - jmatejek@suse.com

- update baselibs for new version of libpython3

-------------------------------------------------------------------
Thu Nov 29 17:02:37 UTC 2012 - jmatejek@suse.com

- fix include path in macros (bnc#787526)
- implement failed import handlers for modules that live in
  subpackages - e.g. "import ssl" will now throw a sensible error
  message telling you to install "python3"

-------------------------------------------------------------------
Wed Nov 28 17:02:07 UTC 2012 - jmatejek@suse.com

- merge python3-xml into python3
- merge python3-2to3 library into python3-base
  and the 2to3 binary into python3-devel
  (python3-devel is now in conflict with python-2to3, which
  will be dropped)
- enable --with-system-expat for python3, making the xml modules
  (and thus python3) depend on expat
- reconfigure tests to disable network and GUI resources, which
  upstream apparently thought was a good idea to enable by default.
  this fixes build failures in Factory
- add lzma-devel to build the _lzma module
- moved %dynlib macro definition to common section

-------------------------------------------------------------------
Mon Nov  5 20:01:46 UTC 2012 - coolo@suse.com

- buildrequire timezone for the test suite

-------------------------------------------------------------------
Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com

- disable more checks for qemu builds as they use syscalls not
  implemented yet

-------------------------------------------------------------------
Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com

- exclude test_math for SLE 11; math library fails on negative
  gamma function values close to integers and 0, probably
  due to imprecision in -lm on SLE_11_SP2.

-------------------------------------------------------------------
Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com

- buildrequire libbz2-devel explicitly

-------------------------------------------------------------------
Mon Oct  8 14:33:08 UTC 2012 - jmatejek@suse.com

- remove distutils.cfg (bnc#658604)
  * this changes default prefix for distutils to /usr
  * see ML for details:
    http://lists.opensuse.org/opensuse-packaging/2012-09/msg00254.html

-------------------------------------------------------------------
Mon Oct  1 08:53:03 UTC 2012 - idonmez@suse.com

- Update to final 3.3.0 release
  * See http://hg.python.org/cpython/file/v3.3.0/Misc/NEWS

-------------------------------------------------------------------
Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com

- Correct dependency for python3-testsuite,
  python3-tkinter -> python3-tk

-------------------------------------------------------------------
Thu Aug 23 13:08:11 UTC 2012 - jmatejek@suse.com

- update to 3.3.0 RC1

-------------------------------------------------------------------
Fri Aug  3 12:09:34 UTC 2012 - jmatejek@suse.com

- update to 3.3.0 beta 1
    * flexible string representation, no longer distinguishing
      between wide and narrow Unicode builds
    * importlib-based import system
    * virtualenv support in core
    * namespace packages
    * explicit Unicode literals for easier porting
    * key-sharing dict implementation reduces memory footprint
      of OO code
    * hash randomization on by default
    * many other new bugfixes and features, check NEWS for details

- pre_checkin.sh now autofills various version strings in specs
- ship hashlib's fallback modules - those uselessly take up space
  when real _hashlib.so from python3 is present, but the space wasted
  is only 114kB and it provides python3-base with a working hashlib
  module.
  (also, this fixes bnc#743787)

-------------------------------------------------------------------
Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com

- skip test_io on ppc
- drop test_io ppc patch

-------------------------------------------------------------------
Thu Jun 28 07:57:58 UTC 2012 - saschpe@suse.de

- Satisfy source_validator by uncommenting an otherwise unused "Patch"
  line

-------------------------------------------------------------------
Fri May 18 11:50:27 UTC 2012 - idonmez@suse.com

- update to 3.2.3
  * No changes since rc2

-------------------------------------------------------------------
Thu Mar 29 15:44:33 UTC 2012 - jmatejek@suse.com

- update to 3.2.3rc2
  * fixes several security issues:
  * CVE-2012-0845, bnc#747125
  * CVE-2012-1150, bnc#751718
  * CVE-2011-4944, bnc#754447
  * CVE-2011-3389, bnc#754677
- fix for insecure .pypirc (CVE-2011-4944, bnc#754447)
- disable test_gdb because it is broken by our gdb

