Set link to python310.28117 via maintenance_release request

2023-03-15 19:34:05 +00:00
parent cb4ba88c9b
commit 85ed813980
13 changed files with 381 additions and 334 deletions
--- a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+++ b/98437-sphinx.locale._-as-gettext-in-pyspecific.patch
@@ -1,54 +0,0 @@
 From 5775f51691d7d64fb676586e008b41261ce64ac2 Mon Sep 17 00:00:00 2001
 From: "Matt.Wang" <mattwang44@gmail.com>
 Date: Wed, 19 Oct 2022 14:49:08 +0800
 Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
 backward-compatibility in pyspecific.py
 [why] spinix 5.3 changed locale.translators from a defaultdict(gettext.NullTranslations) to a dict, which leads to failure of pyspecific.py. Use sphinx.locale._ as gettext to fix the issue.
 ---
 Doc/tools/extensions/pyspecific.py                                           |    8 ++++----
 Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst |    1 +
 2 files changed, 5 insertions(+), 4 deletions(-)
 --- a/Doc/tools/extensions/pyspecific.py
 +++ b/Doc/tools/extensions/pyspecific.py
@@ -26,7 +26,7 @@ try:
     from sphinx.errors import NoUri
 except ImportError:
     from sphinx.environment import NoUri
 -from sphinx.locale import translators
 +from sphinx.locale import _ as sphinx_gettext
 from sphinx.util import status_iterator, logging
 from sphinx.util.nodes import split_explicit_title
 from sphinx.writers.text import TextWriter, TextTranslator
@@ -109,7 +109,7 @@ class ImplementationDetail(Directive):
     def run(self):
         self.assert_has_content()
         pnode = nodes.compound(classes=['impl-detail'])
 -        label = translators['sphinx'].gettext(self.label_text)
 +        label = sphinx_gettext(self.label_text)
         content = self.content
         add_text = nodes.strong(label, label)
         self.state.nested_parse(content, self.content_offset, pnode)
@@ -203,7 +203,7 @@ class AuditEvent(Directive):
         else:
             args = []
 -        label = translators['sphinx'].gettext(self._label[min(2, len(args))])
 +        label = sphinx_gettext(self._label[min(2, len(args))])
         text = label.format(name="``{}``".format(name),
                             args=", ".join("``{}``".format(a) for a in args if a))
@@ -382,7 +382,7 @@ class DeprecatedRemoved(Directive):
         else:
             label = self._removed_label
 -        label = translators['sphinx'].gettext(label)
 +        label = sphinx_gettext(label)
         text = label.format(deprecated=self.arguments[0], removed=self.arguments[1])
         if len(self.arguments) == 3:
             inodes, messages = self.state.inline_text(self.arguments[2],
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
@@ -0,0 +1 @@
 +Use sphinx.locale._ as the gettext function in pyspecific.py.
--- a/CVE-2015-20107-mailcap-unsafe-filenames.patch
+++ b/CVE-2015-20107-mailcap-unsafe-filenames.patch
@@ -1,54 +0,0 @@
 From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 27 Apr 2022 18:17:33 +0200
 Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
 filenames/types/params
 ---
 Doc/library/mailcap.rst                                                 |   12 ++++++++++
 Lib/mailcap.py                                                          |    5 ++++
 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |    4 +++
 3 files changed, 21 insertions(+)
 --- a/Doc/library/mailcap.rst
 +++ b/Doc/library/mailcap.rst
@@ -27,6 +27,18 @@ The mailcap format is documented in :rfc
 Mechanism For Multimedia Mail Format Information", but is not an internet
 standard.  However, mailcap files are supported on most Unix systems.
 +   .. versionchanged:: 3.11
 +
 +      To prevent security issues with shell metacharacters (symbols that have
 +      special effects in a shell command line), ``findmatch`` will refuse
 +      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
 +      into the returned command line.
 +
 +      If a disallowed character appears in *filename*, ``findmatch`` will always
 +      return ``(None, None)`` as if no entry was found.
 +      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
 +      ``findmatch`` will ignore all mailcap entries which use that value.
