Sync from SUSE:SLFO:1.1 python-Twisted revision 802ba959007571a4690a0d8363c46412

1521_delegate_parseqs_stdlib_bpo42967.patch

@@ -1,19 +1,20 @@
-From 7130df7ee21ebd93d7e15e7c4ef752b759f8e1c3 Mon Sep 17 00:00:00 2001
+From df79d69adea5c819bb104861dccf1bbe25851644 Mon Sep 17 00:00:00 2001
 From: Thomas Grainger <tagrain@gmail.com>
 Date: Sun, 21 Feb 2021 11:54:25 +0000
-Subject: [PATCH] delegate to stdlib parse qs
+Subject: [PATCH 1/2] delegate to stdlib parse qs
 
 ---
- src/twisted/web/http.py                    | 29 +---------------------
+ src/twisted/web/http.py                    |   26 +-------------------------
- src/twisted/web/newsfragments/10096.bugfix |  1 +
+ src/twisted/web/newsfragments/10096.bugfix |    1 +
- 2 files changed, 2 insertions(+), 28 deletions(-)
+ src/twisted/web/server.py                  |    5 ++---
+ 3 files changed, 4 insertions(+), 28 deletions(-)
  create mode 100644 src/twisted/web/newsfragments/10096.bugfix
 
-Index: twisted-24.10.0/src/twisted/web/http.py
+Index: twisted-24.3.0/src/twisted/web/http.py
 ===================================================================
---- twisted-24.10.0.orig/src/twisted/web/http.py
+--- twisted-24.3.0.orig/src/twisted/web/http.py
-+++ twisted-24.10.0/src/twisted/web/http.py
++++ twisted-24.3.0/src/twisted/web/http.py
-@@ -125,6 +125,7 @@ from urllib.parse import (
+@@ -115,6 +115,7 @@ from urllib.parse import (
      ParseResultBytes,
      unquote_to_bytes as unquote,
      urlparse as _urlparse,
@@ -21,7 +22,7 @@ Index: twisted-24.10.0/src/twisted/web/http.py
  )
  
  from zope.interface import Attribute, Interface, implementer, provider
-@@ -371,34 +372,6 @@ def urlparse(url):
+@@ -288,34 +289,6 @@ def urlparse(url):
      return ParseResultBytes(scheme, netloc, path, params, query, fragment)
  
  
@@ -56,9 +57,39 @@ Index: twisted-24.10.0/src/twisted/web/http.py
  def datetimeToString(msSinceEpoch=None):
      """
      Convert seconds since epoch to HTTP datetime string.
-Index: twisted-24.10.0/src/twisted/web/newsfragments/10096.bugfix
+Index: twisted-24.3.0/src/twisted/web/newsfragments/10096.bugfix
 ===================================================================
 --- /dev/null
-+++ twisted-24.10.0/src/twisted/web/newsfragments/10096.bugfix
++++ twisted-24.3.0/src/twisted/web/newsfragments/10096.bugfix
 @@ -0,0 +1 @@
 +delegate to urllib.parse:parse_qs in twisted.web.http:parse_qs to avoid CVE-2021-23336 and the associated CI failures
+Index: twisted-24.3.0/src/twisted/web/server.py
+===================================================================
+--- twisted-24.3.0.orig/src/twisted/web/server.py
++++ twisted-24.3.0/src/twisted/web/server.py
+@@ -21,7 +21,7 @@ import zlib
+ from binascii import hexlify
+ from html import escape
+ from typing import List, Optional
+-from urllib.parse import quote as _quote
++from urllib.parse import quote as _quote, unquote_to_bytes as _unquote_to_bytes
+ 
+ from zope.interface import implementer
+ 
+@@ -37,7 +37,6 @@ from twisted.python.deprecate import dep
+ from twisted.spread.pb import Copyable, ViewPoint
+ from twisted.web import http, iweb, resource, util
+ from twisted.web.error import UnsupportedMethod
+-from twisted.web.http import unquote
+ 
+ NOT_DONE_YET = 1
+ 
+@@ -210,7 +209,7 @@ class Request(Copyable, http.Request, co
+ 
+         # Resource Identification
+         self.prepath = []
+-        self.postpath = list(map(unquote, self.path[1:].split(b"/")))
++        self.postpath = [_unquote_to_bytes(v) for v in self.path[1:].split(b"/")]
+ 
+         # Short-circuit for requests whose path is '*'.
+         if self.path == b"*":

