Accepting request 1311759 from devel:languages:python:Factory

OBS-URL: https://build.opensuse.org/request/show/1311759
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=60

CVE-2023-27043-email-parsing-errors.patch

@@ -1,461 +0,0 @@
----
- Doc/library/email.utils.rst                                             |   19 -
- Lib/email/utils.py                                                      |  151 +++++++-
- Lib/test/test_email/test_email.py                                       |  187 +++++++++-
- Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst |    8 
- 4 files changed, 344 insertions(+), 21 deletions(-)
-
---- a/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
-@@ -60,13 +60,18 @@ of the new API.
-    begins with angle brackets, they are stripped off.
- 
- 
--.. function:: parseaddr(address)
-+.. function:: parseaddr(address, *, strict=True)
- 
-    Parse address -- which should be the value of some address-containing field such
-    as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
-    *email address* parts.  Returns a tuple of that information, unless the parse
-    fails, in which case a 2-tuple of ``('', '')`` is returned.
- 
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: formataddr(pair, charset='utf-8')
- 
-@@ -84,12 +89,15 @@ of the new API.
-       Added the *charset* option.
- 
- 
--.. function:: getaddresses(fieldvalues)
-+.. function:: getaddresses(fieldvalues, *, strict=True)
- 
-    This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
-    *fieldvalues* is a sequence of header field values as might be returned by
--   :meth:`Message.get_all <email.message.Message.get_all>`.  Here's a simple
--   example that gets all the recipients of a message::
-+   :meth:`Message.get_all <email.message.Message.get_all>`.
-+
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   Here's a simple example that gets all the recipients of a message::
- 
-       from email.utils import getaddresses
- 
-@@ -99,6 +107,9 @@ of the new API.
-       resent_ccs = msg.get_all('resent-cc', [])
-       all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
- 
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: parsedate(date)
- 
---- a/Lib/email/utils.py
-+++ b/Lib/email/utils.py
-@@ -48,6 +48,7 @@ TICK = "'"
- specialsre = re.compile(r'[][\\()<>@,:;".]')
- escapesre = re.compile(r'[\\"]')
- 
-+
- def _has_surrogates(s):
-     """Return True if s may contain surrogate-escaped binary data."""
-     # This check is based on the fact that unless there are surrogates, utf8
-@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
-     return address
- 
- 
-+def _iter_escaped_chars(addr):
-+    pos = 0
-+    escape = False
-+    for pos, ch in enumerate(addr):
-+        if escape:
-+            yield (pos, '\\' + ch)
-+            escape = False
-+        elif ch == '\\':
-+            escape = True
-+        else:
-+            yield (pos, ch)
-+    if escape:
-+        yield (pos, '\\')
-+
-+
-+def _strip_quoted_realnames(addr):
-+    """Strip real names between quotes."""
-+    if '"' not in addr:
-+        # Fast path
-+        return addr
-+
-+    start = 0
-+    open_pos = None
-+    result = []
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '"':
-+            if open_pos is None:
-+                open_pos = pos
-+            else:
-+                if start != open_pos:
-+                    result.append(addr[start:open_pos])
-+                start = pos + 1
-+                open_pos = None
- 
--def getaddresses(fieldvalues):
--    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
--    all = COMMASPACE.join(str(v) for v in fieldvalues)
--    a = _AddressList(all)
--    return a.addresslist
-+    if start < len(addr):
-+        result.append(addr[start:])
-+
-+    return ''.join(result)
-+
-+
-+supports_strict_parsing = True
-+
-+def getaddresses(fieldvalues, *, strict=True):
-+    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-+
-+    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-+    its place.
-+
-+    If strict is true, use a strict parser which rejects malformed inputs.
-+    """
-+
-+    # If strict is true, if the resulting list of parsed addresses is greater
-+    # than the number of fieldvalues in the input list, a parsing error has
-+    # occurred and consequently a list containing a single empty 2-tuple [('',
-+    # '')] is returned in its place. This is done to avoid invalid output.
-+    #
-+    # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
-+    # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
-+    # Safe output: [('', '')]
-+
-+    if not strict:
-+        all = COMMASPACE.join(str(v) for v in fieldvalues)
-+        a = _AddressList(all)
-+        return a.addresslist
-+
-+    fieldvalues = [str(v) for v in fieldvalues]
-+    fieldvalues = _pre_parse_validation(fieldvalues)
-+    addr = COMMASPACE.join(fieldvalues)
-+    a = _AddressList(addr)
-+    result = _post_parse_validation(a.addresslist)
-+
-+    # Treat output as invalid if the number of addresses is not equal to the
-+    # expected number of addresses.
-+    n = 0
-+    for v in fieldvalues:
-+        # When a comma is used in the Real Name part it is not a deliminator.
-+        # So strip those out before counting the commas.
-+        v = _strip_quoted_realnames(v)
-+        # Expected number of addresses: 1 + number of commas
-+        n += 1 + v.count(',')
-+    if len(result) != n:
-+        return [('', '')]
-+
-+    return result
-+
-+
-+def _check_parenthesis(addr):
-+    # Ignore parenthesis in quoted real names.
-+    addr = _strip_quoted_realnames(addr)
-+
-+    opens = 0
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '(':
-+            opens += 1
-+        elif ch == ')':
-+            opens -= 1
-+            if opens < 0:
-+                return False
-+    return (opens == 0)
-+
-+
-+def _pre_parse_validation(email_header_fields):
-+    accepted_values = []
-+    for v in email_header_fields:
-+        if not _check_parenthesis(v):
-+            v = "('', '')"
-+        accepted_values.append(v)
-+
-+    return accepted_values
-+
-+
-+def _post_parse_validation(parsed_email_header_tuples):
-+    accepted_values = []
-+    # The parser would have parsed a correctly formatted domain-literal
-+    # The existence of an [ after parsing indicates a parsing failure
-+    for v in parsed_email_header_tuples:
-+        if '[' in v[1]:
-+            v = ('', '')
-+        accepted_values.append(v)
-+
-+    return accepted_values
- 
- 
- def _format_timetuple_and_zone(timetuple, zone):
-@@ -205,16 +321,33 @@ def parsedate_to_datetime(data):
-             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
- 
- 
--def parseaddr(addr):
-+def parseaddr(addr, *, strict=True):
-     """
-     Parse addr into its constituent realname and email address parts.
- 
-     Return a tuple of realname and email address, unless the parse fails, in
-     which case return a 2-tuple of ('', '').
-+
-+    If strict is True, use a strict parser which rejects malformed inputs.
-     """
--    addrs = _AddressList(addr).addresslist
--    if not addrs:
--        return '', ''
-+    if not strict:
-+        addrs = _AddressList(addr).addresslist
-+        if not addrs:
-+            return ('', '')
-+        return addrs[0]
-+
-+    if isinstance(addr, list):
-+        addr = addr[0]
-+
-+    if not isinstance(addr, str):
-+        return ('', '')
-+
-+    addr = _pre_parse_validation([addr])[0]
-+    addrs = _post_parse_validation(_AddressList(addr).addresslist)
-+
-+    if not addrs or len(addrs) > 1:
-+        return ('', '')
-+
-     return addrs[0]
- 
- 
---- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -17,6 +17,7 @@ from unittest.mock import patch
- 
- import email
- import email.policy
-+import email.utils
- 
- from email.charset import Charset
- from email.generator import Generator, DecodedGenerator, BytesGenerator
-@@ -3336,15 +3337,137 @@ Foo
-            [('Al Person', 'aperson@dom.ain'),
-             ('Bud Person', 'bperson@dom.ain')])
- 
-+    def test_parsing_errors(self):
-+        """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
-+        alice = 'alice@example.org'
-+        bob = 'bob@example.com'
-+        empty = ('', '')
-+
-+        # Test utils.getaddresses() and utils.parseaddr() on malformed email
-+        # addresses: default behavior (strict=True) rejects malformed address,
-+        # and strict=False which tolerates malformed address.
-+        for invalid_separator, expected_non_strict in (
-+            ('(', [(f'<{bob}>', alice)]),
-+            (')', [('', alice), empty, ('', bob)]),
-+            ('<', [('', alice), empty, ('', bob), empty]),
-+            ('>', [('', alice), empty, ('', bob)]),
-+            ('[', [('', f'{alice}[<{bob}>]')]),
-+            (']', [('', alice), empty, ('', bob)]),
-+            ('@', [empty, empty, ('', bob)]),
-+            (';', [('', alice), empty, ('', bob)]),
-+            (':', [('', alice), ('', bob)]),
-+            ('.', [('', alice + '.'), ('', bob)]),
-+            ('"', [('', alice), ('', f'<{bob}>')]),
-+        ):
-+            address = f'{alice}{invalid_separator}<{bob}>'
-+            with self.subTest(address=address):
-+                self.assertEqual(utils.getaddresses([address]),
-+                                 [empty])
-+                self.assertEqual(utils.getaddresses([address], strict=False),
-+                                 expected_non_strict)
-+
-+                self.assertEqual(utils.parseaddr([address]),
-+                                 empty)
-+                self.assertEqual(utils.parseaddr([address], strict=False),
-+                                 ('', address))
-+
-+        # Comma (',') is treated differently depending on strict parameter.
-+        # Comma without quotes.
-+        address = f'{alice},<{bob}>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.parseaddr([address]),
-+                         empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Real name between quotes containing comma.
-+        address = '"Alice, alice@example.org" <bob@example.com>'
-+        expected_strict = ('Alice, alice@example.org', 'bob@example.com')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Valid parenthesis in comments.
-+        address = 'alice@example.org (Alice)'
-+        expected_strict = ('Alice', 'alice@example.org')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Invalid parenthesis in comments.
-+        address = 'alice@example.org )Alice('
-+        self.assertEqual(utils.getaddresses([address]), [empty])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Two addresses with quotes separated by comma.
-+        address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Test email.utils.supports_strict_parsing attribute
-+        self.assertEqual(email.utils.supports_strict_parsing, True)
-+
-     def test_getaddresses_nasty(self):
--        eq = self.assertEqual
--        eq(utils.getaddresses(['foo: ;']), [('', '')])
--        eq(utils.getaddresses(
--           ['[]*-- =~$']),
--           [('', ''), ('', ''), ('', '*--')])
--        eq(utils.getaddresses(
--           ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
--           [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
-+        for addresses, expected in (
-+            (['"Sürname, Firstname" <to@example.com>'],
-+             [('Sürname, Firstname', 'to@example.com')]),
-+
-+            (['foo: ;'],
-+             [('', '')]),
-+
-+            (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
-+             [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
-+
-+            ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
-+             [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
-+
-+            (['(Empty list)(start)Undisclosed recipients  :(nobody(I know))'],
-+             [('', '')]),
-+
-+            (['Mary <@machine.tld:mary@example.net>, , jdoe@test   . example'],
-+             [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
-+
-+            (['John Doe <jdoe@machine(comment).  example>'],
-+             [('John Doe (comment)', 'jdoe@machine.example')]),
-+
-+            (['"Mary Smith: Personal Account" <smith@home.example>'],
-+             [('Mary Smith: Personal Account', 'smith@home.example')]),
-+
-+            (['Undisclosed recipients:;'],
-+             [('', '')]),
-+
-+            ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
-+             [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
-+        ):
-+            with self.subTest(addresses=addresses):
-+                self.assertEqual(utils.getaddresses(addresses),
-+                                 expected)
-+                self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                                 expected)
-+
-+        addresses = ['[]*-- =~$']
-+        self.assertEqual(utils.getaddresses(addresses),
-+                         [('', '')])
-+        self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                         [('', ''), ('', ''), ('', '*--')])
- 
-     def test_getaddresses_embedded_comment(self):
-         """Test proper handling of a nested comment"""
-@@ -3535,6 +3658,54 @@ multipart/report
-                 m = cls(*constructor, policy=email.policy.default)
-                 self.assertIs(m.policy, email.policy.default)
- 
-+    def test_iter_escaped_chars(self):
-+        self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
-+                         [(0, 'a'),
-+                          (2, '\\\\'),
-+                          (3, 'b'),
-+                          (5, '\\"'),
-+                          (6, 'c'),
-+                          (8, '\\\\'),
-+                          (9, '"'),
-+                          (10, 'd')])
-+        self.assertEqual(list(utils._iter_escaped_chars('a\\')),
-+                         [(0, 'a'), (1, '\\')])
-+
-+    def test_strip_quoted_realnames(self):
-+        def check(addr, expected):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), expected)
-+
-+        check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
-+              ' <jane@example.net>,  <john@example.net>')
-+        check(r'"Jane \"Doe\"." <jane@example.net>',
-+              ' <jane@example.net>')
-+
-+        # special cases
-+        check(r'before"name"after', 'beforeafter')
-+        check(r'before"name"', 'before')
-+        check(r'b"name"', 'b')  # single char
-+        check(r'"name"after', 'after')
-+        check(r'"name"a', 'a')  # single char
-+        check(r'"name"', '')
-+
-+        # no change
-+        for addr in (
-+            'Jane Doe <jane@example.net>, John Doe <john@example.net>',
-+            'lone " quote',
-+        ):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), addr)
-+
-+
-+    def test_check_parenthesis(self):
-+        addr = 'alice@example.net'
-+        self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
-+
-+        # Ignore real name between quotes
-+        self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
-+
- 
- # Test the iterator/generators
- class TestIterators(TestEmailBase):
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-@@ -0,0 +1,8 @@
-+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
-+return ``('', '')`` 2-tuples in more situations where invalid email
-+addresses are encountered instead of potentially inaccurate values. Add
-+optional *strict* parameter to these two functions: use ``strict=False`` to
-+get the old behavior, accept malformed inputs.
-+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
-+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
-+Stinner to improve the CVE-2023-27043 fix.

