- Update to 3.10.9:
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server lo This is done by changing
the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before
printin
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- On Linux the multiprocessing module returns
to using filesystem backed unix domain sockets for
communication with the forkserver process instead of the
Linux abstract socket namespace. Only code that chooses
to use the “forkserver” start method is affected Abstract
sockets have no permissions and could allow any user
on the system in the same network namespace (often the
whole system) to inject code into the multiprocessing
forkserver process. This was a potential privilege
escalation. Filesystem based socket permissions restrict
this to the forkserver process user as was the default in
OBS-URL: https://build.opensuse.org/request/show/1041730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=26
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server lo This is done by changing
the http.server BaseHTTPRequestHandler .log_message method
to replace control characters with a \xHH hex escape before
printin
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a name.
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- On Linux the multiprocessing module returns
to using filesystem backed unix domain sockets for
communication with the forkserver process instead of the
Linux abstract socket namespace. Only code that chooses
to use the “forkserver” start method is affected Abstract
sockets have no permissions and could allow any user
on the system in the same network namespace (often the
whole system) to inject code into the multiprocessing
forkserver process. This was a potential privilege
escalation. Filesystem based socket permissions restrict
this to the forkserver process user as was the default in
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=68
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- The deprecated mailcap module now refuses to inject unsafe
text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- os.sched_yield() now release the GIL while calling
sched_yield(2).
- Bugfix: PyFunction_GetAnnotations() should return a borrowed
reference. It was returning a new reference.
- Fixed a missing incref/decref pair in
Exception.__setstate__().
- Fix overly-broad source position information for chained
comparisons used as branching conditions.
- Fix undefined behaviour in _testcapimodule.c.
- At Python exit, sometimes a thread holding the GIL can
wait forever for a thread (usually a daemon thread) which
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=61
- Update to 3.10.7:
- Fix for CVE-2020-10735 (bsc#1203125) Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises
a ValueError if the number of digits in string form is above
a limit to avoid potential denial of service attacks due to
the algorithmic complexity.
- Other bug fixes:
- Fixed a bug that caused _PyCode_GetExtra to return garbage
for negative indexes.
- Fix format string in _PyPegen_raise_error_known_location
that can lead to memory corruption on some 64bit systems.
The function was building a tuple with i (int) instead of
n (Py_ssize_t) for Py_ssize_t arguments.
- Fix misleading contents of error message when converting an
all-whitespace string to float.
- coroutine.throw() now properly initializes the frame.f_back
when resuming a stack of coroutines. This allows e.g.
traceback.print_stack() to work correctly when an exception
(such as CancelledError) is thrown into a coroutine.
- ast.parse() will no longer parse function definitions with
positional-only params when passed feature_version less
than (3, 8).
- Correct conversion of numbers.Rational’s to float.
- Fix a performance regression in logging
TimedRotatingFileHandler. Only check for special files when
the rollover time has passed.
- Fix unused localName parameter in the Attr class in
xml.dom.minidom.
- Update bundled pip to 22.2.2.
OBS-URL: https://build.opensuse.org/request/show/1002508
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=21
- Fix for CVE-2020-10735 (bsc#1203125) Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises
a ValueError if the number of digits in string form is above
a limit to avoid potential denial of service attacks due to
the algorithmic complexity.
- Other bug fixes:
- Fixed a bug that caused _PyCode_GetExtra to return garbage
for negative indexes.
- Fix format string in _PyPegen_raise_error_known_location
that can lead to memory corruption on some 64bit systems.
The function was building a tuple with i (int) instead of
n (Py_ssize_t) for Py_ssize_t arguments.
- Fix misleading contents of error message when converting an
all-whitespace string to float.
- coroutine.throw() now properly initializes the frame.f_back
when resuming a stack of coroutines. This allows e.g.
traceback.print_stack() to work correctly when an exception
(such as CancelledError) is thrown into a coroutine.
- ast.parse() will no longer parse function definitions with
positional-only params when passed feature_version less
than (3, 8).
- Correct conversion of numbers.Rational’s to float.