CVE-2024-41671.patch

@@ -0,0 +1,242 @@
+Index: twisted-24.3.0/src/twisted/web/http.py
+===================================================================
+--- twisted-24.3.0.orig/src/twisted/web/http.py
++++ twisted-24.3.0/src/twisted/web/http.py
+@@ -1973,16 +1973,21 @@ class _ChunkedTransferDecoder:
+         @returns: C{False}, as there is either insufficient data to continue,
+             or no data remains.
+         """
+-        if (
+-            self._receivedTrailerHeadersSize + len(self._buffer)
+-            > self._maxTrailerHeadersSize
+-        ):
+-            raise _MalformedChunkedDataError("Trailer headers data is too long.")
+-
+         eolIndex = self._buffer.find(b"\r\n", self._start)
+ 
+         if eolIndex == -1:
+             # Still no end of network line marker found.
++            #
++            # Check if we've run up against the trailer size limit: if the next
++            # read contains the terminating CRLF then we'll have this many bytes
++            # of trailers (including the CRLFs).
++            minTrailerSize = (
++                self._receivedTrailerHeadersSize
++                + len(self._buffer)
++                + (1 if self._buffer.endswith(b"\r") else 2)
++            )
++            if minTrailerSize > self._maxTrailerHeadersSize:
++                raise _MalformedChunkedDataError("Trailer headers data is too long.")
+             # Continue processing more data.
+             return False
+ 
+@@ -1992,6 +1997,8 @@ class _ChunkedTransferDecoder:
+             del self._buffer[0 : eolIndex + 2]
+             self._start = 0
+             self._receivedTrailerHeadersSize += eolIndex + 2
++            if self._receivedTrailerHeadersSize > self._maxTrailerHeadersSize:
++                raise _MalformedChunkedDataError("Trailer headers data is too long.")
+             return True
+ 
+         # eolIndex in this part of code is equal to 0
+@@ -2315,8 +2322,8 @@ class HTTPChannel(basic.LineReceiver, po
+             self.__header = line
+ 
+     def _finishRequestBody(self, data):
+-        self.allContentReceived()
+         self._dataBuffer.append(data)
++        self.allContentReceived()
+ 
+     def _maybeChooseTransferDecoder(self, header, data):
+         """
+Index: twisted-24.3.0/src/twisted/web/newsfragments/12248.bugfix
+===================================================================
+--- /dev/null
++++ twisted-24.3.0/src/twisted/web/newsfragments/12248.bugfix
+@@ -0,0 +1 @@
++The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7)
+Index: twisted-24.3.0/src/twisted/web/test/test_http.py
+===================================================================
+--- twisted-24.3.0.orig/src/twisted/web/test/test_http.py
++++ twisted-24.3.0/src/twisted/web/test/test_http.py
+@@ -135,7 +135,7 @@ class DummyHTTPHandler(http.Request):
+         data = self.content.read()
+         length = self.getHeader(b"content-length")
+         if length is None:
+-            length = networkString(str(length))
++            length = str(length).encode()
+         request = b"'''\n" + length + b"\n" + data + b"'''\n"
+         self.setResponseCode(200)
+         self.setHeader(b"Request", self.uri)
+@@ -563,17 +563,23 @@ class HTTP0_9Tests(HTTP1_0Tests):
+ 
+ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+     """
+-    Tests that multiple pipelined requests with bodies are correctly buffered.
++    Pipelined requests get buffered and executed in the order received,
++    not processed in parallel.
+     """
+ 
+     requests = (
+         b"POST / HTTP/1.1\r\n"
+         b"Content-Length: 10\r\n"
+         b"\r\n"
+-        b"0123456789POST / HTTP/1.1\r\n"
+-        b"Content-Length: 10\r\n"
+-        b"\r\n"
+         b"0123456789"
++        # Chunk encoded request.
++        b"POST / HTTP/1.1\r\n"
++        b"Transfer-Encoding: chunked\r\n"
++        b"\r\n"
++        b"a\r\n"
++        b"0123456789\r\n"
++        b"0\r\n"
++        b"\r\n"
+     )
+ 
+     expectedResponses = [
+@@ -590,14 +596,16 @@ class PipeliningBodyTests(unittest.TestC
+             b"Request: /",
+             b"Command: POST",
+             b"Version: HTTP/1.1",
+-            b"Content-Length: 21",
+-            b"'''\n10\n0123456789'''\n",
++            b"Content-Length: 23",
++            b"'''\nNone\n0123456789'''\n",
+         ),
+     ]
+ 
+-    def test_noPipelining(self):
++    def test_stepwiseTinyTube(self):
+         """
+-        Test that pipelined requests get buffered, not processed in parallel.
++        Imitate a slow connection that delivers one byte at a time.
++        The request handler (L{DelayedHTTPHandler}) is puppeted to
++        step through the handling of each request.
+         """
+         b = StringTransport()