 +      A :mod:`warning <warnings>` will be raised in either case.
 .. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[])
 --- a/Lib/mailcap.py
 +++ b/Lib/mailcap.py
@@ -19,6 +19,11 @@ _find_unsafe = re.compile(r'[^\xa1-\U001
 class UnsafeMailcapInput(Warning):
     """Warning raised when refusing unsafe input"""
 +_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
 +
 +class UnsafeMailcapInput(Warning):
 +    """Warning raised when refusing unsafe input"""
 +
 # Part 1: top-level interface.
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
 +The deprecated mailcap module now refuses to inject unsafe text (filenames,
 +MIME types, parameters) into shell commands. Instead of using such text, it
 +will warn and act as if a match was not found (or for test commands, as if
 +the test failed).
--- a/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
+++ b/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
@@ -1,59 +0,0 @@
 From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
 From: "Gregory P. Smith" <greg@krypto.org>
 Date: Thu, 20 Oct 2022 15:30:09 -0700
 Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
 multiprocessing (GH-98501)
 Linux abstract sockets are insecure as they lack any form of filesystem
 permissions so their use allows anyone on the system to inject code into
 the process.
 This removes the default preference for abstract sockets in
 multiprocessing introduced in Python 3.9+ via
 https://github.com/python/cpython/pull/18866 while fixing
 https://github.com/python/cpython/issues/84031.
 Explicit use of an abstract socket by a user now generates a
 RuntimeWarning.  If we choose to keep this warning, it should be
 backported to the 3.7 and 3.8 branches.
 (cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Lib/multiprocessing/connection.py                                       |    5 ---
 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst |   15 ++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
 --- a/Lib/multiprocessing/connection.py
 +++ b/Lib/multiprocessing/connection.py
@@ -73,11 +73,6 @@ def arbitrary_address(family):
     if family == 'AF_INET':
         return ('localhost', 0)
     elif family == 'AF_UNIX':
 -        # Prefer abstract sockets if possible to avoid problems with the address
 -        # size.  When coding portable applications, some implementations have
 -        # sun_path as short as 92 bytes in the sockaddr_un struct.
 -        if util.abstract_sockets_supported:
 -            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
     elif family == 'AF_PIPE':
         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -0,0 +1,15 @@
 +On Linux the :mod:`multiprocessing` module returns to using filesystem backed
 +unix domain sockets for communication with the *forkserver* process instead of
 +the Linux abstract socket namespace.  Only code that chooses to use the
 +:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
 +
 +Abstract sockets have no permissions and could allow any user on the system in
 +the same `network namespace
 +<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
 +whole system) to inject code into the multiprocessing *forkserver* process.
 +This was a potential privilege escalation. Filesystem based socket permissions
 +restrict this to the *forkserver* process user as was the default in Python 3.8
 +and earlier.
 +
 +This prevents Linux `CVE-2022-42919
 +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
--- a/CVE-2022-45061-DoS-by-IDNA-decode.patch
+++ b/CVE-2022-45061-DoS-by-IDNA-decode.patch
@@ -1,88 +0,0 @@
 From b8f89940de09a51fdbd8fe4705d3d1d7f1bb0c6a Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Mon, 7 Nov 2022 18:57:10 -0800
 Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
 (GH-99222)
 There was an unnecessary quadratic loop in idna decoding. This restores
 the behavior to linear.
 (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
 (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
 Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Lib/encodings/idna.py                                                   |   32 ++++------
 Lib/test/test_codecs.py                                                 |    6 +
 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst |    6 +
 3 files changed, 27 insertions(+), 17 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
 --- a/Lib/encodings/idna.py
 +++ b/Lib/encodings/idna.py
@@ -39,23 +39,21 @@ def nameprep(label):
     # Check bidi
     RandAL = [stringprep.in_table_d1(x) for x in label]
 -    for c in RandAL:
 -        if c:
 -            # There is a RandAL char in the string. Must perform further
 -            # tests:
 -            # 1) The characters in section 5.8 MUST be prohibited.
