Commit Graph

182 Commits

Author SHA256 Message Date
Ana Guerrero
05835693e8 Accepting request 1202275 from devel:languages:python:Factory
- Add sphinx-802.patch to overcome working both with the most
  recent and older Sphinx versions.
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch
  so that it uses features sniffing, not just
  comparing version number. Include also
  support-expat-CVE-2022-25236-patched.patch.

OBS-URL: https://build.opensuse.org/request/show/1202275
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=55
2024-09-22 09:06:19 +00:00
39e8b959f4 - Add sphinx-802.patch to overcome working both with the most
recent and older Sphinx versions.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=175
2024-09-20 22:20:44 +00:00
1bf9488238 Fix patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=174
2024-09-19 01:15:31 +00:00
763b1dde4d - Update CVE-2023-52425-libexpat-2.6.0-backport.patch
so that it uses features sniffing, not just
  comparing version number. Include also
  support-expat-CVE-2022-25236-patched.patch.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=173
2024-09-19 00:29:56 +00:00
Ana Guerrero
387acaaa01 Accepting request 1201476 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1201476
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=54
2024-09-17 16:18:12 +00:00
101efeb9ac - Update to 3.8.20:
- Tests
    - gh-112769: The tests now correctly compare zlib version when
      :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For
      example zlib-ng defines the version as ``1.3.0.zlib-ng``.
    - gh-117187: Fix XML tests for vanilla Expat <2.6.0.
  - Security
    - gh-123678: Upgrade libexpat to 2.6.3
    - gh-121957: Fixed missing audit events around interactive use of Python,
      now also properly firing for ``python -i``, as well as for ``python -m
      asyncio``. The event in question is ``cpython.run_stdin``.
    - gh-122133: Authenticate the socket connection for the
      ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not
      available like Windows.
      Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson
      <seth@python.org>. Reported by Ellie <el@horse64.org>
    - gh-121285: Remove backtracking from tarfile header parsing for
      ``hdrcharset``, PAX, and GNU sparse headers
      (bsc#1230227, CVE-2024-6232).
    - gh-118486: :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to
      restrict the new directory to the current user. This fixes CVE-2024-4030
      affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary
      directory is more permissive than the default.
    - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and
      :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
      certificate store, when the :class:`ssl.SSLContext` is shared across
      multiple threads (bsc#1226447, CVE-2024-0397).
    - gh-116741: Update bundled libexpat to 2.6.2
  - Library
    - gh-123270: Applied a more surgical fix for malformed payloads in

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=171
2024-09-09 20:47:14 +00:00
037a7134ec - Add CVE-2024-6232-cookies-quad-complex.patch to avoid quadratic
complexity in parsing "-quoted cookie values with backslashes
  (bsc#1229596, CVE-2024-6232).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=170
2024-09-05 13:50:55 +00:00
bda5141050 - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
failing test_sendfile_close_peer_in_the_middle_of_receiving
  tests on Linux >= 6.10 (GH-120227).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=169
2024-09-02 12:39:16 +00:00
Dominique Leuenberger
e74115a0ef Accepting request 1197121 from devel:languages:python:Factory
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
  malformed payload to cause infinite loops in zipfile.Path
  (bsc#1229704, CVE-2024-8088).

OBS-URL: https://build.opensuse.org/request/show/1197121
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=53
2024-08-29 13:43:26 +00:00
17d5df370f - Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
malformed payload to cause infinite loops in zipfile.Path
  (bsc#1229704, CVE-2024-8088).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=167
2024-08-28 16:55:40 +00:00
fd788dae46 Add back qemu_user_space_build condition
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=166
2024-08-28 16:41:06 +00:00
Dominique Leuenberger
99694cf810 Accepting request 1193121 from devel:languages:python:Factory
- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999
  adding reproducibility patches from gh#python/cpython!121872
  and gh#python/cpython!121883.
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
  header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).
- Add CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch removing
  support for anything but OpenSSL 1.1.1 or newer (bsc#1227233,
  CVE-2024-5642).
- %{profileopt} variable is set according to the variable
  %{do_profiling} (bsc#1227999)

OBS-URL: https://build.opensuse.org/request/show/1193121
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=52
2024-08-10 17:08:15 +00:00
88ff22d131 - Add CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch removing
support for anything but OpenSSL 1.1.1 or newer (bsc#1227233,
  CVE-2024-5642).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=164
2024-08-08 20:05:24 +00:00
91f49896e0 - Add CVE-2024-6923-email-hdr-inject.patch to prevent email
header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).
- %{profileopt} variable is set according to the variable
  %{do_profiling} (bsc#1227999)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=163
2024-08-08 19:37:01 +00:00
7199bebb4c - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999
adding reproducibility patches from gh#python/cpython!121872
  and gh#python/cpython!121883.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=162
2024-08-08 19:32:27 +00:00
Dominique Leuenberger
ac7a8d9ced Accepting request 1190345 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1190345
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=51
2024-07-30 09:55:02 +00:00
394799feb0 - Remove %suse_update_desktop_file macro as it is not useful any
more.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=160
2024-07-22 21:23:07 +00:00
Ana Guerrero
007712f397 Accepting request 1189044 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1189044
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=50
2024-07-22 15:19:12 +00:00
964c03b239 - Stop using %%defattr, it seems to be breaking proper executable
attributes on /usr/bin/ scripts (bsc#1227378).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=158
2024-07-15 12:18:05 +00:00
Ana Guerrero
fdf4727713 Accepting request 1183507 from devel:languages:python:Factory
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

OBS-URL: https://build.opensuse.org/request/show/1183507
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=49
2024-06-27 14:04:04 +00:00
d643820e38 - Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
  addresses.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=156
2024-06-26 22:43:09 +00:00
Ana Guerrero
d6dfaba499 Accepting request 1182492 from devel:languages:python:Factory
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.

