Accepting request 1041730 from devel:languages:python:Factory
- Update to 3.10.9: - python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server lo This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printin - Avoid publishing list of active per-interpreter audit hooks via the gc module - The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. - Update bundled libexpat to 2.5.0 - Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). - On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the “forkserver” start method is affected Abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. This was a potential privilege escalation. Filesystem based socket permissions restrict this to the forkserver process user as was the default in OBS-URL: https://build.opensuse.org/request/show/1041730 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=26
This commit is contained in:
commit
438d63cfde
@ -1,54 +0,0 @@
|
|||||||
From 5775f51691d7d64fb676586e008b41261ce64ac2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Matt.Wang" <mattwang44@gmail.com>
|
|
||||||
Date: Wed, 19 Oct 2022 14:49:08 +0800
|
|
||||||
Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
|
|
||||||
backward-compatibility in pyspecific.py
|
|
||||||
|
|
||||||
[why] spinix 5.3 changed locale.translators from a defaultdict(gettext.NullTranslations) to a dict, which leads to failure of pyspecific.py. Use sphinx.locale._ as gettext to fix the issue.
|
|
||||||
---
|
|
||||||
Doc/tools/extensions/pyspecific.py | 8 ++++----
|
|
||||||
Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst | 1 +
|
|
||||||
2 files changed, 5 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
--- a/Doc/tools/extensions/pyspecific.py
|
|
||||||
+++ b/Doc/tools/extensions/pyspecific.py
|
|
||||||
@@ -26,7 +26,7 @@ try:
|
|
||||||
from sphinx.errors import NoUri
|
|
||||||
except ImportError:
|
|
||||||
from sphinx.environment import NoUri
|
|
||||||
-from sphinx.locale import translators
|
|
||||||
+from sphinx.locale import _ as sphinx_gettext
|
|
||||||
from sphinx.util import status_iterator, logging
|
|
||||||
from sphinx.util.nodes import split_explicit_title
|
|
||||||
from sphinx.writers.text import TextWriter, TextTranslator
|
|
||||||
@@ -109,7 +109,7 @@ class ImplementationDetail(Directive):
|
|
||||||
def run(self):
|
|
||||||
self.assert_has_content()
|
|
||||||
pnode = nodes.compound(classes=['impl-detail'])
|
|
||||||
- label = translators['sphinx'].gettext(self.label_text)
|
|
||||||
+ label = sphinx_gettext(self.label_text)
|
|
||||||
content = self.content
|
|
||||||
add_text = nodes.strong(label, label)
|
|
||||||
self.state.nested_parse(content, self.content_offset, pnode)
|
|
||||||
@@ -203,7 +203,7 @@ class AuditEvent(Directive):
|
|
||||||
else:
|
|
||||||
args = []
|
|
||||||
|
|
||||||
- label = translators['sphinx'].gettext(self._label[min(2, len(args))])
|
|
||||||
+ label = sphinx_gettext(self._label[min(2, len(args))])
|
|
||||||
text = label.format(name="``{}``".format(name),
|
|
||||||
args=", ".join("``{}``".format(a) for a in args if a))
|
|
||||||
|
|
||||||
@@ -382,7 +382,7 @@ class DeprecatedRemoved(Directive):
|
|
||||||
else:
|
|
||||||
label = self._removed_label
|
|
||||||
|
|
||||||
- label = translators['sphinx'].gettext(label)
|
|
||||||
+ label = sphinx_gettext(label)
|
|
||||||
text = label.format(deprecated=self.arguments[0], removed=self.arguments[1])
|
|
||||||
if len(self.arguments) == 3:
|
|
||||||
inodes, messages = self.state.inline_text(self.arguments[2],
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
|
|
||||||
@@ -0,0 +1 @@
|
|
||||||
+Use sphinx.locale._ as the gettext function in pyspecific.py.