 -            # This is table C.8, which was already checked
 -            # 2) If a string contains any RandALCat character, the string
 -            # MUST NOT contain any LCat character.
 -            if any(stringprep.in_table_d2(x) for x in label):
 -                raise UnicodeError("Violation of BIDI requirement 2")
 -
 -            # 3) If a string contains any RandALCat character, a
 -            # RandALCat character MUST be the first character of the
 -            # string, and a RandALCat character MUST be the last
 -            # character of the string.
 -            if not RandAL[0] or not RandAL[-1]:
 -                raise UnicodeError("Violation of BIDI requirement 3")
 +    if any(RandAL):
 +        # There is a RandAL char in the string. Must perform further
 +        # tests:
 +        # 1) The characters in section 5.8 MUST be prohibited.
 +        # This is table C.8, which was already checked
 +        # 2) If a string contains any RandALCat character, the string
 +        # MUST NOT contain any LCat character.
 +        if any(stringprep.in_table_d2(x) for x in label):
 +            raise UnicodeError("Violation of BIDI requirement 2")
 +        # 3) If a string contains any RandALCat character, a
 +        # RandALCat character MUST be the first character of the
 +        # string, and a RandALCat character MUST be the last
 +        # character of the string.
 +        if not RandAL[0] or not RandAL[-1]:
 +            raise UnicodeError("Violation of BIDI requirement 3")
     return label
 --- a/Lib/test/test_codecs.py
 +++ b/Lib/test/test_codecs.py
@@ -1534,6 +1534,12 @@ class IDNACodecTest(unittest.TestCase):
         self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
         self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
 +    def test_builtin_decode_length_limit(self):
 +        with self.assertRaisesRegex(UnicodeError, "too long"):
 +            (b"xn--016c"+b"a"*1100).decode("idna")
 +        with self.assertRaisesRegex(UnicodeError, "too long"):
 +            (b"xn--016c"+b"a"*70).decode("idna")
 +
     def test_stream(self):
         r = codecs.getreader("idna")(io.BytesIO(b"abc"))
         r.read(3)
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
@@ -0,0 +1,6 @@
 +The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
 +related name resolution functions no longer involves a quadratic algorithm.
 +This prevents a potential CPU denial of service if an out-of-spec excessive
 +length hostname involving bidirectional characters were decoded. Some protocols
 +such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
 +to supply such a name.
--- a/CVE-2023-24329-blank-URL-bypass.patch
+++ b/CVE-2023-24329-blank-URL-bypass.patch
@@ -0,0 +1,55 @@
 From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
 From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
 Date: Sat, 12 Nov 2022 15:43:33 -0500
 Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
 schemes that don't begin with an alphabetical ASCII character.
 ---
 Lib/test/test_urlparse.py                                              |   18 ++++++++++
 Lib/urllib/parse.py                                                    |    2 -
 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
 3 files changed, 21 insertions(+), 1 deletion(-)
 --- a/Lib/test/test_urlparse.py
 +++ b/Lib/test/test_urlparse.py
@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
                         with self.assertRaises(ValueError):
                             p.port
 +    def test_attributes_bad_scheme(self):
 +        """Check handling of invalid schemes."""
