ALP-pool/python311
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 python311 revision f31ae414ccef9af37ecc85f23e571418

Browse Source
This commit is contained in:
Adrian Schröter
2025-03-19 11:25:16 +01:00
parent 8472e59a77
commit 3b5fab8182
24 changed files with 1218 additions and 2341 deletions
Download Patch File Download Diff File Expand all files Collapse all files

615
python311.changes
View File

@@ -1,40 +1,510 @@
-------------------------------------------------------------------
Thu Sep 19 13:14:43 UTC 2024 - Matej Cepl <mcepl@suse.com>
Wed Mar 12 15:05:46 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
- Add CVE-2024-8088-zipfile-Path-sanitization.patch sanitizing
names in zipfile.Path (bsc#1229704, CVE-2024-8088).
- Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch removing
backtracking when parsing tarfile headers (bsc#1230227,
CVE-2024-6232).
- Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic
complexity in parsing "-quoted cookie values with backslashes
(bsc#1229596, CVE-2024-7592).
- Allow to disable PGO
-------------------------------------------------------------------
Sat Aug 3 17:28:26 UTC 2024 - Matej Cepl <mcepl@suse.com>
Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
- Skip PGO with %want_reproducible_builds (bsc#1239210)
-------------------------------------------------------------------
Tue Feb 4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
-------------------------------------------------------------------
Mon Jan 27 09:00:48 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Configure externally_managed with a bcond
https://en.opensuse.org/openSUSE:Python:Externally_managed
bsc#1228165
-------------------------------------------------------------------
Wed Dec 4 21:40:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.11.11:
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlibs software
implementation and the hardware-accelerated implementation.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).
- Removed upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
-------------------------------------------------------------------
Tue Dec 3 08:21:35 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Add add-loongarch64-support.patch to support loongarch64
-------------------------------------------------------------------
Mon Dec 2 22:50:07 UTC 2024 - Matej Cepl <mcepl@suse.com>
- Fix changelog
-------------------------------------------------------------------
Mon Nov 11 12:43:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Remove -IVendor/ from python-config boo#1231795
-------------------------------------------------------------------
Fri Nov 1 16:32:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
path names provided when creating a virtual environment
(bsc#1232241, CVE-2024-9287)
-------------------------------------------------------------------
Wed Oct 2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Drop .pyc files from docdir for reproducible builds
(bsc#1230906).
-------------------------------------------------------------------
Mon Sep 9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.11.10:
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for ``python -i``,
as well as for ``python -m asyncio``. The event in question
is ``cpython.run_stdin``.
- gh-122133: Authenticate the socket connection for the
``socket.socketpair()`` fallback on platforms where
``AF_UNIX`` is not available like Windows. Patch by
Gregory P. Smith <greg@krypto.org> and Seth Larson
<seth@python.org>. Reported by Ellie <el@horse64.org>
- gh-121285: Remove backtracking from tarfile header parsing
for ``hdrcharset``, PAX, and GNU sparse headers
(bsc#1230227, CVE-2024-6232).
- gh-118486: :func:`os.mkdir` on Windows now accepts
*mode* of ``0o700`` to restrict the new directory to
the current user. This fixes CVE-2024-4030 affecting
:func:`tempfile.mkdtemp` in scenarios where the base
temporary directory is more permissive than the default.
- gh-116741: Update bundled libexpat to 2.6.2
- Library
- gh-123270: Applied a more surgical fix for malformed
payloads in :class:`zipfile.Path` causing infinite loops
(gh-122905) without breaking contents using legitimate
characters (bsc#1229704, CVE-2024-8088).
- gh-123067: Fix quadratic complexity in parsing ``"``-quoted
cookie values with backslashes by :mod:`http.cookies`
(bsc#1229596, CVE-2024-7592).
- gh-122905: :class:`zipfile.Path` objects now sanitize names
from the zipfile.
- gh-121650: :mod:`email` headers with embedded newlines are
now quoted on output. The :mod:`~email.generator` will now
refuse to serialize (write) headers that are unsafely folded
or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`.
(Contributed by Bas Bloemsaat and Petr Viktorin in
:gh:`121650`; CVE-2024-6923, bsc#1228780).
- gh-119506: Fix :meth:`!io.TextIOWrapper.write` method
breaks internal buffer when the method is called again
during flushing internal buffer.
