Commit Graph

105 Commits

Author SHA256 Message Date
36d04b865e - Update to 3.8.18 (bsc#1214692):
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=137
2023-09-06 06:19:21 +00:00
0ec3738d87 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=135
2023-08-03 15:36:38 +00:00
4d0cce2058 Accepting request 1098688 from devel:languages:python:Factory
Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)

OBS-URL: https://build.opensuse.org/request/show/1098688
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=134
2023-07-14 14:05:14 +00:00
ab9641870b Fix patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=133
2023-07-12 16:31:40 +00:00
ad4c4c8221 - (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=132
2023-07-12 15:22:03 +00:00
6037f4f429 - Update to 3.8.17:
- gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=130
2023-06-28 19:33:18 +00:00
bb69159320 - Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.

- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

- Why in the world we download from HTTP?

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=128
2023-06-03 08:20:52 +00:00
ffe74871f7 - Why in the world we download from HTTP?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=127
2023-04-30 18:17:18 +00:00
Steve Kowalik
c602a4652d - Use python3 modules to build the documentation.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=125
2023-04-18 05:00:56 +00:00
193496d5b0 - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=123
2023-03-01 21:37:15 +00:00
93dd73b453 - Add provides for readline and sqlite3 to the main Python
package.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=121
2023-02-21 13:44:55 +00:00
134012c00e Accepting request 1061585 from home:kukuk:branches:devel:languages:python:Factory
- Disable NIS for new products, it's deprecated and gets removed

OBS-URL: https://build.opensuse.org/request/show/1061585
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=119
2023-01-27 16:14:58 +00:00
188f13580b Accepting request 1058145 from home:marxin:branches:devel:languages:python:Factory
- Suppress warnings for Sphinx 6.0+.

OBS-URL: https://build.opensuse.org/request/show/1058145
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=117
2023-01-13 10:28:20 +00:00
c462da06b7 - Update to 3.8.16:
- python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a
    name (CVE-2022-45061).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - The deprecated mailcap module now refuses to inject
    unsafe text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
- Removed upstream patches:
  - CVE-2022-37454-sha3-buffer-overflow.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=115
2022-12-08 10:36:29 +00:00
d73dddf910 - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=113
2022-11-09 18:40:43 +00:00
f1998cfdab - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=111
2022-10-28 19:44:10 +00:00
8e65405c86 Accepting request 1031399 from home:mcepl:branches:devel:languages:python:Factory
- Add 98437-sphinx.locale._-as-gettext-in-pyspecific.patch to
  allow building of documentation with the latest Sphinx 5.3.0
  (gh#python/cpython#98366).

OBS-URL: https://build.opensuse.org/request/show/1031399
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=109
2022-10-26 21:24:58 +00:00
75d8efff80 Accepting request 1030164 from home:dgarcia:branches:devel:languages:python:Factory
- Add platlibdir-in-sys.patch to provide sys.platlibdir attribute. This is used
  by python-setuptools in distutils.sysconfig.get_python_lib bsc#1204395

OBS-URL: https://build.opensuse.org/request/show/1030164
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=107
2022-10-20 18:12:06 +00:00
b21d8c938d - Update to 3.8.15:
- Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - Update bundled libexpat to 2.4.9
  - Fixes a potential buffer overrun in msilib.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=106
2022-10-19 07:18:07 +00:00
07285bcb8c - Update to 3.8.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises a
    ValueError if the number of digits in string form is above a
    limit to avoid potential denial of service attacks due to the
    algorithmic complexity.
    This new limit can be configured or disabled by environment
    variable, command line flag, or sys APIs. See the integer
    string conversion length limitation documentation. The
    default limit is 4300 digits in string form.
  - (CVE-2021-28861, bsc#1202624) http.server: Fix an open
    redirection vulnerability in the HTTP server when an URI path
    starts with //. Vulnerability discovered, and initial fix
    proposed, by Hamza Avvan.
  - Also other bugfixes:
    - Fix contextvars HAMT implementation to handle iteration
      over deep trees. The bug was discovered and fixed by Eli
      Libman. See MagicStack/immutables#84 for more details.
    - Fix ensurepip environment isolation for subprocess running
      pip.
    - Raise ProgrammingError instead of segfaulting on recursive
      usage of cursors in sqlite3 converters. Patch by Sergey
      Fedoseev.
    - Add a new gh role to the documentation to link to GitHub
      issues.
    - Pin Jinja to a version compatible with Sphinx version
      2.4.4.
    - test_ssl is now checking for supported TLS version and
      protocols in more tests.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=104
2022-09-11 09:16:44 +00:00
d36b19ed64 Don't mess with Sphinx
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=103
2022-09-10 19:51:56 +00:00
05d6c15465 Better docs BRs?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=102
2022-09-07 10:45:51 +00:00
c3b8b22402 Better docs BRs?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=101
2022-09-07 09:46:41 +00:00
34ae254cff Better docs BRs?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=100
2022-09-06 22:49:37 +00:00
eab98dbd82 Better docs BRs?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=99
2022-09-06 22:06:30 +00:00
452f54cf1b - (bsc#1196784, CVE-2022-25236) Add patch
support-expat-CVE-2022-25236-patched.patch to allow working
  with different versions of libexpat.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=97
2022-09-03 02:23:54 +00:00
Steve Kowalik
d58978abbd Fix changelog entry
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=96
2022-09-02 05:08:55 +00:00
Steve Kowalik
3ea01e31b6 - http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=95
2022-09-01 04:20:31 +00:00
825dab796f - Add conditional for requiring rpm-build-python, so we should be
compilable on SLE/Leap.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=94
2022-08-31 21:37:06 +00:00
a384b79efb - Add bpo34990-2038-problem-compileall.patch making compileall.py
compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
  backport of fix to Python 3.8.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=93
2022-08-31 09:50:12 +00:00
b2d593bc85 Restore %primary_interpreter
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=91
2022-07-21 15:15:33 +00:00
471da3977b Fix changelog
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=90
2022-07-21 14:22:45 +00:00
822856d8bd - Switch from %primary_interpreter to prjconf-defined %primary_python (gh#openSUSE/python-rpm-macros#127).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=89
2022-07-21 14:22:29 +00:00
5493df1c9c - Switch primary_interpreter from python38 to python310
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=87
2022-05-05 14:35:19 +00:00
8f9c4e7712 - Update to 3.8.13:
Core and Builtins
    bpo-46794: Bump up the libexpat version into 2.4.6
    bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
    bpo-46932: Update bundled libexpat to 2.4.7
    bpo-46811: Make test suite support Expat >=2.4.5
    bpo-46784: Fix libexpat symbols collisions with user
      dynamically loaded or statically linked libexpat in embedded
      Python.
    bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
    bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
      potential REDoS by limiting ambiguity in consecutive
      whitespace.
    bpo-44849: Fix the os.set_inheritable() function on FreeBSD
      14 for file descriptor opened with the O_PATH flag: ignore
      the EBADF error on ioctl(), fallback on the fcntl()
      implementation.
    bpo-41028: Language and version switchers, previously
      maintained in every cpython branches, are now handled by
      docsbuild-script.
    bpo-45195: Fix test_readline.test_nonascii(): sometimes, the
      newline character is not written at the end, so don’t
      expect it in the output.
    bpo-44949: Fix auto history tests of test_readline:
      sometimes, the newline character is not written at the end,
      so don’t expect it in the output.
    bpo-45405: Prevent internal configure error when running
      configure with recent versions of clang.
- Remove upstreamed patches:
  - support-expat-245.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=85
2022-03-26 22:17:57 +00:00
Steve Kowalik
d1acfb84ff - Add patch support-expat-245.patch:
* Support Expat >= 2.4.5

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=84
2022-02-22 05:55:24 +00:00
e80a36de55 Run spec-cleaner
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=83
2021-11-29 21:18:48 +00:00
8daf777a48 - Remove shebangs from from python-base libraries in _libdir
(bsc#1193179).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=82
2021-11-29 21:16:35 +00:00
3a1f3da6b5 Accepting request 924860 from home:dimstar:Factory
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

OBS-URL: https://build.opensuse.org/request/show/924860
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=81
2021-10-12 19:01:27 +00:00
708a7675a4 Accepting request 915148 from home:fusionfuture:branches:devel:languages:python:Factory
- Update to 3.8.12
  * Complete list of changes is available at
    https://docs.python.org/release/3.8.12/whatsnew/changelog.html
  * Security
    - bpo-42278: Replaced usage of tempfile.mktemp() with
      TemporaryDirectory to avoid a potential race condition.
    - bpo-44394: Update the vendored copy of libexpat to 2.4.1
      (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion
      Laughs” vulnerability. This copy is most used on Windows and
      macOS.
    - bpo-43124: Made the internal putcmd function in smtplib
      sanitize input for presence of \r and \n characters to avoid
      (unlikely) command injection.
    - bpo-36384: ipaddress module no longer accepts any leading
      zeros in IPv4 address strings. Leading zeros are ambiguous
      and interpreted as octal notation by some libraries. For
      example the legacy function socket.inet_aton() treats leading
      zeros as octal notation. glibc implementation of modern
      inet_pton() does not accept any leading zeros. For a while
      the ipaddress module used to accept ambiguous leading zeros.
- Refreshed patch:
  * decimal-3.8.patch

OBS-URL: https://build.opensuse.org/request/show/915148
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=80
2021-08-31 15:13:54 +00:00
db054e258d Accepting request 914696 from home:mcepl:python-libmpdec
- Add decimal-3.8.patch to add building with --with-system-libmpdec
  option (bsc#1189356).

OBS-URL: https://build.opensuse.org/request/show/914696
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=79
2021-08-30 10:14:02 +00:00
24200752c4 Accepting request 914829 from home:Andreas_Schwab:Factory
- test_faulthandler is still problematic under qemu linux-user emulation,
  disable it there
- Reenable profileopt with qemu emulation, test_faulthandler is no longer
  run during profiling

OBS-URL: https://build.opensuse.org/request/show/914829
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=78
2021-08-29 06:01:55 +00:00
59e479a405 Accepting request 911124 from home:fusionfuture:branches:devel:languages:python:Factory
- Update to 3.8.11
  * Security
    - bpo-44022 (boo#1189241): mod:http.client now avoids
      infinitely reading potential HTTP headers after a 100
      Continue status response from the server.
    - bpo-43882: The presence of newline or tab characters in parts
      of a URL could allow some forms of attacks.
      Following the controlling specification for URLs defined by
      WHATWG urllib.parse() now removes ASCII newlines and tabs
      from URLs, preventing such attacks.
    - bpo-42800: Audit hooks are now fired for frame.f_code,
      traceback.tb_frame, and generator code/frame attribute
      access.
  * Core and Builtins
    - bpo-44070: No longer eagerly makes import filenames absolute,
      except for extension modules, which was introduced in 3.8.10.
  * Library
    - bpo-44061: Fix regression in previous release when calling
      pkgutil.iter_modules() with a list of pathlib.Path objects

OBS-URL: https://build.opensuse.org/request/show/911124
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=77
2021-08-10 04:45:47 +00:00
65288618bd - Use versioned python-Sphinx to avoid dependency on other
version of Python (bsc#1183858).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=76
2021-08-02 12:35:59 +00:00
e5fcdbe941 Fix metadata
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=74
2021-06-18 23:02:50 +00:00
ad0975bae5 - Add bpo44426-complex-keyword-sphinx.patch allowing generating
documentation with Sphinx 4 (bpo#44426).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=73
2021-06-18 23:00:45 +00:00
1419092212 revert
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=72
2021-06-18 21:21:26 +00:00
bab078237e - add 22198.patch to build with Sphinx 4
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=71
2021-06-18 21:11:16 +00:00
2aa8e57714 Accepting request 898393 from home:dirkmueller:Factory
- allow building against sphinx 3.x+

OBS-URL: https://build.opensuse.org/request/show/898393
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=69
2021-06-08 16:39:27 +00:00
c38e8596de - Stop providing "python" symbol (bsc#1185588), which means
python2 currently.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=68
2021-05-21 15:17:16 +00:00