CVE-2023-52425-libexpat-2.6.0-backport.patch

@@ -6,9 +6,11 @@
  Lib/test/test_xml_etree.py   |   12 ------------
  5 files changed, 37 insertions(+), 44 deletions(-)
 
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -8,6 +8,7 @@ import dataclasses
+Index: Python-3.11.12/Lib/test/support/__init__.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/support/__init__.py	2025-04-11 10:52:43.191010503 +0200
++++ Python-3.11.12/Lib/test/support/__init__.py	2025-04-11 10:52:44.802161741 +0200
+@@ -8,6 +8,7 @@
  import functools
  import os
  import re
@@ -16,7 +18,7 @@
  import stat
  import sys
  import sysconfig
-@@ -56,7 +57,7 @@ __all__ = [
+@@ -56,7 +57,7 @@
      "run_with_tz", "PGO", "missing_compiler_executable",
      "ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST",
      "LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT",
@@ -25,7 +27,7 @@
      ]
  
  
-@@ -2240,6 +2241,17 @@ def copy_python_src_ignore(path, names):
+@@ -2244,6 +2245,17 @@
          }
      return ignored
  
@@ -44,9 +46,11 @@
 +fails_with_expat_2_6_0 = (unittest.expectedFailure
 +                          if is_expat_2_6_0
 +                          else lambda test: test)
---- a/Lib/test/test_minidom.py
-+++ b/Lib/test/test_minidom.py
-@@ -6,7 +6,6 @@ import io
+Index: Python-3.11.12/Lib/test/test_minidom.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_minidom.py	2025-04-11 10:52:21.907086938 +0200
++++ Python-3.11.12/Lib/test/test_minidom.py	2025-04-11 10:52:44.802522893 +0200
+@@ -6,7 +6,6 @@
  from test import support
  import unittest
  
@@ -54,7 +58,7 @@
  import xml.dom.minidom
  
  from xml.dom.minidom import parse, Attr, Node, Document, parseString
-@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase):
+@@ -1163,13 +1162,11 @@
  
          # Verify that character decoding errors raise exceptions instead
          # of crashing
@@ -73,7 +77,7 @@
                  b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
  
          doc.unlink()
-@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase):
+@@ -1631,12 +1628,10 @@
          self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
  
      def testExceptionOnSpacesInXMLNSValue(self):
@@ -90,9 +94,11 @@
              parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
  
      def testDocRemoveChild(self):
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -14,8 +14,7 @@ from test.support import os_helper
+Index: Python-3.11.12/Lib/test/test_pyexpat.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_pyexpat.py	2025-04-11 10:52:22.076696906 +0200
++++ Python-3.11.12/Lib/test/test_pyexpat.py	2025-04-11 10:52:44.803228085 +0200
+@@ -14,8 +14,7 @@
  from xml.parsers import expat
  from xml.parsers.expat import errors
  
@@ -102,7 +108,7 @@
  
  class SetAttributeTest(unittest.TestCase):
      def setUp(self):
-@@ -770,9 +769,8 @@ class ReparseDeferralTest(unittest.TestC
+@@ -770,9 +769,8 @@
          self.assertIs(parser.GetReparseDeferralEnabled(), enabled)
  
      def test_reparse_deferral_enabled(self):
@@ -114,7 +120,7 @@
  
          started = []
  
-@@ -801,9 +799,9 @@ class ReparseDeferralTest(unittest.TestC
+@@ -801,9 +799,9 @@
  
          parser = expat.ParserCreate()
          parser.StartElementHandler = start_element
@@ -126,9 +132,11 @@
  
          for chunk in (b'<doc', b'/>'):
              parser.Parse(chunk, False)
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -19,13 +19,11 @@ from xml.sax.xmlreader import InputSourc
+Index: Python-3.11.12/Lib/test/test_sax.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_sax.py	2025-04-11 10:52:22.111440337 +0200
++++ Python-3.11.12/Lib/test/test_sax.py	2025-04-11 10:52:44.803567098 +0200
+@@ -19,13 +19,11 @@
  from io import BytesIO, StringIO
  import codecs
  import os.path
@@ -143,7 +151,7 @@
  from test.support.os_helper import FakePath, TESTFN
  
  
-@@ -1215,10 +1213,10 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1215,10 +1213,10 @@
  
          self.assertEqual(result.getvalue(), start + b"<doc>text</doc>")
  
@@ -157,7 +165,7 @@
          result = BytesIO()
          xmlgen = XMLGenerator(result)
          parser = create_parser()
-@@ -1241,6 +1239,9 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1241,6 +1239,9 @@
          self.assertEqual(result.getvalue(), start + b"<doc></doc>")
  
      def test_flush_reparse_deferral_disabled(self):
@@ -167,7 +175,7 @@
          result = BytesIO()
          xmlgen = XMLGenerator(result)
          parser = create_parser()
-@@ -1249,9 +1250,8 @@ class ExpatReaderTest(XmlTestBase):
+@@ -1249,9 +1250,8 @@
          for chunk in ("<doc", ">"):
              parser.feed(chunk)
  
@@ -179,9 +187,11 @@
  
          self.assertFalse(parser._parser.GetReparseDeferralEnabled())
  
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -13,7 +13,6 @@ import itertools
+Index: Python-3.11.12/Lib/test/test_xml_etree.py
+===================================================================
+--- Python-3.11.12.orig/Lib/test/test_xml_etree.py	2025-04-11 10:52:22.425637912 +0200
++++ Python-3.11.12/Lib/test/test_xml_etree.py	2025-04-11 10:52:44.804234785 +0200
+@@ -13,7 +13,6 @@
  import operator
  import os
  import pickle
@@ -189,7 +199,7 @@
  import sys
  import textwrap
  import types
-@@ -1424,12 +1423,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1424,12 +1423,6 @@
          self.assert_event_tags(parser, [('end', 'root')])
          self.assertIsNone(parser.close())
  
@@ -202,7 +212,7 @@
      def test_simple_xml_chunk_22(self):
          self.test_simple_xml(chunk_size=22)
  
-@@ -1627,9 +1620,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1627,9 +1620,6 @@
          with self.assertRaises(ValueError):
              ET.XMLPullParser(events=('start', 'end', 'bogus'))
  
@@ -212,7 +222,7 @@
      def test_flush_reparse_deferral_enabled(self):
          parser = ET.XMLPullParser(events=('start', 'end'))
  
-@@ -1656,8 +1646,6 @@ class XMLPullParserTest(unittest.TestCas
+@@ -1656,8 +1646,6 @@
  
          for chunk in ("<doc", ">"):
              parser.feed(chunk)

