Sync from SUSE:ALP:Source:Standard:1.0 python311 revision 24888b6e79686939128bfd89479a3336

2025-07-11 11:07:54 +02:00
parent a472037c77
commit 369c1d5a7e
10 changed files with 314 additions and 164 deletions
--- a/python311.changes
+++ b/python311.changes
@@ -1,3 +1,61 @@
+-------------------------------------------------------------------
+Wed Jul  2 14:47:20 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
+  case quadratic complexity when processing certain crafted
+  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
+
+-------------------------------------------------------------------
+Tue Jul  1 08:19:52 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Use one core to build doc. This will make sphinx doc build
+  reproducible.
+  bsc#1243155
+
+-------------------------------------------------------------------
+Mon Jun  9 17:19:32 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.13:
+  - Security
+    - gh-135034: Fixes multiple issues that allowed tarfile
+      extraction filters (filter="data" and filter="tar")
+      to be bypassed using crafted symlinks and hard links.
+      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
+      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
+      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
+      (gh#135034, bsc#1244061).
+    - gh-133767: Fix use-after-free in the “unicode-escape”
+      decoder with a non-“strict” error handler (CVE-2025-4516,
+      bsc#1243273).
+    - gh-128840: Short-circuit the processing of long IPv6
+      addresses early in ipaddress to prevent excessive memory
+      consumption and a minor denial-of-service.
+  - Library
+    - gh-128840: Fix parsing long IPv6 addresses with embedded
+      IPv4 address.
+    - gh-134062: ipaddress: fix collisions in __hash__() for
+      IPv4Network and IPv6Network objects.
+    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
+      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
+    - bpo-43633: Improve the textual representation of
+      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
+      in ipaddress. Patch by Oleksandr Pavliuk.
+- Remove upstreamed patches:
+  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  - CVE-2025-4516-DecodeError-handler.patch
+
+-------------------------------------------------------------------
+Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-4516-DecodeError-handler.patch fixing
+  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
+  vulnerability, which could lead to DoS.
+
+-------------------------------------------------------------------
+Sat May 17 10:02:27 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Use extended %autopatch.
+
 -------------------------------------------------------------------
 Sat May 10 11:38:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>

@@ -261,7 +319,7 @@ Thu Jul 18 22:37:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 Mon Jul 15 12:14:05 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

 - Stop using %%defattr, it seems to be breaking proper executable
-  attributes on /usr/bin/ scripts (bsc#1227378). 
+  attributes on /usr/bin/ scripts (bsc#1227378).

 -------------------------------------------------------------------
 Tue Jul  2 10:32:58 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -602,7 +660,7 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
 Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

 - Remove double definition of /usr/bin/idle%%{version} in
-  %%files. 
+  %%files.

 -------------------------------------------------------------------
 Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -1522,12 +1580,12 @@ Wed Sep  6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 -------------------------------------------------------------------
 Thu Aug 10 09:33:26 UTC 2023 - Dirk Müller <dmueller@suse.com>

- restrict PEP668 to ALP/Tumbleweed 
+- restrict PEP668 to ALP/Tumbleweed

 -------------------------------------------------------------------
 Fri Aug  4 06:37:41 UTC 2023 - Dirk Müller <dmueller@suse.com>

- add externally_managed.in to label this build as PEP-668 managed 
+- add externally_managed.in to label this build as PEP-668 managed

 -------------------------------------------------------------------
 Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -2882,7 +2940,7 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
 Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>

 - Add patch support-expat-245.patch:
-  * Support Expat >= 2.4.5 
+  * Support Expat >= 2.4.5

 -------------------------------------------------------------------
 Tue Feb 15 23:05:55 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -3072,7 +3130,7 @@ Sat Jun  5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jun  4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>

- allow build with Sphinx >= 3.x 
+- allow build with Sphinx >= 3.x

 -------------------------------------------------------------------
 Wed Jun  2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -3624,7 +3682,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
 Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>