- Fix a performance regression in logging
TimedRotatingFileHandler. Only check for special files when
the rollover time has passed.
- Fix unused localName parameter in the Attr class in
xml.dom.minidom.
- Update bundled pip to 22.2.2.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=56
- Update to 3.10.6:
- gh-87389: http.server: Fix an open redirection vulnerability
in the HTTP server when an URI path starts with //.
Vulnerability discovered, and initial fix proposed, by Hamza
Avvan.
- gh-92888: Fix memoryview use after free when accessing the
backing buffer in certain cases.
- gh-95355: _PyPegen_Parser_New now properly detects token
memory allocation errors. Patch by Honglin Zhu.
- gh-94938: Fix error detection in some builtin functions when
keyword argument name is an instance of a str subclass with
overloaded __eq__ and __hash__. Previously it could cause
SystemError or other undesired behavior.
- gh-94949: ast.parse() will no longer parse parenthesized
context managers when passed feature_version less than
(3, 9). Patch by Shantanu Jain.
- gh-94947: ast.parse() will no longer parse assignment
expressions when passed feature_version less than
(3, 8). Patch by Shantanu Jain.
- gh-94869: Fix the column offsets for some expressions in
multi-line f-strings ast nodes. Patch by Pablo Galindo.
- gh-91153: Fix an issue where a bytearray item assignment
could crash if it’s resized by the new value’s __index__()
method.
- gh-94329: Compile and run code with unpacking of extremely
large sequences (1000s of elements). Such code failed to
compile. It now compiles and runs correctly.
- gh-94360: Fixed a tokenizer crash when reading encoded
files with syntax errors from stdin with non utf-8 encoded
text. Patch by Pablo Galindo
- gh-94192: Fix error for dictionary literals with invalid
expression as value.
- gh-93964: Strengthened compiler overflow checks to prevent
crashes when compiling very large source files.
- gh-93671: Fix some exponential backtrace case happening with
deeply nested sequence patterns in match statements. Patch by
Pablo Galindo
- gh-93021: Fix the __text_signature__ for __get__() methods
implemented in C. Patch by Jelle Zijlstra.
- gh-92930: Fixed a crash in _pickle.c from mutating
collections during __reduce__ or persistent_id.
- gh-92914: Always round the allocated size for lists up to the
nearest even number.
- gh-92858: Improve error message for some suites with syntax
error before ‘:’
- gh-95339: Update bundled pip to 22.2.1.
- gh-95045: Fix GC crash when deallocating _lsprof.Profiler by
untracking it before calling any callbacks. Patch by Kumar
Aditya.
- gh-95087: Fix IndexError in parsing invalid date in the email
module.
- gh-95199: Upgrade bundled setuptools to 63.2.0.
- gh-95194: Upgrade bundled pip to 22.2.
- gh-93899: Fix check for existence of os.EFD_CLOEXEC,
os.EFD_NONBLOCK and os.EFD_SEMAPHORE flags on older kernel
versions where these flags are not present. Patch by Kumar
Aditya.
- gh-95166: Fix concurrent.futures.Executor.map() to cancel the
currently waiting on future on an error - e.g. TimeoutError
or KeyboardInterrupt.
- gh-93157: Fix fileinput module didn’t support errors option
when inplace is true.
- gh-94821: Fix binding of unix socket to empty address
on Linux to use an available address from the abstract
namespace, instead of “0”.
- gh-94736: Fix crash when deallocating an instance of a
subclass of _multiprocessing.SemLock. Patch by Kumar Aditya.
- gh-94637: SSLContext.set_default_verify_paths() now releases
the GIL around SSL_CTX_set_default_verify_paths call. The
function call performs I/O and CPU intensive work.
- gh-94510: Re-entrant calls to sys.setprofile() and
sys.settrace() now raise RuntimeError. Patch by Pablo
Galindo.
- gh-92336: Fix bug where linecache.getline() fails on bad
files with UnicodeDecodeError or SyntaxError. It now returns
an empty string as per the documentation.