-------------------------------------------------------------------
Thu Feb 16 12:33:12 UTC 2012 - dvaleev@suse.com

- skip broken test_io test on ppc

-------------------------------------------------------------------
Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com

- update to 3.2.2
  * bugfix-only release
  * reports "linux2" as sys.platform regardless of Linux kernel
- added pre_checkin.sh to copy common spec sections to python3.spec
- added PACKAGING-NOTES with some helpful info for packagers

-------------------------------------------------------------------
Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com

- Use system ffi, included one is broken, see
  http://bugs.python.org/issue11729 and
  http://bugs.python.org/issue12081

-------------------------------------------------------------------
Fri Dec  9 17:19:55 UTC 2011 - jmatejek@suse.com

- license.opensuse.org-compatible license headers

-------------------------------------------------------------------
Fri Dec  2 16:46:44 UTC 2011 - coolo@suse.com

- add automake as buildrequire to avoid implicit dependency

-------------------------------------------------------------------
Thu Nov 24 12:42:25 UTC 2011 - agraf@suse.com

- fix ARM build (exclude some test cases which break for us)

-------------------------------------------------------------------
Tue Aug 16 17:02:22 UTC 2011 - termim@gmail.com

- use sysconfig module to get py3_incdir, py3_abiflags,
  py3_soflags, python3_sitelib and python3_sitearch

-------------------------------------------------------------------
Mon Jul 18 16:22:31 UTC 2011 - jmatejek@novell.com

- update to 3.2.1
    * bugfix-only release, no major changes
- fix build on linux3 platform
- remove upstreamed pybench patch
- install /usr/lib directories in all cases to prevent spurious
  "directory not owned" in dependent packages

-------------------------------------------------------------------
Wed Jun 15 14:16:38 UTC 2011 - jmatejek@novell.com

- replaced dynamic so version with manual so version, because
  autobuild does not support autogeneration

-------------------------------------------------------------------
Tue May 24 13:39:06 UTC 2011 - jmatejek@novell.com

- generate macros.python3 at compile-time with fixed values
- don't include bogus values in pyconfig.h, as they can break
  third-party packages (bnc#673071)

-------------------------------------------------------------------
Tue May 17 12:52:51 UTC 2011 - jmatejek@novell.com

- added Obsoletes: python3 < 3.1 so that the transition from
  non-split to split packages goes smoothly

-------------------------------------------------------------------
Fri May 13 12:38:19 UTC 2011 - jmatejek@novell.com

- fixed RPM macros to use python3 instead of python
- updated to build --with-wide-unicode (for compatibility with
  fedora and our own python 2.x series)

-------------------------------------------------------------------
Thu Apr 21 03:39:25 UTC 2011 - termim@gmail.com

- fix python3-base build failure due to pybench.py crash by
  python-3.2-pybench.patch
- move pyconfig.h from python3-devel to python3-base package to
  make python3-base functional again

-------------------------------------------------------------------
Wed Mar 23 04:26:28 UTC 2011 - termim@gmail.com

- update to python 3.2
    * stable ABI, ABI-tagged .so files
    * concurrent.futures and many other new or upgraded modules
    * PYC repository directories (__pycache__)
    * python WSGI 1.0.1
    * Unicode 6.0.0 support
    * a great number of bugfixes and assorted improvements

-------------------------------------------------------------------
Tue Feb  8 19:42:17 CET 2011 - matejcik@suse.cz

- update to python 3.2 RC2
- renamed python3-demo to python3-tools, because the demo part
  became much smaller than the tools part
- added rpm macros

-------------------------------------------------------------------
Tue Jan 18 14:13:04 UTC 2011 - jmatejek@novell.com

- update to python 3.2 beta 2, see NEWS for details
- split off -base package with fewer dependencies, and a shlib-policy
  compliant libpython3 package
- mostly rewritten the spec file with more detailed comments
- cleaned up lists of patches