+         a = http.HTTPChannel()
+@@ -606,10 +614,9 @@ class PipeliningBodyTests(unittest.TestC
+         # one byte at a time, to stress it.
+         for byte in iterbytes(self.requests):
+             a.dataReceived(byte)
+-        value = b.value()
+ 
+         # So far only one request should have been dispatched.
+-        self.assertEqual(value, b"")
++        self.assertEqual(b.value(), b"")
+         self.assertEqual(1, len(a.requests))
+ 
+         # Now, process each request one at a time.
+@@ -618,8 +625,95 @@ class PipeliningBodyTests(unittest.TestC
+             request = a.requests[0].original
+             request.delayedProcess()
+ 
+-        value = b.value()
+-        self.assertResponseEquals(value, self.expectedResponses)
++        self.assertResponseEquals(b.value(), self.expectedResponses)
++
++    def test_stepwiseDumpTruck(self):
++        """
++        Imitate a fast connection where several pipelined
++        requests arrive in a single read. The request handler
++        (L{DelayedHTTPHandler}) is puppeted to step through the
++        handling of each request.
++        """
++        b = StringTransport()
++        a = http.HTTPChannel()
++        a.requestFactory = DelayedHTTPHandlerProxy
++        a.makeConnection(b)
++
++        a.dataReceived(self.requests)
++
++        # So far only one request should have been dispatched.
++        self.assertEqual(b.value(), b"")
++        self.assertEqual(1, len(a.requests))
++
++        # Now, process each request one at a time.
++        while a.requests:
++            self.assertEqual(1, len(a.requests))
++            request = a.requests[0].original
++            request.delayedProcess()
++
++        self.assertResponseEquals(b.value(), self.expectedResponses)
++
++    def test_immediateTinyTube(self):
++        """
++        Imitate a slow connection that delivers one byte at a time.
++
++        (L{DummyHTTPHandler}) immediately responds, but no more
++        than one
++        """
++        b = StringTransport()
++        a = http.HTTPChannel()
++        a.requestFactory = DummyHTTPHandlerProxy  # "sync"
++        a.makeConnection(b)
++
++        # one byte at a time, to stress it.
++        for byte in iterbytes(self.requests):
++            a.dataReceived(byte)
++            # There is never more than one request dispatched at a time:
++            self.assertLessEqual(len(a.requests), 1)
++
++        self.assertResponseEquals(b.value(), self.expectedResponses)
++
++    def test_immediateDumpTruck(self):
++        """
++        Imitate a fast connection where several pipelined
++        requests arrive in a single read. The request handler
++        (L{DummyHTTPHandler}) immediately responds.
++
++        This doesn't check the at-most-one pending request
++        invariant but exercises otherwise uncovered code paths.
++        See GHSA-c8m8-j448-xjx7.
++        """
++        b = StringTransport()
++        a = http.HTTPChannel()
++        a.requestFactory = DummyHTTPHandlerProxy
++        a.makeConnection(b)
++
++        # All bytes at once to ensure there's stuff to buffer.
++        a.dataReceived(self.requests)
++
++        self.assertResponseEquals(b.value(), self.expectedResponses)
++
++    def test_immediateABiggerTruck(self):
++        """
++        Imitate a fast connection where a so many pipelined
++        requests arrive in a single read that backpressure is indicated.
++        The request handler (L{DummyHTTPHandler}) immediately responds.
++
++        This doesn't check the at-most-one pending request
++        invariant but exercises otherwise uncovered code paths.
++        See GHSA-c8m8-j448-xjx7.
++
++        @see: L{http.HTTPChannel._optimisticEagerReadSize}
++        """
++        b = StringTransport()
++        a = http.HTTPChannel()
++        a.requestFactory = DummyHTTPHandlerProxy
++        a.makeConnection(b)
++
++        overLimitCount = a._optimisticEagerReadSize // len(self.requests) * 10
++        a.dataReceived(self.requests * overLimitCount)
++
++        self.assertResponseEquals(b.value(), self.expectedResponses * overLimitCount)
+ 
+     def test_pipeliningReadLimit(self):
+         """
+@@ -1522,7 +1616,11 @@ class ChunkedTransferEncodingTests(unitt
+             lambda b: None,  # pragma: nocov
+         )
+         p._maxTrailerHeadersSize = 10
+-        p.dataReceived(b"3\r\nabc\r\n0\r\n0123456789")
++        # 9 bytes are received so far, in 2 packets.
++        # For now, all is ok.
++        p.dataReceived(b"3\r\nabc\r\n0\r\n01234567")
++        p.dataReceived(b"\r")
++        # Once the 10th byte is received, the processing fails.
+         self.assertRaises(
+             http._MalformedChunkedDataError,
+             p.dataReceived,

