Commit Graph

70 Commits

Author SHA256 Message Date
c4677b0c0c Accepting request 1061586 from home:kukuk:branches:devel:languages:python:Factory
- Disable NIS for new products, it's deprecated and gets removed

OBS-URL: https://build.opensuse.org/request/show/1061586
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=132
2023-01-27 16:15:01 +00:00
99c7e0b52b Accepting request 1058220 from home:marxin:branches:devel:languages:python:Factory
- Suppress warnings for Sphinx 6.0+.

OBS-URL: https://build.opensuse.org/request/show/1058220
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=130
2023-01-13 17:34:48 +00:00
2c04be55bd - Update to 3.9.16:
- python -m http.server no longer allows terminal control
    characters sent within a garbage request to be printed to the
    stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter audit hooks
    via the gc module
  - The IDNA codec decoder used on DNS hostnames by socket or
    asyncio related name resolution functions no longer involves
    a quadratic algorithm. This prevents a potential CPU denial
    of service if an out-of-spec excessive length hostname
    involving bidirectional characters were decoded. Some
    protocols such as urllib http 3xx redirects potentially allow
    for an attacker to supply such a name (CVE-2015-20107).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns to using
    filesystem backed unix domain sockets for communication with
    the forkserver process instead of the Linux abstract socket
    namespace. Only code that chooses to use the “forkserver”
    start method is affected.
    Abstract sockets have no permissions and could allow any
    user on the system in the same network namespace (often
    the whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict this
    to the forkserver process user as was the default in Python

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=126
2022-12-08 10:47:18 +00:00
80ef87d611 - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=124
2022-11-09 18:43:25 +00:00
ea87139f16 - Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
  privilege escalation via the multiprocessing forkserver start
  method.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=122
2022-11-03 21:36:18 +00:00
d6d31d7ca3 Accepting request 1031398 from home:mcepl:branches:devel:languages:python:Factory
- Add 98437-sphinx.locale._-as-gettext-in-pyspecific.patch to
  allow building of documentation with the latest Sphinx 5.3.0
  (gh#python/cpython#98366).

OBS-URL: https://build.opensuse.org/request/show/1031398
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=120
2022-10-26 21:25:00 +00:00
0f6aeb04bb - Update to 3.8.15:
- Fix multiplying a list by an integer (list *= int): detect
    the integer overflow when the new allocated length is close
    to the maximum size.
  - Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no
    longer uses a shell to run openssl commands. (originally
    filed as CVE-2022-37460, later withdrawn)
  - Fix command line parsing: reject -X int_max_str_digits option
    with no value (invalid) when the PYTHONINTMAXSTRDIGITS
    environment variable is set to a valid limit.
  - When ValueError is raised if an integer is larger than the
    limit, mention the sys.set_int_max_str_digits() function in
    the error message.
  - Update bundled libexpat to 2.4.9

