pool/python311
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory
pool:devel
testing:factory
testing:devel
testing:main
..
compare: testing:main
Branches Tags
testing:factory
testing:devel
testing:main
pool:factory
pool:devel

No commits in common. "factory" and "main" have entirely different histories.
factory ... main

8 changed files with 25 additions and 257 deletions
Show Stats Expand all files Collapse all files

127
CVE-2025-0938-sq-brackets-domain-names.patch
View File

@ -1,127 +0,0 @@
From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 31 Jan 2025 11:41:34 -0600
Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain
names for parsed URLs (GH-129418)
* gh-105704: Disallow square brackets ( and ) in domain names for parsed URLs
* Use Sphinx references
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
* Add mismatched bracket test cases, fix news format
* Add more test coverage for ports
---------
(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
---
Lib/test/test_urlparse.py | 37 +++++++++-
Lib/urllib/parse.py | 20 ++++-
Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 +
3 files changed, 58 insertions(+), 3 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1224,16 +1224,51 @@ class UrlParseTestCase(unittest.TestCase
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
def test_splitting_bracketed_hosts(self):
- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
+ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
self.assertEqual(p1.hostname, 'v6a.ip')
self.assertEqual(p1.username, 'user')
self.assertEqual(p1.path, '/path')
+ self.assertEqual(p1.port, 1234)
p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
self.assertEqual(p2.username, 'user')
self.assertEqual(p2.path, '/path')
+ self.assertIs(p2.port, None)
p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
self.assertEqual(p3.username, 'user')
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -436,6 +436,23 @@ def _checknetloc(netloc):
raise ValueError("netloc '" + netloc + "' contains invalid " +
"characters under NFKC normalization")
+def _check_bracketed_netloc(netloc):
+ # Note that this function must mirror the splitting
+ # done in NetlocResultMixins._hostinfo().
+ hostname_and_port = netloc.rpartition('@')[2]
+ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
+ if have_open_br:
+ # No data is allowed before a bracket.
+ if before_bracket:
+ raise ValueError("Invalid IPv6 URL")
+ hostname, _, port = bracketed.partition(']')
+ # No data is allowed after the bracket but before the port delimiter.
+ if port and not port.startswith(":"):
+ raise ValueError("Invalid IPv6 URL")
+ else:
+ hostname, _, port = hostname_and_port.partition(':')
+ _check_bracketed_host(hostname)
+
# Valid bracketed hosts are defined in
# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
def _check_bracketed_host(hostname):
@@ -496,8 +513,7 @@ def urlsplit(url, scheme='', allow_fragm
(']' in netloc and '[' not in netloc)):
raise ValueError("Invalid IPv6 URL")
if '[' in netloc and ']' in netloc:
- bracketed_host = netloc.partition('[')[2].partition(']')[0]
- _check_bracketed_host(bracketed_host)
+ _check_bracketed_netloc(netloc)
if allow_fragments and '#' in url:
url, fragment = url.split('#', 1)
if '?' in url:
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
@@ -0,0 +1,4 @@
+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
+parsing would not reject domain names containing square brackets (``[`` and
+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

3
Python-3.11.10.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372
size 20067656

16
Python-3.11.10.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmbbrO0ACgkQ/+h0BBaL
2Ec+YBAAnQJLKYPjj7Yr7xkFU655Sv86JxeRAdWjnIapbiIuWg3Up8Pd8FTRgHGf
3XdTHw7b03lSjtzJwavzdnDklqAlBIGn9dVieljUIN7NYyNxoYOr/AiatimgSwv7
dI5mfun5fLKV6ZcdNdQN5PJ3RZtF3I7VfkN2mlfZJHtxl1agdU/TfW2L+qJ7+JPY
cayjq2xKTLRNXOf2iV29GRRovLiqA+Dx0+cAwsScwreHMp3U4k3GkeHVoR6fldV4
bVAM8GRl3CYVFePiqAbamKP1BSys44JOINWbWyd94JxzEAwXWz//Es0h73AzeRfK
ueORqzdoOGrVc74+HGlAHhqO1Gg7jMMmtkzCEuav+cGHYnMRMOngGR3q47aTJTVb
5UdP0oD4OlADPFVa6q0LCqN/IFlebWMh9pXYw7Wpek63oNuZHTfNPq4S1AUM2HJm
C3yzaOG9VAdYfLneJC4ldY4CVt1FKckfaXp5OAaMr71DI74e4CcEswlUupZJLZKV
TJRjQD15bnXGhHDqU4w3RmzpCWMh2mf4m4VMYQyObl3TtlX+gVvzIhDS5+mXqutB
F1pdXwaHHkTb2PLLxpwOGrnsp8XoW74tsylcYirQg8jSFMbgxfwgIjEIuRGXeDkT
B4QzmQ4SxsbLiH7etV6Fznl1h569Z4DO9OOs4i0ZzIjdhPDQtAs=
=TatG
-----END PGP SIGNATURE-----