CVE-2024-41810.patch

@@ -0,0 +1,83 @@
+Index: twisted-24.3.0/src/twisted/web/_template_util.py
+===================================================================
+--- twisted-24.3.0.orig/src/twisted/web/_template_util.py
++++ twisted-24.3.0/src/twisted/web/_template_util.py
+@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IReq
+     </body>
+ </html>
+ """ % {
+-        b"url": URL
++        b"url": escape(URL.decode("utf-8")).encode("utf-8")
+     }
+     return content
+ 
+Index: twisted-24.3.0/src/twisted/web/newsfragments/12263.bugfix
+===================================================================
+--- /dev/null
++++ twisted-24.3.0/src/twisted/web/newsfragments/12263.bugfix
+@@ -0,0 +1 @@
++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
+\ No newline at end of file
+Index: twisted-24.3.0/src/twisted/web/newsfragments/9839.bugfix
+===================================================================
+--- /dev/null
++++ twisted-24.3.0/src/twisted/web/newsfragments/9839.bugfix
+@@ -0,0 +1 @@
++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
+Index: twisted-24.3.0/src/twisted/web/test/test_util.py
+===================================================================
+--- twisted-24.3.0.orig/src/twisted/web/test/test_util.py
++++ twisted-24.3.0/src/twisted/web/test/test_util.py
+@@ -5,7 +5,6 @@
+ Tests for L{twisted.web.util}.
+ """
+ 
+-
+ import gc
+ 
+ from twisted.internet import defer
+@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
+         targetURL = "http://target.example.com/4321"
+         self.assertRaises(TypeError, redirectTo, targetURL, request)
+ 
++    def test_legitimateRedirect(self):
++        """
++        Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
++        """
++        request = DummyRequest([b""])
++        html = redirectTo(b"https://twisted.org/", request)
++        expected = b"""
++<html>
++    <head>
++        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
++    </head>
++    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
++    <a href=\"https://twisted.org/\">click here</a>
++    </body>
++</html>
++"""
++        self.assertEqual(html, expected)
++
++    def test_maliciousRedirect(self):
++        """
++        Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
++        """
++        request = DummyRequest([b""])
++        html = redirectTo(
++            b'https://twisted.org/"><script>alert(document.location)</script>', request
++        )
++        expected = b"""
++<html>
++    <head>
++        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
++    </head>
++    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
++    <a href=\"https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
++    </body>
++</html>
++"""
++        self.assertEqual(html, expected)
++
+ 
+ class ParentRedirectTests(SynchronousTestCase):
+     """