CVE-2024-4032-private-IP-addrs.patch

@@ -1,366 +0,0 @@
-From b47c766d6085d7918edd7715750d135868fdafd6 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 24 Apr 2024 14:29:30 +0200
-Subject: [PATCH] gh-113171: gh-65056: Fix "private" (non-global) IP address
- ranges (GH-113179) (GH-113186) (GH-118177)
-
-* GH-113171: Fix "private" (non-global) IP address ranges (GH-113179)
-
-The _private_networks variables, used by various is_private
-implementations, were missing some ranges and at the same time had
-overly strict ranges (where there are more specific ranges considered
-globally reachable by the IANA registries).
-
-This patch updates the ranges with what was missing or otherwise
-incorrect.
-
-100.64.0.0/10 is left alone, for now, as it's been made special in [1].
-
-The _address_exclude_many() call returns 8 networks for IPv4, 121
-networks for IPv6.
-
-[1] https://github.com/python/cpython/issues/61602
-
-* GH-65056: Improve the IP address' is_global/is_private documentation (GH-113186)
-
-It wasn't clear what the semantics of is_global/is_private are and, when
-one gets to the bottom of it, it's not quite so simple (hence the
-exceptions listed).
-
-(cherry picked from commit 2a4cbf17af19a01d942f9579342f77c39fbd23c4)
-(cherry picked from commit 40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f)
-
----------
-
-(cherry picked from commit f86b17ac511e68192ba71f27e752321a3252cee3)
-
-Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
----
- Doc/library/ipaddress.rst                                               |   43 +++-
- Doc/whatsnew/3.11.rst                                                   |    9 
- Lib/ipaddress.py                                                        |  105 +++++++---
- Lib/test/test_ipaddress.py                                              |   21 +-
- Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst |    9 
- 5 files changed, 160 insertions(+), 27 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
-
---- a/Doc/library/ipaddress.rst
-+++ b/Doc/library/ipaddress.rst
-@@ -178,18 +178,53 @@ write code that handles both IP versions
- 
-    .. attribute:: is_private
- 
--      ``True`` if the address is allocated for private networks.  See
-+      ``True`` if the address is defined as not globally reachable by
-       iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
--      (for IPv6).
-+      (for IPv6) with the following exceptions:
-+
-+      * ``is_private`` is ``False`` for the shared address space (``100.64.0.0/10``)
-+      * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
-+        semantics of the underlying IPv4 addresses and the following condition holds
-+        (see :attr:`IPv6Address.ipv4_mapped`)::
-+
-+            address.is_private == address.ipv4_mapped.is_private
-+
-+      ``is_private`` has value opposite to :attr:`is_global`, except for the shared address space
-+      (``100.64.0.0/10`` range) where they are both ``False``.
-+
-+      .. versionchanged:: 3.11.10
-+
-+         Fixed some false positives and false negatives.
-+
-+         * ``192.0.0.0/24`` is considered private with the exception of ``192.0.0.9/32`` and
-+           ``192.0.0.10/32`` (previously: only the ``192.0.0.0/29`` sub-range was considered private).
-+         * ``64:ff9b:1::/48`` is considered private.
-+         * ``2002::/16`` is considered private.
-+         * There are exceptions within ``2001::/23`` (otherwise considered private): ``2001:1::1/128``,
-+           ``2001:1::2/128``, ``2001:3::/32``, ``2001:4:112::/48``, ``2001:20::/28``, ``2001:30::/28``.
-+           The exceptions are not considered private.
- 
-    .. attribute:: is_global
- 
--      ``True`` if the address is allocated for public networks.  See
-+      ``True`` if the address is defined as globally reachable by
-       iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
--      (for IPv6).
-+      (for IPv6) with the following exception:
-+
-+      For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
-+      semantics of the underlying IPv4 addresses and the following condition holds
-+      (see :attr:`IPv6Address.ipv4_mapped`)::
-+
-+         address.is_global == address.ipv4_mapped.is_global
-+
-+      ``is_global`` has value opposite to :attr:`is_private`, except for the shared address space
-+      (``100.64.0.0/10`` range) where they are both ``False``.
- 
-       .. versionadded:: 3.4
- 
-+      .. versionchanged:: 3.11.10
-+
-+         Fixed some false positives and false negatives, see :attr:`is_private` for details.
-+
-    .. attribute:: is_unspecified
- 
-       ``True`` if the address is unspecified.  See :RFC:`5735` (for IPv4)
---- a/Doc/whatsnew/3.11.rst
-+++ b/Doc/whatsnew/3.11.rst
-@@ -2727,3 +2727,12 @@ OpenSSL
- * Windows builds and macOS installers from python.org now use OpenSSL 3.0.
- 
- .. _libb2: https://www.blake2.net/
-+
-+Notable changes in 3.11.10
-+==========================
-+
-+ipaddress
-+---------
-+
-+* Fixed ``is_global`` and ``is_private`` behavior in ``IPv4Address``,
-+  ``IPv6Address``, ``IPv4Network`` and ``IPv6Network``.
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1086,7 +1086,11 @@ class _BaseNetwork(_IPAddressBase):
-         """
-         return any(self.network_address in priv_network and
-                    self.broadcast_address in priv_network
--                   for priv_network in self._constants._private_networks)
-+                   for priv_network in self._constants._private_networks) and all(
-+                    self.network_address not in network and
-+                    self.broadcast_address not in network
-+                    for network in self._constants._private_networks_exceptions
-+                )
- 
-     @property
-     def is_global(self):
-@@ -1333,18 +1337,41 @@ class IPv4Address(_BaseV4, _BaseAddress)
-     @property
-     @functools.lru_cache()
-     def is_private(self):
--        """Test if this address is allocated for private networks.
--
--        Returns:
--            A boolean, True if the address is reserved per
--            iana-ipv4-special-registry.
--
--        """
--        return any(self in net for net in self._constants._private_networks)
-+        """``True`` if the address is defined as not globally reachable by
-+        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
-+        (for IPv6) with the following exceptions:
-+
-+        * ``is_private`` is ``False`` for ``100.64.0.0/10``
-+        * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
-+            semantics of the underlying IPv4 addresses and the following condition holds
-+            (see :attr:`IPv6Address.ipv4_mapped`)::
-+
-+                address.is_private == address.ipv4_mapped.is_private
-+
-+        ``is_private`` has value opposite to :attr:`is_global`, except for the ``100.64.0.0/10``
-+        IPv4 range where they are both ``False``.
-+        """
-+        return (
-+            any(self in net for net in self._constants._private_networks)
-+            and all(self not in net for net in self._constants._private_networks_exceptions)
-+        )
- 
-     @property
-     @functools.lru_cache()
-     def is_global(self):
-+        """``True`` if the address is defined as globally reachable by
-+        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
-+        (for IPv6) with the following exception:
-+
-+        For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
-+        semantics of the underlying IPv4 addresses and the following condition holds
-+        (see :attr:`IPv6Address.ipv4_mapped`)::
-+
-+            address.is_global == address.ipv4_mapped.is_global
-+
-+        ``is_global`` has value opposite to :attr:`is_private`, except for the ``100.64.0.0/10``
-+        IPv4 range where they are both ``False``.
-+        """
-         return self not in self._constants._public_network and not self.is_private
- 
-     @property
-@@ -1548,13 +1575,15 @@ class _IPv4Constants:
- 
-     _public_network = IPv4Network('100.64.0.0/10')
- 
-+    # Not globally reachable address blocks listed on
-+    # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
-     _private_networks = [
-         IPv4Network('0.0.0.0/8'),
-         IPv4Network('10.0.0.0/8'),
-         IPv4Network('127.0.0.0/8'),
-         IPv4Network('169.254.0.0/16'),
-         IPv4Network('172.16.0.0/12'),
--        IPv4Network('192.0.0.0/29'),
-+        IPv4Network('192.0.0.0/24'),
-         IPv4Network('192.0.0.170/31'),
-         IPv4Network('192.0.2.0/24'),
-         IPv4Network('192.168.0.0/16'),
-@@ -1565,6 +1594,11 @@ class _IPv4Constants:
-         IPv4Network('255.255.255.255/32'),
-         ]
- 
-+    _private_networks_exceptions = [
-+        IPv4Network('192.0.0.9/32'),
-+        IPv4Network('192.0.0.10/32'),
-+    ]
-+
-     _reserved_network = IPv4Network('240.0.0.0/4')
- 
-     _unspecified_address = IPv4Address('0.0.0.0')
-@@ -2010,27 +2044,42 @@ class IPv6Address(_BaseV6, _BaseAddress)
-     @property
-     @functools.lru_cache()
-     def is_private(self):
--        """Test if this address is allocated for private networks.
-+        """``True`` if the address is defined as not globally reachable by
-+        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
-+        (for IPv6) with the following exceptions:
-+
-+        * ``is_private`` is ``False`` for ``100.64.0.0/10``
-+        * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
-+            semantics of the underlying IPv4 addresses and the following condition holds
-+            (see :attr:`IPv6Address.ipv4_mapped`)::
- 
--        Returns:
--            A boolean, True if the address is reserved per
--            iana-ipv6-special-registry, or is ipv4_mapped and is
--            reserved in the iana-ipv4-special-registry.
-+                address.is_private == address.ipv4_mapped.is_private
- 
-+        ``is_private`` has value opposite to :attr:`is_global`, except for the ``100.64.0.0/10``
-+        IPv4 range where they are both ``False``.
-         """
-         ipv4_mapped = self.ipv4_mapped
-         if ipv4_mapped is not None:
-             return ipv4_mapped.is_private
--        return any(self in net for net in self._constants._private_networks)
-+        return (
-+            any(self in net for net in self._constants._private_networks)
-+            and all(self not in net for net in self._constants._private_networks_exceptions)
-+        )
- 
-     @property
-     def is_global(self):
--        """Test if this address is allocated for public networks.
-+        """``True`` if the address is defined as globally reachable by
-+        iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_
-+        (for IPv6) with the following exception:
-+
-+        For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the
-+        semantics of the underlying IPv4 addresses and the following condition holds
-+        (see :attr:`IPv6Address.ipv4_mapped`)::
- 
--        Returns:
--            A boolean, true if the address is not reserved per
--            iana-ipv6-special-registry.
-+            address.is_global == address.ipv4_mapped.is_global
- 
-+        ``is_global`` has value opposite to :attr:`is_private`, except for the ``100.64.0.0/10``
-+        IPv4 range where they are both ``False``.
-         """
-         return not self.is_private
- 
-@@ -2271,19 +2320,31 @@ class _IPv6Constants:
- 
-     _multicast_network = IPv6Network('ff00::/8')
- 
-+    # Not globally reachable address blocks listed on
-+    # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
-     _private_networks = [
-         IPv6Network('::1/128'),
-         IPv6Network('::/128'),
-         IPv6Network('::ffff:0:0/96'),
-+        IPv6Network('64:ff9b:1::/48'),
-         IPv6Network('100::/64'),
-         IPv6Network('2001::/23'),
--        IPv6Network('2001:2::/48'),
-         IPv6Network('2001:db8::/32'),
--        IPv6Network('2001:10::/28'),
-+        # IANA says N/A, let's consider it not globally reachable to be safe
-+        IPv6Network('2002::/16'),
-         IPv6Network('fc00::/7'),
-         IPv6Network('fe80::/10'),
-         ]
- 
-+    _private_networks_exceptions = [
-+        IPv6Network('2001:1::1/128'),
-+        IPv6Network('2001:1::2/128'),
-+        IPv6Network('2001:3::/32'),
-+        IPv6Network('2001:4:112::/48'),
-+        IPv6Network('2001:20::/28'),
-+        IPv6Network('2001:30::/28'),
-+    ]
-+
-     _reserved_networks = [
-         IPv6Network('::/8'), IPv6Network('100::/8'),
-         IPv6Network('200::/7'), IPv6Network('400::/6'),
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -2269,6 +2269,10 @@ class IpaddrUnitTest(unittest.TestCase):
-         self.assertEqual(True, ipaddress.ip_address(
-                 '172.31.255.255').is_private)
-         self.assertEqual(False, ipaddress.ip_address('172.32.0.0').is_private)
-+        self.assertFalse(ipaddress.ip_address('192.0.0.0').is_global)
-+        self.assertTrue(ipaddress.ip_address('192.0.0.9').is_global)
-+        self.assertTrue(ipaddress.ip_address('192.0.0.10').is_global)
-+        self.assertFalse(ipaddress.ip_address('192.0.0.255').is_global)
- 
-         self.assertEqual(True,
-                          ipaddress.ip_address('169.254.100.200').is_link_local)
-@@ -2294,6 +2298,7 @@ class IpaddrUnitTest(unittest.TestCase):
-         self.assertEqual(True, ipaddress.ip_network("169.254.0.0/16").is_private)
-         self.assertEqual(True, ipaddress.ip_network("172.16.0.0/12").is_private)
-         self.assertEqual(True, ipaddress.ip_network("192.0.0.0/29").is_private)
-+        self.assertEqual(False, ipaddress.ip_network("192.0.0.9/32").is_private)
-         self.assertEqual(True, ipaddress.ip_network("192.0.0.170/31").is_private)
-         self.assertEqual(True, ipaddress.ip_network("192.0.2.0/24").is_private)
-         self.assertEqual(True, ipaddress.ip_network("192.168.0.0/16").is_private)
-@@ -2310,8 +2315,8 @@ class IpaddrUnitTest(unittest.TestCase):
-         self.assertEqual(True, ipaddress.ip_network("::/128").is_private)
-         self.assertEqual(True, ipaddress.ip_network("::ffff:0:0/96").is_private)
-         self.assertEqual(True, ipaddress.ip_network("100::/64").is_private)
--        self.assertEqual(True, ipaddress.ip_network("2001::/23").is_private)
-         self.assertEqual(True, ipaddress.ip_network("2001:2::/48").is_private)
-+        self.assertEqual(False, ipaddress.ip_network("2001:3::/48").is_private)
-         self.assertEqual(True, ipaddress.ip_network("2001:db8::/32").is_private)
-         self.assertEqual(True, ipaddress.ip_network("2001:10::/28").is_private)
-         self.assertEqual(True, ipaddress.ip_network("fc00::/7").is_private)
-@@ -2390,6 +2395,20 @@ class IpaddrUnitTest(unittest.TestCase):
-         self.assertEqual(True, ipaddress.ip_address('0::0').is_unspecified)
-         self.assertEqual(False, ipaddress.ip_address('::1').is_unspecified)
- 
-+        self.assertFalse(ipaddress.ip_address('64:ff9b:1::').is_global)
-+        self.assertFalse(ipaddress.ip_address('2001::').is_global)
-+        self.assertTrue(ipaddress.ip_address('2001:1::1').is_global)
-+        self.assertTrue(ipaddress.ip_address('2001:1::2').is_global)
-+        self.assertFalse(ipaddress.ip_address('2001:2::').is_global)
-+        self.assertTrue(ipaddress.ip_address('2001:3::').is_global)
-+        self.assertFalse(ipaddress.ip_address('2001:4::').is_global)
-+        self.assertTrue(ipaddress.ip_address('2001:4:112::').is_global)
-+        self.assertFalse(ipaddress.ip_address('2001:10::').is_global)
-+        self.assertTrue(ipaddress.ip_address('2001:20::').is_global)
-+        self.assertTrue(ipaddress.ip_address('2001:30::').is_global)
-+        self.assertFalse(ipaddress.ip_address('2001:40::').is_global)
-+        self.assertFalse(ipaddress.ip_address('2002::').is_global)
-+
-         # some generic IETF reserved addresses
-         self.assertEqual(True, ipaddress.ip_address('100::').is_reserved)
-         self.assertEqual(True, ipaddress.ip_network('4000::1/128').is_reserved)
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-03-14-01-38-44.gh-issue-113171.VFnObz.rst
-@@ -0,0 +1,9 @@
-+Fixed various false positives and false negatives in
-+
-+* :attr:`ipaddress.IPv4Address.is_private` (see these docs for details)
-+* :attr:`ipaddress.IPv4Address.is_global`
-+* :attr:`ipaddress.IPv6Address.is_private`
-+* :attr:`ipaddress.IPv6Address.is_global`
-+
-+Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network`
-+attributes.

