Commit Graph

116 Commits

Author SHA256 Message Date
Dominique Leuenberger
9708415de3 Accepting request 1102193 from devel:languages:python:Factory
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.

OBS-URL: https://build.opensuse.org/request/show/1102193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=35
2023-08-06 14:29:12 +00:00
4a7871d409 - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=103
2023-08-03 14:14:37 +00:00
Ana Guerrero
0d124ed5f4 Accepting request 1099501 from devel:languages:python:Factory
- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
  stabilizing FLAG_REF usage (required for reproduceability;
  bsc#1213463).
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/request/show/1099501
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=34
2023-07-24 16:12:32 +00:00
32717ebf00 - Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for
stabilizing FLAG_REF usage (required for reproduceability;
  bsc#1213463).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=101
2023-07-19 11:19:26 +00:00
3c34744813 Accepting request 1098690 from devel:languages:python:Factory
Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)

OBS-URL: https://build.opensuse.org/request/show/1098690
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=100
2023-07-14 14:06:10 +00:00
18f6b99d17 - (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=99
2023-07-12 10:49:44 +00:00
Dominique Leuenberger
7870b5cb09 Accepting request 1095863 from devel:languages:python:Factory
- Update to 3.10.12:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/request/show/1095863
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=33
2023-06-30 17:58:24 +00:00
4c4727d238 Fix changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=97
2023-06-28 19:10:39 +00:00
24b222e77c - CVE-2023-24329-blank-URL-bypass.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=96
2023-06-28 17:58:17 +00:00
402f3ae924 - Update to 3.10.12:
- gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329.
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details.
- Remove upstreamed patches:
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=95
2023-06-28 17:56:56 +00:00
Dominique Leuenberger
d26ce719ad Accepting request 1094243 from devel:languages:python:Factory
- Add bpo-37596-make-set-marshalling.patch making marshalling of
  `set` and `frozenset` deterministic (bsc#1211765).

OBS-URL: https://build.opensuse.org/request/show/1094243
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=32
2023-06-22 21:24:50 +00:00
895080bf5f Add missing import
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=93
2023-06-20 22:19:48 +00:00
f21150c420 - Add bpo-37596-make-set-marshalling.patch making marshalling of
`set` and `frozenset` deterministic (bsc#1211765).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=92
2023-06-20 21:41:03 +00:00
55e2bbd4e9 Remove nonsensical commit message.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=91
2023-06-05 13:02:45 +00:00
Dominique Leuenberger
65206a5cff Accepting request 1086101 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1086101
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=31
2023-05-30 20:01:58 +00:00
54a90c01cb Adjust CVE-2007-4559-filter-tarfile_extractall.patch.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=89
2023-05-03 14:07:47 +00:00
1ab2e0976b Why in the world we download from HTTP?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=88
2023-04-30 18:19:12 +00:00
6a2f407ebc We can always chmod
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=87
2023-04-27 23:43:26 +00:00
d6d4479296 There is no wasi in 3.10
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=86
2023-04-27 22:49:00 +00:00
e8a35797e6 - Update to 3.10.11:
- Core and Builtins
    - gh-102416: Do not memoize incorrectly automatically
      generated loop rules in the parser. Patch by Pablo Galindo.
    - gh-102356: Fix a bug that caused a crash when deallocating
      deeply nested filter objects. Patch by Marta Gómez Macías.
    - gh-102397: Fix segfault from race condition in signal
      handling during garbage collection. Patch by Kumar Aditya.
    - gh-102126: Fix deadlock at shutdown when clearing thread
      states if any finalizer tries to acquire the runtime head
      lock. Patch by Kumar Aditya.
    - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal
      module. Patch by Max Bachmann.
    - gh-101967: Fix possible segfault in
      positional_only_passed_as_keyword function, when new list
      created.
    - gh-101765: Fix SystemError / segmentation fault in iter
      __reduce__ when internal access of builtins.__dict__ keys
      mutates the iter object.
  - Library
    - gh-102947: Improve traceback when dataclasses.fields() is
      called on a non-dataclass. Patch by Alex Waygood
    - gh-101979: Fix a bug where parentheses in the metavar
      argument to argparse.ArgumentParser.add_argument() were
      dropped. Patch by Yeojin Kim.
    - gh-102179: Fix os.dup2() error message for negative fds.
    - gh-101961: For the binary mode, fileinput.hookcompressed()
      doesn’t set the encoding value even if the value is
      None. Patch by Gihwan Kim.
    - gh-101936: The default value of fp becomes io.BytesIO

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=85
2023-04-27 21:53:08 +00:00
0a6bd2edcb - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=84
2023-04-27 21:21:50 +00:00
f5edaf893f Revert
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=83
2023-03-27 15:08:59 +00:00
ff2aadd3f5 - Switch off obsoleting previous interpreters.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=82
2023-03-27 15:00:17 +00:00
Dominique Leuenberger
c64e33ed3e Accepting request 1071070 from devel:languages:python:Factory
- Add invalid-json.patch fixing invalid JSON in
  Doc/howto/logging-cookbook.rst (somehow similar to
  gh#python/cpython#102582).