- gh-118643: Fix an AttributeError in the :mod:`email` module
when re-fold a long address list. Also fix more cases of
incorrect encoding of the address separator in the address
list.
- gh-113171: Fixed various false positives and false
negatives in * :attr:`ipaddress.IPv4Address.is_private`
(see these docs for details) *
:attr:`ipaddress.IPv4Address.is_global` *
:attr:`ipaddress.IPv6Address.is_private` *
:attr:`ipaddress.IPv6Address.is_global` Also in the
corresponding :class:`ipaddress.IPv4Network` and
:class:`ipaddress.IPv6Network` attributes.
Fixes bsc#1226448 (CVE-2024-4032).
- gh-102988: :func:`email.utils.getaddresses` and
:func:`email.utils.parseaddr` now return ``('', '')``
2-tuples in more situations where invalid email addresses
are encountered instead of potentially inaccurate
values. Add optional *strict* parameter to these two
functions: use ``strict=False`` to get the old behavior,
accept malformed inputs. ``getattr(email.utils,
'supports_strict_parsing', False)`` can be use to check if
the *strict* paramater is available. Patch by Thomas Dwyer
and Victor Stinner to improve the CVE-2023-27043 fix
(bsc#1210638).
- gh-67693: Fix :func:`urllib.parse.urlunparse` and
:func:`urllib.parse.urlunsplit` for URIs with path starting
with multiple slashes and no authority. Based on patch by
Ashwin Ramaswami.
- Core and Builtins
- gh-112275: A deadlock involving ``pystate.c``'s
``HEAD_LOCK`` in ``posixmodule.c`` at fork is now
fixed. Patch by ChuBoning based on previous Python 3.12 fix
by Victor Stinner.
- gh-109120: Added handle of incorrect star expressions, e.g
``f(3, *)``. Patch by Grigoryev Semyon
- Removed upstreamed patches:
- CVE-2023-27043-email-parsing-errors.patch
- CVE-2024-4032-private-IP-addrs.patch
- CVE-2024-6923-email-hdr-inject.patch
- CVE-2024-8088-inf-loop-zipfile_Path.patch
(renamed from CVE-2024-8088-zipfile-Path-sanitization.patch)
- CVE-2024-6232-ReDOS-backtrack-tarfile.patch
- CVE-2024-7592-quad-complex-cookies.patch
-------------------------------------------------------------------
Mon Sep 2 09:44:26 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
failing test_sendfile_close_peer_in_the_middle_of_receiving
tests on Linux >= 6.10 (GH-120227).
-------------------------------------------------------------------
Wed Aug 28 16:54:34 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
malformed payload to cause infinite loops in zipfile.Path
(bsc#1229704, CVE-2024-8088).
-------------------------------------------------------------------
Wed Aug 7 12:12:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
patched libexpat below 2.6.0 that doesn't update the version number,
just in SLE.
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
condition in ssl.SSLContext certificate store methods.
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
header injection due to unquoted newlines (bsc#1228780,
CVE-2024-6923).
- %{profileopt} variable is set according to the variable
%{do_profiling} (bsc#1227999)
-------------------------------------------------------------------
Mon Jul 22 21:20:55 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Remove %suse_update_desktop_file macro as it is not useful any
more.
-------------------------------------------------------------------
Thu Jul 18 22:37:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999
adding reproducibility patches from gh#python/cpython!121872
and gh#python/cpython!121883.
-------------------------------------------------------------------
Mon Jul 15 12:14:05 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Stop using %%defattr, it seems to be breaking proper executable
attributes on /usr/bin/ scripts (bsc#1227378).
- Remove included patches:
- libexpat260.patch
attributes on /usr/bin/ scripts (bsc#1227378).
-------------------------------------------------------------------
Tue Jul 2 10:32:58 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Update F00251-change-user-install-location.patch to make pip and
modern tools install directly in /usr/local when used by the user.
bsc#1225660
-------------------------------------------------------------------
Tue Jun 25 21:57:40 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
-------------------------------------------------------------------
Wed May 1 08:39:08 UTC 2024 - Matej Cepl <mcepl@suse.com>
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch
so that it uses features sniffing, not just
comparing version number. Include also
support-expat-CVE-2022-25236-patched.patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
failing tests.
