Commit Graph

163 Commits

Author SHA256 Message Date
Ana Guerrero
fdf4727713 Accepting request 1183507 from devel:languages:python:Factory
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

OBS-URL: https://build.opensuse.org/request/show/1183507
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=49
2024-06-27 14:04:04 +00:00
d643820e38 - Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
  addresses.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=156
2024-06-26 22:43:09 +00:00
Ana Guerrero
d6dfaba499 Accepting request 1182492 from devel:languages:python:Factory
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.

OBS-URL: https://build.opensuse.org/request/show/1182492
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=48
2024-06-22 11:23:28 +00:00
1225645d7f - Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=154
2024-06-21 14:10:27 +00:00
Ana Guerrero
de045a908d Accepting request 1161073 from devel:languages:python:Factory
- Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).

OBS-URL: https://build.opensuse.org/request/show/1161073
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=47
2024-03-25 20:09:52 +00:00
68ee175f5e - Add old-libexpat.patch making the test suite work with
libexpat < 2.6.0 (gh#python/cpython#117187).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=152
2024-03-24 01:17:22 +00:00
Ana Guerrero
c8c768ab77 Accepting request 1160582 from devel:languages:python:Factory
- Update to 3.8.19:
  - Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425, bsc#1219559) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when try to read an entry
      that overlaps with other entry or central directory
      (CVE-2024-0450, bsc#1221854).
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but

OBS-URL: https://build.opensuse.org/request/show/1160582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=46
2024-03-22 14:21:09 +00:00
1084a46358 Fix *.changes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=150
2024-03-22 09:14:13 +00:00
9921186373 - Update to 3.8.19:
- Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when try to read an entry
      that overlaps with other entry or central directory.
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but
      the error parameters will still contain ERR_LIB_SSL

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=149
2024-03-21 20:34:23 +00:00
Ana Guerrero
8bca74942f Accepting request 1157647 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1157647
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=45
2024-03-13 21:21:14 +00:00
9e0baf2aee Accepting request 1155683 from home:pmonrealgonzalez:branches:devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1155683
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=147
2024-03-06 21:50:51 +00:00
Dominique Leuenberger
053e2753e4 Accepting request 1153058 from devel:languages:python:Factory
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.

OBS-URL: https://build.opensuse.org/request/show/1153058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=44
2024-02-29 20:49:40 +00:00
b2465b642f - (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=145
2024-02-28 23:22:48 +00:00
Ana Guerrero
bccd86cdcc Accepting request 1152788 from devel:languages:python:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1152788
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=43
2024-02-28 18:46:44 +00:00
540802ee0b - Remove double definition of /usr/bin/idle%%{version} in
%%files.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=143
2024-02-20 22:17:37 +00:00
Ana Guerrero
74bd53beae Accepting request 1146871 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1146871
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=42
2024-02-15 20:01:35 +00:00
e455bcb51a Accepting request 1146815 from home:dgarcia:branches:devel:languages:python:Factory
- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
  with Expat 2.6.0, gh#python/cpython#115289

OBS-URL: https://build.opensuse.org/request/show/1146815
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=141
2024-02-15 14:36:44 +00:00
Ana Guerrero
ad14c29c9a Accepting request 1143660 from devel:languages:python:Factory
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.

OBS-URL: https://build.opensuse.org/request/show/1143660
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=41
2024-02-04 18:07:22 +00:00
1dc7335dfc - Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=139
2024-02-02 11:48:17 +00:00
Ana Guerrero
0ab6b54fde Accepting request 1109196 from devel:languages:python:Factory
- Update to 3.8.18 (bsc#1214692):
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.

OBS-URL: https://build.opensuse.org/request/show/1109196
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=40
2023-09-06 16:59:26 +00:00
36d04b865e - Update to 3.8.18 (bsc#1214692):
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=137
2023-09-06 06:19:21 +00:00
Dominique Leuenberger
a1dd924e47 Accepting request 1102235 from devel:languages:python:Factory
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).

OBS-URL: https://build.opensuse.org/request/show/1102235
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=39
2023-08-04 13:03:43 +00:00
0ec3738d87 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=135
2023-08-03 15:36:38 +00:00
4d0cce2058 Accepting request 1098688 from devel:languages:python:Factory
Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669)

OBS-URL: https://build.opensuse.org/request/show/1098688
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=134
2023-07-14 14:05:14 +00:00
ab9641870b Fix patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=133
2023-07-12 16:31:40 +00:00
ad4c4c8221 - (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=132
2023-07-12 15:22:03 +00:00
Dominique Leuenberger
85a5883af2 Accepting request 1095964 from devel:languages:python:Factory
- Update to 3.8.17:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/request/show/1095964
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=38
2023-06-29 15:29:29 +00:00
6037f4f429 - Update to 3.8.17:
- gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=130
2023-06-28 19:33:18 +00:00
Dominique Leuenberger
dc848e1ea4 Accepting request 1090625 from devel:languages:python:Factory
- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

OBS-URL: https://build.opensuse.org/request/show/1090625
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=37
2023-06-03 22:13:23 +00:00
bb69159320 - Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.

- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).

- Why in the world we download from HTTP?

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=128
2023-06-03 08:20:52 +00:00
ffe74871f7 - Why in the world we download from HTTP?
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=127
2023-04-30 18:17:18 +00:00
Dominique Leuenberger
477aeca3cf Accepting request 1080040 from devel:languages:python:Factory
- Use python3 modules to build the documentation.

OBS-URL: https://build.opensuse.org/request/show/1080040
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=36
2023-04-18 13:53:05 +00:00
Steve Kowalik
c602a4652d - Use python3 modules to build the documentation.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=125
2023-04-18 05:00:56 +00:00
Dominique Leuenberger
c4e259cd47 Accepting request 1068563 from devel:languages:python:Factory
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/request/show/1068563
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=35
2023-03-03 21:24:10 +00:00
193496d5b0 - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=123
2023-03-01 21:37:15 +00:00
Dominique Leuenberger
6de0cca667 Accepting request 1067029 from devel:languages:python:Factory
- Add provides for readline and sqlite3 to the main Python
  package.

OBS-URL: https://build.opensuse.org/request/show/1067029
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=34
2023-02-22 14:21:10 +00:00
93dd73b453 - Add provides for readline and sqlite3 to the main Python
package.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=121
2023-02-21 13:44:55 +00:00
Dominique Leuenberger
87d61894a0 Accepting request 1061592 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1061592
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=33
2023-01-29 13:10:07 +00:00
134012c00e Accepting request 1061585 from home:kukuk:branches:devel:languages:python:Factory
- Disable NIS for new products, it's deprecated and gets removed

OBS-URL: https://build.opensuse.org/request/show/1061585
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=119
2023-01-27 16:14:58 +00:00
Dominique Leuenberger
70a582039b Accepting request 1058190 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1058190
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=32
2023-01-15 16:57:53 +00:00
188f13580b Accepting request 1058145 from home:marxin:branches:devel:languages:python:Factory
- Suppress warnings for Sphinx 6.0+.

OBS-URL: https://build.opensuse.org/request/show/1058145
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=117
2023-01-13 10:28:20 +00:00
Dominique Leuenberger
a9fe505070 Accepting request 1041645 from devel:languages:python:Factory
- Update to 3.8.16:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a
    name (CVE-2022-45061).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - The deprecated mailcap module now refuses to inject
    unsafe text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
- Removed upstream patches:
  - CVE-2022-37454-sha3-buffer-overflow.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch

OBS-URL: https://build.opensuse.org/request/show/1041645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=31
2022-12-09 12:16:47 +00:00
c462da06b7 - Update to 3.8.16:
- python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a
    name (CVE-2022-45061).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - The deprecated mailcap module now refuses to inject
    unsafe text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
- Removed upstream patches:
  - CVE-2022-37454-sha3-buffer-overflow.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=115
2022-12-08 10:36:29 +00:00
Dominique Leuenberger
20c2782eea Accepting request 1034964 from devel:languages:python:Factory
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

OBS-URL: https://build.opensuse.org/request/show/1034964
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=30
2022-11-12 16:39:54 +00:00
d73dddf910 - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=113
2022-11-09 18:40:43 +00:00
Dominique Leuenberger
a7cf9db7d6 Accepting request 1032060 from devel:languages:python:Factory
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).

OBS-URL: https://build.opensuse.org/request/show/1032060
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=29
2022-10-29 18:16:09 +00:00
f1998cfdab - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=111
2022-10-28 19:44:10 +00:00
Dominique Leuenberger
000043d01c Accepting request 1031407 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1031407
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=28
2022-10-28 17:28:32 +00:00
8e65405c86 Accepting request 1031399 from home:mcepl:branches:devel:languages:python:Factory
- Add 98437-sphinx.locale._-as-gettext-in-pyspecific.patch to
  allow building of documentation with the latest Sphinx 5.3.0
  (gh#python/cpython#98366).

OBS-URL: https://build.opensuse.org/request/show/1031399
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=109
2022-10-26 21:24:58 +00:00
Dominique Leuenberger
50231d7d05 Accepting request 1030237 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1030237
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=27
2022-10-22 12:11:58 +00:00