|
|
@ -1,54 +0,0 @@
|
|||||||
From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Viktorin <encukou@gmail.com>
|
|
||||||
Date: Wed, 27 Apr 2022 18:17:33 +0200
|
|
||||||
Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
|
|
||||||
filenames/types/params
|
|
||||||
|
|
||||||
---
|
|
||||||
Doc/library/mailcap.rst | 12 ++++++++++
|
|
||||||
Lib/mailcap.py | 5 ++++
|
|
||||||
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
|
|
||||||
3 files changed, 21 insertions(+)
|
|
||||||
|
|
||||||
--- a/Doc/library/mailcap.rst
|
|
||||||
+++ b/Doc/library/mailcap.rst
|
|
||||||
@@ -27,6 +27,18 @@ The mailcap format is documented in :rfc
|
|
||||||
Mechanism For Multimedia Mail Format Information", but is not an internet
|
|
||||||
standard. However, mailcap files are supported on most Unix systems.
|
|
||||||
|
|
||||||
+ .. versionchanged:: 3.11
|
|
||||||
+
|
|
||||||
+ To prevent security issues with shell metacharacters (symbols that have
|
|
||||||
+ special effects in a shell command line), ``findmatch`` will refuse
|
|
||||||
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
|
|
||||||
+ into the returned command line.
|
|
||||||
+
|
|
||||||
+ If a disallowed character appears in *filename*, ``findmatch`` will always
|
|
||||||
+ return ``(None, None)`` as if no entry was found.
|
|
||||||
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
|
|
||||||
+ ``findmatch`` will ignore all mailcap entries which use that value.
|
|
||||||
+ A :mod:`warning <warnings>` will be raised in either case.
|
|
||||||
|
|
||||||
.. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[])
|
|
||||||
|
|
||||||
--- a/Lib/mailcap.py
|
|
||||||
+++ b/Lib/mailcap.py
|
|
||||||
@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001
|
|
||||||
class UnsafeMailcapInput(Warning):
|
|
||||||
"""Warning raised when refusing unsafe input"""
|
|
||||||
|
|
||||||
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
|
|
||||||
+
|
|
||||||
+class UnsafeMailcapInput(Warning):
|
|
||||||
+ """Warning raised when refusing unsafe input"""
|
|
||||||
+
|
|
||||||
|
|
||||||
# Part 1: top-level interface.
|
|
||||||
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
|
||||||
@@ -0,0 +1,4 @@
|
|
||||||
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
|
|
||||||
+MIME types, parameters) into shell commands. Instead of using such text, it
|
|
||||||
+will warn and act as if a match was not found (or for test commands, as if
|
|
||||||
+the test failed).
|
|
@ -1,59 +0,0 @@
|
|||||||
From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Gregory P. Smith" <greg@krypto.org>
|
|
||||||
Date: Thu, 20 Oct 2022 15:30:09 -0700
|
|
||||||
Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
|
|
||||||
multiprocessing (GH-98501)
|
|
||||||
|
|
||||||
Linux abstract sockets are insecure as they lack any form of filesystem
|
|
||||||
permissions so their use allows anyone on the system to inject code into
|
|
||||||
the process.
|
|
||||||
|
|
||||||
This removes the default preference for abstract sockets in
|
|
||||||
multiprocessing introduced in Python 3.9+ via
|
|
||||||
https://github.com/python/cpython/pull/18866 while fixing
|
|
||||||
https://github.com/python/cpython/issues/84031.
|
|
||||||
|
|
||||||
Explicit use of an abstract socket by a user now generates a
|
|
||||||
RuntimeWarning. If we choose to keep this warning, it should be
|
|
||||||
backported to the 3.7 and 3.8 branches.
|
|
||||||
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
|
|
||||||
|
|
||||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
||||||
---
|
|
||||||
Lib/multiprocessing/connection.py | 5 ---
|
|
||||||
Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 ++++++++++
|
|
||||||
2 files changed, 15 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
|
||||||
|
|
||||||
--- a/Lib/multiprocessing/connection.py
|
|
||||||
+++ b/Lib/multiprocessing/connection.py
|
|
||||||
@@ -73,11 +73,6 @@ def arbitrary_address(family):
|
|
||||||
if family == 'AF_INET':
|
|
||||||
return ('localhost', 0)
|
|
||||||
elif family == 'AF_UNIX':
|
|
||||||
- # Prefer abstract sockets if possible to avoid problems with the address
|
|
||||||
- # size. When coding portable applications, some implementations have
|
|
||||||
- # sun_path as short as 92 bytes in the sockaddr_un struct.