 +        for bytes in (False, True):
 +            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
 +                for scheme in (".", "+", "-", "0", "http&", "६http"):
 +                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
 +                        url = scheme + "://www.example.net"
 +                        if bytes:
 +                            if url.isascii():
 +                                url = url.encode("ascii")
 +                            else:
 +                                continue
 +                        p = parse(url)
 +                        if bytes:
 +                            self.assertEqual(p.scheme, b"")
 +                        else:
 +                            self.assertEqual(p.scheme, "")
 +
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261.  It looks like it
         # should allow the username, hostname, and port to be filled
 --- a/Lib/urllib/parse.py
 +++ b/Lib/urllib/parse.py
@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
         clear_cache()
     netloc = query = fragment = ''
     i = url.find(':')
 -    if i > 0:
 +    if i > 0 and url[0].isascii() and url[0].isalpha():
         for c in url[:i]:
             if c not in scheme_chars:
                 break
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
 +Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
 +with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--- a/Python-3.10.10.tar.xz
+++ b/Python-3.10.10.tar.xz
--- a/Python-3.10.10.tar.xz.asc
+++ b/Python-3.10.10.tar.xz.asc
@@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiQfoACgkQ/+h0BBaL
 2EcB8hAAmFEIHZopWn+A4tDxd001eViLrOmjygqPn1doAQ3dAgyESt4Z/HDtN6rB
 +6z5rsx+qdcP9kfb/+3V0gKBh/3V4bEpnD+EQtpONWhKbCcqOfq1ok1V+uNH8uOF
 ixxWkY+MWJzPPhlQiW/sm9FP6CdnaeriKf1JMCUt9aiganpo2CQv5gPE/0PlSGO5
 BEKjCcyHHPIEAxC6jLm/+33PSzbhGq+YstK/1tcqUrJfkifipovmSZeFyzULPonK
 MATPyliOupo3ixPs3LoJUjNpGD4fH+p2Lg1ZOgYv7vGmeLcadNVanRlqRg76m+ke
 zvp/MAqQg4Fr75m2+mfDG/Md+PrSMvz71i55a1Q1NcYdW6QR62m08FCZg7/+t5pD
 H91ywhMqTv1nySsEZGfuETPTs7gMCtyBeDjIhXBMcfbhGivd7r5zZJ8MUD/FSASC
 fQ/vEVeHWQeWpfFgxLfLmRnkjIS7JCGlM9z6zsZqbppWqeA94sBIf4ka2JG2DnGP
 1Pvn+ragiHt1++i2yVhmoAB0t44/SgXacCce5AT3yB71brT21cOXQs0Gq80MwVPI
 nVbzdOtuGNGcvEi2fbO2IEcgegSHaOHo9PvYTRropSz3V7A95x8mA1xjZf2y77H5
 /mfJ4687YIItCIcNE5Zzj6GspWlWP31OvRFIIefnKYf2JuU+qt8=
 =B3xo
 -----END PGP SIGNATURE-----
--- a/Python-3.10.8.tar.xz.asc
+++ b/Python-3.10.8.tar.xz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmNFVREACgkQ/+h0BBaL
 2EfmBhAAlIlx22S5RL7ehPDOWlEj06uK87EKEfMXch2DMapEXsrBR2Z+Q3Kb0Le+
 T3vru6k9MUbDGI0pei+o5k621jvg8Gj+0rUKTydAd46Pt9ZoCPWuIdyWKaJBknLu
 XsYs6Xiv6Ug7Q3JGy67j8ei6bFoqATyYEe45ljReVfug7VmisjMXHdiyZoAkAFMO
 fDZvtfXRY/ZwLcCfK5SkaJqSRVfYowAh1lQqiXDnbfaX40BVCw78YKFsYN//PCpU
 DrsE7JFapXQGvCJmcZ+WC8A/WMjyLoKI36w2WDcy8AFKsf49xQWPEWnUzXcJyF2n
 zKGxn6kUEMdzelSWWWqMYlckL6Xf87E+CRTRS0MRX6OIrf+zJkeEoWRW8cGT/U8I
 1o0hawm9O50nSIjMGzaXGKjWsHLSIeOA9ToLz19TzzO7VikNkXAx5gQcHQu3bJyT
 SrMCw/VXJy+0BinBpSX/qZoptX2+6lFfArb/xOZGX2ZhU44+ecPrUHxB8xiw0qr8
 pw16k6nCkW3f0aZ0jrlsfNLsXr9G/ZRu+ugrcTTQ53rfXO0pQ5nxm0CJ5O9twDjw
 DIKvuqnOHlSGEcFM4bNDvpqskDnXrK6oyqBvtVhsjdFAp8YHYoM0yALTBlS4v2Xt
 Em1BPUXHps0M1AY59KrXe0OpwibJjKhvWoogAS5bqe/mYInBE/Y=
 =2vcv
 -----END PGP SIGNATURE-----
--- a/bpo-31046_ensurepip_honours_prefix.patch
+++ b/bpo-31046_ensurepip_honours_prefix.patch
@@ -15,7 +15,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
 --- a/Doc/library/ensurepip.rst
 +++ b/Doc/library/ensurepip.rst
-@@ -56,8 +56,9 @@ is at least as recent as the one availab
+@@ -58,8 +58,9 @@ is at least as recent as the one availab
 By default, ``pip`` is installed into the current virtual environment
 (if one is active) or into the system site packages (if there is no
 active virtual environment). The installation location can be controlled
@@ -26,7 +26,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
 * ``--root <dir>``: Installs ``pip`` relative to the given root directory
   rather than the root of the currently active virtual environment (if any)
   or the default root for the current Python installation.
