- Update to 3.11.3:

- Security
    - gh-101727: Updated the OpenSSL version used in Windows
      and macOS binary release builds to 1.1.1t to address
      CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the
      OpenSSL 2023-02-07 security advisory.
    - gh-101283: subprocess.Popen now uses a safer approach to
      find cmd.exe when launching with shell=True. Patch by Eryk
      Sun, based on a patch by Oleg Iarygin.
  - Core and Builtins
    - gh-101975: Fixed stacktop value on tracing entries to avoid
      corruption on garbage collection.
    - gh-102701: Fix overflow when creating very large dict.
    - gh-102416: Do not memoize incorrectly automatically
      generated loop rules in the parser. Patch by Pablo Galindo.
    - gh-102356: Fix a bug that caused a crash when deallocating
      deeply nested filter objects. Patch by Marta Gómez Macías.
    - gh-102397: Fix segfault from race condition in signal
      handling during garbage collection. Patch by Kumar Aditya.
    - gh-102281: Fix potential nullptr dereference and use of
      uninitialized memory in fileutils. Patch by Max Bachmann.
    - gh-102126: Fix deadlock at shutdown when clearing thread
      states if any finalizer tries to acquire the runtime head
      lock. Patch by Kumar Aditya.
    - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal
      module. Patch by Max Bachmann.
    - gh-101967: Fix possible segfault in
      positional_only_passed_as_keyword function, when new list
      created.
    - gh-101765: Fix SystemError / segmentation fault in iter

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=57

Python-3.11.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:29e4b8f5f1658542a8c13e2dd277358c9c48f2b2f7318652ef1675e402b9d2af
-size 19893284

Python-3.11.2.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiV84ACgkQ/+h0BBaL
-2EeZ1xAAwBi0AEjUlZ9oeC54VuqC/XLuVwc3xWf+Irw/5mJA2/weJHoQqG9aEDkB
-ph1pDJ6G/vDyKdjh8NZKkKftIL9pggRpAcA4mQ3XcDMKI/J+EQe5P/BwsTGClLhK
-cZg6IcQKZvo9djfyRz48w9wfKs34NasBgoFQP+hOzmU10UMrcR7gUSB2ZgMVMDID
-0rK1w2aPmZmDLUltBhf6Xb2voUYo+3jINLHWmQC6tdDOBxtxv222dhxS1mvpV7Zu
-Xw8do9OsQxonc+owkpciMKDLcFoVmkdQPz9bmvHJKovMXT2RY7FEam9H7ukr35fC
-xA6BKnyMgvWIWQVTwjBhcz3C85adzAz/ypHNTbJOuPxp1ZP8qO3D6vPlhZIFyTeJ
-7LhagUBUkIKKtbz7u3ERJgvA6tn3UVyLOXM1DnaKkXQ1FgSymgWPRU7BsxanQ8FD
-QkfTjC8fatZLCewNfGInkeAdLue+rMwZc8Q6vw2CAmcVdOKsQ98Db/FLF5sC+Kjz
-D3brUESEX1ELcVk7vumUI0/z+MECF11dpv5hPOZ4cZDoInsNu846TfU0rzOeVe7H
-gGO6Ae/Lu5gG09TNqepbFGA/dWR8V3zdLs5ZShTT4FsNFrHh7GDAEAMZSwT3AsVZ
-TjOdU3+xEGsEfrYWRXOkhVIQdJtuovwv9+me5YWeyC4Puzp0Zwk=
-=8/cW
------END PGP SIGNATURE-----

Python-3.11.3.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a5db99c961a7ecf27c75956189c9602c968751f11dbeae2b900dbff1c085b5e
+size 19906156