- Refresh patches:
- CVE-2023-27043-email-parsing-errors.patch
- fix_configure_rst.patch
- skip_if_buildbot-extend.patch
- Remove included patch:
- support-expat-CVE-2022-25236-patched.patch
- CVE-2023-52425-remove-reparse_deferral-tests.patch
-------------------------------------------------------------------
Mon Apr 15 10:31:32 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
patched libexpat below 2.6.0 that doesn't update the version number,
just in SLE.
-------------------------------------------------------------------
Mon Apr 8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Remove not needed upstream patches:
* libexpat260.patch
* CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
* CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
- Update to 3.11.9:
* Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425, bsc#1219559) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0
- gh-115243: Fix possible crashes in collections.deque.index()
when the deque is concurrently modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to the
certificate store, when the ssl.SSLContext is shared across
multiple threads (bsc#1226447, CVE-2024-0397).
* Core and Builtins
- gh-116296: Fix possible refleak in object.__reduce__() internal
error handling.
- gh-116034: Fix location of the error on a failed assertion.
- gh-115823: Properly calculate error ranges in the parser when
raising SyntaxError exceptions caused by invalid byte sequences.
Patch by Pablo Galindo
- gh-112087: For an empty reverse iterator for list will be
reduced to reversed(). Patch by Donghee Na.
- gh-115011: Setters for members with an unsigned integer type now
support the same range of valid values for objects that has a
__index__() method as for int.
- gh-96497: Fix incorrect resolution of mangled class variables
used in assignment expressions in comprehensions.
* Library
- gh-117310: Fixed an unlikely early & extra Py_DECREF triggered
crash in ssl when creating a new _ssl._SSLContext if CPython was
built implausibly such that the default cipher list is empty or
the SSL library it was linked against reports a failure from its
C SSL_CTX_set_cipher_list() API.
- gh-117178: Fix regression in lazy loading of self-referential
modules, introduced in gh-114781.
- gh-117084: Fix zipfile extraction for directory entries with the
name containing backslashes on Windows.
- gh-117110: Fix a bug that prevents subclasses of typing.Any to
be instantiated with arguments. Patch by Chris Fu.
- gh-90872: On Windows, subprocess.Popen.wait() no longer calls
WaitForSingleObject() with a negative timeout: pass 0 ms if the
timeout is negative. Patch by Victor Stinner.
- gh-116957: configparser: Dont leave ConfigParser values in an
invalid state (stored as a list instead of a str) after an
earlier read raised DuplicateSectionError or
DuplicateOptionError.
- gh-90095: Ignore empty lines and comments in .pdbrc
- gh-116764: Restore support of None and other false values in
urllib.parse functions parse_qs() and parse_qsl(). Also, they
now raise a TypeError for non-zero integers and non-empty
sequences.
- gh-116811: In PathFinder.invalidate_caches, delegate to
MetadataPathFinder.invalidate_caches.
- gh-116600: Fix repr() for global Flag members.
- gh-116484: Change automatically generated tkinter.Checkbutton
widget names to avoid collisions with automatically generated
tkinter.ttk.Checkbutton widget names within the same parent
widget.
- gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on
opening named pipe.
- gh-116143: Fix a race in pydoc _start_server, eliminating a
window in which _start_server can return a thread that is
“serving” but without a docserver set.
- gh-116325: typing: raise SyntaxError instead of AttributeError
on forward references as empty strings.
- gh-90535: Fix support of interval values > 1 in
logging.TimedRotatingFileHandler for when='MIDNIGHT' and
when='Wx'.
- gh-115978: Disable preadv(), readv(), pwritev(), and writev() on
WASI.
- Under wasmtime for WASI 0.2, these functions dont pass
test_posix
(https://github.com/bytecodealliance/wasmtime/issues/7830).
- gh-88352: Fix the computation of the next rollover time in the
logging.TimedRotatingFileHandler handler. computeRollover() now
always returns a timestamp larger than the specified time and
works correctly during the DST change. doRollover() no longer
overwrite the already rolled over file, saving from data loss
when run at midnight or during repeated time at the DST change.
- gh-87115: Set __main__.__spec__ to None when running a script
with pdb
- gh-76511: Fix UnicodeEncodeError in email.Message.as_string()
that results when a message that claims to be in the ascii
character set actually has non-ascii characters. Non-ascii
characters are now replaced with the U+FFFD replacement
character, like in the replace error handler.
