bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
for newer SLE versions they will be python2-xxxx
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=310
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
OBS-URL: https://build.opensuse.org/request/show/925378
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=307
- CVE-2019-18348-CRLF_injection_via_host_part.patch
- python-2.7.14-CVE-2017-1000158.patch
- CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
- CVE-2018-1061-DOS-via-regexp-difflib.patch
- CVE-2019-10160-netloc-port-regression.patch
- CVE-2019-16056-email-parse-addr.patch
- Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben
Caller.
- Fixed possible leak in `PyArg_Parse` and similar
`PY_SSIZE_T_CLEAN` is not defined.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=306
(CVE-2019-20907, bpo#39017) avoiding possible infinite loop
in specifically crafted tarball.
Add recursion.tar as a testing tarball for the patch.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
(CVE-2020-26116, bpo#39603) no longer allowing special characters in
the method parameter of HTTPConnection.putrequest in httplib, stopping
injection of headers. Such characters now raise ValueError.
- bsc#1155094 (CVE-2019-18348) Disallow control characters in
hostnames in http.client. Such potentially malicious header
injection URLs now cause a InvalidURL to be raised.
- bsc#1109847 (CVE-2018-14647): add
CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
bpo-34623.
fixing bpo-35746 (CVE-2019-5010).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=304
- Newline characters have been escaped when performing uu
encoding to prevent them from overflowing into to content
section of the encoded file. This prevents malicious or
accidental modification of data during the decoding process.
- Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch
by Ben Caller.
- Fixed line numbers and column offsets for AST nodes for calls
without arguments in decorators.
- Disallow control characters in hostnames in http.client,
addressing CVE-2019-18348. Such potentially malicious header
injection URLs now cause a InvalidURL to be raised.
- Fix urllib.urlretrieve failing on subsequent ftp transfers
from the same host.
- Fix problems identified by GCC's -Wstringop-truncation
warning.
- AddRefActCtx() was needlessly being checked for failure in
PC/dl_nt.c.
- Prevent failure of test_relative_path in test_py_compile on
macOS Catalina.
- Fixed possible leak in :c:func:`PyArg_Parse` and similar
functions for format units "es#" and "et#" when the macro
:c:macro:`PY_SSIZE_T_CLEAN` is not defined.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=281
off tests coliding with the combination of modern Python and
ancient OpenSSL on SLE-12.
- Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch
off tests coliding with the combination of modern Python and
ancient OpenSSL on SLE-12.
- libnsl is required only on more recent SLEs and openSUSE, older
glibc supported NIS on its own.
- Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch
off tests coliding with the combination of modern Python and
ancient OpenSSL on SLE-12.
- libnsl is required only on more recent SLEs and openSUSE, older
glibc supported NIS on its own.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=272
allows us to use %%{python_module dbm} as a dependency and have
it properly resolved for both python2 and python3
- Add provides in gdbm subpackage to provide dbm symbols. This
allows us to use %%{python_module dbm} as a dependency and have
it properly resolved for both python2 and python3
- Add provides in gdbm subpackage to provide dbm symbols. This
allows us to use %%{python_module dbm} as a dependency and have
it properly resolved for both python2 and python3
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=266
- Drop appstream-glib BuildRequires and no longer call
appstream-util validate-relax: eliminate a build cycle between
as-glib and python. The only thing would would gain by calling
as-uril is catching if upstream breaks the appdata.xml file in a
future release. Considering py2 is dying, chances for a new
release, let alone one breaking the xml file, are slim.
- Drop appstream-glib BuildRequires and no longer call
appstream-util validate-relax: eliminate a build cycle between
as-glib and python. The only thing would would gain by calling
as-uril is catching if upstream breaks the appdata.xml file in a
future release. Considering py2 is dying, chances for a new
release, let alone one breaking the xml file, are slim.
- Drop appstream-glib BuildRequires and no longer call
appstream-util validate-relax: eliminate a build cycle between
as-glib and python. The only thing would would gain by calling
as-uril is catching if upstream breaks the appdata.xml file in a
future release. Considering py2 is dying, chances for a new
release, let alone one breaking the xml file, are slim.
OBS-URL: https://build.opensuse.org/request/show/758098
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=264