CVE-2024-6923-email-hdr-inject.patch

@@ -1,368 +0,0 @@
-From f9ddc53ea850fb02d640a9b3263756d43fb6d868 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 31 Jul 2024 00:19:48 +0200
-Subject: [PATCH] [3.11] gh-121650: Encode newlines in headers, and verify
- headers are sound (GH-122233)
-
-GH-GH- Encode header parts that contain newlines
-
-Per RFC 2047:
-
-> [...] these encoding schemes allow the
-> encoding of arbitrary octet values, mail readers that implement this
-> decoding should also ensure that display of the decoded data on the
-> recipient's terminal will not cause unwanted side-effects
-
-It seems that the "quoted-word" scheme is a valid way to include
-a newline character in a header value, just like we already allow
-undecodable bytes or control characters.
-They do need to be properly quoted when serialized to text, though.
-
-GH-GH- Verify that email headers are well-formed
-
-This should fail for custom fold() implementations that aren't careful
-about newlines.
-
-(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
-
-Co-authored-by: Petr Viktorin <encukou@gmail.com>
-Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
----
- Doc/library/email.errors.rst                                            |    7 +
- Doc/library/email.policy.rst                                            |   18 ++
- Doc/whatsnew/3.11.rst                                                   |   13 ++
- Lib/email/_header_value_parser.py                                       |   12 +
- Lib/email/_policybase.py                                                |    8 +
- Lib/email/errors.py                                                     |    4 
- Lib/email/generator.py                                                  |   13 +-
- Lib/test/test_email/test_generator.py                                   |   62 ++++++++++
- Lib/test/test_email/test_policy.py                                      |   26 ++++
- Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst |    5 
- 10 files changed, 164 insertions(+), 4 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
-
-Index: Python-3.11.9/Doc/library/email.errors.rst
-===================================================================
---- Python-3.11.9.orig/Doc/library/email.errors.rst
-+++ Python-3.11.9/Doc/library/email.errors.rst
-@@ -58,6 +58,13 @@ The following exception classes are defi
-    :class:`~email.mime.nonmultipart.MIMENonMultipart` (e.g.
-    :class:`~email.mime.image.MIMEImage`).
- 
-+
-+.. exception:: HeaderWriteError()
-+
-+   Raised when an error occurs when the :mod:`~email.generator` outputs
-+   headers.
-+
-+
- .. exception:: MessageDefect()
- 
-    This is the base class for all defects found when parsing email messages.
-Index: Python-3.11.9/Doc/library/email.policy.rst
-===================================================================
---- Python-3.11.9.orig/Doc/library/email.policy.rst
-+++ Python-3.11.9/Doc/library/email.policy.rst
-@@ -228,6 +228,24 @@ added matters.  To illustrate::
- 
-       .. versionadded:: 3.6
- 
-+
-+   .. attribute:: verify_generated_headers
-+
-+      If ``True`` (the default), the generator will raise
-+      :exc:`~email.errors.HeaderWriteError` instead of writing a header
-+      that is improperly folded or delimited, such that it would
-+      be parsed as multiple headers or joined with adjacent data.
-+      Such headers can be generated by custom header classes or bugs
-+      in the ``email`` module.
-+
-+      As it's a security feature, this defaults to ``True`` even in the
-+      :class:`~email.policy.Compat32` policy.
-+      For backwards compatible, but unsafe, behavior, it must be set to
-+      ``False`` explicitly.
-+
-+      .. versionadded:: 3.11.10
-+
-+
-    The following :class:`Policy` method is intended to be called by code using
-    the email library to create policy instances with custom settings:
- 
-Index: Python-3.11.9/Doc/whatsnew/3.11.rst
-===================================================================
---- Python-3.11.9.orig/Doc/whatsnew/3.11.rst
-+++ Python-3.11.9/Doc/whatsnew/3.11.rst
-@@ -2728,6 +2728,7 @@ OpenSSL
- 
- .. _libb2: https://www.blake2.net/
- 
-+
- Notable changes in 3.11.10
- ==========================
- 
-@@ -2736,3 +2737,15 @@ ipaddress
- 
- * Fixed ``is_global`` and ``is_private`` behavior in ``IPv4Address``,
-   ``IPv6Address``, ``IPv4Network`` and ``IPv6Network``.
-+
-+email
-+-----
-+
-+* Headers with embedded newlines are now quoted on output.
-+
-+  The :mod:`~email.generator` will now refuse to serialize (write) headers
-+  that are improperly folded or delimited, such that they would be parsed as
-+  multiple headers or joined with adjacent data.
-+  If you need to turn this safety feature off,
-+  set :attr:`~email.policy.Policy.verify_generated_headers`.
-+  (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`.)
-Index: Python-3.11.9/Lib/email/_header_value_parser.py
-===================================================================
---- Python-3.11.9.orig/Lib/email/_header_value_parser.py
-+++ Python-3.11.9/Lib/email/_header_value_parser.py
-@@ -92,6 +92,8 @@ TOKEN_ENDS = TSPECIALS | WSP
- ASPECIALS = TSPECIALS | set("*'%")
- ATTRIBUTE_ENDS = ASPECIALS | WSP
- EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%')
-+NLSET = {'\n', '\r'}
-+SPECIALSNL = SPECIALS | NLSET
- 
- def quote_string(value):
-     return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"'
-@@ -2780,9 +2782,13 @@ def _refold_parse_tree(parse_tree, *, po
-             wrap_as_ew_blocked -= 1
-             continue
-         tstr = str(part)
--        if part.token_type == 'ptext' and set(tstr) & SPECIALS:
--            # Encode if tstr contains special characters.
--            want_encoding = True
-+        if not want_encoding:
-+            if part.token_type == 'ptext':
-+                # Encode if tstr contains special characters.
-+                want_encoding = not SPECIALSNL.isdisjoint(tstr)
-+            else:
-+                # Encode if tstr contains newlines.
-+                want_encoding = not NLSET.isdisjoint(tstr)
-         try:
-             tstr.encode(encoding)
-             charset = encoding
-Index: Python-3.11.9/Lib/email/_policybase.py
-===================================================================
---- Python-3.11.9.orig/Lib/email/_policybase.py
-+++ Python-3.11.9/Lib/email/_policybase.py
-@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc.
-     message_factory     -- the class to use to create new message objects.
-                            If the value is None, the default is Message.
- 
-+    verify_generated_headers
-+                        -- if true, the generator verifies that each header
-+                           they are properly folded, so that a parser won't
-+                           treat it as multiple headers, start-of-body, or
-+                           part of another header.
-+                           This is a check against custom Header & fold()
-+                           implementations.
-     """
- 
-     raise_on_defect = False
-@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc.
-     max_line_length = 78
-     mangle_from_ = False
-     message_factory = None
-+    verify_generated_headers = True
- 
-     def handle_defect(self, obj, defect):
-         """Based on policy, either raise defect or call register_defect.
-Index: Python-3.11.9/Lib/email/errors.py
-===================================================================
---- Python-3.11.9.orig/Lib/email/errors.py
-+++ Python-3.11.9/Lib/email/errors.py
-@@ -29,6 +29,10 @@ class CharsetError(MessageError):
-     """An illegal charset was given."""
- 
- 
-+class HeaderWriteError(MessageError):
-+    """Error while writing headers."""
-+
-+
- # These are parsing defects which the parser was able to work around.
- class MessageDefect(ValueError):
-     """Base class for a message defect."""
-Index: Python-3.11.9/Lib/email/generator.py
-===================================================================
---- Python-3.11.9.orig/Lib/email/generator.py
-+++ Python-3.11.9/Lib/email/generator.py
-@@ -14,12 +14,14 @@ import random
- from copy import deepcopy
- from io import StringIO, BytesIO
- from email.utils import _has_surrogates
-+from email.errors import HeaderWriteError
- 
- UNDERSCORE = '_'
- NL = '\n'  # XXX: no longer used by the code below.
- 
- NLCRE = re.compile(r'\r\n|\r|\n')
- fcre = re.compile(r'^From ', re.MULTILINE)
-+NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
- 
- 
- class Generator:
-@@ -222,7 +224,16 @@ class Generator:
- 
-     def _write_headers(self, msg):
-         for h, v in msg.raw_items():
--            self.write(self.policy.fold(h, v))
-+            folded = self.policy.fold(h, v)
-+            if self.policy.verify_generated_headers:
-+                linesep = self.policy.linesep
-+                if not folded.endswith(self.policy.linesep):
-+                    raise HeaderWriteError(
-+                        f'folded header does not end with {linesep!r}: {folded!r}')
-+                if NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)):
-+                    raise HeaderWriteError(
-+                        f'folded header contains newline: {folded!r}')
-+            self.write(folded)
-         # A blank line always separates headers from body
-         self.write(self._NL)
- 
-Index: Python-3.11.9/Lib/test/test_email/test_generator.py
-===================================================================
---- Python-3.11.9.orig/Lib/test/test_email/test_generator.py
-+++ Python-3.11.9/Lib/test/test_email/test_generator.py
-@@ -6,6 +6,7 @@ from email.message import EmailMessage
- from email.generator import Generator, BytesGenerator
- from email.headerregistry import Address
- from email import policy
-+import email.errors
- from test.test_email import TestEmailBase, parameterize
- 
- 
-@@ -216,6 +217,44 @@ class TestGeneratorBase:
-         g.flatten(msg)
-         self.assertEqual(s.getvalue(), self.typ(expected))
- 
-+    def test_keep_encoded_newlines(self):
-+        msg = self.msgmaker(self.typ(textwrap.dedent("""\
-+            To: nobody
-+            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
-+
-+            None
-+            """)))
-+        expected = textwrap.dedent("""\
-+            To: nobody
-+            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
-+
-+            None
-+            """)
-+        s = self.ioclass()
-+        g = self.genclass(s, policy=self.policy.clone(max_line_length=80))
-+        g.flatten(msg)
-+        self.assertEqual(s.getvalue(), self.typ(expected))
-+
-+    def test_keep_long_encoded_newlines(self):
-+        msg = self.msgmaker(self.typ(textwrap.dedent("""\
-+            To: nobody
-+            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
-+
-+            None
-+            """)))
-+        expected = textwrap.dedent("""\
-+            To: nobody
-+            Subject: Bad subject
-+             =?utf-8?q?=0A?=Bcc:
-+             injection@example.com
-+
-+            None
-+            """)
-+        s = self.ioclass()
-+        g = self.genclass(s, policy=self.policy.clone(max_line_length=30))
-+        g.flatten(msg)
-+        self.assertEqual(s.getvalue(), self.typ(expected))
-+
- 
- class TestGenerator(TestGeneratorBase, TestEmailBase):
- 
-@@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, T
-     ioclass = io.StringIO
-     typ = str
- 
-+    def test_verify_generated_headers(self):
-+        """gh-121650: by default the generator prevents header injection"""
-+        class LiteralHeader(str):
-+            name = 'Header'
-+            def fold(self, **kwargs):
-+                return self
-+
-+        for text in (
-+            'Value\r\nBad Injection\r\n',
-+            'NoNewLine'
-+        ):
-+            with self.subTest(text=text):
-+                message = message_from_string(
-+                    "Header: Value\r\n\r\nBody",
-+                    policy=self.policy,
-+                )
-+
-+                del message['Header']
-+                message['Header'] = LiteralHeader(text)
-+
-+                with self.assertRaises(email.errors.HeaderWriteError):
-+                    message.as_string()
-+
- 
- class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
- 
-Index: Python-3.11.9/Lib/test/test_email/test_policy.py
-===================================================================
---- Python-3.11.9.orig/Lib/test/test_email/test_policy.py
-+++ Python-3.11.9/Lib/test/test_email/test_policy.py
-@@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase):
-         'raise_on_defect':          False,
-         'mangle_from_':             True,
-         'message_factory':          None,
-+        'verify_generated_headers': True,
-         }
-     # These default values are the ones set on email.policy.default.
-     # If any of these defaults change, the docs must be updated.
-@@ -294,6 +295,31 @@ class PolicyAPITests(unittest.TestCase):
-                 with self.assertRaises(email.errors.HeaderParseError):
-                     policy.fold("Subject", subject)
- 
-+    def test_verify_generated_headers(self):
-+        """Turning protection off allows header injection"""
-+        policy = email.policy.default.clone(verify_generated_headers=False)
-+        for text in (
-+            'Header: Value\r\nBad: Injection\r\n',
-+            'Header: NoNewLine'
-+        ):
-+            with self.subTest(text=text):
-+                message = email.message_from_string(
-+                    "Header: Value\r\n\r\nBody",
-+                    policy=policy,
-+                )
-+                class LiteralHeader(str):
-+                    name = 'Header'
-+                    def fold(self, **kwargs):
-+                        return self
-+
-+                del message['Header']
-+                message['Header'] = LiteralHeader(text)
-+
-+                self.assertEqual(
-+                    message.as_string(),
-+                    f"{text}\nBody",
-+                )
-+
-     # XXX: Need subclassing tests.
-     # For adding subclassed objects, make sure the usual rules apply (subclass
-     # wins), but that the order still works (right overrides left).
-Index: Python-3.11.9/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
-===================================================================
---- /dev/null
-+++ Python-3.11.9/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
-@@ -0,0 +1,5 @@
-+:mod:`email` headers with embedded newlines are now quoted on output. The
-+:mod:`~email.generator` will now refuse to serialize (write) headers that
-+are unsafely folded or delimited; see
-+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
-+Bloemsaat and Petr Viktorin in :gh:`121650`.)