 - Last try before this results in an editwar:
-  * remove importlib_resources and importlib-metadata 
+  * remove importlib_resources and importlib-metadata
    provides/obsoletes
  * import importlib_resources is not the same as
    import importlib.resources, same for metadata
@@ -3741,54 +3799,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
 - Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
 - Removed recursion.tar: contained in upstream
 - Update to 3.9.0b5:
-  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused 
+  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
    by the fix for bpo-29778 (CVE-2020-15801).
  - bpo-41162: Audit hooks are now cleared later during
    finalization to avoid missing events.
-  - bpo-29778: Ensure python3.dll is loaded from correct locations 
+  - bpo-29778: Ensure python3.dll is loaded from correct locations
    when Python is embedded (CVE-2020-15523).
-  - bpo-39603: Prevent http header injection by rejecting control 
+  - bpo-39603: Prevent http header injection by rejecting control
    characters in http.client.putrequest(…).
  - bpo-41295: Resolve a regression in CPython 3.8.4 where defining
-    “__setattr__” in a multi-inheritance setup and 
+    “__setattr__” in a multi-inheritance setup and
    calling up the hierarchy chain could fail if builtins/extension
    types were involved in the base types.
-  - bpo-41247: Always cache the running loop holder when running 
+  - bpo-41247: Always cache the running loop holder when running
    asyncio.set_running_loop.
-  - bpo-41252: Fix incorrect refcounting in 
+  - bpo-41252: Fix incorrect refcounting in
    _ssl.c’s _servername_callback().
-  - bpo-41215: Use non-NULL default values in the PEG parser 
+  - bpo-41215: Use non-NULL default values in the PEG parser
    keyword list to overcome a bug that was '
    preventing Python from being properly compiled when using the
    XLC compiler. Patch by Pablo Galindo.
-  - bpo-41218: Python 3.8.3 had a regression where compiling with 
-    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would 
+  - bpo-41218: Python 3.8.3 had a regression where compiling with
+    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
    aggressively mark list comprehension with CO_COROUTINE. Now only
    list comprehension making use of async/await will tagged as so.
-  - bpo-41175: Guard against a NULL pointer dereference within 
+  - bpo-41175: Guard against a NULL pointer dereference within
    bytearrayobject triggered by the bytearray() + bytearray() operation.
-  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s 
-    __setattr__() by calling the superclass method was 
+  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
+    __setattr__() by calling the superclass method was
    rewritten to allow C implemented heap types.
-  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the 
+  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
    C implementation raises now UnpicklingError instead of crashing.
-  - bpo-39017: Avoid infinite loop when reading specially crafted 
+  - bpo-39017: Avoid infinite loop when reading specially crafted
    TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
  - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
-  - bpo-41207: In distutils.spawn, restore expectation that 
+  - bpo-41207: In distutils.spawn, restore expectation that
    DistutilsExecError is raised when the command is not found.
  - bpo-39168: Remove the __new__ method of typing.Generic.
-  - bpo-41194: Fix a crash in the _ast module: it can no longer be 
+  - bpo-41194: Fix a crash in the _ast module: it can no longer be
    loaded more than once. It now uses a global state rather than a module state.
-  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a 
+  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
    null string.
-  - bpo-41300: Save files with non-ascii chars. 
+  - bpo-41300: Save files with non-ascii chars.
    Fix regression released in 3.9.0b4 and 3.8.4.
-  - bpo-37765: Add keywords to module name completion list. 
+  - bpo-37765: Add keywords to module name completion list.
    Rewrite Completions section of IDLE doc.
-  - bpo-40170: Revert PyType_HasFeature() change: it reads 
-    again directly the PyTypeObject.tp_flags 
-    member when the limited C API is not used, rather than always calling 
+  - bpo-40170: Revert PyType_HasFeature() change: it reads
+    again directly the PyTypeObject.tp_flags
+    member when the limited C API is not used, rather than always calling
    PyType_GetFlags() which hides implementation details.