no-cython_test_exception_raiser.patch

@@ -1,9 +1,13 @@
-diff --git a/src/twisted/test/test_failure.py b/src/twisted/test/test_failure.py
+---
-index a9e920c10e..de9c499972 100644
+ src/twisted/test/test_failure.py |    3 ++-
---- a/src/twisted/test/test_failure.py
+ 1 file changed, 2 insertions(+), 1 deletion(-)
-+++ b/src/twisted/test/test_failure.py
+
-@@ -19,7 +19,8 @@ from types import TracebackType
+Index: twisted-24.3.0/src/twisted/test/test_failure.py
- from typing import Any, Generator, cast
+===================================================================
+--- twisted-24.3.0.orig/src/twisted/test/test_failure.py
++++ twisted-24.3.0/src/twisted/test/test_failure.py
+@@ -18,7 +18,8 @@ from types import TracebackType
+ from typing import Any, Generator
  from unittest import skipIf
  
 -from cython_test_exception_raiser import raiser

no-test_successResultOfWithFailureHasTraceback.patch

@@ -2,10 +2,10 @@
  src/twisted/conch/test/test_keys.py |    3 +++
  1 file changed, 3 insertions(+)
 
-Index: twisted-24.10.0/src/twisted/conch/test/test_keys.py
+Index: twisted-24.3.0/src/twisted/conch/test/test_keys.py
 ===================================================================
---- twisted-24.10.0.orig/src/twisted/conch/test/test_keys.py
+--- twisted-24.3.0.orig/src/twisted/conch/test/test_keys.py
-+++ twisted-24.10.0/src/twisted/conch/test/test_keys.py
++++ twisted-24.3.0/src/twisted/conch/test/test_keys.py
 @@ -15,6 +15,7 @@ from twisted.python import randbytes
  from twisted.python.filepath import FilePath
  from twisted.python.reflect import requireModule
@@ -14,9 +14,9 @@ Index: twisted-24.10.0/src/twisted/conch/test/test_keys.py
  
  cryptography = requireModule("cryptography")
  if cryptography is None:
-@@ -278,6 +279,8 @@ class KeyTests(unittest.TestCase):
+@@ -250,6 +251,8 @@ class KeyTests(unittest.TestCase):
-         publicKey = keys.Key.fromString(public)
+         for k, v in data.items():
-         self.assertTrue(publicKey._sk)
+             self.assertEqual(privateKey.data()[k], v)
  
 +    @pyunit.skip('Upstream ticket https://twistedmatrix.com/trac/ticket/9665' +
 +                 ' has still not been resolved.')

