From 2999469a134b0d9c322010cfc5d8388a2278a2cad81c09ff1778279cb8a9dcb1 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Mon, 9 Sep 2024 14:17:15 +0000
Subject: [PATCH] - Tests
  - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``.
  - gh-117187: Fix XML tests for vanilla Expat <2.6.0.
  - gh-100454: Fix SSL tests CI for OpenSSL 3.1+
- Security
  - gh-123678: Upgrade libexpat to 2.6.3
  - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``.
  - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith and Seth Larson . Reported by Ellie
  - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232).
  - gh-118486: :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default.
  - gh-116741: Update bundled libexpat to 2.6.2
- Library
  - gh-123693: Use platform-agnostic behavior when computing ``zipfile.Path.name``.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=147
---
 python310.changes | 71 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 70 insertions(+), 1 deletion(-)

diff --git a/python310.changes b/python310.changes
index e6f84f0..79fd403 100644
--- a/python310.changes
+++ b/python310.changes
@@ -2,7 +2,76 @@ Mon Sep 9 13:41:07 UTC 2024 - Matej Cepl - Update to 3.10.15: - + - Tests + - gh-112769: The tests now correctly compare zlib version + when :const:`zlib.ZLIB_RUNTIME_VERSION` contains + non-integer suffixes. For example zlib-ng defines the + version as ``1.3.0.zlib-ng``. + - gh-117187: Fix XML tests for vanilla Expat <2.6.0. + - gh-100454: Fix SSL tests CI for OpenSSL 3.1+ + - Security + - gh-123678: Upgrade libexpat to 2.6.3 + - gh-121957: Fixed missing audit events around interactive + use of Python, now also properly firing for ``python -i``, + as well as for ``python -m asyncio``. The event in question + is ``cpython.run_stdin``. + - gh-122133: Authenticate the socket connection for the + ``socket.socketpair()`` fallback on platforms where + ``AF_UNIX`` is not available like Windows. Patch by + Gregory P. Smith and Seth Larson + . Reported by Ellie + - gh-121285: Remove backtracking from tarfile header + parsing for ``hdrcharset``, PAX, and GNU sparse headers + (bsc#1230227, CVE-2024-6232). + - gh-118486: :func:`os.mkdir` on Windows now accepts + *mode* of ``0o700`` to restrict the new directory to + the current user. This fixes CVE-2024-4030 affecting + :func:`tempfile.mkdtemp` in scenarios where the base + temporary directory is more permissive than the default. + - gh-116741: Update bundled libexpat to 2.6.2 + - Library + - gh-123693: Use platform-agnostic behavior when computing + ``zipfile.Path.name``. + - gh-123270: Applied a more surgical fix for malformed + payloads in :class:`zipfile.Path` causing infinite loops + (gh-122905) without breaking contents using legitimate + characters (bsc#1229704, CVE-2024-8088). + - gh-123067: Fix quadratic complexity in parsing ``"``-quoted + cookie values with backslashes by :mod:`http.cookies` + (bsc#1229596, CVE-2024-7592). + - gh-122905: :class:`zipfile.Path` objects now sanitize names + from the zipfile. + - gh-121650: :mod:`email` headers with embedded newlines are + now quoted on output. 
The :mod:`~email.generator` will now + refuse to serialize (write) headers that are unsafely folded + or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. + (Contributed by Bas Bloemsaat and Petr Viktorin in + gh-121650.; CVE-2024-6923, bsc#1228780). + - gh-113171: Fixed various false positives and false negatives in + * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) + * :attr:`ipaddress.IPv4Address.is_global` + * :attr:`ipaddress.IPv6Address.is_private` + * :attr:`ipaddress.IPv6Address.is_global` + Also in the corresponding :class:`ipaddress.IPv4Network` and + :class:`ipaddress.IPv6Network` attributes. + Fixes bsc#1226448 (CVE-2024-4032). + - gh-102988: :func:`email.utils.getaddresses` and + :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more + situations where invalid email addresses are encountered instead of + potentially inaccurate values. Add optional *strict* parameter to these + two functions: use ``strict=False`` to get the old behavior, accept + malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', + False)`` can be use to check if the *strict* paramater is available. Patch + by Thomas Dwyer and Victor Stinner to improve the + CVE-2023-27043 fix (bsc#1210638). + - gh-67693: Fix :func:`urllib.parse.urlunparse` and + :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple + slashes and no authority. Based on patch by Ashwin Ramaswami. + - Core and Builtins + - gh-112275: A deadlock involving ``pystate.c``'s + ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now + fixed. Patch by ChuBoning based on previous Python 3.12 fix + by Victor Stinner. - Remove upstreamed patches: - CVE-2023-27043-email-parsing-errors.patch - CVE-2024-4032-private-IP-addrs.patch
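Review bot: the changelog text in this hunk carries a few typos that should be fixed before it ships in the package changes: in the gh-102988 entry `paramater` should be `parameter` and `can be use to check` should be `can be used to check`, and in the gh-121650 entry `gh-121650.;` has a stray period before the semicolon. The gh-122133 entry reads `Seth Larson . Reported by Ellie`, with a space before the period and the reporter name left dangling, which looks like the contributors' addresses were dropped when the upstream NEWS text was copied; either restore them or tighten it to `Seth Larson. Reported by Ellie.` so the attribution reads cleanly. The hunk header (`-2,7 +2,76`) matches the diffstat of 70 insertions and 1 deletion, and every security entry carries both its bsc# and CVE id, which is what a reviewer wants to see for a security update.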