- gh-75988: Fixed unittest.mock.create_autospec() to pass the call
through to the wrapped object to return the real result.
- gh-115881: Fix issue where ast.parse() would incorrectly flag
conditional context managers (such as with (x() if y else z()):
...) as invalid syntax if feature_version=(3, 8) was passed.
This reverts changes to the grammar made as part of gh-94949.
- gh-115886: Fix silent truncation of the name with an embedded
null character in multiprocessing.shared_memory.SharedMemory.
- gh-115809: Improve algorithm for computing which rolled-over log
files to delete in logging.TimedRotatingFileHandler. It is now
reliable for handlers without namer and with arbitrary
deterministic namer that leaves the datetime part in the file
name unmodified.
- gh-74668: urllib.parse functions parse_qs() and parse_qsl() now
support bytes arguments containing raw and percent-encoded
non-ASCII data.
- gh-67044: csv.writer() now always quotes or escapes '\r' and
'\n', regardless of lineterminator value.
- gh-115712: csv.writer() now quotes empty fields if delimiter is
a space and skipinitialspace is true and raises exception if
quoting is not possible.
- gh-115618: Fix improper decreasing the reference count for None
argument in property methods getter(), setter() and deleter().
- gh-115570: A DeprecationWarning is no longer omitted on access
to the __doc__ attributes of the deprecated typing.io and
typing.re pseudo-modules.
- gh-112006: Fix inspect.unwrap() for types with the __wrapper__
data descriptor.
- gh-101293: Support callables with the __call__() method and
types with __new__() and __init__() methods set to class
methods, static methods, bound methods, partial functions, and
other types of methods and descriptors in
inspect.Signature.from_callable().
- gh-115392: Fix a bug in doctest where incorrect line numbers
would be reported for decorated functions.
- gh-114563: Fix several format() bugs when using the C
implementation of Decimal: * memory leak in some rare cases when
using the z format option (coerce negative 0) * incorrect output
when applying the z format option to type F (fixed-point with
capital NAN / INF) * incorrect output when applying the # format
option (alternate form)
- gh-115197: urllib.request no longer resolves the hostname before
checking it against the systems proxy bypass list on macOS and
Windows.
- gh-115198: Fix support of Docutils >= 0.19 in distutils.
- gh-115165: Most exceptions are now ignored when attempting to
set the __orig_class__ attribute on objects returned when
calling typing generic aliases (including generic aliases
created using typing.Annotated). Previously only AttributeError
was ignored. Patch by Dave Shawley.
- gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
- gh-115059: io.BufferedRandom.read1() now flushes the underlying
write buffer.
- gh-79382: Trailing ** no longer allows to match files and
non-existing paths in recursive glob().
- gh-114763: Protect modules loaded with importlib.util.LazyLoader
from race conditions when multiple threads try to access
attributes before the loading is complete.
- gh-97959: Fix rendering class methods, bound methods, method and
function aliases in pydoc. Class methods no longer have “method
of builtins.type instance” note. Corresponding notes are now
added for class and unbound methods. Method and function aliases
now have references to the module or the class where the origin
was defined if it differs from the current. Bound methods are
now listed in the static methods section. Methods of builtin
classes are now supported as well as methods of Python classes.
- gh-112281: Allow creating union of types for typing.Annotated
with unhashable metadata.
- gh-111775: Fix importlib.resources.simple.ResourceHandle.open()
for text mode, added missed stream argument.
- gh-90095: Make .pdbrc and -c work with any valid pdb commands.
- gh-107155: Fix incorrect output of help(x) where x is a lambda
function, which has an __annotations__ dictionary attribute with
a "return" key.
- gh-105866: Fixed _get_slots bug which caused error when defining
dataclasses with slots and a weakref_slot.
- gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
- gh-100985: Update HTTPSConnection to consistently wrap IPv6
Addresses when using a proxy.
- gh-100884: email: fix misfolding of comma in address-lists
over multiple lines in combination with unicode encoding
(bsc#1238450 CVE-2025-1795)
- gh-95782: Fix io.BufferedReader.tell(),
io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
io.BufferedRandom.tell(), io.BufferedRandom.seek() and
_pyio.BufferedRandom.tell() being able to return negative
offsets.