CVE-2024-8088-inf-loop-zipfile_Path.patch

@@ -1,136 +0,0 @@
----
- Lib/test/test_zipfile.py                                                |   75 ++++++++++
- Lib/zipfile.py                                                          |   10 +
- Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst |    1 
- Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst |    3 
- 4 files changed, 87 insertions(+), 2 deletions(-)
-
---- a/Lib/test/test_zipfile.py
-+++ b/Lib/test/test_zipfile.py
-@@ -3651,6 +3651,81 @@ with zipfile.ZipFile(io.BytesIO(), "w")
-         zipfile.Path(zf)
-         zf.extractall(source_path.parent)
- 
-+    def test_malformed_paths(self):
-+        """
-+        Path should handle malformed paths gracefully.
-+
-+        Paths with leading slashes are not visible.
-+
-+        Paths with dots are treated like regular files.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr("../parent.txt", b"content")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        assert list(map(str, root.iterdir())) == ['../']
-+        assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content'
-+
-+    def test_unsupported_names(self):
-+        """
-+        Path segments with special characters are readable.
-+
-+        On some platforms or file systems, characters like
-+        ``:`` and ``?`` are not allowed, but they are valid
-+        in the zip file.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr("path?", b"content")
-+        zf.writestr("V: NMS.flac", b"fLaC...")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        contents = root.iterdir()
-+        assert next(contents).name == 'path?'
-+        assert next(contents).name == 'V: NMS.flac'
-+        assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..."
-+
-+    def test_backslash_not_separator(self):
-+        """
-+        In a zip file, backslashes are not separators.
-+        """
-+        data = io.BytesIO()
-+        zf = zipfile.ZipFile(data, "w")
-+        zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content")
-+        zf.filename = ''
-+        root = zipfile.Path(zf)
-+        (first,) = root.iterdir()
-+        assert not first.is_dir()
-+        assert first.name == 'foo\\bar'
-+
-+
-+class DirtyZipInfo(zipfile.ZipInfo):
-+    """
-+    Bypass name sanitization.
-+    """
-+
-+    def __init__(self, filename, *args, **kwargs):
-+        super().__init__(filename, *args, **kwargs)
-+        self.filename = filename
-+
-+    @classmethod
-+    def for_name(cls, name, archive):
-+        """
-+        Construct the same way that ZipFile.writestr does.
-+
-+        TODO: extract this functionality and re-use
-+        """
-+        self = cls(filename=name, date_time=time.localtime(time.time())[:6])
-+        self.compress_type = archive.compression
-+        self.compress_level = archive.compresslevel
-+        if self.filename.endswith('/'):  # pragma: no cover
-+            self.external_attr = 0o40775 << 16  # drwxrwxr-x
-+            self.external_attr |= 0x10  # MS-DOS directory flag
-+        else:
-+            self.external_attr = 0o600 << 16  # ?rw-------
-+        return self
-+
- 
- class EncodedMetadataTests(unittest.TestCase):
-     file_names = ['\u4e00', '\u4e8c', '\u4e09']  # Han 'one', 'two', 'three'
---- a/Lib/zipfile.py
-+++ b/Lib/zipfile.py
-@@ -9,6 +9,7 @@ import io
- import itertools
- import os
- import posixpath
-+import re
- import shutil
- import stat
- import struct
-@@ -2212,7 +2213,7 @@ def _parents(path):
- def _ancestry(path):
-     """
-     Given a path with elements separated by
--    posixpath.sep, generate all elements of that path
-+    posixpath.sep, generate all elements of that path.
- 
-     >>> list(_ancestry('b/d'))
-     ['b/d', 'b']
-@@ -2224,9 +2225,14 @@ def _ancestry(path):
-     ['b']
-     >>> list(_ancestry(''))
-     []
-+
-+    Multiple separators are treated like a single.
-+
-+    >>> list(_ancestry('//b//d///f//'))
-+    ['//b//d///f', '//b//d', '//b']
-     """
-     path = path.rstrip(posixpath.sep)
--    while path and path != posixpath.sep:
-+    while path.rstrip(posixpath.sep):
-         yield path
-         path, tail = posixpath.split(path)
- 
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
-@@ -0,0 +1 @@
-+:class:`zipfile.Path` objects now sanitize names from the zipfile.
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
-@@ -0,0 +1,3 @@
-+Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
-+causing infinite loops (gh-122905) without breaking contents using
-+legitimate characters.

Python-3.11.14.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8d3ed8ec5c88c1c95f5e558612a725450d2452813ddad5e58fdb1a53b1209b78
+size 20326860

Python-3.11.9.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmYNMEcACgkQ/+h0BBaL
-2EeHhxAAuuIM9bl0dgAWOjbgRjCeXR8aFdfcI4dkO7bZrUy8eKbM+XCvPUUvloRJ
-vzGkxYyTmI4kcNPOHfscUwH7AVVij8nGv7WeaXBUZGIXNwfHwvqOxvYvSsNNNFnr
-70yJB7Df8/2s0XqFx3X1aWcnyMDerWKpfJ/VI/NPmCVxkYXGshuTTSFcCMTSFBQB
-sNrIb5NWAsBF4R85uRQDlCg1AoyaKOdJNQkPo1Nrjol1ExJ+MHE7+E+QL9pQkUWG
-SBISPUhJySBAegxolw6YR5dz1L4nukueQDJz3NizUeQGDvH7h1ImY8cypRi44U61
-SUUHhBfmUBiC2dS/tTQawySULWcgbkV4GJ6cJZfDd95uffd4S/GDJCa2wCE2UTlA
-XzQHwbcnIeoL064gX7ruBuFHJ6n/Oz7nZkFqbH2aqLTAWgLiUq31xH3HY734sL6X
-zIJQRbcK1EM7cnNjKMVPlnHpAeKbsbHbU6yzWwZ7reIoyWlZ7vEGrfXO7Kmul93K
-wVaWu0AiOY566ugekdDx4cKV+FQN6oppAN63yTfPJ2Ddcmxs4KNrtozw9OAgDTPE
-GTPFD6V1CMuyQj/jOpAmbj+4bRD4Mx3u2PSittvrIeopxrXPsGGSZ5kdl62Xa2+A
-DzKyYNXzcmxqS9lGdFb+OWCTyAIXxwZrdz1Q61g5xDvR9z/wZiI=
-=Br9/
------END PGP SIGNATURE-----

add-loongarch64-support.patch

@@ -0,0 +1,29 @@
+Description: Add platform triplets for LoongArch.
+
+---
+ configure.ac |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -976,6 +976,20 @@ cat > conftest.c <<EOF
+         hppa-linux-gnu
+ # elif defined(__ia64__)
+         ia64-linux-gnu
++# elif defined(__loongarch__)
++#  if defined(__loongarch_lp64)
++#   if defined(__loongarch_soft_float)
++        loongarch64-linux-gnusf
++#   elif defined(__loongarch_single_float)
++        loongarch64-linux-gnuf32
++#   elif defined(__loongarch_double_float)
++        loongarch64-linux-gnu
++#   else
++#    error unknown platform triplet
++#   endif
++#  else
++#   error unknown platform triplet
++#  endif
+ # elif defined(__m68k__) && !defined(__mcoldfire__)
+         m68k-linux-gnu
+ # elif defined(__mips_hard_float) && defined(__mips_isa_rev) && (__mips_isa_rev >=6) && defined(_MIPSEL)

fix_configure_rst.patch

@@ -29,7 +29,7 @@
     Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -9768,7 +9768,7 @@ C API
+@@ -9911,7 +9911,7 @@ C API
  - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
  
  - bpo-43795: The list in :ref:`limited-api-list` now shows the public name

gh120226-fix-sendfile-test-kernel-610.patch

@@ -0,0 +1,35 @@
+From 1b3f6523a5c83323cdc44031b33a1c062e5dc698 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@xry111.site>
+Date: Fri, 7 Jun 2024 23:51:32 +0800
+Subject: [PATCH] gh-120226: Fix
+ test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10
+ (GH-120227)
+
+The worst case is that the kernel buffers 17 pages with a page size of 64k.
+(cherry picked from commit a7584245661102a5768c643fbd7db8395fd3c90e)
+
+Co-authored-by: Xi Ruoyao <xry111@xry111.site>
+---
+ Lib/test/test_asyncio/test_sendfile.py |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/Lib/test/test_asyncio/test_sendfile.py
++++ b/Lib/test/test_asyncio/test_sendfile.py
+@@ -93,13 +93,10 @@ class MyProto(asyncio.Protocol):
+ 
+ class SendfileBase:
+ 
+-    # 256 KiB plus small unaligned to buffer chunk
+-    # Newer versions of Windows seems to have increased its internal
+-    # buffer and tries to send as much of the data as it can as it
+-    # has some form of buffering for this which is less than 256KiB
+-    # on newer server versions and Windows 11.
+-    # So DATA should be larger than 256 KiB to make this test reliable.
+-    DATA = b"x" * (1024 * 256 + 1)
++    # Linux >= 6.10 seems buffering up to 17 pages of data.
++    # So DATA should be large enough to make this test reliable even with a
++    # 64 KiB page configuration.
++    DATA = b"x" * (1024 * 17 * 64 + 1)
+     # Reduce socket buffer size to test on relative small data sets.
+     BUF_SIZE = 4 * 1024   # 4 KiB
+ 

gh139257-Support-docutils-0.22.patch

@@ -0,0 +1,36 @@
+From 19b61747df3d62c822285c488753d6fbdf91e3ac Mon Sep 17 00:00:00 2001
+From: Daniel Garcia Moreno <daniel.garcia@suse.com>
+Date: Tue, 23 Sep 2025 10:20:16 +0200
+Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
+
+---
+ Doc/tools/extensions/pyspecific.py |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: Python-3.11.13/Doc/tools/extensions/pyspecific.py
+===================================================================
+--- Python-3.11.13.orig/Doc/tools/extensions/pyspecific.py	2025-06-03 20:38:25.000000000 +0200
++++ Python-3.11.13/Doc/tools/extensions/pyspecific.py	2025-09-30 18:20:10.096471679 +0200
+@@ -48,11 +48,21 @@
+ SOURCE_URI = 'https://github.com/python/cpython/tree/3.11/%s'
+ 
+ # monkey-patch reST parser to disable alphabetic and roman enumerated lists
++def _disable_alphabetic_and_roman(text):
++    try:
++        # docutils >= 0.22
++        from docutils.parsers.rst.states import InvalidRomanNumeralError
++        raise InvalidRomanNumeralError(text)
++    except ImportError:
++        # docutils < 0.22
++        return None
++
++
+ from docutils.parsers.rst.states import Body
+ Body.enum.converters['loweralpha'] = \
+     Body.enum.converters['upperalpha'] = \
+     Body.enum.converters['lowerroman'] = \
+-    Body.enum.converters['upperroman'] = lambda x: None
++    Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
+ 
+ # monkey-patch the productionlist directive to allow hyphens in group names
+ # https://github.com/sphinx-doc/sphinx/issues/11854