- gh-89988: Fix memory leak in pickle.Pickler when looking up
dispatch_table. Patch by Kumar Aditya.
- gh-94254: Fixed types of struct module to be immutable. Patch
by Kumar Aditya.
- gh-94245: Fix pickling and copying of typing.Tuple[()].
- gh-94207: Made _struct.Struct GC-tracked in order to fix a
reference leak in the _struct module.
- gh-94101: Manual instantiation of ssl.SSLSession objects is
no longer allowed as it lead to misconfigured instances that
crashed the interpreter when attributes where accessed on
them.
- gh-84753: inspect.iscoroutinefunction(),
inspect.isgeneratorfunction(), and
inspect.isasyncgenfunction() now properly return True
for duck-typed function-like objects like instances of
unittest.mock.AsyncMock.
- This makes inspect.iscoroutinefunction() consistent with the
behavior of asyncio.iscoroutinefunction(). Patch by Mehdi
ABAAKOUK.
- gh-83499: Fix double closing of file description in tempfile.
- gh-79512: Fixed names and __module__ value of weakref classes
ReferenceType, ProxyType, CallableProxyType. It makes them
pickleable.
- gh-90494: copy.copy() and copy.deepcopy() now always raise
a TypeError if __reduce__() returns a tuple with length 6
instead of silently ignore the 6th item or produce incorrect
result.
- gh-90549: Fix a multiprocessing bug where a global named
resource (such as a semaphore) could leak when a child
process is spawned (as opposed to forked).
- gh-79579: sqlite3 now correctly detects DML queries with
leading comments. Patch by Erlend E. Aasland.
- gh-93421: Update sqlite3.Cursor.rowcount when a DML
statement has run to completion. This fixes the row count
for SQL queries like UPDATE ... RETURNING. Patch by Erlend
E. Aasland.
- gh-91810: Suppress writing an XML declaration in open
files in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- gh-93353: Fix the importlib.resources.as_file() context
manager to remove the temporary file if destroyed late
during Python finalization: keep a local reference to the
os.remove() function. Patch by Victor Stinner.
- gh-83658: Make multiprocessing.Pool raise an exception if
maxtasksperchild is not None or a positive int.
- gh-74696: shutil.make_archive() no longer temporarily changes
the current working directory during creation of standard
.zip or tar archives.
- gh-91577: Move imports in SharedMemory methods to module
level so that they can be executed late in python
finalization.
- bpo-47231: Fixed an issue with inconsistent trailing slashes
in tarfile longname directories.
- bpo-46755: In QueueHandler, clear stack_info from LogRecord
to prevent stack trace from being written twice.
- bpo-46053: Fix OSS audio support on NetBSD.
- bpo-46197: Fix ensurepip environment isolation for subprocess
running pip.
- bpo-45924: Fix asyncio incorrect traceback when future’s
exception is raised multiple times. Patch by Kumar Aditya.
- bpo-34828: sqlite3.Connection.iterdump() now handles
databases that use AUTOINCREMENT in one or more tables.
- gh-94321: Document the PEP 246 style protocol type
sqlite3.PrepareProtocol.
- gh-86128: Document a limitation in ThreadPoolExecutor where
its exit handler is executed before any handlers in atexit.
- gh-61162: Clarify sqlite3 behavior when Using the connection
as a context manager.
- gh-87260: Align sqlite3 argument specs with the actual
implementation.
- gh-86986: The minimum Sphinx version required to build the
documentation is now 3.2.
- gh-88831: Augmented documentation of
asyncio.create_task(). Clarified the need to keep strong
references to tasks and added a code snippet detailing how to
to this.
- bpo-47161: Document that pathlib.PurePath does not collapse
initial double slashes because they denote UNC paths.
- gh-95280: Fix problem with test_ssl test_get_ciphers on
systems that require perfect forward secrecy (PFS) ciphers.
- gh-95212: Make multiprocessing test case
test_shared_memory_recreate parallel-safe.
- gh-91330: Added more tests for dataclasses to cover behavior
with data descriptor-based fields.