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=118
2022-10-19 07:31:04 +00:00
6fa3cda544 - Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises a
    ValueError if the number of digits in string form is above a
    limit to avoid potential denial of service attacks due to the
    algorithmic complexity.
    This new limit can be configured or disabled by environment
    variable, command line flag, or sys APIs. See the integer
    string conversion length limitation documentation. The
    default limit is 4300 digits in string form.
  - Also other bug fixes:
    - http.server: Fix an open redirection vulnerability in the
      HTTP server when an URI path starts with //. Vulnerability
      discovered, and initial fix proposed, by Hamza Avvan.
    - Fix contextvars HAMT implementation to handle iteration
      over deep trees. The bug was discovered and fixed by Eli
      Libman. See MagicStack/immutables#84 for more details.
    - Fix binding of unix socket to empty address on Linux to use
      an available address from the abstract namespace, instead
      of “0”.
    - Suppress writing an XML declaration in open files
      in ElementTree.write() with encoding='unicode' and
      xml_declaration=None.
    - Fix the formatting for await x and not x in the operator
      precedence table when using the help() system.
    - Fix ensurepip environment isolation for subprocess running
      pip.
    - Fix problem with test_ssl test_get_ciphers on systems that
      require perfect forward secrecy (PFS) ciphers.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
2022-09-11 08:54:55 +00:00
Steve Kowalik
a2b82842e5 - http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=113
2022-09-01 03:50:33 +00:00
f343483635 Restore %primary_interpreter
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=111
2022-07-21 15:15:38 +00:00
d57ee42f22 - Switch from %primary_interpreter to prjconf-defined
%primary_python (gh#openSUSE/python-rpm-macros#127).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=110
2022-07-21 14:23:09 +00:00
2253eadce9 - Fix building of documentation and the universal configuration of the
%primary_interpreter.
- (bsc#1196784, CVE-2022-25236) Rename patch:
  support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
  and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
  as it was fully patched against CVE-2022-25236.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=103
2022-06-10 18:01:18 +00:00
c65f6c6577 - Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=102
2022-06-10 09:43:57 +00:00
c0ef92b69d Adjust SPEC file
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=100
2022-05-20 15:53:49 +00:00
0054c87fd3 - Update to 3.9.13:
- Core and Builtins
    - gh-92311: Fixed a bug where setting frame.f_lineno to jump
      over a list comprehension could misbehave or crash.
    - gh-92112: Fix crash triggered by an evil custom mro() on
      a metaclass.
    - gh-92036: Fix a crash in subinterpreters related to the
      garbage collector. When a subinterpreter is deleted,
      untrack all objects tracked by its GC. To prevent a crash
      in deallocator functions expecting objects to be tracked by
      the GC, leak a strong reference to these objects on
      purpose, so they are never deleted and their deallocator
      functions are not called. Patch by Victor Stinner.
    - gh-91421: Fix a potential integer overflow in
      _Py_DecodeUTF8Ex.
    - bpo-46775: Some Windows system error codes(>= 10000) are
      now mapped into the correct errno and may now raise
      a subclass of OSError. Patch by Dong-hee Na.
    - bpo-46962: Classes and functions that unconditionally
      declared their docstrings ignoring the
      --without-doc-strings compilation flag no longer do so.
    - The classes affected are pickle.PickleBuffer,
      testcapi.RecursingInfinitelyError, and types.GenericAlias.
    - The functions affected are 24 methods in ctypes.
    - Patch by Oleg Iarygin.
    - bpo-36819: Fix crashes in built-in encoders with error
      handlers that return position less or equal than the
      starting position of non-encodable characters.
  - Library
    - gh-91581: utcfromtimestamp() no longer attempts to resolve

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=98
2022-05-20 14:30:03 +00:00
660a10d613 - Update to 3.9.12:
- bpo-46968: Check for the existence of the “sys/auxv.h” header
    in faulthandler to avoid compilation problems in systems
    where this header doesn’t exist. Patch by Pablo Galindo
  - bpo-47101: hashlib.algorithms_available now lists only
    algorithms that are provided by activated crypto providers on
    OpenSSL 3.0. Legacy algorithms are not listed unless the
    legacy provider has been loaded into the default OSSL
    context.
  - bpo-23691: Protect the re.finditer() iterator from
    re-entering.
  - bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
    avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
    when reading a ZipFile from multiple threads.
  - bpo-38256: Fix binascii.crc32() when it is compiled to use
    zlib’c crc32 to work properly on inputs 4+GiB in length
    instead of returning the wrong result. The workaround prior
    to this was to always feed the function data in increments
    smaller than 4GiB or to just call the zlib module function.
  - bpo-39394: A warning about inline flags not at the start of
    the regular expression now contains the position of the flag.
  - bpo-47061: Deprecate the various modules listed by PEP 594:
  - aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
    imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
    sndhdr, spwd, sunau, telnetlib, uu, xdrlib
  - bpo-2604: Fix bug where doctests using globals would fail
    when run multiple times.
  - bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
  - bpo-47022: The asynchat, asyncore and smtpd modules have been
    deprecated since at least Python 3.6. Their documentation has

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=96
2022-03-26 22:43:50 +00:00
Steve Kowalik
f7ad0c8e9b - Add patch support-expat-245.patch:
* Support Expat >= 2.4.5

