4d0e8ae006- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).Matej Cepl2025-08-01 20:20:01 +00:00
a1677ef90dAccepting request 1290033 from devel:languages:python:FactoryAna Guerrero2025-07-03 10:10:49 +00:00
21d02acf4f- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).Matej Cepl2025-07-02 16:01:11 +00:00
e00f14a3f1Accepting request 1288601 from devel:languages:python:FactoryAna Guerrero2025-06-26 09:39:54 +00:00
0ae2dc2f69Accepting request 1284259 from devel:languages:python:FactoryAna Guerrero2025-06-10 10:24:40 +00:00
5c156cd8cb- Update to 3.10.18: - Security - gh-135034: Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138 (bsc#1244059), CVE-2025-4330 (bsc#1244060), and CVE-2025-4517 (bsc#1244032). - gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler (CVE-2025-4516, bsc#1243273). - gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. - Library - gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address. - gh-134062: ipaddress: fix collisions in __hash__() for IPv4Network and IPv6Network objects. - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output according to RFC 3596, §2.5. Patch by Bénédikt Tran. - bpo-43633: Improve the textual representation of IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2) in ipaddress. Patch by Oleksandr Pavliuk. - Remove upstreamed patches: - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch - CVE-2025-4516-DecodeError-handler.patchMatej Cepl2025-06-09 17:02:25 +00:00
482cd35216Accepting request 1281886 from devel:languages:python:FactoryAna Guerrero2025-06-02 20:01:01 +00:00
c1c3249a12- Add CVE-2025-4516-DecodeError-handler.patch fixing CVE-2025-4516 (bsc#1243273) blocking DecodeError handling vulnerability, which could lead to DoS.Matej Cepl2025-05-30 15:54:19 +00:00
8576c1ee61Accepting request 1270151 from devel:languages:python:FactoryAna Guerrero2025-04-18 14:14:32 +00:00
91bc0ccbd9- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch which makes test_ssl not to stop ThreadedEchoServer on OSError, which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067, gh#python/cpython!126572)Matej Cepl2025-04-17 01:21:02 +00:00
ac296bbdefAccepting request 1269057 from devel:languages:python:FactoryAna Guerrero2025-04-16 18:37:17 +00:00
d9086c0242- Update to 3.10.17: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is onlyMatej Cepl2025-04-11 08:15:51 +00:00
8a5d187b75- Update to 3.10.16: - Tests - gh-125041: Re-enable skipped tests for zlib on the s390x architecture: only skip checks of the compressed bytes, which can be different between zlib’s software implementation and the hardware-accelerated implementation. - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode. Use a longer key: FIPS mode requires at least of at least 112 bits. The previous key was only 32 bits. Patch by Victor Stinner. - Security - gh-126623: Upgrade libexpat to 2.6.4 - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified (bsc#1233307, CVE-2024-11168). - Library - gh-124651: Properly quote template strings in venv activation scripts (bsc#1232241, CVE-2024-9287). - gh-103848: Add checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format. - Removed upstreamed patches: - CVE-2024-9287-venv_path_unquoted.patch - CVE-2024-11168-validation-IPv6-addrs.patchMatej Cepl2024-12-04 21:28:34 +00:00
98a593499cAccepting request 1227182 from devel:languages:python:FactoryAna Guerrero2024-11-30 12:27:20 +00:00
9a60aeb3ff- Apply sphinx-72.patch only conditionally for non-SLE-15 builds.Matej Cepl2024-11-28 18:17:32 +00:00
cae840a2efAccepting request 1224262 from devel:languages:python:FactoryAna Guerrero2024-11-15 14:37:43 +00:00
622f9d4446- Remove -IVendor/ from python-config boo#1231795Matej Cepl2024-11-14 16:25:57 +00:00
7ee50cc171- Add CVE-2024-11168-validation-IPv6-addrs.patch fixing bsc#1233307 (CVE-2024-11168, gh#python/cpython#103848): Improper validation of IPv6 and IPvFuture addresses.Matej Cepl2024-11-13 14:50:14 +00:00
87b79dfb11Accepting request 1221276 from devel:languages:python:FactoryAna Guerrero2024-11-05 14:39:49 +00:00
fa752e2d67- Update sphinx-72.patch to include renaming :noindex: option to :no-index: in Sphinx 7.2 (bsc#1232750). - While renaming drop fix-sphinx-72.patch.Matej Cepl2024-11-04 21:51:43 +00:00
ff4810a8a2- Drop .pyc files from docdir for reproducible buildsMatej Cepl2024-10-02 16:22:51 +00:00
a4325ecaa9Accepting request 1199711 from devel:languages:python:FactoryAna Guerrero2024-09-18 13:26:05 +00:00
805320f21a- Add sphinx-802.patch to overcome working both with the most recent and older Sphinx versions.Matej Cepl2024-09-09 15:27:02 +00:00
2999469a13- Tests - gh-112769: The tests now correctly compare zlib version when :const:zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For example zlib-ng defines the version as `1.3.0.zlib-ng. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - gh-100454: Fix SSL tests CI for OpenSSL 3.1+ - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for python -i, as well as for python -m asyncio. The event in question is cpython.run_stdin. - gh-122133: Authenticate the socket connection for the socket.socketpair() fallback on platforms where AF_UNIX is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:os.mkdir on Windows now accepts *mode* of 0o700 to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:tempfile.mkdtemp in scenarios where the base temporary directory is more permissive than the default. - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123693: Use platform-agnostic behavior when computing zipfile.Path.name`.Matej Cepl2024-09-09 14:17:15 +00:00