- gh-94208: test_ssl is now checking for supported TLS version
and protocols in more tests.
- gh-93951: In test_bdb.StateTestCase.test_skip, avoid
including auxiliary importers.
- gh-93957: Provide nicer error reporting from subprocesses in
test_venv.EnsurePipTest.test_with_pip.
- gh-57539: Increase calendar test coverage for
calendar.LocaleTextCalendar.formatweekday().
- gh-92886: Fixing tests that fail when running with
optimizations (-O) in test_zipimport.py
- bpo-47016: Create a GitHub Actions workflow for verifying
bundled pip and setuptools. Patch by Illia Volochii and Adam
Turner.
- gh-94841: Fix the possible performance regression of
PyObject_Free() compiled with MSVC version 1932.
- gh-95511: Fix the Shell context menu copy-with-prompts bug of
copying an extra line when one selects whole lines.
- gh-95471: In the Edit menu, move Select All and add a new
separator.
- gh-95411: Enable using IDLE’s module browser with .pyw files.
- gh-89610: Add .pyi as a recognized extension for IDLE on
macOS. This allows opening stub files by double clicking on
them in the Finder.
- gh-94538: Fix Argument Clinic output to custom file
destinations. Patch by Erlend E. Aasland.
- gh-94430: Allow parameters named module and self with custom
C names in Argument Clinic. Patch by Erlend E. Aasland
- gh-94930: Fix SystemError raised when
PyArg_ParseTupleAndKeywords() is used with # in (...) but
without PY_SSIZE_T_CLEAN defined.
- gh-94864: Fix PyArg_Parse* with deprecated format units “u”
and “Z”. It returned 1 (success) when warnings are turned
into exceptions.
- Reapply patches
- bpo-31046_ensurepip_honours_prefix.patch
- fix_configure_rst.patch
- no-skipif-doctests.patch
- skip-test_pyobject_freed_is_freed.patch
OBS-URL: https://build.opensuse.org/request/show/992411
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=18
- gh-87389: http.server: Fix an open redirection vulnerability
in the HTTP server when an URI path starts with //.
Vulnerability discovered, and initial fix proposed, by Hamza
Avvan.
- gh-92888: Fix memoryview use after free when accessing the
backing buffer in certain cases.
- gh-95355: _PyPegen_Parser_New now properly detects token
memory allocation errors. Patch by Honglin Zhu.
- gh-94938: Fix error detection in some builtin functions when
keyword argument name is an instance of a str subclass with
overloaded __eq__ and __hash__. Previously it could cause
SystemError or other undesired behavior.
- gh-94949: ast.parse() will no longer parse parenthesized
context managers when passed feature_version less than
(3, 9). Patch by Shantanu Jain.
- gh-94947: ast.parse() will no longer parse assignment
expressions when passed feature_version less than
(3, 8). Patch by Shantanu Jain.
- gh-94869: Fix the column offsets for some expressions in
multi-line f-strings ast nodes. Patch by Pablo Galindo.
- gh-91153: Fix an issue where a bytearray item assignment
could crash if it’s resized by the new value’s __index__()
method.
- gh-94329: Compile and run code with unpacking of extremely
large sequences (1000s of elements). Such code failed to
compile. It now compiles and runs correctly.
- gh-94360: Fixed a tokenizer crash when reading encoded
files with syntax errors from stdin with non utf-8 encoded
text. Patch by Pablo Galindo
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=49
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- Fix building of documentation and the universal configuration of the
%primary_interpreter.
- Switch primary_interpreter from python38 to python310 for
Factory (only)
- (bsc#1196784, CVE-2022-25236) Rename patch:
support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
as it was fully patched against CVE-2022-25236.
OBS-URL: https://build.opensuse.org/request/show/983936
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=16
%primary_interpreter.
- Switch primary_interpreter from python38 to python310 for
Factory (only)
- (bsc#1196784, CVE-2022-25236) Rename patch:
support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
as it was fully patched against CVE-2022-25236.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=41
- Core and Builtins
- gh-93418: Fixed an assert where an f-string has an equal
sign ‘=’ following an expression, but there’s no trailing
brace. For example, f”{i=”.