- gh-96310: Fix a traceback in argparse when all options in a
mutually exclusive group are suppressed.
- gh-93205: Fixed a bug in
logging.handlers.TimedRotatingFileHandler where multiple
rotating handler instances pointing to files with the same name
but different extensions would conflict and not delete the
correct files.
- bpo-44865: Add missing call to localization function in
argparse.
- bpo-43952: Fix multiprocessing.connection.Listener.accept() to
accept empty bytes as authkey. Not accepting empty bytes as key
causes it to hang indefinitely.
- bpo-42125: linecache: get module name from __spec__ if
available. This allows getting source code for the __main__
module when a custom loader is used.
- gh-66543: Make mimetypes.guess_type() properly parsing of URLs
with only a host name, URLs containing fragment or query, and
filenames with only a UNC sharepoint on Windows. Based on patch
by Dong-hee Na.
- bpo-33775: Add default and version help text for
localization in argparse.
* Documentation
- gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML
vulnerabilities”.
- gh-115233: Fix an example for LoggerAdapter in the Logging
Cookbook.
* Tests
- gh-83434: Disable JUnit XML output (--junit-xml=FILE command
line option) in regrtest when hunting for reference leaks (-R
option). Patch by Victor Stinner.
- gh-117187: Fix XML tests for vanilla Expat <2.6.0.
- gh-115979: Update test_importlib so that it passes under WASI
SDK 21.
- gh-116307: Added import helper isolated_modules as CleanImport
does not remove modules imported during the context.
- gh-115720: Leak tests (-R, --huntrleaks) now show a summary of
the number of leaks found in each iteration.
- gh-115122: Add --bisect option to regrtest test runner: run
failed tests with test.bisect_cmd to identify failing tests.
Patch by Victor Stinner.
- gh-115596: Fix ProgramPriorityTests in test_os permanently
changing the process priority.
- gh-115198: Fix test_check_metadata_deprecate in distutils tests
with a newer Docutils.
* Build
- gh-116313: Get WASI builds to work under wasmtime 18 w/ WASI
0.2/preview2 primitives.
- gh-115167: Avoid vendoring vcruntime140_threads.dll when
building with Visual Studio 2022 version 17.8.
* Windows
- gh-116773: Fix instances of <_overlapped.Overlapped object at
0xXXX> still has pending operation at deallocation, the process
may crash.
- gh-91227: Fix the asyncio ProactorEventLoop implementation so
that sending a datagram to an address that is not listening does
not prevent receiving any more datagrams.
- gh-115554: The installer now has more strict rules about
updating the Python Launcher for Windows. In general, most users
only have a single launcher installed and will see no
difference. When multiple launchers have been installed, the
option to install the launcher is disabled until all but one
have been removed. Downgrading the launcher (which was never
allowed) is now more obviously blocked.
- gh-115543: Python Launcher for Windows can now detect Python
3.13 when installed from the Microsoft Store, and will install
Python 3.12 by default when PYLAUNCHER_ALLOW_INSTALL is set.
- gh-115009: Update Windows installer to use SQLite 3.45.1.
* IDLE
- gh-88516: On macOS show a proxy icon in the title bar of editor
windows to match platform behaviour.
* Tools/Demos
- gh-113516: Dont set LDSHARED when building for WASI.
* C API
- gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows
64-bit platforms.
-------------------------------------------------------------------
Sun Mar 24 07:51:45 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.
-------------------------------------------------------------------
Fri Mar 22 21:22:27 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@@ -73,7 +543,7 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Remove double definition of /usr/bin/idle%%{version} in
%%files.
%%files.
-------------------------------------------------------------------
Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -240,7 +710,7 @@ Thu Feb 8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
tkinter._test().
- gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now
raises BadZipFile when try to read an entry that overlaps with
other entry or central directory.
other entry or central directory (bsc#1221854, CVE-2024-0450).
- gh-38807: Fix race condition in trace. Instead of checking if a
directory exists and creating it, directly call os.makedirs()
with the kwarg exist_ok=True.
@@ -331,7 +801,8 @@ Thu Feb 8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
METH_FASTCALL | METH_KEYWORDS calling convention. Only the
positional parameter count was checked; any keyword argument
passed would be silently accepted.