|
|
||||||
- if util.abstract_sockets_supported:
|
|
||||||
- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
|
|
||||||
return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
|
|
||||||
elif family == 'AF_PIPE':
|
|
||||||
return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
|
|
||||||
+unix domain sockets for communication with the *forkserver* process instead of
|
|
||||||
+the Linux abstract socket namespace. Only code that chooses to use the
|
|
||||||
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
|
|
||||||
+
|
|
||||||
+Abstract sockets have no permissions and could allow any user on the system in
|
|
||||||
+the same `network namespace
|
|
||||||
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
|
|
||||||
+whole system) to inject code into the multiprocessing *forkserver* process.
|
|
||||||
+This was a potential privilege escalation. Filesystem based socket permissions
|
|
||||||
+restrict this to the *forkserver* process user as was the default in Python 3.8
|
|
||||||
+and earlier.
|
|
||||||
+
|
|
||||||
+This prevents Linux `CVE-2022-42919
|
|
||||||
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
|
|
@ -1,88 +0,0 @@
|
|||||||
From b8f89940de09a51fdbd8fe4705d3d1d7f1bb0c6a Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Miss Islington (bot)"
|
|
||||||
<31488909+miss-islington@users.noreply.github.com>
|
|
||||||
Date: Mon, 7 Nov 2022 18:57:10 -0800
|
|
||||||
Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
|
|
||||||
(GH-99222)
|
|
||||||
|
|
||||||
There was an unnecessary quadratic loop in idna decoding. This restores
|
|
||||||
the behavior to linear.
|
|
||||||
|
|
||||||
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
|
|
||||||
|
|
||||||
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
|
|
||||||
|
|
||||||
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
|
|
||||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
||||||
---
|
|
||||||
Lib/encodings/idna.py | 32 ++++------
|
|
||||||
Lib/test/test_codecs.py | 6 +
|
|
||||||
Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 +
|
|
||||||
3 files changed, 27 insertions(+), 17 deletions(-)
|
|
||||||
create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
|
|
||||||
|
|
||||||
--- a/Lib/encodings/idna.py
|
|
||||||
+++ b/Lib/encodings/idna.py
|
|
||||||
@@ -39,23 +39,21 @@ def nameprep(label):
|
|
||||||
|
|
||||||
# Check bidi
|
|
||||||
RandAL = [stringprep.in_table_d1(x) for x in label]
|
|
||||||
- for c in RandAL:
|
|
||||||
- if c:
|
|
||||||
- # There is a RandAL char in the string. Must perform further
|
|
||||||
- # tests:
|
|
||||||
- # 1) The characters in section 5.8 MUST be prohibited.
|
|
||||||
- # This is table C.8, which was already checked
|
|
||||||
- # 2) If a string contains any RandALCat character, the string
|
|
||||||
- # MUST NOT contain any LCat character.
|
|
||||||
- if any(stringprep.in_table_d2(x) for x in label):
|
|
||||||
- raise UnicodeError("Violation of BIDI requirement 2")
|
|
||||||
-
|
|
||||||
- # 3) If a string contains any RandALCat character, a
|
|
||||||
- # RandALCat character MUST be the first character of the
|
|
||||||
- # string, and a RandALCat character MUST be the last
|
|
||||||
- # character of the string.
|
|
||||||
- if not RandAL[0] or not RandAL[-1]:
|
|
||||||
- raise UnicodeError("Violation of BIDI requirement 3")
|
|
||||||
+ if any(RandAL):
|
|
||||||
+ # There is a RandAL char in the string. Must perform further
|
|
||||||
+ # tests:
|
|
||||||
+ # 1) The characters in section 5.8 MUST be prohibited.
|
|
||||||
+ # This is table C.8, which was already checked
|
|
||||||
+ # 2) If a string contains any RandALCat character, the string
|
|
||||||
+ # MUST NOT contain any LCat character.
|
|
||||||
+ if any(stringprep.in_table_d2(x) for x in label):
|
|
||||||
+ raise UnicodeError("Violation of BIDI requirement 2")
|
|
||||||
+ # 3) If a string contains any RandALCat character, a
|
|
||||||
+ # RandALCat character MUST be the first character of the
|
|
||||||
+ # string, and a RandALCat character MUST be the last
|
|
||||||
+ # character of the string.