be25887dfa- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, CVE-2024-8088).Matej Cepl2024-08-29 12:04:00 +00:00
ca334cc307- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883.Matej Cepl2024-08-07 20:30:36 +00:00
a5c76344b0- Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999) - Update bluez-devel-vendor.tar.xzMatej Cepl2024-08-07 15:06:12 +00:00
351afad84b- Remove %suse_update_desktop_file macro as it is not useful any more.Matej Cepl2024-07-22 21:25:49 +00:00
57b3bbe7c5- Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378).Matej Cepl2024-07-15 12:15:29 +00:00
f7b7d9f2f6Accepting request 1185398 from devel:languages:python:FactoryAna Guerrero2024-07-05 17:45:12 +00:00
ef3a96a70cAccepting request 1184844 from home:dgarcia:usr-local-cpythonMatej Cepl2024-07-04 13:17:05 +00:00
9fdf5d0b2cAccepting request 1183503 from devel:languages:python:FactoryAna Guerrero2024-06-29 13:16:42 +00:00
b062a97a85- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448 (CVE-2024-4032) rearranging definition of private v global IP addresses.Matej Cepl2024-06-25 22:17:11 +00:00
346624a8d5Accepting request 1182484 from devel:languages:python:FactoryAna Guerrero2024-06-24 18:50:16 +00:00
1f90dc5291- Remove old-libexpat.patch, of course.Matej Cepl2024-06-21 09:50:19 +00:00
31dd9389f8- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with patched libexpat below 2.6.0 that doesn't update the version number, just in SLE.Matej Cepl2024-06-21 09:49:34 +00:00
041ff70f73- Update 3.10.14: - gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425, and control of the new reparse deferral functionality was exposed with new APIs - gh-109858: zipfile is now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450. It now raises BadZipFile when attempting to read an entry that overlaps with another entry or central directory - gh-91133: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when working around file system permission errors to address CVE-2023-6597 - gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows - gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed - gh-113659: .pth files with names starting with a dot or containing the hidden file attribute are now skipped - gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds - gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads - Remove upstreamed patches: - CVE-2023-6597-TempDir-cleaning-symlink.patch - Port to %autosetup and %autopatch.Matej Cepl2024-03-21 16:45:30 +00:00
a358b6b1ecAccepting request 1157645 from devel:languages:python:FactoryAna Guerrero2024-03-14 16:42:36 +00:00
9d2100328bAccepting request 1155683 from home:pmonrealgonzalez:branches:devel:languages:python:FactoryMatej Cepl2024-03-06 21:50:46 +00:00
ec6474e9bc- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory.Matej Cepl2024-02-28 23:32:27 +00:00
f660687d3fAccepting request 1152786 from devel:languages:python:FactoryAna Guerrero2024-02-28 18:44:32 +00:00
3711a039e6- Remove double definition of /usr/bin/idle%%{version} in %%files.Matej Cepl2024-02-20 22:16:34 +00:00
f2acc64a8cAccepting request 1146869 from devel:languages:python:FactoryAna Guerrero2024-02-15 19:59:20 +00:00
951fa01e4bAccepting request 1146817 from home:dgarcia:branches:devel:languages:python:FactoryMatej Cepl2024-02-15 14:36:25 +00:00
9168347d4a- Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). - Thus we can remove Revert-gh105127-left-tests.patch, which is now useless.Matej Cepl2024-02-12 13:18:00 +00:00
83a7da7040Accepting request 1110597 from devel:languages:python:FactoryAna Guerrero2023-09-12 19:02:42 +00:00
dc236e4d07- Link to CVE-2023-40217 bug report in changelog, bsc#1214692Daniel Garcia2023-09-05 11:37:11 +00:00
044091027dAccepting request 1108911 from devel:languages:python:FactoryAna Guerrero2023-09-04 20:52:31 +00:00
310cd89462Accepting request 1108888 from home:dgarcia:branches:devel:languages:python:FactoryDirk Mueller2023-09-04 15:07:39 +00:00
4a7871d409- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669.Matej Cepl2023-08-03 14:14:37 +00:00
0d124ed5f4Accepting request 1099501 from devel:languages:python:FactoryAna Guerrero2023-07-24 16:12:32 +00:00
32717ebf00- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for stabilizing FLAG_REF usage (required for reproduceability; bsc#1213463).Matej Cepl2023-07-19 11:19:26 +00:00
3c34744813Accepting request 1098690 from devel:languages:python:FactoryMatej Cepl2023-07-14 14:06:10 +00:00
18f6b99d17- (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API).Matej Cepl2023-07-12 10:49:44 +00:00
402f3ae924- Update to 3.10.12: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329. - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details. - Remove upstreamed patches: - CVE-2007-4559-filter-tarfile_extractall.patchMatej Cepl2023-06-28 17:56:56 +00:00
f21150c420- Add bpo-37596-make-set-marshalling.patch making marshalling of set and frozenset deterministic (bsc#1211765).Matej Cepl2023-06-20 21:41:03 +00:00