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=95
2022-02-22 05:55:44 +00:00
77fd8b492b Fix version of python-docs-theme module
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=94
2022-01-20 00:18:47 +00:00
1cea88a1fa - Update to 3.9.10:
Bugfix-only release

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=93
2022-01-19 21:56:33 +00:00
df2471a1fa Run spec-cleaner
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=92
2021-11-29 21:19:34 +00:00
14c194c885 - Remove shebangs from from python-base libraries in _libdir
(bsc#1193179).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=91
2021-11-29 16:33:18 +00:00
41195dffc1 - Don't collect automatic Requires from python-base libraries in
%%_libdir.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=89
2021-11-29 00:33:07 +00:00
ed4a6bb277 Accepting request 933934 from home:mcepl:branches:devel:languages:python
- rpm-build-python dependency is available on the current
  Factory, not with SLE.

OBS-URL: https://build.opensuse.org/request/show/933934
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=88
2021-11-25 22:24:19 +00:00
Steve Kowalik
a87cc20a6a - Update to 3.9.9:
* Core and Builtins
    + bpo-30570: Fixed a crash in issubclass() from infinite recursion when searching pathological __bases__ tuples.
    + bpo-45494: Fix parser crash when reporting errors involving invalid continuation characters. Patch by Pablo Galindo.
    + bpo-45385: Fix reference leak from descr_check. Patch by Dong-hee Na.
    + bpo-45167: Fix deepcopying of types.GenericAlias objects.
    + bpo-44219: Release the GIL while performing isatty system calls on arbitrary file descriptors. In particular, this affects os.isatty(), os.device_encoding() and io.TextIOWrapper. By extension, io.open() in text mode is also affected. This change solves a deadlock in os.isatty(). Patch by Vincent Michel in bpo-44219.
    + bpo-44959: Added fallback to extension modules with ‘.sl’ suffix on HP-UX
    + bpo-44050: Extensions that indicate they use global state (by setting m_size to -1) can again be used in multiple interpreters. This reverts to behavior of Python 3.8.
    + bpo-45121: Fix issue where Protocol.__init__ raises RecursionError when it’s called directly or via super(). Patch provided by Yurii Karabas.
    + bpo-45083: When the interpreter renders an exception, its name now has a complete qualname. Previously only the class name was concatenated to the module name, which sometimes resulted in an incorrect full name being displayed.
    + bpo-45738: Fix computation of error location for invalid continuation characters in the parser. Patch by Pablo Galindo.
    + Library
    + bpo-45678: Fix bug in Python 3.9 that meant functools.singledispatchmethod failed to properly wrap the attributes of the target method. Patch by Alex Waygood.
    + bpo-45679: Fix caching of multi-value typing.Literal. Literal[True, 2] is no longer equal to Literal[1, 2].
    + bpo-45438: Fix typing.Signature string representation for generic builtin types.
    + bpo-45581: sqlite3.connect() now correctly raises MemoryError if the underlying SQLite API signals memory error. Patch by Erlend E. Aasland.
    + bpo-39679: Fix bug in functools.singledispatchmethod that caused it to fail when attempting to register a classmethod() or staticmethod() using type annotations. Patch contributed by Alex Waygood.
    + bpo-45515: Add references to zoneinfo in the datetime documentation, mostly replacing outdated references to dateutil.tz. Change by Paul Ganssle.
    + bpo-45467: Fix incremental decoder and stream reader in the “raw-unicode-escape” codec. Previously they failed if the escape sequence was split.
    + bpo-45461: Fix incremental decoder and stream reader in the “unicode-escape” codec. Previously they failed if the escape sequence was split.
    + bpo-45239: Fixed email.utils.parsedate_tz() crashing with UnboundLocalError on certain invalid input instead of returning None. Patch by Ben Hoyt.
    + bpo-44904: Fix bug in the doctest module that caused it to fail if a docstring included an example with a classmethod property. Patch by Alex Waygood.
    + bpo-45406: Make inspect.getmodule() catch FileNotFoundError raised by :’func:inspect.getabsfile, and return None to indicate that the module could not be determined.
    + bpo-45262: Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop
    + bpo-45386: Make xmlrpc.client more robust to C runtimes where the underlying C strftime function results in a ValueError when testing for year formatting options.
    + bpo-45371: Fix clang rpath issue in distutils. The UnixCCompiler now uses correct clang option to add a runtime library directory (rpath) to a shared library.
    + bpo-20028: Improve error message of csv.Dialect when initializing. Patch by Vajrasky Kok and Dong-hee Na.
    + bpo-45343: Update bundled pip to 21.2.4 and setuptools to 58.1.0
    + bpo-41710: On Unix, if the sem_clockwait() function is available in the C library (glibc 2.30 and newer), the threading.Lock.acquire() method now uses the monotonic clock (time.CLOCK_MONOTONIC) for the timeout, rather than using the system clock (time.CLOCK_REALTIME), to not be affected by system clock changes. Patch by Victor Stinner.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=87
2021-11-17 09:51:06 +00:00
415beff858 - Add incorrect-deprecation-warn-asyncio.patch to fix bpo#45097
(from gh#python/cpython#28153) to remove incorrect deprecation
  warnings in asyncio.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=86
2021-10-30 12:44:12 +00:00
90e6506490 Accepting request 925038 from home:dimstar:Factory
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

OBS-URL: https://build.opensuse.org/request/show/925038
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=85
2021-10-13 12:05:12 +00:00
cddb7279e5 - Update to 3.9.7:
- Security
    - Replaced usage of tempfile.mktemp() with TemporaryDirectory
      to avoid a potential race condition.
    - Add auditing events to the marshal module, and stop raising
      code.__init__ events for every unmarshalled code object.
      Directly instantiated code objects will continue to raise
      an event, and audit event handlers should inspect or
      collect the raw marshal data. This reduces a significant
      performance overhead when loading from .pyc files.
    - Made the internal putcmd function in smtplib sanitize input
      for presence of \r and \n characters to avoid (unlikely)
      command injection.
  - Core and Builtins
    - Fixed pickling of range iterators that iterated for over
      2**32 times.
    - Fix a race in WeakKeyDictionary, WeakValueDictionary and
      WeakSet when two threads attempt to commit the last pending
      removal. This fixes asyncio.create_task and fixes a data
      loss in asyncio.run where shutdown_asyncgens is not run
    - Fixed a corner case bug where the result of
      float.fromhex('0x.8p-1074') was rounded the wrong way.
    - Refine the syntax error for trailing commas in import
      statements. Patch by Pablo Galindo.
    - Restore behaviour of complex exponentiation with
      integer-valued exponent of type float or complex.
    - Correct the ast locations of f-strings with format specs
      and repeated expressions. Patch by Pablo Galindo
    - Use new trashcan macros (Py_TRASHCAN_BEGIN/END) in
      frameobject.c instead of the old ones

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=83
2021-08-31 15:10:59 +00:00
0150e36f11 Accepting request 915024 from home:mcepl:python-libmpdec
- Add decimal.patch to add building with --with-system-libmpdec
  option (bsc#1189356).

OBS-URL: https://build.opensuse.org/request/show/915024
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=82
2021-08-30 11:54:55 +00:00
6a5249892f Accepting request 914686 from home:Andreas_Schwab:Factory
- test_faulthandler is still problematic under qemu linux-user emulation,
  disable it there
- Reenable profileopt with qemu emulation, test_faulthandler is no longer
  run during profiling

OBS-URL: https://build.opensuse.org/request/show/914686
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=81
2021-08-28 08:25:54 +00:00
861dbc7cda Make documentation build on SLE-15 as well
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=80
2021-08-12 12:13:59 +00:00
c524d26818 Accepting request 910899 from home:fusionfuture:branches:devel:languages:python:Factory
- Update to 3.9.6:
  * Security
    - bpo-44022: mod:http.client now avoids infinitely reading
      potential HTTP headers after a 100 Continue status response
      from the server.
  * Core and Builtins
    - bpo-44409: Fix error location information for tokenizer
      errors raised on initialization of the tokenizer. Patch by
      Pablo Galindo.
    - bpo-43667: Improve Unicode support in non-UTF locales on
      Oracle Solaris. This issue does not affect other Solaris
      systems.
    - bpo-44168: Fix error message in the parser involving keyword
      arguments with invalid expressions. Patch by Pablo Galindo
    - bpo-44114: Fix incorrect dictkeys_reversed and
      dictitems_reversed function signatures in C code, which broke
      webassembly builds.
    - bpo-44070: No longer eagerly makes import filenames absolute,
      except for extension modules, which was introduced in 3.9.5.
    - bpo-28146: Fix a confusing error message in str.format().
    - bpo-11105: When compiling ast.AST objects with recursive
      references through compile(), the interpreter doesn’t crash
      anymore instead it raises a RecursionError.
  * Library
    - bpo-44516: Update vendored pip to 21.1.3
    - bpo-44482: Fix very unlikely resource leak in glob in
      alternate Python implementations.
    - bpo-44439: Fix in bz2.BZ2File.write() / lzma.LZMAFile.write()
      methods, when the input data is an object that supports the
      buffer protocol, the file length may be wrong.

OBS-URL: https://build.opensuse.org/request/show/910899
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=76
2021-08-09 13:05:39 +00:00
1fb9f9d47e - Use versioned python-Sphinx to avoid dependency on other
version of Python (bsc#1183858).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=75
2021-08-02 12:39:29 +00:00
2fa8f8d6ae - Add bpo44426-complex-keyword-sphinx.patch allowing generating
documentation with Sphinx 4 (bpo#44426).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=73
2021-06-19 00:25:52 +00:00
4ae49af4ba Accepting request 898147 from home:mcepl:branches:devel:languages:python:Factory
- Revert previous skip over test_capi
- Add skip-test_pyobject_freed_is_freed.patch to skip failing
  test on SLE-15.

OBS-URL: https://build.opensuse.org/request/show/898147
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=71
2021-06-07 14:28:29 +00:00
d412267ee4 Accepting request 897590 from home:dirkmueller:Factory
- allow build with Sphinx >= 3.x

OBS-URL: https://build.opensuse.org/request/show/897590
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=70
2021-06-05 07:02:53 +00:00
1e1de10cdd Accepting request 896921 from home:dancermak:branches:devel:languages:python:Factory
Exclude test_capi on Leap (test fails there)

OBS-URL: https://build.opensuse.org/request/show/896921
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=69
2021-06-03 12:22:24 +00:00
143e377b2e - Stop providing "python" symbol (bsc#1185588), which means
python2 currently.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=68
2021-05-21 15:18:30 +00:00
85067059b6 Accepting request 890779 from home:mcepl:branches:devel:languages:python:Factory
- Update to 3.9.5:
  * Security
    - bpo-43434: Creating a sqlite3.Connection object now also
      produces a sqlite3.connect auditing event. Previously this
      event was only produced by sqlite3.connect() calls. Patch
      by Erlend E. Aasland.
    - bpo-43882: The presence of newline or tab characters in
      parts of a URL could allow some forms of attacks.
    - Following the controlling specification for URLs defined by
      WHATWG urllib.parse() now removes ASCII newlines and tabs
      from URLs, preventing such attacks.
    - bpo-43472: Ensures interpreter-level audit hooks receive
      the cpython.PyInterpreterState_New event when called
      through the _xxsubinterpreters module.
    - bpo-36384: ipaddress module no longer accepts any leading
      zeros in IPv4 address strings. Leading zeros are ambiguous
      and interpreted as octal notation by some libraries. For
      example the legacy function socket.inet_aton() treats
      leading zeros as octal notatation. glibc implementation of
      modern inet_pton() does not accept any leading zeros. For
      a while the ipaddress module used to accept ambiguous
      leading zeros.
    - bpo-43075: Fix Regular Expression Denial of Service (ReDoS)
      vulnerability in urllib.request.AbstractBasicAuthHandler.
      The ReDoS-vulnerable regex has quadratic worst-case
      complexity and it allows cause a denial of service when
      identifying crafted invalid RFCs. This ReDoS issue is on
      the client side and needs remote attackers to control the
      HTTP server.
    - bpo-42800: Audit hooks are now fired for frame.f_code,
      traceback.tb_frame, and generator code/frame attribute
      access.
  * Core and Builtins
    - bpo-43105: Importlib now resolves relative paths when
      creating module spec objects from file locations.
    - bpo-42924: Fix bytearray repetition incorrectly copying
      data from the start of the buffer, even if the data is
      offset within the buffer (e.g. after reassigning a slice at
      the start of the bytearray to a shorter byte string).
  * Library
    - bpo-43993: Update bundled pip to 21.1.1.
    - bpo-43937: Fixed the turtle module working with non-default
      root window.
    - bpo-43930: Update bundled pip to 21.1 and setuptools to
      56.0.0
    - bpo-43920: OpenSSL 3.0.0: load_verify_locations() now
      returns a consistent error message when cadata contains no
      valid certificate.
    - bpo-43607: urllib can now convert Windows paths with \\?\
      prefixes into URL paths.
    - bpo-43284: platform.win32_ver derives the windows version
      from sys.getwindowsversion().platform_version which in turn
      derives the version from kernel32.dll (which can be of
      a different version than Windows itself). Therefore change
      the platform.win32_ver to determine the version using the
      platform module’s _syscmd_ver private function to return an
      accurate version.
    - bpo-42248: [Enum] ensure exceptions raised in _missing__
      are released
    - bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1
      to suppress deprecation warnings. Python requires OpenSSL
      1.1.1 APIs.
    - bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants
      (OpenSSL 3.0.0)
    - bpo-43789: OpenSSL 3.0.0: Don’t call the password callback
      function a second time when first call has signaled an
      error condition.
    - bpo-43788: The header files for ssl error codes are now
      OpenSSL version-specific. Exceptions will now show correct
      reason and library codes. The make_ssl_data.py script has
      been rewritten to use OpenSSL’s text file with error codes.
    - bpo-43655: tkinter dialog windows are now recognized as
      dialogs by window managers on macOS and X Window.
    - bpo-43534: turtle.textinput() and turtle.numinput() create
      now a transient window working on behalf of the canvas
      window.
    - bpo-43522: Fix problem with hostname_checks_common_name.
      OpenSSL does not copy hostflags from struct SSL_CTX to
      struct SSL.
    - bpo-42967: Allow bytes separator argument in
      urllib.parse.parse_qs and urllib.parse.parse_qsl when
      parsing str query strings. Previously, this raised
      a TypeError.
    - bpo-43176: Fixed processing of a dataclass that inherits
      from a frozen dataclass with no fields. It is now correctly
      detected as an error.
    - bpo-41735: Fix thread locks in zlib module may go wrong in
      rare case. Patch by Ma Lin.
    - bpo-36470: Fix dataclasses with InitVars and replace().
      Patch by Claudiu Popa.
    - bpo-32745: Fix a regression in the handling of ctypes’
      ctypes.c_wchar_p type: embedded null characters would cause
      a ValueError to be raised. Patch by Zackery Spytz.
  * Documentation
    - bpo-43959: The documentation on the PyContextVar C-API was
      clarified.
    - bpo-43938: Update dataclasses documentation to express that
      FrozenInstanceError is derived from AttributeError.
    - bpo-43755: Update documentation to reflect that
      unparenthesized lambda expressions can no longer be the
      expression part in an if clause in comprehensions and
      generator expressions since Python 3.9.
    - bpo-43739: Fixing the example code in
      Doc/extending/extending.rst to declare and initialize the
      pmodule variable to be of the right type.
  * Tests
    - bpo-43961: Fix
      test_logging.test_namer_rotator_inheritance() on Windows:
      use os.replace() rather than os.rename(). Patch by Victor
      Stinner.
    - bpo-43842: Fix a race condition in the SMTP test of
      test_logging. Don’t close a file descriptor (socket) from
      a different thread while asyncore.loop() is polling the
      file descriptor. Patch by Victor Stinner.
    - bpo-43811: Tests multiple OpenSSL versions on GitHub
      Actions. Use ccache to speed up testing.
    - bpo-43791: OpenSSL 3.0.0: Disable testing of legacy
      protocols TLS 1.0 and 1.1. Tests are failing with
      TLSV1_ALERT_INTERNAL_ERROR.
- Refreshed patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - python-3.3.0b1-fix_date_time_compiler.patch
- Add vendorized files from bluez-devel to enable building support for
  Bluetooth.

OBS-URL: https://build.opensuse.org/request/show/890779
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=66
2021-05-05 16:46:47 +00:00
40e9d58763 Add BR autoconf-archive
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=63
2021-04-28 17:28:00 +00:00
0cf7e4ca96 - Update to 3.9.4:
- bpo#43710: Reverted the fix for https://bugs.python.org/issue42500
    as it changed the PyThreadState struct size and broke the 3.9.x ABI
    in the 3.9.3 release (visible on 32-bit platforms using binaries
    compiled using an earlier version of Python 3.9.x headers).
  - bpo#26053: Fixed bug where the pdb interactive run command echoed
    the args from the shell command line, even if those have been
    overridden at the pdb prompt.
  - bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
    feature of the pydoc module which could be abused to read
    arbitrary files on the disk (directory traversal
    vulnerability). Moreover, even source code of Python modules
    can contain sensitive data like passwords. Vulnerability
    reported by David Schwörer.
  - bpo#43285: ftplib no longer trusts the IP address value
    returned from the server in response to the PASV command by
    default. This prevents a malicious FTP server from using the
    response to probe IPv4 address and port combinations on the
    client network. Code that requires the former vulnerable
    behavior may set a trust_server_pasv_ipv4_address attribute
    on their ftplib.FTP instances to True to re-enable it.
  - bpo#43439: Add audit hooks for gc.get_objects(),
    gc.get_referrers() and gc.get_referents(). Patch by Pablo
    Galindo.
  - bpo#43660: Fix crash that happens when replacing sys.stderr
    with a callable that can remove the object while an exception
    is being printed. Patch by Pablo Galindo.
  - bpo#43555: Report the column offset for SyntaxError for
    invalid line continuation characters. Patch by Pablo Galindo.
  - bpo#43517: Fix misdetection of circular imports when using

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=62
2021-04-28 16:57:12 +00:00
9559d22979 Update patches
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=57
2021-02-21 14:40:01 +00:00
d3bad64b2f Test on PPC*
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=56
2021-02-21 10:16:48 +00:00
ca899a3e2a Fix patches
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=54
2021-02-20 17:33:07 +00:00
771e6fa592 - Update to 3.9.2:
- bpo#42938 (bsc#1181126): Avoid static buffers when computing
    the repr of ctypes.c_double and ctypes.c_longdouble
    values. This issue was assigned CVE-2021-3177.
  - bpo#42967 (bso#1182379): Fix web cache poisoning
    vulnerability by defaulting the query args separator to &,
    and allowing the user to choose a custom separator. This
    issue was assigned CVE-2021-23336.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=53
2021-02-19 23:09:18 +00:00
Steve Kowalik
910c55d10c - Add Obsoletes for python3-base when primary interpreter is set to
properly replace it during upgrades.  (bsc#1181324)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=51
2021-02-09 09:51:49 +00:00
12d62b8ab0 - Update to 3.9.1:
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=49
2021-02-08 22:22:59 +00:00
499bf81eab - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=47
2021-01-30 00:29:18 +00:00
ddccfc5ed2 - (bsc#1180125) We really don't Require python-rpm-macros package.
Unnecessary dependency.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=44
2021-01-06 15:10:34 +00:00
4a7f7a3418 - Make python39-doc building again
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=43
2020-12-16 19:19:53 +00:00
83e48f46d5 - Last try before this results in an editwar:
* remove importlib_resources and importlib-metadata 
    provides/obsoletes
  * import importlib_resources is not the same as
    import importlib.resources, same for metadata
  * The backport packages from PyPI needed for older flavors are
    specified as such for setuptools or in pyproject.toml. If a
    package requires them they typically add them with a python
    version qualifier and the packages have their own version
    numbers.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=40
2020-12-10 11:03:11 +00:00