|
|
||||||
+ if not RandAL[0] or not RandAL[-1]:
|
|
||||||
+ raise UnicodeError("Violation of BIDI requirement 3")
|
|
||||||
|
|
||||||
return label
|
|
||||||
|
|
||||||
--- a/Lib/test/test_codecs.py
|
|
||||||
+++ b/Lib/test/test_codecs.py
|
|
||||||
@@ -1534,6 +1534,12 @@ class IDNACodecTest(unittest.TestCase):
|
|
||||||
self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
|
|
||||||
self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
|
|
||||||
|
|
||||||
+ def test_builtin_decode_length_limit(self):
|
|
||||||
+ with self.assertRaisesRegex(UnicodeError, "too long"):
|
|
||||||
+ (b"xn--016c"+b"a"*1100).decode("idna")
|
|
||||||
+ with self.assertRaisesRegex(UnicodeError, "too long"):
|
|
||||||
+ (b"xn--016c"+b"a"*70).decode("idna")
|
|
||||||
+
|
|
||||||
def test_stream(self):
|
|
||||||
r = codecs.getreader("idna")(io.BytesIO(b"abc"))
|
|
||||||
r.read(3)
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
|
|
||||||
@@ -0,0 +1,6 @@
|
|
||||||
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
|
|
||||||
+related name resolution functions no longer involves a quadratic algorithm.
|
|
||||||
+This prevents a potential CPU denial of service if an out-of-spec excessive
|
|
||||||
+length hostname involving bidirectional characters were decoded. Some protocols
|
|
||||||
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
|
|
||||||
+to supply such a name.
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3
|
|
||||||
size 19619508
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmNFVREACgkQ/+h0BBaL
|
|
||||||
2EfmBhAAlIlx22S5RL7ehPDOWlEj06uK87EKEfMXch2DMapEXsrBR2Z+Q3Kb0Le+
|
|
||||||
T3vru6k9MUbDGI0pei+o5k621jvg8Gj+0rUKTydAd46Pt9ZoCPWuIdyWKaJBknLu
|
|
||||||
XsYs6Xiv6Ug7Q3JGy67j8ei6bFoqATyYEe45ljReVfug7VmisjMXHdiyZoAkAFMO
|
|
||||||
fDZvtfXRY/ZwLcCfK5SkaJqSRVfYowAh1lQqiXDnbfaX40BVCw78YKFsYN//PCpU
|
|
||||||
DrsE7JFapXQGvCJmcZ+WC8A/WMjyLoKI36w2WDcy8AFKsf49xQWPEWnUzXcJyF2n
|
|
||||||
zKGxn6kUEMdzelSWWWqMYlckL6Xf87E+CRTRS0MRX6OIrf+zJkeEoWRW8cGT/U8I
|
|
||||||
1o0hawm9O50nSIjMGzaXGKjWsHLSIeOA9ToLz19TzzO7VikNkXAx5gQcHQu3bJyT
|
|
||||||
SrMCw/VXJy+0BinBpSX/qZoptX2+6lFfArb/xOZGX2ZhU44+ecPrUHxB8xiw0qr8
|
|
||||||
pw16k6nCkW3f0aZ0jrlsfNLsXr9G/ZRu+ugrcTTQ53rfXO0pQ5nxm0CJ5O9twDjw
|
|
||||||
DIKvuqnOHlSGEcFM4bNDvpqskDnXrK6oyqBvtVhsjdFAp8YHYoM0yALTBlS4v2Xt
|
|
||||||
Em1BPUXHps0M1AY59KrXe0OpwibJjKhvWoogAS5bqe/mYInBE/Y=
|
|
||||||
=2vcv
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
Python-3.10.9.tar.xz
Normal file
3
Python-3.10.9.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83
|
||||||
|
size 19612112
|
16
Python-3.10.9.tar.xz.asc
Normal file
16
Python-3.10.9.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmOPjc0ACgkQ/+h0BBaL
|
||||||
|
2EeV0hAAqnRoPq/yKFBquimXkwLGWPOwmPC1W4ehfS8OzXtfqw53xyG8q5ggemyd
|
||||||
|
pc6k6lXlgFS1AzE3wGPfVNzr+iFf2xP+3c21e3nbKUISxFQ6xF+X2xY7sTLIZUuQ
|
||||||
|
h8ZEyq7W9a1ta/78ap03+C3i98EWK5WaO5PIt57yq4ZLWdNVaJpqXessFQiZ5+ys
|
||||||
|
pN0D0iC9TCUv3QTDhyB2xB7fThVXcIsvfgvAsSzLMC3t/POsp3Qiooa1Tc9lB4TK
|
||||||
|
GEgfGUrvd/YZaI9LKT309aXfBuorjX9oDN05+efg+8/2DsRCus7KX+buNRC5xRX6
|
||||||
|
gIFp/Bjgc+eBDW/8f8zEl/aB8DWm/rkfX83Xc0m9W0iZYtSQT0AGoQE5fcJg1jnR
|
||||||
|
lV5RpD9uZa/RrHtc/Sl7e0PfOdfZsWUKsNiiJhDVdfRPJYanezAHZCZpc8q2JoOV
