Overview
Request 1160501 superseded
- Update to 3.9.19:
- Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0
- gh-113659: Skip .pth files with names starting with a dot
or hidden file attribute.
- Core and Builtins
- gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
codecs read out of bounds
- Library
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the system’s proxy bypass list
on macOS and Windows.
- gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
- gh-81194: Fix a crash in socket.if_indextoname() with
specific value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-109858: Protect zipfile from “quoted-overlap”
zipbomb. It now raises BadZipFile when try to read an entry
that overlaps with other entry or central directory.
- gh-107077: Seems that in some conditions, OpenSSL will
return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
when a certification verification has failed, but
the error parameters will still contain ERR_LIB_SSL
and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now
detecting this situation and raising the appropiate
ssl.SSLCertVerificationError. Patch by Pablo Galindo
- gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
which now no longer dereferences symlinks when working
around file system permission errors.
- Documentation
- gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
“XML vulnerabilities”.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11
and multissltests to use 1.1.1w and 3.0.11.
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- libexpat260.patch
- Refreshed patches:
- F00251-change-user-install-location.patch
- python-3.3.0b1-localpath.patch
- Created by mcepl
- In state superseded
- Superseded by 1160580
- Open review for openSUSE:Factory:Staging:H
Request History
mcepl created request
- Update to 3.9.19:
- Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0
- gh-113659: Skip .pth files with names starting with a dot
or hidden file attribute.
- Core and Builtins
- gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
codecs read out of bounds
- Library
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the system’s proxy bypass list
on macOS and Windows.
- gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
- gh-81194: Fix a crash in socket.if_indextoname() with
specific value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-109858: Protect zipfile from “quoted-overlap”
zipbomb. It now raises BadZipFile when try to read an entry
that overlaps with other entry or central directory.
- gh-107077: Seems that in some conditions, OpenSSL will
return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
when a certification verification has failed, but
the error parameters will still contain ERR_LIB_SSL
and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now
detecting this situation and raising the appropiate
ssl.SSLCertVerificationError. Patch by Pablo Galindo
- gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
which now no longer dereferences symlinks when working
around file system permission errors.
- Documentation
- gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
“XML vulnerabilities”.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11
and multissltests to use 1.1.1w and 3.0.11.
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- libexpat260.patch
- Refreshed patches:
- F00251-change-user-install-location.patch
- python-3.3.0b1-localpath.patch
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
darix accepted review
Accepted review for by_group opensuse-review-team request 1160501 from user factory-auto
anag+factory set openSUSE:Factory:Staging:H as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:H"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:H"
superseded by 1160580