python-Twisted.changes

@@ -1,161 +1,3 @@
--------------------------------------------------------------------
-Tue Oct 29 18:00:39 UTC 2024 - Dirk Müller <dmueller@suse.com>
-
-- update to 24.10.0:
-  * Python 3.13 is now supported.
-  * twisted.internet.defer.succeed() is significantly faster, and
-    awaiting Deferred has also been sped up.
-  * twisted.python.failure.Failure creation no longer records the
-    place where it was created. This reduces creation time by 60%
-    at least, thereby speeding up Deferred error handling.
-  * twisted.internet.defer.Deferred no longer removes the
-    traceback object from Failures. This may result in more
-    objects staying in memory if you don't clean up failed
-    Deferreds, but it speeds up error handling and enables
-    improvements to traceback reporting.
-  * twisted.internet.defer APIs are 2%-4% faster in many cases.
-  * twisted.internet.defer.Deferred runs callbacks with chained
-    Deferreds a little faster.
-  * The reactor now will use a little less CPU when events have
-    been scheduled with callLater().
-  * Creation of twisted.python.failure.Failure is now faster.
-  * Fixed unreleased regression caused by PR 12109.
-  * twisted.logger.eventAsText can now format the output having
-    types/classes as input. This was a regression introduced in
-    Twisted 24.3.0.
-  * twisted.internet.endpoints.clientFromString for TLS endpoints
-    with "bindAddress="  no longer crashes during connect.
-    twisted.internet.endpoints.HostnameEndpoint() no longer
-    crashes when given a bindAddress= argument that is just a
-    string, and that argument now accepts either address strings
-    or (address, port) tuples.
-  * The URLs from README and pyproject.toml were updated.
-  * #11236, #12060, #12062, #12099, #12219, #12290, #12296,
-    #12305, #12329, #12331, #12339
-  * twisted.conch.ssh.keys.Key can now load public blob keys of
-    type sk-ssh-ed25519@openssh.com and sk-ecdsa-
-    sha2-nistp256@openssh.com.
-  * twisted.conch tests no longer rely on OpenSSH supporting DSA
-    keys, fixing compatibility with OpenSSH >= 9.8.
-  * twisted.conch.ssh.SSHCiphers no longer supports the
-    cast128-ctr, cast128-cbc, blowfish-ctr, and blowfish-cbc
-    ciphers. The Blowfish and CAST5 ciphers were removed as they
-    were deprecated by the Python cryptography library.
-  * #12313
-  * The twisted.web HTTP server and client now reject HTTP header
-    names containing whitespace or other invalid characters by
-    raising twisted.web.http_headers.InvalidHeaderName, improving
-    compliance with RFC 9110. As a side effect, the server is
-    slightly faster.
-  * twisted.web.client and twisted.web.server now disable the
-    Nagle algorithm (enable TCP_NODELAY), reducing the latency of
-    small HTTP queries.
-  * twisted.web.server is 1-2% faster in some cases.
-  * twisted.web's HTTP/1.1 server now rejects header values
-    containing a NUL byte with a 400 error, in compliance with
-    RFC 9110.
-  * twisted.internet.address no longer raises DeprecationWarning
-    when used with attrs>=24.1.0.
-  * twisted.web's HTTP/1.1 server now accepts '&' within tokens
-    (methods, header field names, etc.), in compliance with RFC
-    9110.
-  * #9743, #12276
-  * Trial's -j flag now accepts an auto keyword to spawn a number
-    of workers based on the available CPUs.
-- drop 12313-fix-test_manhole.patch: upstream
-
--------------------------------------------------------------------
-Wed Sep 25 06:38:11 UTC 2024 - Markéta Machová <mmachova@suse.com>
-
-- Add upstream patch 12313-fix-test_manhole.patch to fix test failure
-  with latest python312
-
--------------------------------------------------------------------
-Mon Sep  9 14:23:03 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
-- Update to 24.7.0
-  * 24.7.0.rc2 fixed an unreleased regression caused by PR 12109. (#12279)
-  * twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback
-    response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). (#9839)
-  * The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined
-    HTTP requests out-of-order, possibly resulting in information disclosure
-    (CVE-2024-41671/GHSA-c8m8-j448-xjx7) (#12248)
-  * twisted.protocols.ftp now supports the IPv6 extensions defined in RFC 2428. (#9645)
-  * twisted.internet.defer.inlineCallbacks can now yield a coroutine. (#9972)
-  * twisted.python._shellcomp.ZshArgumentsGenerator was updated for Python 3.13. (#12065)
-  * twisted.web.wsgi request environment now contains the peer port number as `REMOTE_PORT`. (#12096)
-  * twisted.internet.defer.Deferred.callback() and twisted.internet.defer.Deferred.addCallbacks()
-    no longer use `assert` to check the type of the arguments. You should now use type checking
-    to validate your code. These changes were done to reduce the CPU usage. (#12122)
-  * Added two new methods, twisted.logger.Logger.failuresHandled and twisted.logger.Logger.\
-    failureHandler, which allow for more concise and convenient handling of exceptions when
-    dispatching out to application code.  The former can arbitrarily customize failure handling