idle3.appdata.xml

@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<!-- Copyright 2017 Zbigniew Jędrzejewski-Szmek -->
-<application>
-  <id type="desktop">idle3.desktop</id>
+<component type="desktop-application">
+  <id>org.python.IDLE3</id>
+  <launchable type="desktop-id">idle3.desktop</launchable>
+
   <name>IDLE3</name>
-  <metadata_licence>CC0</metadata_licence>
-  <project_license>Python-2.0</project_license>
   <summary>Python 3 Integrated Development and Learning Environment</summary>
+
   <description>
     <p>
       IDLE is Python’s Integrated Development and Learning Environment.
-      The GUI is uniform between Windows, Unix, and Mac OS X.
+      The GUI is uniform between Windows, Unix, and macOS.
       IDLE provides an easy way to start writing, running, and debugging
       Python code.
     </p>
@@ -19,17 +19,33 @@
       It provides:
     </p>
     <ul>
-       <li>a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,</li>
-       <li>a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,</li>
-       <li>search within any window, replace within editor windows, and search through multiple files (grep),</li>
-       <li>a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.</li>
+      <li>a Python shell window (interactive interpreter) with colorizing of code input, output, and error messages,</li>
+      <li>a multi-window text editor with multiple undo, Python colorizing, smart indent, call tips, auto completion, and other features,</li>
+      <li>search within any window, replace within editor windows, and search through multiple files (grep),</li>
+      <li>a debugger with persistent breakpoints, stepping, and viewing of global and local namespaces.</li>
     </ul>
   </description>
+
+  <developer id="org.python">
+    <name>Python Software Foundation</name>
+  </developer>
+
   <url type="homepage">https://docs.python.org/3/library/idle.html</url>
+
   <screenshots>
-    <screenshot type="default">http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</screenshot>
-    <screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</screenshot>
-    <screenshot>http://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</screenshot>
+    <screenshot type="default">
+      <image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-main-window.png</image>
+    </screenshot>
+    <screenshot>
+      <image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-class-browser.png</image>
+    </screenshot>
+    <screenshot>
+      <image>https://in.waw.pl/~zbyszek/fedora/idle3-appdata/idle3-code-viewer.png</image>
+    </screenshot>
   </screenshots>
+
+  <project_license>Python-2.0</project_license>
+  <metadata_license>CC0-1.0</metadata_license>
   <update_contact>zbyszek@in.waw.pl</update_contact>
-</application>
+</component>
+

python-3.3.0b1-test-posix_fadvise.patch

@@ -1,17 +0,0 @@
----
- Lib/test/test_posix.py |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: Python-3.11.8/Lib/test/test_posix.py
-===================================================================
---- Python-3.11.8.orig/Lib/test/test_posix.py
-+++ Python-3.11.8/Lib/test/test_posix.py
-@@ -430,7 +430,7 @@ class PosixTester(unittest.TestCase):
-     def test_posix_fadvise(self):
-         fd = os.open(os_helper.TESTFN, os.O_RDONLY)
-         try:
--            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_WILLNEED)
-+            posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_RANDOM)
-         finally:
-             os.close(fd)
- 

python311-rpmlintrc

@@ -1,3 +1,4 @@
 addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
+addFilter("python-bytecode-inconsistent-mtime.*\.pyc")

python311.changes

@@ -1,3 +1,378 @@
+-------------------------------------------------------------------
+Wed Oct 15 08:52:35 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 3.11.14:
+  - Security
+    - gh-139700: Check consistency of the zip64 end of central
+      directory record. Support records with “zip64 extensible data”
+      if there are no bytes prepended to the ZIP file.
+    - gh-139400: xml.parsers.expat: Make sure that parent Expat
+      parsers are only garbage-collected once they are no longer
+      referenced by subparsers created by
+      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
+    - gh-135661: Fix parsing start and end tags in
+      html.parser.HTMLParser according to the HTML5 standard.
+      * Whitespaces no longer accepted between </ and the tag name. E.g.
+        </ script> does not end the script section.
+      * Vertical tabulation (\v) and non-ASCII whitespaces no longer
+        recognized as whitespaces. The only whitespaces are \t\n\r\f and
+        space.
+      * Null character (U+0000) no longer ends the tag name.
+      * Attributes and slashes after the tag name in end tags are now
+        ignored, instead of terminating after the first > in quoted
+        attribute value. E.g. </script/foo=">"/>.
+      * Multiple slashes and whitespaces between the last attribute and
+        closing > are now ignored in both start and end tags. E.g. <a
+        foo=bar/ //>.
+      * Multiple = between attribute name and value are no longer
+        collapsed. E.g. <a foo==bar> produces attribute “foo” with value
+        “=bar”.
+    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
+      according to the HTML5 standard: ] ]> and ]] > no longer end the
+      CDATA section. Add private method _set_support_cdata() which can
+      be used to specify how to parse <[CDATA[ — as a CDATA section in
+      foreign content (SVG or MathML) or as a bogus comment in the
+      HTML namespace.
+    - gh-102555: Fix comment parsing in html.parser.HTMLParser
+      according to the HTML5 standard. --!> now ends the comment. -- >
+      no longer ends the comment. Support abnormally ended empty
+      comments <--> and <--->.
+    - gh-135462: Fix quadratic complexity in processing specially
+      crafted input in html.parser.HTMLParser. End-of-file errors are
+      now handled according to the HTML5 specs – comments and
+      declarations are automatically closed, tags are ignored.
+    - gh-118350: Fix support of escapable raw text mode (elements
+      “textarea” and “title”) in html.parser.HTMLParser.
+    - gh-86155: html.parser.HTMLParser.close() no longer loses data
+      when the <script> tag is not closed. Patch by Waylan Limberg.
+  - Library
+    - gh-139312: Upgrade bundled libexpat to 2.7.3
+    - gh-138998: Update bundled libexpat to 2.7.2
+    - gh-130577: tarfile now validates archives to ensure member
+      offsets are non-negative. (Contributed by Alexander Enrique
+      Urieles Nieto in gh-130577.)
+    - gh-135374: Update the bundled copy of setuptools to 79.0.1.
+
+- Drop upstreamed patches:
+  - CVE-2025-8194-tarfile-no-neg-offsets.patch
+  - CVE-2025-6069-quad-complex-HTMLParser.patch
+
+-------------------------------------------------------------------
+Mon Sep 29 06:52:07 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add gh139257-Support-docutils-0.22.patch to fix build with latest
+  docutils (>=0.22) gh#python/cpython#139257
+
+-------------------------------------------------------------------
+Fri Sep 19 14:38:03 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop AppStream buildrequires and don't run appstreamcli validate
+  as part of the build process: the appdata.xml is not updated by
+  source directly, so we have more contol. Having Appstream or the
+  deprecated appstream-glib result in a build cycle.
+
+-------------------------------------------------------------------
+Thu Sep 18 08:15:31 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Require AppStream to validate appdata file instead of deprecated
+  appstream-glib.
+- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
+
+-------------------------------------------------------------------
+Fri Aug  1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
+  validates archives to ensure member offsets are non-negative
+  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
+
+-------------------------------------------------------------------
+Wed Jul  2 14:47:20 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
+  case quadratic complexity when processing certain crafted
+  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
+
+-------------------------------------------------------------------
+Tue Jul  1 08:19:52 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Use one core to build doc. This will make sphinx doc build
+  reproducible.
+  bsc#1243155
+
+-------------------------------------------------------------------
+Mon Jun  9 17:19:32 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.13:
+  - Security
+    - gh-135034: Fixes multiple issues that allowed tarfile
+      extraction filters (filter="data" and filter="tar")
+      to be bypassed using crafted symlinks and hard links.
+      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
+      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
+      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
+      (gh#135034, bsc#1244061).
+    - gh-133767: Fix use-after-free in the “unicode-escape”
+      decoder with a non-“strict” error handler (CVE-2025-4516,
+      bsc#1243273).
+    - gh-128840: Short-circuit the processing of long IPv6
+      addresses early in ipaddress to prevent excessive memory
+      consumption and a minor denial-of-service.
+  - Library
+    - gh-128840: Fix parsing long IPv6 addresses with embedded
+      IPv4 address.
+    - gh-134062: ipaddress: fix collisions in __hash__() for
+      IPv4Network and IPv6Network objects.
+    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
+      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
+    - bpo-43633: Improve the textual representation of
+      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
+      in ipaddress. Patch by Oleksandr Pavliuk.
+- Remove upstreamed patches:
+  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  - CVE-2025-4516-DecodeError-handler.patch
+
+-------------------------------------------------------------------
+Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-4516-DecodeError-handler.patch fixing
+  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
+  vulnerability, which could lead to DoS.
+
+-------------------------------------------------------------------
+Sat May 17 10:02:27 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Use extended %autopatch.
+
+-------------------------------------------------------------------
+Sat May 10 11:38:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
+  since kernel 3.6-rc1)
+
+-------------------------------------------------------------------
+Fri Apr 18 14:05:38 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.12:
+  - gh-131809: Update bundled libexpat to 2.7.1
+  - gh-131261: Upgrade to libexpat 2.7.0
+  - gh-105704: When using urllib.parse.urlsplit() and
+    urllib.parse.urlparse() host parsing would not reject domain
+    names containing square brackets ([ and ]). Square brackets
+    are only valid for IPv6 and IPvFuture hosts according to RFC
+    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
+    gh#python/cpython#105704).
+  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
+    when flattening an email message using a modern email
+    policy. Previously when an encoded-word was too long for
+    a line, it would be decoded, split across lines, and
+    re-encoded. But commas and other special characters in the
+    original text could be left unencoded and unquoted. This
+    could theoretically be used to spoof header lines using a
+    carefully constructed encoded-word if the resulting rendered
+    email was transmitted or re-parsed.
+  - gh-80222: Fix bug in the folding of quoted strings
+    when flattening an email message using a modern email
+    policy. Previously when a quoted string was folded so that
+    it spanned more than one line, the surrounding quotes and
+    internal escapes would be omitted. This could theoretically
+    be used to spoof header lines using a carefully constructed
+    quoted string if the resulting rendered email was transmitted
+    or re-parsed.
+  - gh-119511: Fix a potential denial of service in the imaplib
+    module. When connecting to a malicious server, it could
+    cause an arbitrary amount of memory to be allocated. On many
+    systems this is harmless as unused virtual memory is only
+    a mapping, but if this hit a virtual address size limit
+    it could lead to a MemoryError or other process crash. On
+    unusual systems or builds where all allocated memory is
+    touched and backed by actual ram or storage it could’ve
+    consumed resources doing so until similarly crashing.
+  - gh-127257: In ssl, system call failures that OpenSSL reports
+    using ERR_LIB_SYS are now raised as OSError.
+  - gh-121277: Writers of CPython’s documentation can now use
+    next as the version for the versionchanged, versionadded,
+    deprecated directives.
+  - gh-106883: Disable GC during the _PyThread_CurrentFrames()
+    and _PyThread_CurrentExceptions() calls to avoid the
+    interpreter to deadlock.
+- Remove upstreamed patch:
+  - CVE-2025-0938-sq-brackets-domain-names.patch
+- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  which makes test_ssl not to stop ThreadedEchoServer on OSError,
+  which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
+  gh#python/cpython!126572)
+
+-------------------------------------------------------------------
+Wed Mar 12 15:05:46 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Allow to disable PGO
+
+-------------------------------------------------------------------
+Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Skip PGO with %want_reproducible_builds (bsc#1239210)
+
+-------------------------------------------------------------------
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+
+-------------------------------------------------------------------
+Mon Jan 27 09:00:48 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Configure externally_managed with a bcond
+  https://en.opensuse.org/openSUSE:Python:Externally_managed
+  bsc#1228165
+
+-------------------------------------------------------------------
+Wed Dec  4 21:40:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.11:
+  - Tools/Demos
+    - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
+      and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
+  - Tests
+    - gh-125041: Re-enable skipped tests for zlib on the
+      s390x architecture: only skip checks of the compressed
+      bytes, which can be different between zlib’s software
+      implementation and the hardware-accelerated implementation.
+  - Security
+    - gh-126623: Upgrade libexpat to 2.6.4
+    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
+      consistently use the mapped IPv4 address value for deciding
+      properties. Properties which have their behavior fixed are
+      is_multicast, is_reserved, is_link_local, is_global, and
+      is_unspecified.
+  - Library
+    - gh-124651: Properly quote template strings in venv
+      activation scripts (bsc#1232241, CVE-2024-9287).
+- Removed upstreamed patches:
+  - CVE-2024-9287-venv_path_unquoted.patch
+
+-------------------------------------------------------------------
+Tue Dec  3 08:21:35 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add add-loongarch64-support.patch to support loongarch64
+
+-------------------------------------------------------------------
+Mon Dec  2 22:50:07 UTC 2024 - Matej Cepl <mcepl@suse.com>
+
+- Fix changelog
+
+-------------------------------------------------------------------
+Mon Nov 11 12:43:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Remove -IVendor/ from python-config boo#1231795
+
+-------------------------------------------------------------------
+Fri Nov  1 16:32:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
+  path names provided when creating a virtual environment
+  (bsc#1232241, CVE-2024-9287)
+
+-------------------------------------------------------------------
+Wed Oct  2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Drop .pyc files from docdir for reproducible builds
+  (bsc#1230906).
+
+-------------------------------------------------------------------
+Mon Sep  9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 3.11.10:
+  - Security
+    - gh-123678: Upgrade libexpat to 2.6.3
+    - gh-121957: Fixed missing audit events around interactive
+      use of Python, now also properly firing for ``python -i``,
+      as well as for ``python -m asyncio``. The event in question
+      is ``cpython.run_stdin``.
+    - gh-122133: Authenticate the socket connection for the
+      ``socket.socketpair()`` fallback on platforms where
+      ``AF_UNIX`` is not available like Windows. Patch by
+      Gregory P. Smith <greg@krypto.org> and Seth Larson
+      <seth@python.org>. Reported by Ellie <el@horse64.org>
+    - gh-121285: Remove backtracking from tarfile header parsing
+      for ``hdrcharset``, PAX, and GNU sparse headers
+      (bsc#1230227, CVE-2024-6232).
+    - gh-118486: :func:`os.mkdir` on Windows now accepts
+      *mode* of ``0o700`` to restrict the new directory to
+      the current user. This fixes CVE-2024-4030 affecting
+      :func:`tempfile.mkdtemp` in scenarios where the base
+      temporary directory is more permissive than the default.
+    - gh-116741: Update bundled libexpat to 2.6.2
+  - Library
+    - gh-123270: Applied a more surgical fix for malformed
+      payloads in :class:`zipfile.Path` causing infinite loops
+      (gh-122905) without breaking contents using legitimate
+      characters (bsc#1229704, CVE-2024-8088).
+    - gh-123067: Fix quadratic complexity in parsing ``"``-quoted
+      cookie values with backslashes by :mod:`http.cookies`
+      (bsc#1229596, CVE-2024-7592).
+    - gh-122905: :class:`zipfile.Path` objects now sanitize names
+      from the zipfile.
+    - gh-121650: :mod:`email` headers with embedded newlines are
+      now quoted on output. The :mod:`~email.generator` will now
+      refuse to serialize (write) headers that are unsafely folded
+      or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`.
+      (Contributed by Bas Bloemsaat and Petr Viktorin in
+      :gh:`121650`; CVE-2024-6923, bsc#1228780).
+    - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method
+      breaks internal buffer when the method is called again
+      during flushing internal buffer.
+    - gh-118643: Fix an AttributeError in the :mod:`email` module
+      when re-fold a long address list. Also fix more cases of
+      incorrect encoding of the address separator in the address
+      list.
+    - gh-113171: Fixed various false positives and false
+      negatives in * :attr:`ipaddress.IPv4Address.is_private`
+      (see these docs for details) *
+      :attr:`ipaddress.IPv4Address.is_global` *
+      :attr:`ipaddress.IPv6Address.is_private` *
+      :attr:`ipaddress.IPv6Address.is_global` Also in the
+      corresponding :class:`ipaddress.IPv4Network` and
+      :class:`ipaddress.IPv6Network` attributes.
+      Fixes bsc#1226448 (CVE-2024-4032).
+    - gh-102988: :func:`email.utils.getaddresses` and
+      :func:`email.utils.parseaddr` now return ``('', '')``
+      2-tuples in more situations where invalid email addresses
+      are encountered instead of potentially inaccurate
+      values. Add optional *strict* parameter to these two
+      functions: use ``strict=False`` to get the old behavior,
+      accept malformed inputs. ``getattr(email.utils,
+      'supports_strict_parsing', False)`` can be use to check if
+      the *strict* paramater is available. Patch by Thomas Dwyer
+      and Victor Stinner to improve the CVE-2023-27043 fix
+      (bsc#1210638).
+    - gh-67693: Fix :func:`urllib.parse.urlunparse` and
+      :func:`urllib.parse.urlunsplit` for URIs with path starting
+      with multiple slashes and no authority. Based on patch by
+      Ashwin Ramaswami.
+  - Core and Builtins
+    - gh-112275: A deadlock involving ``pystate.c``'s
+      ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now
+      fixed. Patch by ChuBoning based on previous Python 3.12 fix
+      by Victor Stinner.
+    - gh-109120: Added handle of incorrect star expressions, e.g
+      ``f(3, *)``. Patch by Grigoryev Semyon
+- Removed upstreamed patches:
+  - CVE-2023-27043-email-parsing-errors.patch
+  - CVE-2024-4032-private-IP-addrs.patch
+  - CVE-2024-6923-email-hdr-inject.patch
+  - CVE-2024-8088-inf-loop-zipfile_Path.patch
+    (renamed from CVE-2024-8088-zipfile-Path-sanitization.patch)
+  - CVE-2024-6232-ReDOS-backtrack-tarfile.patch
+  - CVE-2024-7592-quad-complex-cookies.patch
+
+-------------------------------------------------------------------
+Mon Sep  2 09:44:26 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
+  failing test_sendfile_close_peer_in_the_middle_of_receiving
+  tests on Linux >= 6.10 (GH-120227).
+
 -------------------------------------------------------------------
 Wed Aug 28 16:54:34 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
@@ -31,7 +406,7 @@ Thu Jul 18 22:37:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 Mon Jul 15 12:14:05 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
 - Stop using %%defattr, it seems to be breaking proper executable
-  attributes on /usr/bin/ scripts (bsc#1227378). 
+  attributes on /usr/bin/ scripts (bsc#1227378).
 