OBS-URL: https://build.opensuse.org/request/show/1071070
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=30
2023-03-15 17:52:49 +00:00
f698aaf4d9 Somebody has not enough to do.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=80
2023-03-13 08:40:16 +00:00
e4ffe4ce0f - Add invalid-json.patch fixing invalid JSON in
Doc/howto/logging-cookbook.rst (somehow similar to
  gh#python/cpython#102582).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=79
2023-03-10 14:39:59 +00:00
Dominique Leuenberger
a67ddc0ae1 Accepting request 1068979 from devel:languages:python:Factory
- Update to 3.10.10:
  Bug fixes and regressions handling, no change of behaviour and
  no security bugs fixed.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/request/show/1068979
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=29
2023-03-05 19:07:48 +00:00
0c5704949d Take care of _testclinic binary module.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=77
2023-03-02 15:23:34 +00:00
602adbc016 - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=76
2023-03-01 21:21:46 +00:00
a60c90b1d7 - Update to 3.10.10:
Bug fixes and regressions handling, no change of behaviour and
  no security bugs fixed.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=75
2023-03-01 21:10:15 +00:00
Dominique Leuenberger
55a026e97b Accepting request 1066987 from devel:languages:python:Factory
- Add provides for readline and sqlite3 to the main Python
  package.

OBS-URL: https://build.opensuse.org/request/show/1066987
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=28
2023-02-22 14:21:08 +00:00
0269832509 Fix SPEC file
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=73
2023-02-21 11:42:46 +00:00
b88ed8b5bd - Add provides for readline and sqlite3 to the main Python
package.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=72
2023-02-21 11:35:05 +00:00
Dominique Leuenberger
eb1e8bd53a Accepting request 1061591 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1061591
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=27
2023-01-29 13:10:05 +00:00
a2b5c7c23b Accepting request 1061584 from home:kukuk:branches:devel:languages:python:Factory
- Disable NIS for new products, it's deprecated and gets removed

OBS-URL: https://build.opensuse.org/request/show/1061584
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=70
2023-01-27 16:14:56 +00:00
Dominique Leuenberger
438d63cfde Accepting request 1041730 from devel:languages:python:Factory
- Update to 3.10.9:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server lo This is done by changing
    the http.server BaseHTTPRequestHandler .log_message method
    to replace control characters with a \xHH hex escape before
    printin
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a name.
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns
    to using filesystem backed unix domain sockets for
    communication with the forkserver process instead of the
    Linux abstract socket namespace. Only code that chooses
    to use the “forkserver” start method is affected Abstract
    sockets have no permissions and could allow any user
    on the system in the same network namespace (often the
    whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict
    this to the forkserver process user as was the default in

OBS-URL: https://build.opensuse.org/request/show/1041730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=26
2022-12-12 17:59:10 +00:00
7757e5a6dc - Update to 3.10.9:
- python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server lo This is done by changing
    the http.server BaseHTTPRequestHandler .log_message method
    to replace control characters with a \xHH hex escape before
    printin
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a name.
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns
    to using filesystem backed unix domain sockets for
    communication with the forkserver process instead of the
    Linux abstract socket namespace. Only code that chooses
    to use the “forkserver” start method is affected Abstract
    sockets have no permissions and could allow any user
    on the system in the same network namespace (often the
    whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict
    this to the forkserver process user as was the default in

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=68
2022-12-08 14:49:07 +00:00
Dominique Leuenberger
d498aa5eb1 Accepting request 1034962 from devel:languages:python:Factory
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

OBS-URL: https://build.opensuse.org/request/show/1034962
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=25
2022-11-12 16:39:52 +00:00
00fe94daed - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=66
2022-11-09 18:33:25 +00:00
Dominique Leuenberger
992e439ab9 Accepting request 1033570 from devel:languages:python:Factory
- Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
  CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
  privilege escalation via the multiprocessing forkserver start
  method.

OBS-URL: https://build.opensuse.org/request/show/1033570
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=24
2022-11-05 13:46:32 +00:00
7c8b7412f2 - Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
  privilege escalation via the multiprocessing forkserver start
  method.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=64
2022-11-04 14:58:28 +00:00
Dominique Leuenberger
b954ccba31 Accepting request 1031406 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1031406
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=23
2022-10-28 17:28:30 +00:00
87c3616141 Accepting request 1031400 from home:mcepl:branches:devel:languages:python:Factory
- Add 98437-sphinx.locale._-as-gettext-in-pyspecific.patch to
  allow building of documentation with the latest Sphinx 5.3.0
  (gh#python/cpython#98366).