OBS-URL: https://build.opensuse.org/request/show/1182492
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=48
2024-06-22 11:23:28 +00:00
1225645d7f - Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=154
2024-06-21 14:10:27 +00:00
Ana Guerrero
de045a908d Accepting request 1161073 from devel:languages:python:Factory
- Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).

OBS-URL: https://build.opensuse.org/request/show/1161073
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=47
2024-03-25 20:09:52 +00:00
68ee175f5e - Add old-libexpat.patch making the test suite work with
libexpat < 2.6.0 (gh#python/cpython#117187).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=152
2024-03-24 01:17:22 +00:00
Ana Guerrero
c8c768ab77 Accepting request 1160582 from devel:languages:python:Factory
- Update to 3.8.19:
  - Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425, bsc#1219559) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when try to read an entry
      that overlaps with other entry or central directory
      (CVE-2024-0450, bsc#1221854).
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but

OBS-URL: https://build.opensuse.org/request/show/1160582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=46
2024-03-22 14:21:09 +00:00
1084a46358 Fix *.changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=150
2024-03-22 09:14:13 +00:00
9921186373 - Update to 3.8.19:
- Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when try to read an entry
      that overlaps with other entry or central directory.
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but
      the error parameters will still contain ERR_LIB_SSL

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=149
2024-03-21 20:34:23 +00:00
Ana Guerrero
8bca74942f Accepting request 1157647 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1157647
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=45
2024-03-13 21:21:14 +00:00
9e0baf2aee Accepting request 1155683 from home:pmonrealgonzalez:branches:devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1155683
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=147
2024-03-06 21:50:51 +00:00
Dominique Leuenberger
053e2753e4 Accepting request 1153058 from devel:languages:python:Factory
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.

OBS-URL: https://build.opensuse.org/request/show/1153058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=44
2024-02-29 20:49:40 +00:00
b2465b642f - (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=145
2024-02-28 23:22:48 +00:00
Ana Guerrero
bccd86cdcc Accepting request 1152788 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1152788
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=43
2024-02-28 18:46:44 +00:00
540802ee0b - Remove double definition of /usr/bin/idle%%{version} in
%%files.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=143
2024-02-20 22:17:37 +00:00
Ana Guerrero
74bd53beae Accepting request 1146871 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1146871
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=42
2024-02-15 20:01:35 +00:00
e455bcb51a Accepting request 1146815 from home:dgarcia:branches:devel:languages:python:Factory
- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
  with Expat 2.6.0, gh#python/cpython#115289

OBS-URL: https://build.opensuse.org/request/show/1146815
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=141
2024-02-15 14:36:44 +00:00
Ana Guerrero
ad14c29c9a Accepting request 1143660 from devel:languages:python:Factory
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.

OBS-URL: https://build.opensuse.org/request/show/1143660
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=41
2024-02-04 18:07:22 +00:00
1dc7335dfc - Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=139
2024-02-02 11:48:17 +00:00
Ana Guerrero
0ab6b54fde Accepting request 1109196 from devel:languages:python:Factory
- Update to 3.8.18 (bsc#1214692):
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.

OBS-URL: https://build.opensuse.org/request/show/1109196
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=40
2023-09-06 16:59:26 +00:00
36d04b865e - Update to 3.8.18 (bsc#1214692):
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=137
2023-09-06 06:19:21 +00:00
Dominique Leuenberger
a1dd924e47 Accepting request 1102235 from devel:languages:python:Factory
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).

OBS-URL: https://build.opensuse.org/request/show/1102235
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=39
2023-08-04 13:03:43 +00:00
0ec3738d87 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=135
2023-08-03 15:36:38 +00:00
4d0cce2058 Accepting request 1098688 from devel:languages:python:Factory
Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)

OBS-URL: https://build.opensuse.org/request/show/1098688
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=134
2023-07-14 14:05:14 +00:00
ab9641870b Fix patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=133
2023-07-12 16:31:40 +00:00
ad4c4c8221 - (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=132
2023-07-12 15:22:03 +00:00
Dominique Leuenberger
85a5883af2 Accepting request 1095964 from devel:languages:python:Factory
- Update to 3.8.17:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/request/show/1095964
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=38
2023-06-29 15:29:29 +00:00
6037f4f429 - Update to 3.8.17:
- gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=130
2023-06-28 19:33:18 +00:00
Dominique Leuenberger
dc848e1ea4 Accepting request 1090625 from devel:languages:python:Factory
- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

OBS-URL: https://build.opensuse.org/request/show/1090625
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=37
2023-06-03 22:13:23 +00:00
bb69159320 - Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.

- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

- Why in the world we download from HTTP?

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=128
2023-06-03 08:20:52 +00:00
ffe74871f7 - Why in the world we download from HTTP?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=127
2023-04-30 18:17:18 +00:00