|
||||||
|
IoxKlWp5eBhk10hWwtAjLGPK2iGNfUksV72oqDGU8IyA4+wL/iC9quq5nWED0U0w
|
||||||
|
gjrmXYIspCT2oCF/U3kCjqf26vYp6hxFrvloseD65ExwNiqQCGQlsxZJelCJUDnO
|
||||||
|
lezBraV5QSElsRReO2t8+XQgxoCeBbsvRpCNPWnzGdvNHljTRWVQtdx8s3A+LYEX
|
||||||
|
dNnL5pI91C+5pn+vvKYO4x2S7hdgG4aRNSwH19D05VdThEsmt0U=
|
||||||
|
=L+IQ
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -15,7 +15,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
|
|||||||
|
|
||||||
--- a/Doc/library/ensurepip.rst
|
--- a/Doc/library/ensurepip.rst
|
||||||
+++ b/Doc/library/ensurepip.rst
|
+++ b/Doc/library/ensurepip.rst
|
||||||
@@ -56,8 +56,9 @@ is at least as recent as the one availab
|
@@ -58,8 +58,9 @@ is at least as recent as the one availab
|
||||||
By default, ``pip`` is installed into the current virtual environment
|
By default, ``pip`` is installed into the current virtual environment
|
||||||
(if one is active) or into the system site packages (if there is no
|
(if one is active) or into the system site packages (if there is no
|
||||||
active virtual environment). The installation location can be controlled
|
active virtual environment). The installation location can be controlled
|
||||||
@ -26,7 +26,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
|
|||||||
* ``--root <dir>``: Installs ``pip`` relative to the given root directory
|
* ``--root <dir>``: Installs ``pip`` relative to the given root directory
|
||||||
rather than the root of the currently active virtual environment (if any)
|
rather than the root of the currently active virtual environment (if any)
|
||||||
or the default root for the current Python installation.
|
or the default root for the current Python installation.
|
||||||
@@ -89,7 +90,7 @@ Module API
|
@@ -91,7 +92,7 @@ Module API
|
||||||
Returns a string specifying the available version of pip that will be
|
Returns a string specifying the available version of pip that will be
|
||||||
installed when bootstrapping an environment.
|
installed when bootstrapping an environment.
|
||||||
|
|
||||||
@ -35,7 +35,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
|
|||||||
altinstall=False, default_pip=False, \
|
altinstall=False, default_pip=False, \
|
||||||
verbosity=0)
|
verbosity=0)
|
||||||
|
|
||||||
@@ -99,6 +100,8 @@ Module API
|
@@ -101,6 +102,8 @@ Module API
|
||||||
If *root* is ``None``, then installation uses the default install location
|
If *root* is ``None``, then installation uses the default install location
|
||||||
for the current environment.
|
for the current environment.
|
||||||
|
|
||||||
@ -44,7 +44,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
|
|||||||
*upgrade* indicates whether or not to upgrade an existing installation
|
*upgrade* indicates whether or not to upgrade an existing installation
|
||||||
of an earlier version of ``pip`` to the available version.
|
of an earlier version of ``pip`` to the available version.
|
||||||
|
|
||||||
@@ -119,6 +122,8 @@ Module API
|
@@ -121,6 +124,8 @@ Module API
|
||||||
*verbosity* controls the level of output to :data:`sys.stdout` from the
|
*verbosity* controls the level of output to :data:`sys.stdout` from the
|
||||||
bootstrapping operation.
|
bootstrapping operation.