 -------------------------------------------------------------------
 Tue Jul  2 10:32:58 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -76,6 +451,7 @@ Mon Apr  8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 - Remove not needed upstream patches:
   * libexpat260.patch
   * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
+  * CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
 
 - Update to 3.11.9:
   * Security
@@ -245,8 +621,9 @@ Mon Apr  8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
     - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
     - gh-100985: Update HTTPSConnection to consistently wrap IPv6
       Addresses when using a proxy.
-    - gh-100884: email: fix misfolding of comma in address-lists over
-      multiple lines in combination with unicode encoding.
+    - gh-100884: email: fix misfolding of comma in address-lists
+      over multiple lines in combination with unicode encoding
+      (bsc#1238450 CVE-2025-1795)
     - gh-95782: Fix io.BufferedReader.tell(),
       io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
       io.BufferedRandom.tell(), io.BufferedRandom.seek() and
@@ -370,7 +747,7 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
 Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 
 - Remove double definition of /usr/bin/idle%%{version} in
-  %%files. 
+  %%files.
 
 -------------------------------------------------------------------
 Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -628,7 +1005,8 @@ Thu Feb  8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
       METH_FASTCALL | METH_KEYWORDS calling convention. Only the
       positional parameter count was checked; any keyword argument
       passed would be silently accepted.
-
+- Remove upstreamed patches:
+  - CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
 - Refresh all patches:
   - CVE-2023-27043-email-parsing-errors.patch
   - F00251-change-user-install-location.patch
@@ -1289,12 +1667,12 @@ Wed Sep  6 07:52:11 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 -------------------------------------------------------------------
 Thu Aug 10 09:33:26 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
-- restrict PEP668 to ALP/Tumbleweed 
+- restrict PEP668 to ALP/Tumbleweed
 
 -------------------------------------------------------------------
 Fri Aug  4 06:37:41 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
-- add externally_managed.in to label this build as PEP-668 managed 
+- add externally_managed.in to label this build as PEP-668 managed
 
 -------------------------------------------------------------------
 Thu Aug  3 14:53:38 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -2649,7 +3027,7 @@ Sat Mar 26 22:52:45 UTC 2022 - Matej Cepl <mcepl@suse.com>
 Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
 
 - Add patch support-expat-245.patch:
-  * Support Expat >= 2.4.5 
+  * Support Expat >= 2.4.5
 
 -------------------------------------------------------------------
 Tue Feb 15 23:05:55 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -2839,7 +3217,7 @@ Sat Jun  5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jun  4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>
 
-- allow build with Sphinx >= 3.x 
+- allow build with Sphinx >= 3.x
 
 -------------------------------------------------------------------
 Wed Jun  2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -3391,7 +3769,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
 Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>
 
 - Last try before this results in an editwar:
-  * remove importlib_resources and importlib-metadata 
+  * remove importlib_resources and importlib-metadata
     provides/obsoletes
   * import importlib_resources is not the same as
     import importlib.resources, same for metadata
@@ -3508,54 +3886,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
 - Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
 - Removed recursion.tar: contained in upstream
 - Update to 3.9.0b5:
-  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused 
+  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
     by the fix for bpo-29778 (CVE-2020-15801).
   - bpo-41162: Audit hooks are now cleared later during
     finalization to avoid missing events.
-  - bpo-29778: Ensure python3.dll is loaded from correct locations 
+  - bpo-29778: Ensure python3.dll is loaded from correct locations
     when Python is embedded (CVE-2020-15523).
-  - bpo-39603: Prevent http header injection by rejecting control 
+  - bpo-39603: Prevent http header injection by rejecting control
     characters in http.client.putrequest(…).
   - bpo-41295: Resolve a regression in CPython 3.8.4 where defining
-    “__setattr__” in a multi-inheritance setup and 
+    “__setattr__” in a multi-inheritance setup and
     calling up the hierarchy chain could fail if builtins/extension
     types were involved in the base types.
-  - bpo-41247: Always cache the running loop holder when running 
+  - bpo-41247: Always cache the running loop holder when running
     asyncio.set_running_loop.
-  - bpo-41252: Fix incorrect refcounting in 
+  - bpo-41252: Fix incorrect refcounting in
     _ssl.c’s _servername_callback().
-  - bpo-41215: Use non-NULL default values in the PEG parser 
+  - bpo-41215: Use non-NULL default values in the PEG parser
     keyword list to overcome a bug that was '
     preventing Python from being properly compiled when using the
     XLC compiler. Patch by Pablo Galindo.
-  - bpo-41218: Python 3.8.3 had a regression where compiling with 
-    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would 
+  - bpo-41218: Python 3.8.3 had a regression where compiling with
+    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
     aggressively mark list comprehension with CO_COROUTINE. Now only
     list comprehension making use of async/await will tagged as so.
-  - bpo-41175: Guard against a NULL pointer dereference within 
+  - bpo-41175: Guard against a NULL pointer dereference within
     bytearrayobject triggered by the bytearray() + bytearray() operation.
-  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s 
-    __setattr__() by calling the superclass method was 
+  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
+    __setattr__() by calling the superclass method was
     rewritten to allow C implemented heap types.
-  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the 
+  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
     C implementation raises now UnpicklingError instead of crashing.
-  - bpo-39017: Avoid infinite loop when reading specially crafted 
+  - bpo-39017: Avoid infinite loop when reading specially crafted
     TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
   - bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
-  - bpo-41207: In distutils.spawn, restore expectation that 
+  - bpo-41207: In distutils.spawn, restore expectation that
     DistutilsExecError is raised when the command is not found.
   - bpo-39168: Remove the __new__ method of typing.Generic.
-  - bpo-41194: Fix a crash in the _ast module: it can no longer be 
+  - bpo-41194: Fix a crash in the _ast module: it can no longer be
     loaded more than once. It now uses a global state rather than a module state.
-  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a 
+  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
     null string.
-  - bpo-41300: Save files with non-ascii chars. 
+  - bpo-41300: Save files with non-ascii chars.
     Fix regression released in 3.9.0b4 and 3.8.4.
-  - bpo-37765: Add keywords to module name completion list. 
+  - bpo-37765: Add keywords to module name completion list.
     Rewrite Completions section of IDLE doc.
-  - bpo-40170: Revert PyType_HasFeature() change: it reads 
-    again directly the PyTypeObject.tp_flags 
-    member when the limited C API is not used, rather than always calling 
+  - bpo-40170: Revert PyType_HasFeature() change: it reads
+    again directly the PyTypeObject.tp_flags
+    member when the limited C API is not used, rather than always calling
     PyType_GetFlags() which hides implementation details.
 