- gh-91924: Fix __ltrace__ debug feature if the stdout
encoding is not UTF-8. Patch by Victor Stinner.
- gh-93061: Backward jumps after async for loops are no
longer given dubious line numbers.
- gh-93065: Fix contextvars HAMT implementation to handle
iteration over deep trees.
- The bug was discovered and fixed by Eli Libman. See
MagicStack/immutables#84 for more details.
- gh-92311: Fixed a bug where setting frame.f_lineno to jump
over a list comprehension could misbehave or crash.
- gh-92112: Fix crash triggered by an evil custom mro() on
a metaclass.
- gh-92036: Fix a crash in subinterpreters related to the
garbage collector. When a subinterpreter is deleted,
untrack all objects tracked by its GC. To prevent a crash
in deallocator functions expecting objects to be tracked by
the GC, leak a strong reference to these objects on
purpose, so they are never deleted and their deallocator
functions are not called. Patch by Victor Stinner.
- gh-91421: Fix a potential integer overflow in
_Py_DecodeUTF8Ex.
- bpo-47212: Raise IndentationError instead of SyntaxError
for a bare except with no following indent. Improve
SyntaxError locations for an un-parenthesized generator
used as arguments. Patch by Matthieu Dartiailh.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=38
- Update to 3.10.4:
- bpo-46968: Check for the existence of the “sys/auxv.h” header
in faulthandler to avoid compilation problems in systems
where this header doesn’t exist. Patch by Pablo Galindo
- bpo-23691: Protect the re.finditer() iterator from
re-entering.
- bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
when reading a ZipFile from multiple threads.
- bpo-38256: Fix binascii.crc32() when it is compiled to use
zlib’c crc32 to work properly on inputs 4+GiB in length
instead of returning the wrong result. The workaround prior
to this was to always feed the function data in increments
smaller than 4GiB or to just call the zlib module function.
- bpo-39394: A warning about inline flags not at the start of
the regular expression now contains the position of the flag.
- bpo-47061: Deprecate the various modules listed by PEP 594:
- aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
sndhdr, spwd, sunau, telnetlib, uu, xdrlib
- bpo-2604: Fix bug where doctests using globals would fail
when run multiple times.
- bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
- bpo-47022: The asynchat, asyncore and smtpd modules have been
deprecated since at least Python 3.6. Their documentation and
deprecation warnings and have now been updated to note they
will removed in Python 3.12 (PEP 594).
- bpo-46421: Fix a unittest issue where if the command was
invoked as python -m unittest and the filename(s) began with
a dot (.), a ValueError is returned.
OBS-URL: https://build.opensuse.org/request/show/965119
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python310?expand=0&rev=14
- bpo-46968: Check for the existence of the “sys/auxv.h” header
in faulthandler to avoid compilation problems in systems
where this header doesn’t exist. Patch by Pablo Galindo
- bpo-23691: Protect the re.finditer() iterator from
re-entering.
- bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
when reading a ZipFile from multiple threads.
- bpo-38256: Fix binascii.crc32() when it is compiled to use
zlib’c crc32 to work properly on inputs 4+GiB in length
instead of returning the wrong result. The workaround prior
to this was to always feed the function data in increments
smaller than 4GiB or to just call the zlib module function.
- bpo-39394: A warning about inline flags not at the start of
the regular expression now contains the position of the flag.
- bpo-47061: Deprecate the various modules listed by PEP 594:
- aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
sndhdr, spwd, sunau, telnetlib, uu, xdrlib
- bpo-2604: Fix bug where doctests using globals would fail
when run multiple times.
- bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
- bpo-47022: The asynchat, asyncore and smtpd modules have been
deprecated since at least Python 3.6. Their documentation and
deprecation warnings and have now been updated to note they
will removed in Python 3.12 (PEP 594).
- bpo-46421: Fix a unittest issue where if the command was
invoked as python -m unittest and the filename(s) began with
a dot (.), a ValueError is returned.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=34