OBS-URL: https://build.opensuse.org/request/show/1031400
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=62
2022-10-26 21:24:55 +00:00
9ffbba32c9 - Update to 3.10.8:
- Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - The deprecated mailcap module now refuses to inject unsafe
    text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
  - os.sched_yield() now release the GIL while calling
    sched_yield(2).
  - Bugfix: PyFunction_GetAnnotations() should return a borrowed
    reference. It was returning a new reference.
  - Fixed a missing incref/decref pair in
    Exception.__setstate__().
  - Fix overly-broad source position information for chained
    comparisons used as branching conditions.
  - Fix undefined behaviour in _testcapimodule.c.
  - At Python exit, sometimes a thread holding the GIL can
    wait forever for a thread (usually a daemon thread) which

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=61
2022-10-19 07:46:21 +00:00
Dominique Leuenberger
cb4bb1e48d Accepting request 1004684 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1004684
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=22
2022-09-21 12:38:55 +00:00
01ff931ee1 Accepting request 1004493 from openSUSE:Factory:RISCV
- test-int-timing.patch: gh-96710: Make the test timing more lenient for
  the int/str DoS regression test. (#96717)

OBS-URL: https://build.opensuse.org/request/show/1004493
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=59
2022-09-19 11:20:10 +00:00
Dominique Leuenberger
f7ce61916b Accepting request 1002508 from devel:languages:python:Factory
- Update to 3.10.7:
  - Fix for CVE-2020-10735 (bsc#1203125) Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises
    a ValueError if the number of digits in string form is above
    a limit to avoid potential denial of service attacks due to
    the algorithmic complexity.
  - Other bug fixes:
    - Fixed a bug that caused _PyCode_GetExtra to return garbage
      for negative indexes.
    - Fix format string in _PyPegen_raise_error_known_location
      that can lead to memory corruption on some 64bit systems.
      The function was building a tuple with i (int) instead of
      n (Py_ssize_t) for Py_ssize_t arguments.
    - Fix misleading contents of error message when converting an
      all-whitespace string to float.
    - coroutine.throw() now properly initializes the frame.f_back
      when resuming a stack of coroutines. This allows e.g.
      traceback.print_stack() to work correctly when an exception
      (such as CancelledError) is thrown into a coroutine.
    - ast.parse() will no longer parse function definitions with
      positional-only params when passed feature_version less
      than (3, 8).
    - Correct conversion of numbers.Rational’s to float.
    - Fix a performance regression in logging
      TimedRotatingFileHandler. Only check for special files when
      the rollover time has passed.
    - Fix unused localName parameter in the Attr class in
      xml.dom.minidom.
    - Update bundled pip to 22.2.2.

OBS-URL: https://build.opensuse.org/request/show/1002508
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=21
2022-09-17 18:08:07 +00:00
0dca4d95d4 Accepting request 991870 from home:coolo:branches:devel:languages:python:Factory
- Extend distutils-reproducible-compile.patch with a workaround
  for non reproducible pyc files issue 93317

OBS-URL: https://build.opensuse.org/request/show/991870
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=57
2022-09-11 08:43:05 +00:00
8e56b3482c - Update to 3.10.7:
- Fix for CVE-2020-10735 (bsc#1203125) Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises
    a ValueError if the number of digits in string form is above
    a limit to avoid potential denial of service attacks due to
    the algorithmic complexity.
  - Other bug fixes:
    - Fixed a bug that caused _PyCode_GetExtra to return garbage
      for negative indexes.
    - Fix format string in _PyPegen_raise_error_known_location
      that can lead to memory corruption on some 64bit systems.
      The function was building a tuple with i (int) instead of
      n (Py_ssize_t) for Py_ssize_t arguments.
    - Fix misleading contents of error message when converting an
      all-whitespace string to float.
    - coroutine.throw() now properly initializes the frame.f_back
      when resuming a stack of coroutines. This allows e.g.
      traceback.print_stack() to work correctly when an exception
      (such as CancelledError) is thrown into a coroutine.
    - ast.parse() will no longer parse function definitions with
      positional-only params when passed feature_version less
      than (3, 8).
    - Correct conversion of numbers.Rational’s to float.
    - Fix a performance regression in logging
      TimedRotatingFileHandler. Only check for special files when
      the rollover time has passed.
    - Fix unused localName parameter in the Attr class in
      xml.dom.minidom.
    - Update bundled pip to 22.2.2.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=56
2022-09-11 08:41:57 +00:00
Dominique Leuenberger
2efb08548d Accepting request 1000538 from devel:languages:python:Factory
Add references to bsc#1202624, CVE-2021-28861

OBS-URL: https://build.opensuse.org/request/show/1000538
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=20
2022-09-01 20:10:16 +00:00