 -------------------------------------------------------------------
@@ -4076,7 +4454,7 @@ Wed Jun  5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
     pickling costs between processes
   - typed_ast is merged back to CPython
   - LOAD_GLOBAL is now 40% faster
-  - pickle now uses Protocol 4 by default, improving performance 
+  - pickle now uses Protocol 4 by default, improving performance
 - Remove patches which were included in the upstream:
   - 00251-change-user-install-location.patch
   - 00316-mark-bdist_wininst-unsupported.patch
@@ -4221,7 +4599,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com
 
 - Upgrade to 3.7.2rc1:
     * bugfix release, for the full list of all changes see
-      https://docs.python.org/3.7/whatsnew/changelog.html#changelog 
+      https://docs.python.org/3.7/whatsnew/changelog.html#changelog
 - Make run of the test suite more verbose
 
 -------------------------------------------------------------------
@@ -4648,7 +5026,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
 Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com
 
 - Add 0001-allow-for-reproducible-builds-of-python-packages.patch
-  upstream https://github.com/python/cpython/pull/296 
+  upstream https://github.com/python/cpython/pull/296
 
 -------------------------------------------------------------------
 Wed Feb  8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -4714,7 +5092,7 @@ Mon Mar  7 20:38:11 UTC 2016 - toddrme2178@gmail.com
 
 - Add  Python-3.5.1-fix_lru_cache_copying.patch
   Fix copying the lru_cache() wrapper object.
-  Fixes deep-copying lru_cache regression, which worked on 
+  Fixes deep-copying lru_cache regression, which worked on
   previous versions of python but fails on python 3.5.
   This fixes a bunch of packages in devel:languages:python3.
   See: https://bugs.python.org/issue25447
@@ -4852,7 +5230,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
 -------------------------------------------------------------------
 Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org
 
-- Only pkgconfig(x11) is required for build, not the whole 
+- Only pkgconfig(x11) is required for build, not the whole
   set of packages provided by xorg-x11-devel metapackage.
 
 -------------------------------------------------------------------
@@ -4912,7 +5290,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
 -------------------------------------------------------------------
 Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com
 
-- remove blacklisting of test_posix on aarch64: qemu bug is fixed 
+- remove blacklisting of test_posix on aarch64: qemu bug is fixed
 
 -------------------------------------------------------------------
 Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -5015,7 +5393,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org
 
-- build with -DOPENSSL_LOAD_CONF for the same reasons 
+- build with -DOPENSSL_LOAD_CONF for the same reasons
   described in the python2 package.
 
 -------------------------------------------------------------------
@@ -5027,7 +5405,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
 -------------------------------------------------------------------
 Thu Aug  8 14:54:49 UTC 2013 - dvaleev@suse.com
 
-- Exclue test_faulthandler from tests on powerpc due to bnc#831629 
+- Exclue test_faulthandler from tests on powerpc due to bnc#831629
 
 -------------------------------------------------------------------
 Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -5086,7 +5464,7 @@ Fri Mar  1 07:42:21 UTC 2013 - dmueller@suse.com
 
 - add ctypes-libffi-aarch64.patch:
   * import aarch64 support for libffi in _ctypes module
-- add aarch64 to the list of lib64 based archs 
+- add aarch64 to the list of lib64 based archs
 - add movetogetdents64.diff:
   * port to getdents64, as SYS_getdents is not implemented everywhere
 
@@ -5140,9 +5518,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
 -------------------------------------------------------------------
 Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com
 
-- exclude test_math for SLE 11; math library fails on negative 
+- exclude test_math for SLE 11; math library fails on negative
   gamma function values close to integers and 0, probably
-  due to imprecision in -lm on SLE_11_SP2. 
+  due to imprecision in -lm on SLE_11_SP2.
 
 -------------------------------------------------------------------
 Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -5166,7 +5544,7 @@ Mon Oct  1 08:53:03 UTC 2012 - idonmez@suse.com
 -------------------------------------------------------------------
 Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com
 
-- Correct dependency for python3-testsuite, 
+- Correct dependency for python3-testsuite,
   python3-tkinter -> python3-tk
 
 -------------------------------------------------------------------
@@ -5199,7 +5577,7 @@ Fri Aug  3 12:09:34 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com
 
-- skip test_io on ppc 
+- skip test_io on ppc
 - drop test_io ppc patch
 
 -------------------------------------------------------------------
@@ -5248,8 +5626,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
 -------------------------------------------------------------------
 Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com
 
-- Use system ffi, included one is broken see 
-  http://bugs.python.org/issue11729 and 
+- Use system ffi, included one is broken see
+  http://bugs.python.org/issue11729 and
   http://bugs.python.org/issue12081
 
 -------------------------------------------------------------------

python311.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python311
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,12 +36,20 @@
 %bcond_without general
 %endif
 
-%if 0%{?do_profiling}
+%if 0%{?do_profiling} && !0%{?want_reproducible_builds}
 %bcond_without profileopt
 %else
 %bcond_with profileopt
 %endif
 
+# Only for Tumbleweed
+# https://en.opensuse.org/openSUSE:Python:Externally_managed
+%if 0%{?suse_version} > 1600
+%bcond_without externally_managed
+%else
+%bcond_with externally_managed
+%endif
+
 %define         python_pkg_name python311
 %if "%{python_pkg_name}" == "%{primary_python}"
 %define primary_interpreter 1
@@ -98,15 +106,14 @@
 # pyexpat.cpython-35m-armv7-linux-gnueabihf
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
-%bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.9
+Version:        3.11.14
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
 URL:            https://www.python.org/
 Source0:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
-Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
+Source1:        https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source4:        externally_managed.in
@@ -145,8 +152,6 @@ Patch03:        distutils-reproducible-compile.patch
 Patch04:        python-3.3.0b1-localpath.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
 Patch05:        python-3.3.0b1-fix_date_time_compiler.patch
-# POSIX_FADV_WILLNEED throws EINVAL. Use a different constant in test
-Patch06:        python-3.3.0b1-test-posix_fadvise.patch
 # Raise timeout value for test_subprocess
 Patch07:        subprocess-raise-timeout.patch
 # PATCH-FEATURE-UPSTREAM bpo-31046_ensurepip_honours_prefix.patch bpo#31046 mcepl@suse.com
@@ -164,10 +169,6 @@ Patch11:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM skip_if_buildbot-extend.patch gh#python/cpython#103053 mcepl@suse.com
 # Skip test_freeze_simple_script
 Patch13:        skip_if_buildbot-extend.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
-# Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
-Patch14:        CVE-2023-27043-email-parsing-errors.patch
 # PATCH-FIX-UPSTREAM bsc1221260-test_asyncio-ResourceWarning.patch bsc#1221260 mcepl@suse.com
 # prevent ResourceWarning in test_asyncio tests
 Patch15:        bsc1221260-test_asyncio-ResourceWarning.patch
@@ -177,20 +178,19 @@ Patch15:        bsc1221260-test_asyncio-ResourceWarning.patch
 # by SUSE
 Patch16:        CVE-2023-52425-libexpat-2.6.0-backport.patch
 Patch17:        CVE-2023-52425-remove-reparse_deferral-tests.patch
-# PATCH-FIX-UPSTREAM CVE-2024-4032-private-IP-addrs.patch bsc#1226448 mcepl@suse.com
-# rearrange definition of private v global IP addresses
-Patch18:        CVE-2024-4032-private-IP-addrs.patch
 # PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com
 # reproducibility patches
 Patch19:        bso1227999-reproducible-builds.patch
-# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com
-# prevent email header injection, patch from gh#python/cpython!122608
-Patch20:        CVE-2024-6923-email-hdr-inject.patch
-# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704 mcepl@suse.com
-# avoid denial of service in zipfile
-Patch21:        CVE-2024-8088-inf-loop-zipfile_Path.patch
+# PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
+# Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
+Patch22:        gh120226-fix-sendfile-test-kernel-610.patch
+# PATCH-FIX-UPSTREAM Add platform triplets for 64-bit LoongArch gh#python/cpython#30939 glaubitz@suse.com
+Patch24:        add-loongarch64-support.patch
+# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
+Patch25:        gh139257-Support-docutils-0.22.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
+BuildRequires:  crypto-policies-scripts
 BuildRequires:  fdupes
 BuildRequires:  gmp-devel
 BuildRequires:  lzma-devel
@@ -222,8 +222,6 @@ BuildRequires:  python3-python-docs-theme >= 2022.1
 %endif
 %endif
 %if %{with general}
-# required for idle3 (.desktop and .appdata.xml files)
-BuildRequires:  appstream-glib
 BuildRequires:  gcc-c++
 BuildRequires:  gdbm-devel
 BuildRequires:  gettext
@@ -431,29 +429,11 @@ other applications.
 %prep
 %setup -q -n %{tarname}
 
-%patch -p1 -P 02
-%patch -p1 -P 03
-%patch -p1 -P 04
-%patch -p1 -P 05
-%patch -p1 -P 06
-%patch -p1 -P 07
-%patch -p1 -P 08
-
+%autopatch -p1 -M 08
 %if 0%{?suse_version} <= 1500
 %patch -P 09 -p1
 %endif
-
-%patch -p1 -P 10
-%patch -p1 -P 11
-%patch -p1 -P 13
-%patch -p1 -P 14
-%patch -p1 -P 15
-%patch -p1 -P 16
-%patch -p1 -P 17
-%patch -p1 -P 18
-%patch -p1 -P 19
-%patch -p1 -P 20
-%patch -p1 -P 21
+%autopatch -p1 -m 10
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -498,7 +478,7 @@ TODAY_DATE=`date -r %{SOURCE0} "+%%B %%d, %%Y"`
 
 cd Doc
 sed -i "s/^today = .*/today = '$TODAY_DATE'/" conf.py
-%make_build -j1 html
+%make_build -j1 JOBS=1 html
 
 # Build also devhelp files
 sphinx-build -a -b devhelp . build/devhelp
@@ -699,7 +679,6 @@ install -m 644 -D -t %{buildroot}%{_datadir}/applications idle%{python_version}.
 cp %{SOURCE20} idle%{python_version}.appdata.xml
 sed -i -e 's:idle3.desktop:idle%{python_version}.desktop:g' idle%{python_version}.appdata.xml
 install -m 644 -D -t %{buildroot}%{_datadir}/metainfo idle%{python_version}.appdata.xml
-appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/idle%{python_version}.appdata.xml
 
 %fdupes %{buildroot}/%{_libdir}/python%{python_version}
 %endif
@@ -736,7 +715,7 @@ rm %{buildroot}%{_libdir}/libpython3.so
 rm %{buildroot}%{_libdir}/pkgconfig/{python3,python3-embed}.pc
 %endif
 
-%if %{suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668 mark this as a distro maintained python
 sed -e 's,__PYTHONPREFIX__,%{python_pkg_name},' -e 's,__PYTHON__,python%{python_version},' < %{SOURCE4} > %{buildroot}%{sitedir}/EXTERNALLY-MANAGED
 %endif
@@ -777,6 +756,9 @@ install -m 755 -D Tools/gdb/libpython.py %{buildroot}%{_datadir}/gdb/auto-load/%
 # install devel files to /config
 #cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%%{sitedir}/config-%%{python_abi}/
 
+# Remove -IVendor/ from python-config boo#1231795
+sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config
+
 # RPM macros
 %if %{primary_interpreter}
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d/
@@ -805,6 +787,11 @@ LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAIL
 echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth
 %endif
 
+# For the purposes of reproducibility, it is necessary to eliminate any *.pyc files inside documentation dirs
+if [ -d %{buildroot}%{_defaultdocdir} ] ; then
+find %{buildroot}%{_defaultdocdir} -type f -name \*.pyc -ls -exec rm -vf '{}' \;
+fi
+
 %if %{with general}
 %files -n %{python_pkg_name}-tk
 %{sitedir}/tkinter
@@ -924,7 +911,7 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
 %{_mandir}/man1/python3.1%{?ext_man}
 %endif
 %{_mandir}/man1/python%{python_version}.1%{?ext_man}
-%if 0%{?suse_version} > 1550
+%if %{with externally_managed}
 # PEP-0668
 %{sitedir}/EXTERNALLY-MANAGED
 %endif