- Remove upstreamed patches:
- CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
- Refresh all patches:
- CVE-2023-27043-email-parsing-errors.patch
- F00251-change-user-install-location.patch
@@ -992,12 +1463,12 @@ Wed Sep 6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
-------------------------------------------------------------------
Thu Aug 10 09:33:26 UTC 2023 - Dirk Müller <dmueller@suse.com>
- restrict PEP668 to ALP/Tumbleweed
- restrict PEP668 to ALP/Tumbleweed
-------------------------------------------------------------------
Fri Aug 4 06:37:41 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add externally_managed.in to label this build as PEP-668 managed
- add externally_managed.in to label this build as PEP-668 managed
-------------------------------------------------------------------
Thu Aug 3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -2352,7 +2823,7 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-expat-245.patch:
* Support Expat >= 2.4.5
* Support Expat >= 2.4.5
-------------------------------------------------------------------
Tue Feb 15 23:05:55 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -2542,7 +3013,7 @@ Sat Jun 5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
-------------------------------------------------------------------
Fri Jun 4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>
- allow build with Sphinx >= 3.x
- allow build with Sphinx >= 3.x
-------------------------------------------------------------------
Wed Jun 2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -3094,7 +3565,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>
- Last try before this results in an editwar:
* remove importlib_resources and importlib-metadata
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
@@ -3211,54 +3682,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
- Removed recursion.tar: contained in upstream
- Update to 3.9.0b5:
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
by the fix for bpo-29778 (CVE-2020-15801).
- bpo-41162: Audit hooks are now cleared later during
finalization to avoid missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations
- bpo-29778: Ensure python3.dll is loaded from correct locations
when Python is embedded (CVE-2020-15523).
- bpo-39603: Prevent http header injection by rejecting control
- bpo-39603: Prevent http header injection by rejecting control
characters in http.client.putrequest(…).
- bpo-41295: Resolve a regression in CPython 3.8.4 where defining
“__setattr__” in a multi-inheritance setup and
“__setattr__” in a multi-inheritance setup and
calling up the hierarchy chain could fail if builtins/extension
types were involved in the base types.
- bpo-41247: Always cache the running loop holder when running
- bpo-41247: Always cache the running loop holder when running
asyncio.set_running_loop.
- bpo-41252: Fix incorrect refcounting in
- bpo-41252: Fix incorrect refcounting in
_ssl.cs _servername_callback().
- bpo-41215: Use non-NULL default values in the PEG parser
- bpo-41215: Use non-NULL default values in the PEG parser
keyword list to overcome a bug that was '
preventing Python from being properly compiled when using the
XLC compiler. Patch by Pablo Galindo.
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
aggressively mark list comprehension with CO_COROUTINE. Now only
list comprehension making use of async/await will tagged as so.
- bpo-41175: Guard against a NULL pointer dereference within
- bpo-41175: Guard against a NULL pointer dereference within
bytearrayobject triggered by the bytearray() + bytearray() operation.
- bpo-39960: The “hackcheck” that prevents sneaking around a types
__setattr__() by calling the superclass method was
- bpo-39960: The “hackcheck” that prevents sneaking around a types
__setattr__() by calling the superclass method was
rewritten to allow C implemented heap types.
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
C implementation raises now UnpicklingError instead of crashing.
- bpo-39017: Avoid infinite loop when reading specially crafted
- bpo-39017: Avoid infinite loop when reading specially crafted
TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
- bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
- bpo-41207: In distutils.spawn, restore expectation that
- bpo-41207: In distutils.spawn, restore expectation that
DistutilsExecError is raised when the command is not found.
- bpo-39168: Remove the __new__ method of typing.Generic.
- bpo-41194: Fix a crash in the _ast module: it can no longer be
- bpo-41194: Fix a crash in the _ast module: it can no longer be
loaded more than once. It now uses a global state rather than a module state.
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
null string.
- bpo-41300: Save files with non-ascii chars.
- bpo-41300: Save files with non-ascii chars.
Fix regression released in 3.9.0b4 and 3.8.4.
- bpo-37765: Add keywords to module name completion list.
- bpo-37765: Add keywords to module name completion list.
Rewrite Completions section of IDLE doc.
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
PyType_GetFlags() which hides implementation details.