-@@ -89,7 +90,7 @@ Module API
+@@ -91,7 +92,7 @@ Module API
    Returns a string specifying the available version of pip that will be
    installed when bootstrapping an environment.
@@ -35,7 +35,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
                         altinstall=False, default_pip=False, \
                         verbosity=0)
-@@ -99,6 +100,8 @@ Module API
+@@ -101,6 +102,8 @@ Module API
    If *root* is ``None``, then installation uses the default install location
    for the current environment.
@@ -44,7 +44,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
    *upgrade* indicates whether or not to upgrade an existing installation
    of an earlier version of ``pip`` to the available version.
-@@ -119,6 +122,8 @@ Module API
+@@ -121,6 +124,8 @@ Module API
    *verbosity* controls the level of output to :data:`sys.stdout` from the
    bootstrapping operation.
--- a/fix_configure_rst.patch
+++ b/fix_configure_rst.patch
@@ -29,7 +29,7 @@
    Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -2979,7 +2979,7 @@ C API
+@@ -3422,7 +3422,7 @@ C API
 -----
 - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
--- a/invalid-json.patch
+++ b/invalid-json.patch
@@ -0,0 +1,44 @@
 ---
 Doc/howto/logging-cookbook.rst |   24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
 --- a/Doc/howto/logging-cookbook.rst
 +++ b/Doc/howto/logging-cookbook.rst
@@ -340,10 +340,12 @@ adding a ``filters`` section parallel to
 .. code-block:: json
 -    "filters": {
 -        "warnings_and_below": {
 -            "()" : "__main__.filter_maker",
 -            "level": "WARNING"
 +    {
 +        "filters": {
 +            "warnings_and_below": {
 +                "()" : "__main__.filter_maker",
 +                "level": "WARNING"
 +            }
         }
     }
@@ -351,12 +353,14 @@ and changing the section on the ``stdout
 .. code-block:: json
 -    "stdout": {
 -        "class": "logging.StreamHandler",
 -        "level": "INFO",
 -        "formatter": "simple",
 -        "stream": "ext://sys.stdout",
 -        "filters": ["warnings_and_below"]
 +    {
 +        "stdout": {
 +            "class": "logging.StreamHandler",
 +            "level": "INFO",
 +            "formatter": "simple",
 +            "stream": "ext://sys.stdout",
 +            "filters": ["warnings_and_below"]
 +        }
     }
 A filter is just a function, so we can define the ``filter_maker`` (a factory
--- a/python310.changes
+++ b/python310.changes
@@ -1,3 +1,206 @@
 -------------------------------------------------------------------
 Mon Mar 13 08:39:53 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - Add invalid-json.patch fixing invalid JSON in
  Doc/howto/logging-cookbook.rst (somehow similar to
  gh#python/cpython#102582).
 -------------------------------------------------------------------
 Wed Mar  1 20:59:04 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - Update to 3.10.10:
  Bug fixes and regressions handling, no change of behaviour and
  no security bugs fixed.
 - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters
 -------------------------------------------------------------------
 Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - Add provides for readline and sqlite3 to the main Python
  package.
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 - Disable NIS for new products, it's deprecated and gets removed
 -------------------------------------------------------------------
 Thu Dec  8 14:42:15 UTC 2022 - Matej Cepl <mcepl@suse.com>
 - Update to 3.10.9:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server lo This is done by changing
    the http.server BaseHTTPRequestHandler .log_message method
    to replace control characters with a \xHH hex escape before
    printin
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a name.