BIN
Python-3.11.11.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

1
Python-3.11.11.tar.xz.sigstore
View File

@ -1 +0,0 @@
{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzDCCAlOgAwIBAgIUWcRolJPsPmtJKA6VkjHSj7PtjY8wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMjAzMTgxOTA1WhcNMjQxMjAzMTgyOTA1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN+fBJCRZIAZiWPBdjyQVD+x5vgmjuuVct1HkPHIBMuEe7wI4mBG2BhJ3fHkpr97efIH6ELMmPV99edyAIZFXR6OCAXIwggFuMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUkutZdHfCCSvGI87mjnBRwZB8ihYwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wIgYDVR0RAQH/BBgwFoEUcGFibG9nc2FsQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGTjb9QlwAABAMARzBFAiEA4ddSINhYM+p0+DGzRqnA8rVtJF9YgI+9znXiq9fqQNkCIEErcSnQmN8jjErhwWWtcTM5GgH4ka/uk5kdHTycwxj3MAoGCCqGSM49BAMDA2cAMGQCMFmkCEH2pCBpFeFiUi2uA4opcJP6vh/zqb+D0tbxqd+jwbBkuDxDqA9/Ao3UWop+twIwO9o71KAlYWPSPYMeZERM4R8zWlp9mVJPiK3tgOJJi40MNmxwtfsQeQtncqiQLBAH"}, "tlogEntries": [{"logIndex": "153122039", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1733249946", "inclusionPromise": {"signedEntryTimestamp": "MEUCIBL9zpVJtljIuZtAe8uptLfDmakmbAjy5ELp2q8WJTQ7AiEAv6lIpyJZycHwTS+JHYJFzMVv0SmA8yQ0eMneBivMhPY="}, "inclusionProof": {"logIndex": "31217777", "rootHash": "BMKHBPePzSbNqf2NyF/Ejuyy3troRGpNS41Dqe43nZ0=", "treeSize": "31217778", "hashes": ["lrr8dxmtgD09fnZTo1tMTY00HNKc2ZIpbZa1djDeTes=", "yFxGSg1RDbtZ/eNftnMdBJGNEZmmLyx2ZRDFtAIMHAk=", "GeqsQGnvgc+gcuaIC+vQ5b0RdTyBxBnYTpbeW2AeD+Q=", "dMTPeN/a9xCQQP+Hz7sddW0pPj8n54sfkhcf3XhjrMM=", "XjayhjKU3shP7q7lhmhKDv3Vpi4gJgAPCu0KlEzc9Qo=", "go1dmexQYS5etu69upRRX7IFvuA0rIcT9aYjMstmPIU=", "AYwr74Bm2w383UnS7DdbZUUAhusq28JoxKpWrQ7OvGQ=", "u+yWmGIR6sAH32wiSy22mz1Yf+jfPdBTjFbyRISuTZw=", "3eFC7Gp4fWecybDOAw9uUTrM1xB7YRYRAGsfYkiQbV8=", "1uKk2qjOliHMiTk906jrchP8mXWsRG8apaU1sa0lfh0=", "oOecFfN3YqDOkbijS/ej1WF5Da/Gt/AZNhbwE9uoOE8=", "4lUF0YOu9XkIDXKXA0wMSzd6VeDY3TZAgmoOeWmS2+Y=", "gf+9m552B3PnkWnO0o4KdVvjcT3WVHLrCbf1DoVYKFw="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n31217778\nBMKHBPePzSbNqf2NyF/Ejuyy3troRGpNS41Dqe43nZ0=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiA7ed0HqugBwVpmxDAR1VN35J91/+DeRdj09y5lFY+bRwIgYe07JnZlJvp3MfAMXX3i4XBsZoDRZoXtwfBaRj/8x8s=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYTk5MjBjN2EwY2QyMzZkZTMzNjQ0ZWQ5ODBhMTNjYmJjMjEwNThiZmRjNTI4ZmViYjYwODE1NzVlZDczYmUzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJRU5KSGllaWs5WkVibW83a0p4ZUhWY2FvVDVYOUxyWG1zRTVxc1I5R1JpSEFpRUFtcHZyV21vUHF5YzRpQ09VYXVmY3dKTllMK1lPTWU0b0NOaWRLVGduT1FBPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZSRU5EUVd4UFowRjNTVUpCWjBsVlYyTlNiMnhLVUhOUWJYUktTMEUyVm10cVNGTnFOMUIwYWxrNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJlRTFxUVhwTlZHZDRUMVJCTVZkb1kwNU5hbEY0VFdwQmVrMVVaM2xQVkVFeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZPSzJaQ1NrTlNXa2xCV21sWFVFSmthbmxSVmtRcmVEVjJaMjFxZFhWV1kzUXhTR3NLVUVoSlFrMTFSV1UzZDBrMGJVSkhNa0pvU2pObVNHdHdjamszWldaSlNEWkZURTF0VUZZNU9XVmtlVUZKV2taWVVqWlBRMEZZU1hkblowWjFUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZyZFhSYUNtUklaa05EVTNaSFNUZzNiV3B1UWxKM1drSTRhV2haZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBsbldVUldVakJTUVZGSUwwSkNaM2RHYjBWVlkwZEdhV0pIT1c1ak1rWnpVVWhDTldSSGFIWmlhVFYyWTIxamQwdFJXVXRMZDFsQ1FrRkhSQXAyZWtGQ1FWRlJZbUZJVWpCalNFMDJUSGs1YUZreVRuWmtWelV3WTNrMWJtSXlPVzVpUjFWMVdUSTVkRTFEYzBkRGFYTkhRVkZSUW1jM09IZEJVV2RGQ2toUmQySmhTRkl3WTBoTk5reDVPV2haTWs1MlpGYzFNR041Tlc1aU1qbHVZa2RWZFZreU9YUk5TVWRMUW1kdmNrSm5SVVZCWkZvMVFXZFJRMEpJZDBVS1pXZENORUZJV1VFelZEQjNZWE5pU0VWVVNtcEhValJqYlZkak0wRnhTa3RZY21wbFVFc3pMMmcwY0hsblF6aHdOMjgwUVVGQlIxUnFZamxSYkhkQlFRcENRVTFCVW5wQ1JrRnBSVUUwWkdSVFNVNW9XVTByY0RBclJFZDZVbkZ1UVRoeVZuUktSamxaWjBrck9YcHVXR2x4T1daeFVVNXJRMGxGUlhKalUyNVJDbTFPT0dwcVJYSm9kMWRYZEdOVVRUVkhaMGcwYTJFdmRXczFhMlJJVkhsamQzaHFNMDFCYjBkRFEzRkhVMDAwT1VKQlRVUkJNbU5CVFVkUlEwMUdiV3NLUTBWSU1uQkRRbkJHWlVacFZXa3lkVUUwYjNCalNsQTJkbWd2ZW5GaUswUXdkR0o0Y1dRcmFuZGlRbXQxUkhoRWNVRTVMMEZ2TTFWWGIzQXJkSGRKZHdwUE9XODNNVXRCYkZsWFVGTlFXVTFsV2tWU1RUUlNPSHBYYkhBNWJWWktVR2xMTTNSblQwcEthVFF3VFU1dGVIZDBabk5SWlZGMGJtTnhhVkZNUWtGSUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "Kpkgx6DNI23jNkTtmAoTy7whBYv9xSj+u2CBV17XO+M="}, "signature": "MEUCIENJHieik9ZEbmo7kJxeHVcaoT5X9LrXmsE5qsR9GRiHAiEAmpvrWmoPqyc4iCOUaufcwJNYL+YOMe4oCNidKTgnOQA="}}