 -------------------------------------------------------------------
@@ -4309,7 +4367,7 @@ Wed Jun  5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
    pickling costs between processes
  - typed_ast is merged back to CPython
  - LOAD_GLOBAL is now 40% faster
-  - pickle now uses Protocol 4 by default, improving performance 
+  - pickle now uses Protocol 4 by default, improving performance
 - Remove patches which were included in the upstream:
  - 00251-change-user-install-location.patch
  - 00316-mark-bdist_wininst-unsupported.patch
@@ -4454,7 +4512,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com

 - Upgrade to 3.7.2rc1:
    * bugfix release, for the full list of all changes see
-      https://docs.python.org/3.7/whatsnew/changelog.html#changelog 
+      https://docs.python.org/3.7/whatsnew/changelog.html#changelog
 - Make run of the test suite more verbose

 -------------------------------------------------------------------
@@ -4881,7 +4939,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
 Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com

 - Add 0001-allow-for-reproducible-builds-of-python-packages.patch
-  upstream https://github.com/python/cpython/pull/296 
+  upstream https://github.com/python/cpython/pull/296

 -------------------------------------------------------------------
 Wed Feb  8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -4947,7 +5005,7 @@ Mon Mar  7 20:38:11 UTC 2016 - toddrme2178@gmail.com

 - Add  Python-3.5.1-fix_lru_cache_copying.patch
  Fix copying the lru_cache() wrapper object.
-  Fixes deep-copying lru_cache regression, which worked on 
+  Fixes deep-copying lru_cache regression, which worked on
  previous versions of python but fails on python 3.5.
  This fixes a bunch of packages in devel:languages:python3.
  See: https://bugs.python.org/issue25447
@@ -5085,7 +5143,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
 -------------------------------------------------------------------
 Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org

- Only pkgconfig(x11) is required for build, not the whole 
+- Only pkgconfig(x11) is required for build, not the whole
  set of packages provided by xorg-x11-devel metapackage.

 -------------------------------------------------------------------
@@ -5145,7 +5203,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
 -------------------------------------------------------------------
 Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com

- remove blacklisting of test_posix on aarch64: qemu bug is fixed 
+- remove blacklisting of test_posix on aarch64: qemu bug is fixed

 -------------------------------------------------------------------
 Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -5248,7 +5306,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org

- build with -DOPENSSL_LOAD_CONF for the same reasons 
+- build with -DOPENSSL_LOAD_CONF for the same reasons
  described in the python2 package.

 -------------------------------------------------------------------
@@ -5260,7 +5318,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Thu Aug  8 14:54:49 UTC 2013 - dvaleev@suse.com

- Exclue test_faulthandler from tests on powerpc due to bnc#831629 
+- Exclue test_faulthandler from tests on powerpc due to bnc#831629

 -------------------------------------------------------------------
 Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -5319,7 +5377,7 @@ Fri Mar  1 07:42:21 UTC 2013 - dmueller@suse.com

 - add ctypes-libffi-aarch64.patch:
  * import aarch64 support for libffi in _ctypes module
- add aarch64 to the list of lib64 based archs 
+- add aarch64 to the list of lib64 based archs
 - add movetogetdents64.diff:
  * port to getdents64, as SYS_getdents is not implemented everywhere

@@ -5373,9 +5431,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
 -------------------------------------------------------------------
 Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com

- exclude test_math for SLE 11; math library fails on negative 
+- exclude test_math for SLE 11; math library fails on negative
  gamma function values close to integers and 0, probably
-  due to imprecision in -lm on SLE_11_SP2. 
+  due to imprecision in -lm on SLE_11_SP2.

 -------------------------------------------------------------------
 Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -5399,7 +5457,7 @@ Mon Oct  1 08:53:03 UTC 2012 - idonmez@suse.com
 -------------------------------------------------------------------
 Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com

- Correct dependency for python3-testsuite, 
+- Correct dependency for python3-testsuite,
  python3-tkinter -> python3-tk

 -------------------------------------------------------------------
@@ -5432,7 +5490,7 @@ Fri Aug  3 12:09:34 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com

- skip test_io on ppc 
+- skip test_io on ppc
 - drop test_io ppc patch

 -------------------------------------------------------------------
@@ -5481,8 +5539,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com

- Use system ffi, included one is broken see 
-  http://bugs.python.org/issue11729 and 
+- Use system ffi, included one is broken see
+  http://bugs.python.org/issue11729 and
  http://bugs.python.org/issue12081

 -------------------------------------------------------------------