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns
    to using filesystem backed unix domain sockets for
    communication with the forkserver process instead of the
    Linux abstract socket namespace. Only code that chooses
    to use the “forkserver” start method is affected Abstract
    sockets have no permissions and could allow any user
    on the system in the same network namespace (often the
    whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict
    this to the forkserver process user as was the default in
    Python 3.8 and earlier This prevents Linux CVE-2022-42919
  - Fix a reference bug in _imp.create_builtin()
    after the creation of the first sub-interpreter for modules
    builtins and sys. Patch by Victor Stinner.
  - Fixed a bug that was causing a buffer overflow if
    the tokenizer copies a line missing the newline caracter
    from a file that is as long as the available tokenizer
    buffer. Patch by Pablo galindo
  - Update faulthandler to emit an error message with
    the proper unexpected signal number. Patch by Dong-hee Na.
  - Fix subscription of types.GenericAlias instances
    containing bare generic types: for example tuple[A, T][int],
    where A is a generic type, and T is a type variable.
  - Fix detection of MAC addresses for uuid on certain
    OSs. Patch by Chaim Sanders
  - Print exception class name instead of its string
    representation when raising errors from ctypes calls.
  - Allow pdb to locate source for frozen modules in
    the standard library.
  - Raise ValueError instead of SystemError when
    methods of uninitialized io.IncrementalNewlineDecoder objects
    are called. Patch by Oren Milman.
  - Fix a possible assertion failure in io.FileIO when
    the opener returns an invalid file descriptor.
  - Also escape s in the http.server
    BaseHTTPRequestHandler.log_message so that it is technically
    possible to parse the line and reconstruct what the original
    data was. Without this a xHH is ambiguious as to if it is a
    hex replacement we put in or the characters r”x” came through
    in the original request line.
  - asyncio.get_event_loop() now only emits a
    deprecation warning when a new event loop was created
    implicitly. It no longer emits a deprecation warning if the
    current event loop was set.
  - Fix bug when calling trace.CoverageResults with
    valid infile.
  - Fix a bug in handling class cleanups in
    unittest.TestCase. Now addClassCleanup() uses separate lists
    for different TestCase subclasses, and doClassCleanups() only
    cleans up the particular class.
  - Release the GIL when calling termios APIs to avoid
    blocking threads.
  - Fix ast.increment_lineno() to also cover
    ast.TypeIgnore when changing line numbers.
  - Fixed bug where inspect.signature() reported
    incorrect arguments for decorated methods.
  - Fix SystemError in ctypes when exception was not
    set during __initsubclass__.
  - Fix statistics.NormalDist pickle with 0 and 1
    protocols.
  - Update the bundled copy of pip to version 22.3.1.
  - Apply bugfixes from importlib_metadata 4.11.4,
    namely: In PathDistribution._name_from_stem, avoid
    including parts of the extension in the result. In
    PathDistribution._normalized_name, ensure names loaded from
    the stem of the filename are also normalized, ensuring
    duplicate entry points by packages varying only by
    non-normalized name are hidden.
  - Clean up refleak on failed module initialisation in
    _zoneinfo
  - Clean up refleaks on failed module initialisation
    in in _pickle
  - Clean up refleak on failed module initialisation in
    _io.
  - Fix memory leak in math.dist() when both points
    don’t have the same dimension. Patch by Kumar Aditya.
  - Fix argument typechecks in _overlapped.WSAConnect()
    and _overlapped.Overlapped.WSASendTo() functions.
  - Fix internal error in the re module which in
    very rare circumstances prevented compilation of a regular
    expression containing a conditional expression without the
    “else” branch.
  - Fix asyncio.StreamWriter.drain() to call
    protocol.connection_lost callback only once on Windows.
  - Add a mutex to unittest.mock.NonCallableMock to
    protect concurrent access to mock attributes.