-    at the call site, and the latter can be used for performance-sensitive cases where no
-    additional information needs to be logged. (#12188)
-  * twisted.internet.defer.Deferred.addCallback now runs about 10% faster. (#12223)
-  * twisted.internet.defer.Deferred error handling is now faster, taking 40% less time to run. (#12227)
-  * twisted.internet.ssl.Certificate.__repr__ can now handle certificates without
-    a common name (CN) in the certificate itself or the signing CA. (#5851)
-  * Type annotations have been added to twisted.conch.interfaces.IKnownHostEntry
-    and its implementations, twisted.conch.client.knownhosts.PlainHost and
-    twisted.conch.client.knownhosts.HashedHost, correcting a variety of
-    type confusion issues throughout the conch client code. (#9713)
-  * twisted.python.failure.Failure once again utilizes the custom
-    pickling logic it used to in the past. (#12112)
-  * twisted.conch.client.knownhosts.KnownHostsFile.verifyHostKey no longer logs
-    an exception when automatically adding an IP address host key, which means
-    the interactive `conch` command-line no longer will either. (#12141)
-  * The IRC server example found in the documentation was updated for readability. (#12097)
-  * Remove contextvars from list of optional dependencies. (#12128)
-  * The documentation for installing Twisted was moved into a single page. (#12145)
-  * The project's compatibility policy now clearly indicates that the GitHub Actions
-    test matrix defines the supported platforms. (#12167)
-  * Updated imap4client.py example, it no longer references Python 2. (#12252)
-  * twisted.internet.defer.returnValue has been deprecated. You can replace
-    it with the standard `return` statement. (#9930)
-  * The `twisted-iocpsupport` is no longer a hard dependency on Windows.
-  * The IOCP support is now installed together with the other Windows soft
-  * dependencies via `twisted[windows-platform]`. (#11893)
-  * twisted.python.deprecate helper function will now always strip whitespaces from the docstrings.
-  * This is done to have the same behaviour as with Python 3.13. (#12063)
-  * twisted.conch.manhole.ManholeInterpreter.write, twisted.conch.manhole.ManholeInterpreter.
-    addOutput, twisted.mail.imap4.IMAP4Server.sendUntaggedResponse `async` argument,
-    deprecated since 18.9.0, has been removed. (#12130)
-  * twisted.web.soap was removed.
-  * The SOAP support was already broken, for at least the last 4 years.
-  * The SOAP support in Twisted has no active maintainer. (#12146)
-  * Fix #11744, #11771, #12113, #12154, #12169, #12179, #12193, #12195,
-    #12197, #12215, #12221, #12243, #12249, #12254, #12259, #12669
-  * twisted.conch.insults.window.Widget.functionKeyReceived now dispatches
-    functional key events to corresponding `func_KEYNAME` methods, where `KEYNAME` can be `F1`, `F2`,
-    `HOME`, `UP_ARROW` etc. This is a regression introduced with #8214 in Twisted 16.5.0, where events
-    changed from `const` objects to bytestrings in square brackets like `[F1]`. (#12046)
-  * twisted.web.agent.Agent now allows duplicate Content-Length headers having the same value, per RFC
-    9110 section 8.6. It is otherwise more strict when parsing Content-Length header values. (#9064)
-  * twisted.web.client.HTTPConnectionPool used by HTTP clients now runs faster by using a little less CPU. (#12108)
-  * twisted.web.http_headers now uses less CPU, making a small HTTP client request 10% faster or so. (#12116)
-  * twisted.web's HTTP/1.1 server now runs a little faster, with about 10% lower CPU overhead. (#12133)
-  * twisted.web's HTTP 1.1 server is an additional 5% faster. (#12155)
-  * twisted.web.http.IM_A_TEAPOT was added and returns `I'm a teapot`
-  * as default message for the status code 418,
-  * as defined in RFC 2324 section 2.3.2. (#12104)
-  * The HTTP 1.0/1.1 server provided by twisted.web is now more picky about the first line of a request,
-    improving compliance with RFC 9112. (#12233)
-  * The HTTP 1.0/1.1 server provided by twisted.web now constraints the character set of HTTP header names,
-    improving compliance with RFC 9110. (#12235)
-  * Fix ReverseProxyResource example in developer guide. (#12152)
-  * twisted.web.util.ChildRedirector, which has never worked on Python 3, has been removed. (#9591)
-  * ``twisted.web.http.Request.setResponseCode()`` no longer validates the types of inputs;
-    we encourage you to use a type checker like mypy to catch these sort of errors. The
-    long-deprecated ``twisted.web.server.string_date_time()`` and ``twisted.web.server.date_time_string()``
-    APIs were removed altogether. (#12133)
-  * twisted.web.http.HTTPClient is now deprecated in favor of twisted.web.client.Agent (#12158)
-  * Fix #12098, #12194, #12200, #12241, #12257
-- Drop CVE-2024-41671.patch, merged upstream
-- Drop CVE-2024-41810.patch, merged upstream
-- Refresh 1521_delegate_parseqs_stdlib_bpo42967.patch
-- Refresh no-cython_test_exception_raiser.patch
-
 -------------------------------------------------------------------
 Wed Jul 31 06:07:19 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 