-------------------------------------------------------------------
@@ -3779,7 +4250,7 @@ Wed Jun 5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
pickling costs between processes
- typed_ast is merged back to CPython
- LOAD_GLOBAL is now 40% faster
- pickle now uses Protocol 4 by default, improving performance
- pickle now uses Protocol 4 by default, improving performance
- Remove patches which were included in the upstream:
- 00251-change-user-install-location.patch
- 00316-mark-bdist_wininst-unsupported.patch
@@ -3924,7 +4395,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com
- Upgrade to 3.7.2rc1:
* bugfix release, for the full list of all changes see
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
- Make run of the test suite more verbose
-------------------------------------------------------------------
@@ -4351,7 +4822,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com
- Add 0001-allow-for-reproducible-builds-of-python-packages.patch
upstream https://github.com/python/cpython/pull/296
upstream https://github.com/python/cpython/pull/296
-------------------------------------------------------------------
Wed Feb 8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -4417,7 +4888,7 @@ Mon Mar 7 20:38:11 UTC 2016 - toddrme2178@gmail.com
- Add Python-3.5.1-fix_lru_cache_copying.patch
Fix copying the lru_cache() wrapper object.
Fixes deep-copying lru_cache regression, which worked on
Fixes deep-copying lru_cache regression, which worked on
previous versions of python but fails on python 3.5.
This fixes a bunch of packages in devel:languages:python3.
See: https://bugs.python.org/issue25447
@@ -4555,7 +5026,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
-------------------------------------------------------------------
Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org
- Only pkgconfig(x11) is required for build, not the whole
- Only pkgconfig(x11) is required for build, not the whole
set of packages provided by xorg-x11-devel metapackage.
-------------------------------------------------------------------
@@ -4615,7 +5086,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
-------------------------------------------------------------------
Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com
- remove blacklisting of test_posix on aarch64: qemu bug is fixed
- remove blacklisting of test_posix on aarch64: qemu bug is fixed
-------------------------------------------------------------------
Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -4718,7 +5189,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
-------------------------------------------------------------------
Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org
- build with -DOPENSSL_LOAD_CONF for the same reasons
- build with -DOPENSSL_LOAD_CONF for the same reasons
described in the python2 package.
-------------------------------------------------------------------
@@ -4730,7 +5201,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
-------------------------------------------------------------------
Thu Aug 8 14:54:49 UTC 2013 - dvaleev@suse.com
- Exclue test_faulthandler from tests on powerpc due to bnc#831629
- Exclue test_faulthandler from tests on powerpc due to bnc#831629
-------------------------------------------------------------------
Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -4789,7 +5260,7 @@ Fri Mar 1 07:42:21 UTC 2013 - dmueller@suse.com
- add ctypes-libffi-aarch64.patch:
* import aarch64 support for libffi in _ctypes module
- add aarch64 to the list of lib64 based archs
- add aarch64 to the list of lib64 based archs
- add movetogetdents64.diff:
* port to getdents64, as SYS_getdents is not implemented everywhere
@@ -4843,9 +5314,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
-------------------------------------------------------------------
Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com
- exclude test_math for SLE 11; math library fails on negative
- exclude test_math for SLE 11; math library fails on negative
gamma function values close to integers and 0, probably
due to imprecision in -lm on SLE_11_SP2.
due to imprecision in -lm on SLE_11_SP2.
-------------------------------------------------------------------
Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -4869,7 +5340,7 @@ Mon Oct 1 08:53:03 UTC 2012 - idonmez@suse.com
-------------------------------------------------------------------
Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com
- Correct dependency for python3-testsuite,
- Correct dependency for python3-testsuite,
python3-tkinter -> python3-tk
-------------------------------------------------------------------
@@ -4902,7 +5373,7 @@ Fri Aug 3 12:09:34 UTC 2012 - jmatejek@suse.com
-------------------------------------------------------------------
Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com
- skip test_io on ppc
- skip test_io on ppc
- drop test_io ppc patch
-------------------------------------------------------------------
@@ -4951,8 +5422,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
-------------------------------------------------------------------
Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com
- Use system ffi, included one is broken see
http://bugs.python.org/issue11729 and
- Use system ffi, included one is broken see
http://bugs.python.org/issue11729 and
http://bugs.python.org/issue12081
-------------------------------------------------------------------