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
Create a Python.framework rather than a traditional Unix install. Optional
|
Create a Python.framework rather than a traditional Unix install. Optional
|
||||||
--- a/Misc/NEWS
|
--- a/Misc/NEWS
|
||||||
+++ b/Misc/NEWS
|
+++ b/Misc/NEWS
|
||||||
@@ -2979,7 +2979,7 @@ C API
|
@@ -3254,7 +3254,7 @@ C API
|
||||||
-----
|
-----
|
||||||
|
|
||||||
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
|
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
|
||||||
|
@ -1,3 +1,178 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 8 14:42:15 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.10.9:
|
||||||
|
- python -m http.server no longer allows terminal
|
||||||
|
control characters sent within a garbage request to be
|
||||||
|
printed to the stderr server lo This is done by changing
|
||||||
|
the http.server BaseHTTPRequestHandler .log_message method
|
||||||
|
to replace control characters with a \xHH hex escape before
|
||||||
|
printin
|
||||||
|
- Avoid publishing list of active per-interpreter
|
||||||
|
audit hooks via the gc module
|
||||||
|
- The IDNA codec decoder used on DNS hostnames by
|
||||||
|
socket or asyncio related name resolution functions no
|
||||||
|
longer involves a quadratic algorithm. This prevents a
|
||||||
|
potential CPU denial of service if an out-of-spec excessive
|
||||||
|
length hostname involving bidirectional characters were
|
||||||
|
decoded. Some protocols such as urllib http 3xx redirects
|
||||||
|
potentially allow for an attacker to supply such a name.
|
||||||
|
- Update bundled libexpat to 2.5.0
|
||||||
|
- Port XKCP’s fix for the buffer overflows in SHA-3
|
||||||
|
(CVE-2022-37454).
|
||||||
|
- On Linux the multiprocessing module returns
|
||||||
|
to using filesystem backed unix domain sockets for
|
||||||
|
communication with the forkserver process instead of the
|
||||||
|
Linux abstract socket namespace. Only code that chooses
|
||||||
|
to use the “forkserver” start method is affected Abstract
|
||||||
|
sockets have no permissions and could allow any user
|
||||||
|
on the system in the same network namespace (often the
|
||||||
|
whole system) to inject code into the multiprocessing
|
||||||
|
forkserver process. This was a potential privilege
|
||||||
|
escalation. Filesystem based socket permissions restrict
|
||||||
|
this to the forkserver process user as was the default in
|
||||||
|
Python 3.8 and earlier This prevents Linux CVE-2022-42919
|
||||||
|
- Fix a reference bug in _imp.create_builtin()
|
||||||
|
after the creation of the first sub-interpreter for modules
|
||||||
|
builtins and sys. Patch by Victor Stinner.
|
||||||
|
- Fixed a bug that was causing a buffer overflow if
|
||||||
|
the tokenizer copies a line missing the newline caracter
|
||||||
|
from a file that is as long as the available tokenizer
|
||||||
|
buffer. Patch by Pablo galindo
|
||||||
|
- Update faulthandler to emit an error message with
|
||||||
|
the proper unexpected signal number. Patch by Dong-hee Na.
|
||||||
|
- Fix subscription of types.GenericAlias instances
|
||||||
|
containing bare generic types: for example tuple[A, T][int],
|
||||||
|
where A is a generic type, and T is a type variable.
|
||||||
|
- Fix detection of MAC addresses for uuid on certain
|
||||||
|
OSs. Patch by Chaim Sanders
|
||||||
|
- Print exception class name instead of its string
|
||||||
|
representation when raising errors from ctypes calls.
|
||||||
|
- Allow pdb to locate source for frozen modules in
|
||||||
|
the standard library.
|
||||||
|
- Raise ValueError instead of SystemError when
|
||||||
|
methods of uninitialized io.IncrementalNewlineDecoder objects
|
||||||
|
are called. Patch by Oren Milman.
|
||||||
|
- Fix a possible assertion failure in io.FileIO when
|
||||||
|
the opener returns an invalid file descriptor.
|
||||||
|
- Also escape s in the http.server
|
||||||
|
BaseHTTPRequestHandler.log_message so that it is technically
|
||||||
|
possible to parse the line and reconstruct what the original
|
||||||
|
data was. Without this a xHH is ambiguious as to if it is a
|
||||||
|
hex replacement we put in or the characters r”x” came through
|
||||||
|
in the original request line.