python-Twisted.spec

@@ -27,7 +27,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-Twisted%{psuffix}
-Version:        24.10.0
+Version:        24.3.0
 Release:        0
 Summary:        An asynchronous networking framework written in Python
 License:        MIT
@@ -45,9 +45,13 @@ Patch3:         1521_delegate_parseqs_stdlib_bpo42967.patch
 Patch5:         no-cython_test_exception_raiser.patch
 # PATCH-FIX-OPENSUSE remove-dependency-version-upper-bounds.patch boo#1190036 -- run with h2 >= 4.0.0 and priority >= 2.0
 Patch6:         remove-dependency-version-upper-bounds.patch
+# PATCH-FIX-UPSTREAM CVE-2024-41671.patch gh#twisted/twisted@4a930de12fb6
+Patch7:         CVE-2024-41671.patch
+# PATCH-FIX-UPSTREAM CVE-2024-41810.patch gh#twisted/twisted@046a164f89a0
+Patch8:         CVE-2024-41810.patch
 BuildRequires:  %{python_module hatch-fancy-pypi-readme}
 BuildRequires:  %{python_module hatchling}
-BuildRequires:  %{python_module incremental >= 24.7.0}
+BuildRequires:  %{python_module incremental >= 21.3.0}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -61,7 +65,7 @@ Requires:       python-Automat >= 0.8.0
 Requires:       python-attrs >= 19.2.0
 Requires:       python-constantly >= 15.1
 Requires:       python-hyperlink >= 17.1.1
-Requires:       python-incremental >= 24.7.0
+Requires:       python-incremental >= 21.3.0
 Requires:       python-typing_extensions >= 3.6.5
 Requires:       python-zope.interface >= 4.4.2
 # /SECTION
@@ -70,10 +74,9 @@ Requires:       python-Twisted-tls = %{version}
 %if %{with test}
 BuildRequires:  %{python_module Twisted-all_non_platform = %{version}}
 BuildRequires:  %{python_module Twisted-conch_nacl = %{version}}
-BuildRequires:  %{python_module httpx}
-BuildRequires:  %{python_module hypothesis}
 # declared nowhere but required to pass 8 tests with timezone checks
 BuildRequires:  %{python_module pytz}
+BuildRequires:  %{python_module hypothesis}
 %endif
 BuildArch:      noarch
 %python_subpackages

remove-dependency-version-upper-bounds.patch

@@ -1,14 +1,14 @@
-Index: twisted-24.10.0/pyproject.toml
+Index: twisted-23.10.0/pyproject.toml
 ===================================================================
---- twisted-24.10.0.orig/pyproject.toml
+--- twisted-23.10.0.orig/pyproject.toml
-+++ twisted-24.10.0/pyproject.toml
++++ twisted-23.10.0/pyproject.toml
-@@ -97,8 +97,8 @@ serial = [
+@@ -95,8 +95,8 @@ serial = [
  ]
  
  http2 = [
--    "h2 >= 3.2, < 5.0",
+-    "h2 >= 3.0, < 5.0",
 -    "priority >= 1.1.0, < 2.0",
-+    "h2 >= 3.2",
++    "h2 >= 3.0",
 +    "priority >= 1.1.0",
  ]