- Add old-libexpat.patch making the test suite work with
libexpat < 2.6.0 (gh#python/cpython#117187).
- Because of bsc#1189495 we have to revert use of %autopatch.
- Update 3.10.14:
- gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0
to address CVE-2023-52425, and control of the new reparse
deferral functionality was exposed with new APIs
(bsc#1219559).
- gh-109858: zipfile is now protected from the “quoted-overlap”
zipbomb to address CVE-2024-0450. It now raises BadZipFile
when attempting to read an entry that overlaps with another
entry or central directory. (bsc#1221854)
- gh-91133: tempfile.TemporaryDirectory cleanup no longer
dereferences symlinks when working around file system
permission errors to address CVE-2023-6597 (bsc#1219666)
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the system’s proxy bypass list on
macOS and Windows
- gh-81194: a crash in socket.if_indextoname() with a specific
value (UINT_MAX) was fixed. Relatedly, an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms was
fixed
- gh-113659: .pth files with names starting with a dot or
containing the hidden file attribute are now skipped
- gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer
read out of bounds
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to
the certificate store, when the ssl.SSLContext is shared
across multiple threads
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- libexpat260.patch
- Readjust patches:
- F00251-change-user-install-location.patch
- fix_configure_rst.patch
- python-3.3.0b1-localpath.patch
- skip-test_pyobject_freed_is_freed.patch
- Port to %autosetup and %autopatch.
OBS-URL: https://build.opensuse.org/request/show/1161074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=42
- gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0
to address CVE-2023-52425, and control of the new reparse
deferral functionality was exposed with new APIs
- gh-109858: zipfile is now protected from the “quoted-overlap”
zipbomb to address CVE-2024-0450. It now raises BadZipFile
when attempting to read an entry that overlaps with another
entry or central directory
- gh-91133: tempfile.TemporaryDirectory cleanup no longer
dereferences symlinks when working around file system
permission errors to address CVE-2023-6597
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the system’s proxy bypass list on
macOS and Windows
- gh-81194: a crash in socket.if_indextoname() with a specific
value (UINT_MAX) was fixed. Relatedly, an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms was
fixed
- gh-113659: .pth files with names starting with a dot or
containing the hidden file attribute are now skipped
- gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer
read out of bounds
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to
the certificate store, when the ssl.SSLContext is shared
across multiple threads
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- Port to %autosetup and %autopatch.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=119
- Add fix-sphinx-72.patch to make it work with latest sphinx version
gh#python/cpython#97950
- Update to 3.10.13:
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included
protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
Gregory P. Smith.
- gh-107845: tarfile.data_filter() now takes the location of
symlinks into account when determining their target, so it will no
longer reject some valid tarballs with
LinkOutsideDestinationError.
- gh-107565: Update multissltests and GitHub CI workflows to use
OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
- gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data:
*consumed was not set.
OBS-URL: https://build.opensuse.org/request/show/1108888
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=105
- Update to 3.10.12:
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
- CVE-2023-24329-blank-URL-bypass.patch
- CVE-2007-4559-filter-tarfile_extractall.patch
OBS-URL: https://build.opensuse.org/request/show/1095863
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=33
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329.
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details.
- Remove upstreamed patches:
- CVE-2007-4559-filter-tarfile_extractall.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=95
