- bpo#43710: Reverted the fix for https://bugs.python.org/issue42500
as it changed the PyThreadState struct size and broke the 3.9.x ABI
in the 3.9.3 release (visible on 32-bit platforms using binaries
compiled using an earlier version of Python 3.9.x headers).
- bpo#26053: Fixed bug where the pdb interactive run command echoed
the args from the shell command line, even if those have been
overridden at the pdb prompt.
- bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
feature of the pydoc module which could be abused to read
arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
- bpo#43285: ftplib no longer trusts the IP address value
returned from the server in response to the PASV command by
default. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the
client network. Code that requires the former vulnerable
behavior may set a trust_server_pasv_ipv4_address attribute
on their ftplib.FTP instances to True to re-enable it.
- bpo#43439: Add audit hooks for gc.get_objects(),
gc.get_referrers() and gc.get_referents(). Patch by Pablo
Galindo.
- bpo#43660: Fix crash that happens when replacing sys.stderr
with a callable that can remove the object while an exception
is being printed. Patch by Pablo Galindo.
- bpo#43555: Report the column offset for SyntaxError for
invalid line continuation characters. Patch by Pablo Galindo.
- bpo#43517: Fix misdetection of circular imports when using
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=62
- bpo#42938 (bsc#1181126): Avoid static buffers when computing
the repr of ctypes.c_double and ctypes.c_longdouble
values. This issue was assigned CVE-2021-3177.
- bpo#42967 (bso#1182379): Fix web cache poisoning
vulnerability by defaulting the query args separator to &,
and allowing the user to choose a custom separator. This
issue was assigned CVE-2021-23336.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=53
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
* The backport packages from PyPI needed for older flavors are
specified as such for setuptools or in pyproject.toml. If a
package requires them they typically add them with a python
version qualifier and the packages have their own version
numbers.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=40
* Core and Builtins
- bpo-38156: Handle interrupts that come after EOF
correctly in PyOS_StdioReadline.
* Library
- bpo-41497: Fix potential UnicodeDecodeError in dis
module.
- bpo-41490: Update ensurepip to install pip 20.2.1 and
setuptools 49.2.1.
- bpo-41467: On Windows, fix asyncio recv_into() return
value when the socket/pipe is closed (BrokenPipeError):
return 0 rather than an empty byte string (b'').
- bpo-41425: Make tkinter doc example runnable.
- bpo-41384: Raise TclError instead of TypeError when an
unknown option is passed to tkinter.OptionMenu.
- bpo-38731: Fix NameError in command-line interface of
py_compile.
- bpo-41317: Use add_done_callback() in
asyncio.loop.sock_accept() to unsubscribe reader early on
cancellation.
- bpo-41364: Reduce import overhead of uuid.
- bpo-41341: Recursive evaluation of typing.ForwardRef in
get_type_hints.
- bpo-41182: selector: use DefaultSelector based upon
implementation
- bpo-40726: Handle cases where the end_lineno is None on
ast.increment_lineno().
* Documentation
- bpo-41045: Add documentation for debug feature of
f-strings.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=26
- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
- Removed recursion.tar: contained in upstream
- Update to 3.9.0b5:
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
by the fix for bpo-29778 (CVE-2020-15801).
- bpo-41162: Audit hooks are now cleared later during
finalization to avoid missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations
when Python is embedded (CVE-2020-15523).
- bpo-39603: Prevent http header injection by rejecting control
characters in http.client.putrequest(…).
- bpo-41295: Resolve a regression in CPython 3.8.4 where defining
“__setattr__” in a multi-inheritance setup and
calling up the hierarchy chain could fail if builtins/extension
types were involved in the base types.
- bpo-41247: Always cache the running loop holder when running
asyncio.set_running_loop.
- bpo-41252: Fix incorrect refcounting in
_ssl.c’s _servername_callback().
- bpo-41215: Use non-NULL default values in the PEG parser
keyword list to overcome a bug that was '
preventing Python from being properly compiled when using the
XLC compiler. Patch by Pablo Galindo.
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
aggressively mark list comprehension with CO_COROUTINE. Now only
list comprehension making use of async/await will tagged as so.
- bpo-41175: Guard against a NULL pointer dereference within
bytearrayobject triggered by the bytearray() + bytearray() operation.
- bpo-39960: The “hackcheck” that prevents sneaking around a type’s
__setattr__() by calling the superclass method was
rewritten to allow C implemented heap types.
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
C implementation raises now UnpicklingError instead of crashing.
- bpo-39017: Avoid infinite loop when reading specially crafted
TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
- bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
- bpo-41207: In distutils.spawn, restore expectation that
DistutilsExecError is raised when the command is not found.
- bpo-39168: Remove the __new__ method of typing.Generic.
- bpo-41194: Fix a crash in the _ast module: it can no longer be
loaded more than once. It now uses a global state rather than a module state.
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
null string.
- bpo-41300: Save files with non-ascii chars.
Fix regression released in 3.9.0b4 and 3.8.4.
- bpo-37765: Add keywords to module name completion list.
Rewrite Completions section of IDLE doc.
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
PyType_GetFlags() which hides implementation details.
OBS-URL: https://build.opensuse.org/request/show/822056
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=18
- Remove upstreamed patches:
- F00102-lib64.patch
- SUSE-FEDORA-multilib.patch
- OBS_dev-shm.patch
- subprocess-raise-timeout.patch
- bpo36302-sort-module-sources.patch
- bpo40784-Fix-sqlite3-deterministic-test.patch
- Update pre_checkin.sh and regenerate
- Convert few dependencies to their pkgconfig counterparts
- Remove release requirement on libpython, it is not really needed
to be equal as the abi changes with versions
- Add provides python3-bla on all the subpkgs in case we are
primary provider of the functionality
- Remove unversioned files from devel subpkg too
- Remove main python3 files from -base based whether we are
primary interpreter or not
- Fix idle to be co-installable
- Add condition to be primary to provide/obsolete python3-*
- Fix doc to build in versioned folder so the pythons can be
installed next to each other
- Revert the full versioning of calls on the macros. These
are generic so they should really just call python3 X
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=3