|
||||||
|
- asyncio.get_event_loop() now only emits a
|
||||||
|
deprecation warning when a new event loop was created
|
||||||
|
implicitly. It no longer emits a deprecation warning if the
|
||||||
|
current event loop was set.
|
||||||
|
- Fix bug when calling trace.CoverageResults with
|
||||||
|
valid infile.
|
||||||
|
- Fix a bug in handling class cleanups in
|
||||||
|
unittest.TestCase. Now addClassCleanup() uses separate lists
|
||||||
|
for different TestCase subclasses, and doClassCleanups() only
|
||||||
|
cleans up the particular class.
|
||||||
|
- Release the GIL when calling termios APIs to avoid
|
||||||
|
blocking threads.
|
||||||
|
- Fix ast.increment_lineno() to also cover
|
||||||
|
ast.TypeIgnore when changing line numbers.
|
||||||
|
- Fixed bug where inspect.signature() reported
|
||||||
|
incorrect arguments for decorated methods.
|
||||||
|
- Fix SystemError in ctypes when exception was not
|
||||||
|
set during __initsubclass__.
|
||||||
|
- Fix statistics.NormalDist pickle with 0 and 1
|
||||||
|
protocols.
|
||||||
|
- Update the bundled copy of pip to version 22.3.1.
|
||||||
|
- Apply bugfixes from importlib_metadata 4.11.4,
|
||||||
|
namely: In PathDistribution._name_from_stem, avoid
|
||||||
|
including parts of the extension in the result. In
|
||||||
|
PathDistribution._normalized_name, ensure names loaded from
|
||||||
|
the stem of the filename are also normalized, ensuring
|
||||||
|
duplicate entry points by packages varying only by
|
||||||
|
non-normalized name are hidden.
|
||||||
|
- Clean up refleak on failed module initialisation in
|
||||||
|
_zoneinfo
|
||||||
|
- Clean up refleaks on failed module initialisation
|
||||||
|
in in _pickle
|
||||||
|
- Clean up refleak on failed module initialisation in
|
||||||
|
_io.
|
||||||
|
- Fix memory leak in math.dist() when both points
|
||||||
|
don’t have the same dimension. Patch by Kumar Aditya.
|
||||||
|
- Fix argument typechecks in _overlapped.WSAConnect()
|
||||||
|
and _overlapped.Overlapped.WSASendTo() functions.
|
||||||
|
- Fix internal error in the re module which in
|
||||||
|
very rare circumstances prevented compilation of a regular
|
||||||
|
expression containing a conditional expression without the
|
||||||
|
“else” branch.
|
||||||
|
- Fix asyncio.StreamWriter.drain() to call
|
||||||
|
protocol.connection_lost callback only once on Windows.
|
||||||
|
- Add a mutex to unittest.mock.NonCallableMock to
|
||||||
|
protect concurrent access to mock attributes.
|
||||||
|
- Fix hang on Windows in subprocess.wait_closed() in
|
||||||
|
asyncio with ProactorEventLoop. Patch by Kumar Aditya.
|
||||||
|
- Fix infinite loop in unittest when a
|
||||||
|
self-referencing chained exception is raised
|
||||||
|
- tkinter.Text.count() raises now an exception for
|
||||||
|
options starting with “-” instead of silently ignoring them.
|
||||||
|
- On uname_result, restored expectation that _fields
|
||||||
|
and _asdict would include all six properties including
|
||||||
|
processor.
|
||||||
|
- Update the bundled copies of pip and setuptools to
|
||||||
|
versions 22.3 and 65.5.0 respectively.
|
||||||
|
- Fix bug in urllib.parse.urlparse() that causes
|
||||||
|
certain port numbers containing whitespace, underscores,
|
||||||
|
plus and minus signs, or non-ASCII digits to be incorrectly
|
||||||
|
accepted.
|
||||||
|
- Allow venv to pass along PYTHON* variables to
|
||||||
|
ensurepip and pip when they do not impact path resolution
|
||||||
|
- On macOS, fix a crash in syslog.syslog() in
|
||||||
|
multi-threaded applications. On macOS, the libc syslog()
|
||||||
|
function is not thread-safe, so syslog.syslog() no longer
|
||||||
|
releases the GIL to call it. Patch by Victor Stinner.
|
||||||
|
- Allow BUILTINS to be a valid field name for frozen
|
||||||
|
dataclasses.
|
||||||
|
- Make sure patch.dict() can be applied on async
|
||||||
|
functions.
|
||||||
|
- To avoid apparent memory leaks when
|
||||||
|
asyncio.open_connection() raises, break reference cycles
|
||||||
|
generated by local exception and future instances (which has
|
||||||
|
exception instance as its member var). Patch by Dong Uk,
|
||||||
|
Kang.
|
||||||
|
- Prevent error when activating venv in nested fish
|
||||||
|
instances.
|
||||||
|
- Restrict use of sockets instead of pipes for stdin
|
||||||
|
of subprocesses created by asyncio to AIX platform only.
|
||||||
|
- shutil.copytree() now applies the
|
||||||
|
ignore_dangling_symlinks argument recursively.
|
||||||
|
- Fix IndexError in argparse.ArgumentParser when a
|
||||||
|
store_true action is given an explicit argument.
|
||||||
|
- Document that calling variadic functions with
|
||||||
|
ctypes requires special care on macOS/arm64 (and possibly
|
||||||
|
other platforms).
|
||||||
|
- Skip test_normalization() of test_unicodedata
|
||||||
|
if it fails to download NormalizationTest.txt file from
|
||||||
|
pythontest.net. Patch by Victor Stinner.
|
||||||
|
- Some C API tests were moved into the new
|
||||||
|
Lib/test/test_capi/ directory.
|
||||||
|
- Fix -Wimplicit-int, -Wstrict-prototypes, and
|
||||||
|
-Wimplicit-function-declaration compiler warnings in
|
||||||
|
configure checks.
|
||||||
|
- Fix -Wimplicit-int compiler warning in configure
|
||||||
|
check for PTHREAD_SCOPE_SYSTEM.
|
||||||
|
- Specify the full path to the source location for
|
||||||
|
make docclean (needed for cross-builds).
|
||||||
|
- Fix NO_MISALIGNED_ACCESSES being not defined
|
||||||
|
for the SHA3 extension when HAVE_ALIGNED_REQUIRED is
|
||||||
|
set. Allowing builds on hardware that unaligned memory
|
||||||
|
accesses are not allowed.
|
||||||
|
- Fix handling of module docstrings in
|
||||||
|
Tools/i18n/pygettext.py.
|
||||||
|
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
|
||||||
|
- CVE-2015-20107-mailcap-unsafe-filenames.patch
|
||||||
|
- CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
|
||||||
|
- CVE-2022-45061-DoS-by-IDNA-decode.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
|
|||||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||||
%bcond_without profileopt
|
%bcond_without profileopt
|
||||||
Name: %{python_pkg_name}%{psuffix}
|
Name: %{python_pkg_name}%{psuffix}
|
||||||
Version: 3.10.8
|
Version: 3.10.9
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Python 3 Interpreter
|
Summary: Python 3 Interpreter
|
||||||
License: Python-2.0
|
License: Python-2.0
|
||||||
@ -166,18 +166,6 @@ Patch35: fix_configure_rst.patch
|
|||||||
# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
|
# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
|
||||||
# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
|
# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
|
||||||
Patch36: support-expat-CVE-2022-25236-patched.patch
|
Patch36: support-expat-CVE-2022-25236-patched.patch
|
||||||
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
|
|
||||||
# avoid the command injection in the mailcap module.
|
|
||||||
Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
|
|
||||||
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
|
|
||||||
# this patch makes things totally awesome
|
|
||||||
Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
|
|
||||||
# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mcepl@suse.com
|
|
||||||
# Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method
|
|
||||||
Patch39: CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
|
|
||||||
# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
|
|
||||||
# Avoid DoS by decoding IDNA for too long domain names
|
|
||||||
Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch
|
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
@ -446,10 +434,6 @@ other applications.
|
|||||||
%endif
|
%endif
|
||||||
%patch35 -p1
|
%patch35 -p1
|
||||||
%patch36 -p1
|
%patch36 -p1
|
||||||
%patch37 -p1
|
|
||||||
%patch38 -p1
|
|
||||||
%patch39 -p1
|
|
||||||
%patch40 -p1
|
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
Loading…
Reference in New Issue
Block a user