- Update to 3.9.17:

- gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-101283: subprocess.Popen now uses a safer approach to find
    cmd.exe when launching with shell=True.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
  - gh-102126: Fixed a deadlock at shutdown when clearing thread
    states if any finalizer tries to acquire the runtime head
    lock.
  - gh-100892: Fixed a crash due to a race while iterating over

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=147

CVE-2023-24329-blank-URL-bypass.patch

@@ -1,55 +0,0 @@
-From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
-From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
-Date: Sat, 12 Nov 2022 15:43:33 -0500
-Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
- schemes that don't begin with an alphabetical ASCII character.
-
----
- Lib/test/test_urlparse.py                                              |   18 ++++++++++
- Lib/urllib/parse.py                                                    |    2 -
- Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
- 3 files changed, 21 insertions(+), 1 deletion(-)
-
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase
-                         with self.assertRaises(ValueError):
-                             p.port
- 
-+    def test_attributes_bad_scheme(self):
-+        """Check handling of invalid schemes."""
-+        for bytes in (False, True):
-+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
-+                for scheme in (".", "+", "-", "0", "http&", "६http"):
-+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
-+                        url = scheme + "://www.example.net"
-+                        if bytes:
-+                            if url.isascii():
-+                                url = url.encode("ascii")
-+                            else:
-+                                continue
-+                        p = parse(url)
-+                        if bytes:
-+                            self.assertEqual(p.scheme, b"")
-+                        else:
-+                            self.assertEqual(p.scheme, "")
-+
-     def test_attributes_without_netloc(self):
-         # This example is straight from RFC 3261.  It looks like it
-         # should allow the username, hostname, and port to be filled
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragm
-         clear_cache()
-     netloc = query = fragment = ''
-     i = url.find(':')
--    if i > 0:
-+    if i > 0 and url[0].isascii() and url[0].isalpha():
-         for c in url[:i]:
-             if c not in scheme_chars:
-                 break
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
-@@ -0,0 +1,2 @@
-+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
-+with a digit, a plus sign, or a minus sign to be parsed incorrectly.

Python-3.9.16.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:22dddc099246dd2760665561e8adb7394ea0cc43a72684c6480f9380f7786439
-size 19738796

Python-3.9.16.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl
-BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD
-rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL
-257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV
-si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr
-fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO
-HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3
-4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi
-TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC
-GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5
-JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2
-U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E=
-=dXB5
------END PGP SIGNATURE-----

Python-3.9.17.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30ce057c44f283f8ed93606ccbdb8d51dd526bdc4c62cce5e0dc217bfa3e8cee
+size 19647312

Python-3.9.17.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmR/AFcACgkQsmmV4xAl
+BWg7Fg/7Bq3qKbUD+4LYCOEESdu1MQm4bxfySqFLrzfe0YML/Xvei3ot/MsoTxY+
+9dwLivBab6YVDw3x65Zm2Y1sKAwcKn80qcwfxkxKPFVzeFAIYaO48zACJ5gvNEwk
+tXxEcDV0Nirs5ksqjs439eWXFFSZJJjHUxrBKwVVXoVTl9P3wbvKzeAUGuWMdvBt
+8RYtaHMt24w+mtFBdBM5ODl9qHD30HvEdHItF1HFtnnIR2mvE5W3dNkytrEWckq7
+urrQZlIFqSffnK89oNrQBGQC1dipzfgb3Vdk52usIVq+3J9VeWEmw8my/HUtf6LM
+uSETKCDM6POcC1Hjn3Zar8pVg/5IrGfag2aOWPQwRf5+py+nHO9a8P0nAz1TvygJ
+Q4FPcGCRyxa6gw9TEoO3zutQrHG2q+bvr61hSx3bcnlTk5EwTgblxOw9A5L++uzQ
+JK6vkPIaid4KboIOgpgw2xYWu8uVl2KtEyOeNrvZubuYqKh3xy25lNZT0tT6Axtv
+jOKC84FSvp5fLRAAHAr9B6uycKRlNY2Ca6t8FkkD0v2NgsRVM2Mc11/i/NS+EFKc
+hCZgAvbIEX17DQQNcmki1FWeJ0LfoE7PZgte7f6o1J9lcBYhmfC6nIWJ6Q3zZX/y
+96EESfeEshigdMEwlkCtYSJTc5/WpdiZ0LQyI0x/RQFb8Q4XHS0=
+=xjRt
+-----END PGP SIGNATURE-----

python39.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Wed Jun 28 19:12:12 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Update to 3.9.17:
+  - gh-103142: The version of OpenSSL used in Windows and
+    Mac installers has been upgraded to 1.1.1u to address
+    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
+    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
+    fixed previously in 1.1.1t (gh-101727).
+  - gh-102153: urllib.parse.urlsplit() now strips leading C0
+    control and space characters following the specification for
+    URLs defined by WHATWG in response to CVE-2023-24329
+    (bsc#1208471).
+  - gh-99889: Fixed a security in flaw in uu.decode() that could
+    allow for directory traversal based on the input if no
+    out_file was specified.
+  - gh-104049: Do not expose the local on-disk
+    location in directory indexes produced by
+    http.client.SimpleHTTPRequestHandler.
+  - gh-101283: subprocess.Popen now uses a safer approach to find
+    cmd.exe when launching with shell=True.
+  - gh-103935: trace.__main__ now uses io.open_code() for files
+    to be executed instead of raw open().
+  - gh-102953: The extraction methods in tarfile, and
+    shutil.unpack_archive(), have a new filter argument that
+    allows limiting tar features than may be surprising or
+    dangerous, such as creating files outside the destination
+    directory. See Extraction filters for details (fixing
+    CVE-2007-4559, bsc#1203750).
+  - gh-102126: Fixed a deadlock at shutdown when clearing thread
+    states if any finalizer tries to acquire the runtime head
+    lock.
+  - gh-100892: Fixed a crash due to a race while iterating over
+    thread states in clearing threading.local.
+- Remove upstreamed patches:
+  - CVE-2023-24329-blank-URL-bypass.patch
+  - CVE-2007-4559-filter-tarfile_extractall.patch
+
 -------------------------------------------------------------------
 Sat May  6 17:31:35 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python39.spec

@@ -93,7 +93,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.16
+Version:        3.9.17
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -161,13 +161,6 @@ Patch35:        support-expat-CVE-2022-25236-patched.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
 # this patch makes things totally awesome
 Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
-# blocklist bypass via the urllib.parse component when supplying
-# a URL that starts with blank characters
-Patch38:        CVE-2023-24329-blank-URL-bypass.patch
-# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
-# Implement PEP-706 to filter outcome of the tarball extracing
-Patch39:        CVE-2007-4559-filter-tarfile_extractall.patch
 # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
 # Patch for gh#python/cpython#98086
 Patch40:        99366-patch.dict-can-decorate-async.patch
@@ -429,8 +422,6 @@ other applications.
 %endif
 %patch35 -p1
 %patch37 -p1
-%patch38 -p1
-%patch39 -p1
 %patch40 -p1
 
 # drop Autoconf version requirement