Python-3.11.3.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmQsppwACgkQ/+h0BBaL
+2Ee3kg//ewFzE4twuLz2MKoki+7xKz5VzTm2fvCtymAtqVq8Tk3oTvRrc9llHIQn
++QU6Cjiu38igRgQ4O0/i6909U3N1tmqXsSHtuGIB5mEOqwK9LESTPJG+wK4nULg5
+fLH+FgBAJ4HSI3WIMt8jn98LJ8lsfFrH1sdv9ijcDN9VdekY8vXOOaWbAWg2vpYb
+vXTtajHXA1KLZR1GvhDel3G6qPhxOjud/gwVJgzHcxA/mpDjT5DTiqS5rVMsJQq0
+R/LCtsqM4NVjurWwe5jEOi/Fv60qTN7ekuIdziC3IB50WjkwXltKB90l9heihnZo
+oGAe2T9Kv74Pr1kWhkstURwFGP6hRrZHNfvZXYgcJdN2SxsS9VNkt2JQ9aKevPo3
+t1ZgmB5WGsWAWgny7pm+qLfKy5mkdaal/BB7iLTh5/u3b6tlO2C7wNpGRLS1OBrN
+kr/SMS0uyVXcZfcjMTs9e/7YU/ArAvu5nwbFqDrFLHe1SHqTq1PXkeVxbxf1c6KW
+TZyOivQA7pcbPyqrbm+tuL2qbAjfOtDo771i9AG2vjgsblxTQvBxXc7buv5/JoCl
+4jKuDYHuteiVsuJFeC2Gs67hcM0qjEzbB7mFSJLPDZU3gMMGQxMn/ZWrI/laD5hB
+biXtLQJt/Z+3f1ROWiFgjZvdaWYjT26BWaBkIMrv65NG//M7wfo=
+=SzVA
+-----END PGP SIGNATURE-----

fix_configure_rst.patch

@@ -13,7 +13,7 @@
  .. cmdoption:: --with-cxx-main=COMPILER
  
     Compile the Python ``main()`` function and link Python executable with C++
-@@ -511,13 +510,11 @@ macOS Options
+@@ -527,13 +526,11 @@ macOS Options
  
  See ``Mac/README.rst``.
  
@@ -29,7 +29,7 @@
     Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -7621,7 +7621,7 @@ C API
+@@ -7809,7 +7809,7 @@ C API
  - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
  
  - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name

python311.changes

@@ -1,3 +1,120 @@
+-------------------------------------------------------------------
+Thu Apr 27 21:57:15 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Update to 3.11.3:
+  - Security
+    - gh-101727: Updated the OpenSSL version used in Windows
+      and macOS binary release builds to 1.1.1t to address
+      CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the
+      OpenSSL 2023-02-07 security advisory.
+    - gh-101283: subprocess.Popen now uses a safer approach to
+      find cmd.exe when launching with shell=True. Patch by Eryk
+      Sun, based on a patch by Oleg Iarygin.
+  - Core and Builtins
+    - gh-101975: Fixed stacktop value on tracing entries to avoid
+      corruption on garbage collection.
+    - gh-102701: Fix overflow when creating very large dict.
+    - gh-102416: Do not memoize incorrectly automatically
+      generated loop rules in the parser. Patch by Pablo Galindo.
+    - gh-102356: Fix a bug that caused a crash when deallocating
+      deeply nested filter objects. Patch by Marta Gómez Macías.
+    - gh-102397: Fix segfault from race condition in signal
+      handling during garbage collection. Patch by Kumar Aditya.
+    - gh-102281: Fix potential nullptr dereference and use of
+      uninitialized memory in fileutils. Patch by Max Bachmann.
+    - gh-102126: Fix deadlock at shutdown when clearing thread
+      states if any finalizer tries to acquire the runtime head
+      lock. Patch by Kumar Aditya.
+    - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal
+      module. Patch by Max Bachmann.
+    - gh-101967: Fix possible segfault in
+      positional_only_passed_as_keyword function, when new list
+      created.
+    - gh-101765: Fix SystemError / segmentation fault in iter
+      __reduce__ when internal access of builtins.__dict__ keys
+      mutates the iter object.
+    - gh-101696: Invalidate type version tag in
+      _PyStaticType_Dealloc for static types, avoiding bug where
+      a false cache hit could crash the interpreter. Patch by
+      Kumar Aditya.
+  - Library
+    - gh-102549: Don’t ignore exceptions in member type creation.
+    - gh-102947: Improve traceback when dataclasses.fields() is
+      called on a non-dataclass. Patch by Alex Waygood
+    - gh-102780: The asyncio.Timeout context manager now
+      works reliably even when performing cleanup due to task
+      cancellation. Previously it could raise a CancelledError
+      instead of an TimeoutError in such cases.
+    - gh-88965: typing: Fix a bug relating to substitution in   .
+    Pacustom classes generic over a ParamSpec. Previously, if   .
+    Pathe ParamSpec was substituted with a parameters list that .
+    Paitself contained a TypeVar, the TypeVar in the parameters .
+    Palist could not be subsequently substituted. This is now   .
+    Pafixed tch by Nikita Sobolev                               .
+    - gh-101979: Fix a bug where parentheses in the metavar
+      argument to argparse.ArgumentParser.add_argument() were
+      dropped. Patch by Yeojin Kim.
+    - gh-102179: Fix os.dup2() error message for negative fds.
+    - gh-101961: For the binary mode, fileinput.hookcompressed()
+      doesn’t set the encoding value even if the value is
+      None. Patch by Gihwan Kim.
+    - gh-101936: The default value of fp becomes io.BytesIO
+      if HTTPError is initialized without a designated fp
+      parameter. Patch by Long Vo.
+    - gh-102069: Fix __weakref__ descriptor generation for custom
+      dataclasses.
+    - gh-101566: In zipfile, apply fix for extractall on the
+      underlying zipfile after being wrapped in Path.
+    - gh-101892: Callable iterators no longer raise SystemError
+      when the callable object exhausts the iterator but forgets
+      to either return a sentinel value or raise StopIteration.
+    - gh-97786: Fix potential undefined behaviour in corner cases
+      of floating-point-to-time conversions.
+    - gh-101517: Fixed bug where bdb looks up the source line
+      with linecache with a lineno=None, which causes it to fail
+      with an unhandled exception.
+    - gh-101673: Fix a pdb bug where ll clears the changes to
+      local variables.
+    - gh-96931: Fix incorrect results from
+      ssl.SSLSocket.shared_ciphers()
+    - gh-88233: Correctly preserve “extra” fields in zipfile
+      regardless of their ordering relative to a zip64 “extra.”
+    - gh-96127: inspect.signature was raising TypeError on
+      call with mock objects. Now it correctly returns (*args,
+      **kwargs) as infered signature.
+    - gh-95495: When built against OpenSSL 3.0, the ssl module
+      had a bug where it reported unauthenticated EOFs (i.e.
+      without close_notify) as a clean TLS-level EOF. It now
+      raises SSLEOFError, matching the behavior in previous
+      versions of OpenSSL. The options attribute on SSLContext
+      also no longer includes OP_IGNORE_UNEXPECTED_EOF by
+      default. This option may be set to specify the previous
+      OpenSSL 3.0 behavior.
+    - gh-94440: Fix a concurrent.futures.process bug where
+      ProcessPoolExecutor shutdown could hang after a future has
+      been quickly submitted and canceled.
+  - Documentation
+    - gh-103112: Add docstring to http.client.HTTPResponse.read()
+      to fix pydoc output.
+    - gh-85417: Update cmath documentation to clarify behaviour
+      on branch cuts.
+    - gh-97725: Fix asyncio.Task.print_stack() description for
+      file=None. Patch by Oleg Iarygin.
+  - Tests
+    - gh-102980: Improve test coverage on pdb.
+    - gh-102537: Adjust the error handling strategy in
+      test_zoneinfo.TzPathTest.python_tzpath_context. Patch by
+      Paul Ganssle.
+    - gh-89792: test_tools now copies up to 10x less source data
+      to a temporary directory during the freeze test by ignoring
+      git metadata and other artifacts. It also limits its python
+      build parallelism based on os.cpu_count instead of hard
+      coding it as 8 cores.
+    - gh-101377: Improved test_locale_calendar_formatweekday of
+      calendar.
+  - Build
+    - gh-102711: Fix -Wstrict-prototypes compiler warnings.
+
 -------------------------------------------------------------------
 Fri Mar  3 17:23:35 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python311.spec

@@ -104,7 +104,7 @@ Obsoletes:      python310%{?1:-%{1}}
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.2
+Version:        3.11.3
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -167,6 +167,9 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
 # Makes Python resilient to changes of API of libexpat
 Patch36:        support-expat-CVE-2022-25236-patched.patch
+# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
+# PEP 706 – Filter for tarfile.extractall
+Patch37:        CVE-2007-4559-filter-tarfile_extractall.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -438,6 +441,7 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac