Commit Graph

143 Commits

Author SHA256 Message Date
Ana Guerrero
346624a8d5 Accepting request 1182484 from devel:languages:python:Factory
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
  patched libexpat below 2.6.0 that doesn't update the version number,
  just in SLE.
- Remove old-libexpat.patch, of course.

    across multiple threads (bsc#1226447, CVE-2024-0397)

OBS-URL: https://build.opensuse.org/request/show/1182484
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=43
2024-06-24 18:50:16 +00:00
50f46d2e31 across multiple threads (bsc#1226447, CVE-2024-0397)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=130
2024-06-21 13:27:20 +00:00
1f90dc5291 - Remove old-libexpat.patch, of course.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=129
2024-06-21 09:50:19 +00:00
31dd9389f8 - Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
  patched libexpat below 2.6.0 that doesn't update the version number,
  just in SLE.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=128
2024-06-21 09:49:34 +00:00
78324fb6c5 Redownload sources
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=127
2024-04-18 15:36:23 +00:00
Ana Guerrero
ccf2930393 Accepting request 1161074 from devel:languages:python:Factory
- Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).
- Because of bsc#1189495 we have to revert use of %autopatch.
- Update 3.10.14:
  - gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0
    to address CVE-2023-52425, and control of the new reparse
    deferral functionality was exposed with new APIs
    (bsc#1219559).
  - gh-109858: zipfile is now protected from the “quoted-overlap”
    zipbomb to address CVE-2024-0450. It now raises BadZipFile
    when attempting to read an entry that overlaps with another
    entry or central directory. (bsc#1221854)
  - gh-91133: tempfile.TemporaryDirectory cleanup no longer
    dereferences symlinks when working around file system
    permission errors to address CVE-2023-6597 (bsc#1219666)
  - gh-115197: urllib.request no longer resolves the hostname
    before checking it against the system’s proxy bypass list on
    macOS and Windows
  - gh-81194: a crash in socket.if_indextoname() with a specific
    value (UINT_MAX) was fixed. Relatedly, an integer overflow in
    socket.if_indextoname() on 64-bit non-Windows platforms was
    fixed
  - gh-113659: .pth files with names starting with a dot or
    containing the hidden file attribute are now skipped
  - gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer
    read out of bounds
  - gh-114572: ssl.SSLContext.cert_store_stats() and
    ssl.SSLContext.get_ca_certs() now correctly lock access to
    the certificate store, when the ssl.SSLContext is shared
    across multiple threads
- Remove upstreamed patches:
  - CVE-2023-6597-TempDir-cleaning-symlink.patch
  - libexpat260.patch
- Readjust patches:
  - F00251-change-user-install-location.patch
  - fix_configure_rst.patch
  - python-3.3.0b1-localpath.patch
  - skip-test_pyobject_freed_is_freed.patch
- Port to %autosetup and %autopatch.

OBS-URL: https://build.opensuse.org/request/show/1161074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=42
2024-03-26 18:24:42 +00:00
46b4064b47 - Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=125
2024-03-24 01:15:19 +00:00
949104af99 - Because of bsc#1189495 we have to revert use of %autopatch.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=124
2024-03-22 21:18:18 +00:00
17f54b09e3 Fix *.changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=123
2024-03-22 09:01:33 +00:00
f508bcd9bd Fix *.changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=122
2024-03-21 20:16:09 +00:00
78ff6e46e1 - libexpat260.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=121
2024-03-21 18:48:55 +00:00
c9951abf64 Fix *.changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=120
2024-03-21 16:46:39 +00:00
041ff70f73 - Update 3.10.14:
  - gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0
    to address CVE-2023-52425, and control of the new reparse
    deferral functionality was exposed with new APIs
  - gh-109858: zipfile is now protected from the “quoted-overlap”
    zipbomb to address CVE-2024-0450. It now raises BadZipFile
    when attempting to read an entry that overlaps with another
    entry or central directory
  - gh-91133: tempfile.TemporaryDirectory cleanup no longer
    dereferences symlinks when working around file system
    permission errors to address CVE-2023-6597
  - gh-115197: urllib.request no longer resolves the hostname
    before checking it against the system’s proxy bypass list on
    macOS and Windows
  - gh-81194: a crash in socket.if_indextoname() with a specific
    value (UINT_MAX) was fixed. Relatedly, an integer overflow in
    socket.if_indextoname() on 64-bit non-Windows platforms was
    fixed
  - gh-113659: .pth files with names starting with a dot or
    containing the hidden file attribute are now skipped
  - gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer
    read out of bounds
  - gh-114572: ssl.SSLContext.cert_store_stats() and
    ssl.SSLContext.get_ca_certs() now correctly lock access to
    the certificate store, when the ssl.SSLContext is shared
    across multiple threads
- Remove upstreamed patches:
  - CVE-2023-6597-TempDir-cleaning-symlink.patch
- Port to %autosetup and %autopatch.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=119
2024-03-21 16:45:30 +00:00
Ana Guerrero
a358b6b1ec Accepting request 1157645 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1157645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=41
2024-03-14 16:42:36 +00:00
9d2100328b Accepting request 1155683 from home:pmonrealgonzalez:branches:devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1155683
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=117
2024-03-06 21:50:46 +00:00
Dominique Leuenberger
fb64581e60 Accepting request 1153061 from devel:languages:python:Factory
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.

OBS-URL: https://build.opensuse.org/request/show/1153061
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=40
2024-03-01 22:34:08 +00:00
9713a81b12 Fix the patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=115
2024-02-29 01:27:25 +00:00
ec6474e9bc - (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=114
2024-02-28 23:32:27 +00:00
Ana Guerrero
f660687d3f Accepting request 1152786 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1152786
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=39
2024-02-28 18:44:32 +00:00
3711a039e6 - Remove double definition of /usr/bin/idle%%{version} in
  %%files.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=112
2024-02-20 22:16:34 +00:00
Ana Guerrero
f2acc64a8c Accepting request 1146869 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1146869
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=38
2024-02-15 19:59:20 +00:00
951fa01e4b Accepting request 1146817 from home:dgarcia:branches:devel:languages:python:Factory
- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
  with Expat 2.6.0, gh#python/cpython#115289

OBS-URL: https://build.opensuse.org/request/show/1146817
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=110
2024-02-15 14:36:25 +00:00
9168347d4a - Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=109
2024-02-12 13:18:00 +00:00
Ana Guerrero
83a7da7040 Accepting request 1110597 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1110597
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=37
2023-09-12 19:02:42 +00:00
dc236e4d07 - Link to CVE-2023-40217 bug report in changelog, bsc#1214692
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=107
2023-09-05 11:37:11 +00:00
Ana Guerrero
044091027d Accepting request 1108911 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1108911
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=36
2023-09-04 20:52:31 +00:00
310cd89462 Accepting request 1108888 from home:dgarcia:branches:devel:languages:python:Factory
- Add fix-sphinx-72.patch to make it work with latest sphinx version
  gh#python/cpython#97950
- Update to 3.10.13:
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
  - gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data:
    *consumed was not set.

OBS-URL: https://build.opensuse.org/request/show/1108888
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=105
2023-09-04 15:07:39 +00:00
Dominique Leuenberger
9708415de3 Accepting request 1102193 from devel:languages:python:Factory
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.

OBS-URL: https://build.opensuse.org/request/show/1102193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=35
2023-08-06 14:29:12 +00:00
4a7871d409 - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=103
2023-08-03 14:14:37 +00:00
Ana Guerrero
0d124ed5f4 Accepting request 1099501 from devel:languages:python:Factory
- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
  stabilizing FLAG_REF usage (required for reproducibility;
  bsc#1213463).
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/request/show/1099501
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=34
2023-07-24 16:12:32 +00:00
32717ebf00 - Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
  stabilizing FLAG_REF usage (required for reproducibility;
  bsc#1213463).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=101
2023-07-19 11:19:26 +00:00
3c34744813 Accepting request 1098690 from devel:languages:python:Factory
Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)

OBS-URL: https://build.opensuse.org/request/show/1098690
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=100
2023-07-14 14:06:10 +00:00
18f6b99d17 - (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=99
2023-07-12 10:49:44 +00:00
Dominique Leuenberger
7870b5cb09 Accepting request 1095863 from devel:languages:python:Factory
- Update to 3.10.12:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features that may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/request/show/1095863
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=33
2023-06-30 17:58:24 +00:00
4c4727d238 Fix changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=97
2023-06-28 19:10:39 +00:00
24b222e77c - CVE-2023-24329-blank-URL-bypass.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=96
2023-06-28 17:58:17 +00:00
402f3ae924 - Update to 3.10.12:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329.
  - gh-99889: Fixed a security flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features that may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details.
- Remove upstreamed patches:
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=95
2023-06-28 17:56:56 +00:00
Dominique Leuenberger
d26ce719ad Accepting request 1094243 from devel:languages:python:Factory
- Add bpo-37596-make-set-marshalling.patch making marshalling of
  `set` and `frozenset` deterministic (bsc#1211765).

OBS-URL: https://build.opensuse.org/request/show/1094243
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=32
2023-06-22 21:24:50 +00:00
895080bf5f Add missing import
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=93
2023-06-20 22:19:48 +00:00
f21150c420 - Add bpo-37596-make-set-marshalling.patch making marshalling of
  `set` and `frozenset` deterministic (bsc#1211765).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=92
2023-06-20 21:41:03 +00:00
55e2bbd4e9 Remove nonsensical commit message.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=91
2023-06-05 13:02:45 +00:00
Dominique Leuenberger
65206a5cff Accepting request 1086101 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1086101
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=31
2023-05-30 20:01:58 +00:00
54a90c01cb Adjust CVE-2007-4559-filter-tarfile_extractall.patch.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=89
2023-05-03 14:07:47 +00:00
1ab2e0976b Why in the world we download from HTTP?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=88
2023-04-30 18:19:12 +00:00
6a2f407ebc We can always chmod
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=87
2023-04-27 23:43:26 +00:00
d6d4479296 There is no wasi in 3.10
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=86
2023-04-27 22:49:00 +00:00
e8a35797e6 - Update to 3.10.11:
  - Core and Builtins
    - gh-102416: Do not memoize incorrectly automatically
      generated loop rules in the parser. Patch by Pablo Galindo.
    - gh-102356: Fix a bug that caused a crash when deallocating
      deeply nested filter objects. Patch by Marta Gómez Macías.
    - gh-102397: Fix segfault from race condition in signal
      handling during garbage collection. Patch by Kumar Aditya.
    - gh-102126: Fix deadlock at shutdown when clearing thread
      states if any finalizer tries to acquire the runtime head
      lock. Patch by Kumar Aditya.
    - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal
      module. Patch by Max Bachmann.
    - gh-101967: Fix possible segfault in
      positional_only_passed_as_keyword function, when new list
      created.
    - gh-101765: Fix SystemError / segmentation fault in iter
      __reduce__ when internal access of builtins.__dict__ keys
      mutates the iter object.
  - Library
    - gh-102947: Improve traceback when dataclasses.fields() is
      called on a non-dataclass. Patch by Alex Waygood
    - gh-101979: Fix a bug where parentheses in the metavar
      argument to argparse.ArgumentParser.add_argument() were
      dropped. Patch by Yeojin Kim.
    - gh-102179: Fix os.dup2() error message for negative fds.
    - gh-101961: For the binary mode, fileinput.hookcompressed()
      doesn’t set the encoding value even if the value is
      None. Patch by Gihwan Kim.
    - gh-101936: The default value of fp becomes io.BytesIO

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=85
2023-04-27 21:53:08 +00:00
0a6bd2edcb - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=84
2023-04-27 21:21:50 +00:00
f5edaf893f Revert
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=83
2023-03-27 15:08:59 +00:00
ff2aadd3f5 - Switch off obsoleting previous interpreters.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=82
2023-03-27 15:00:17 +00:00