25
add-loongarch64-support.patch
View File

@ -1,25 +0,0 @@
Description: Add platform triplets for LoongArch.
--- a/configure.ac
+++ b/configure.ac
@@ -976,6 +976,20 @@ cat > conftest.c <<EOF
hppa-linux-gnu
# elif defined(__ia64__)
ia64-linux-gnu
+# elif defined(__loongarch__)
+# if defined(__loongarch_lp64)
+# if defined(__loongarch_soft_float)
+ loongarch64-linux-gnusf
+# elif defined(__loongarch_single_float)
+ loongarch64-linux-gnuf32
+# elif defined(__loongarch_double_float)
+ loongarch64-linux-gnu
+# else
+# error unknown platform triplet
+# endif
+# else
+# error unknown platform triplet
+# endif
# elif defined(__m68k__) && !defined(__mcoldfire__)
m68k-linux-gnu
# elif defined(__mips_hard_float) && defined(__mips_isa_rev) && (__mips_isa_rev >=6) && defined(_MIPSEL)

74
python311.changes
View File

@ -1,70 +1,3 @@
-------------------------------------------------------------------
Tue Feb 4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
-------------------------------------------------------------------
Mon Jan 27 09:00:48 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Configure externally_managed with a bcond
https://en.opensuse.org/openSUSE:Python:Externally_managed
bsc#1228165
-------------------------------------------------------------------
Wed Dec 4 21:40:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.11.11:
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlibs software
implementation and the hardware-accelerated implementation.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).
- Removed upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
-------------------------------------------------------------------
Tue Dec 3 08:21:35 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Add add-loongarch64-support.patch to support loongarch64
-------------------------------------------------------------------
Mon Dec 2 22:50:07 UTC 2024 - Matej Cepl <mcepl@suse.com>
- Fix changelog
-------------------------------------------------------------------
Mon Nov 11 12:43:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Remove -IVendor/ from python-config boo#1231795
-------------------------------------------------------------------
Fri Nov 1 16:32:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
path names provided when creating a virtual environment
(bsc#1232241, CVE-2024-9287)
-------------------------------------------------------------------
Wed Oct 2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Drop .pyc files from docdir for reproducible builds
(bsc#1230906).
-------------------------------------------------------------------
Mon Sep 9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@ -148,9 +81,6 @@ Mon Sep 9 16:53:07 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- CVE-2024-4032-private-IP-addrs.patch
- CVE-2024-6923-email-hdr-inject.patch
- CVE-2024-8088-inf-loop-zipfile_Path.patch
(renamed from CVE-2024-8088-zipfile-Path-sanitization.patch)
- CVE-2024-6232-ReDOS-backtrack-tarfile.patch
- CVE-2024-7592-quad-complex-cookies.patch
-------------------------------------------------------------------
Mon Sep 2 09:44:26 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@ -237,7 +167,6 @@ Mon Apr 8 05:44:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Remove not needed upstream patches:
* libexpat260.patch
* CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
* CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
- Update to 3.11.9:
* Security
@ -790,8 +719,7 @@ Thu Feb 8 07:27:40 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
METH_FASTCALL | METH_KEYWORDS calling convention. Only the
positional parameter count was checked; any keyword argument
passed would be silently accepted.
- Remove upstreamed patches:
- CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
- Refresh all patches:
- CVE-2023-27043-email-parsing-errors.patch
- F00251-change-user-install-location.patch

33
python311.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package python311
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -42,14 +42,6 @@
%bcond_with profileopt
%endif
# Only for Tumbleweed
# https://en.opensuse.org/openSUSE:Python:Externally_managed
%if 0%{?suse_version} > 1600
%bcond_without externally_managed
%else
%bcond_with externally_managed
%endif
%define python_pkg_name python311
%if "%{python_pkg_name}" == "%{primary_python}"
%define primary_interpreter 1
@ -108,13 +100,13 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.11.11
Version: 3.11.10
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
URL: https://www.python.org/
Source0: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
Source1: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
Source1: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
Source2: baselibs.conf
Source3: README.SUSE
Source4: externally_managed.in
@ -187,11 +179,6 @@ Patch19: bso1227999-reproducible-builds.patch
# PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
# Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
Patch22: gh120226-fix-sendfile-test-kernel-610.patch
# PATCH-FIX-UPSTREAM Add platform triplets for 64-bit LoongArch gh#python/cpython#30939 glaubitz@suse.com
Patch24: add-loongarch64-support.patch
# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com
# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets
Patch25: CVE-2025-0938-sq-brackets-domain-names.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -454,8 +441,6 @@ other applications.
%patch -p1 -P 17
%patch -p1 -P 19
%patch -p1 -P 22
%patch -p1 -P 24
%patch -p1 -P 25
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@ -738,7 +723,7 @@ rm %{buildroot}%{_libdir}/libpython3.so
rm %{buildroot}%{_libdir}/pkgconfig/{python3,python3-embed}.pc
%endif
%if %{with externally_managed}
%if %{suse_version} > 1550
# PEP-0668 mark this as a distro maintained python
sed -e 's,__PYTHONPREFIX__,%{python_pkg_name},' -e 's,__PYTHON__,python%{python_version},' < %{SOURCE4} > %{buildroot}%{sitedir}/EXTERNALLY-MANAGED
%endif
@ -779,9 +764,6 @@ install -m 755 -D Tools/gdb/libpython.py %{buildroot}%{_datadir}/gdb/auto-load/%
# install devel files to /config
#cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%%{sitedir}/config-%%{python_abi}/
# Remove -IVendor/ from python-config boo#1231795
sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config
# RPM macros
%if %{primary_interpreter}
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d/
@ -810,11 +792,6 @@ LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAIL
echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth
%endif
# For the purposes of reproducibility, it is necessary to eliminate any *.pyc files inside documentation dirs
if [ -d %{buildroot}%{_defaultdocdir} ] ; then
find %{buildroot}%{_defaultdocdir} -type f -name \*.pyc -ls -exec rm -vf '{}' \;
fi
%if %{with general}
%files -n %{python_pkg_name}-tk
%{sitedir}/tkinter
@ -934,7 +911,7 @@ fi
%{_mandir}/man1/python3.1%{?ext_man}
%endif
%{_mandir}/man1/python%{python_version}.1%{?ext_man}
%if %{with externally_managed}
%if 0%{?suse_version} > 1550
# PEP-0668
%{sitedir}/EXTERNALLY-MANAGED
%endif