  - Fix hang on Windows in subprocess.wait_closed() in
    asyncio with ProactorEventLoop. Patch by Kumar Aditya.
  - Fix infinite loop in unittest when a
    self-referencing chained exception is raised
  - tkinter.Text.count() raises now an exception for
    options starting with “-” instead of silently ignoring them.
  - On uname_result, restored expectation that _fields
    and _asdict would include all six properties including
    processor.
  - Update the bundled copies of pip and setuptools to
    versions 22.3 and 65.5.0 respectively.
  - Fix bug in urllib.parse.urlparse() that causes
    certain port numbers containing whitespace, underscores,
    plus and minus signs, or non-ASCII digits to be incorrectly
    accepted.
  - Allow venv to pass along PYTHON* variables to
    ensurepip and pip when they do not impact path resolution
  - On macOS, fix a crash in syslog.syslog() in
    multi-threaded applications. On macOS, the libc syslog()
    function is not thread-safe, so syslog.syslog() no longer
    releases the GIL to call it. Patch by Victor Stinner.
  - Allow BUILTINS to be a valid field name for frozen
    dataclasses.
  - Make sure patch.dict() can be applied on async
    functions.
  - To avoid apparent memory leaks when
    asyncio.open_connection() raises, break reference cycles
    generated by local exception and future instances (which has
    exception instance as its member var). Patch by Dong Uk,
    Kang.
  - Prevent error when activating venv in nested fish
    instances.
  - Restrict use of sockets instead of pipes for stdin
    of subprocesses created by asyncio to AIX platform only.
  - shutil.copytree() now applies the
    ignore_dangling_symlinks argument recursively.
  - Fix IndexError in argparse.ArgumentParser when a
    store_true action is given an explicit argument.
  - Document that calling variadic functions with
    ctypes requires special care on macOS/arm64 (and possibly
    other platforms).
  - Skip test_normalization() of test_unicodedata
    if it fails to download NormalizationTest.txt file from
    pythontest.net. Patch by Victor Stinner.
  - Some C API tests were moved into the new
    Lib/test/test_capi/ directory.
  - Fix -Wimplicit-int, -Wstrict-prototypes, and
    -Wimplicit-function-declaration compiler warnings in
    configure checks.
  - Fix -Wimplicit-int compiler warning in configure
    check for PTHREAD_SCOPE_SYSTEM.
  - Specify the full path to the source location for
    make docclean (needed for cross-builds).
  - Fix NO_MISALIGNED_ACCESSES being not defined
    for the SHA3 extension when HAVE_ALIGNED_REQUIRED is
    set. Allowing builds on hardware that unaligned memory
    accesses are not allowed.
  - Fix handling of module docstrings in
    Tools/i18n/pygettext.py.
 - Remove upstreamed patches:
  - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
  - CVE-2015-20107-mailcap-unsafe-filenames.patch
  - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch
 -------------------------------------------------------------------
 Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
--- a/python310.spec
+++ b/python310.spec
@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -103,7 +103,7 @@ Obsoletes:      python39%{?1:-%{1}}
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.10.8
+Version:        3.10.10
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -166,18 +166,13 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
-# avoid the command injection in the mailcap module.
+# blocklist bypass via the urllib.parse component when supplying
-Patch37:        CVE-2015-20107-mailcap-unsafe-filenames.patch
+# a URL that starts with blank characters
-# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
+Patch37:        CVE-2023-24329-blank-URL-bypass.patch
-# this patch makes things totally awesome
+# PATCH-FIX-UPSTREAM invalid-json.patch gh#python/cpython#102582 mcepl@suse.com
-Patch38:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+# We require valid JSON in documentation
-# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mcepl@suse.com
+Patch38:        invalid-json.patch
 # Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method
 Patch39:        CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
 # PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
 # Avoid DoS by decoding IDNA for too long domain names
 Patch40:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -197,7 +192,7 @@ BuildRequires:  pkgconfig(zlib)
 # The provider for python(abi) is in rpm-build-python
 BuildRequires:  rpm-build-python
 %endif
-%if 0%{?suse_version} >= 1500
+%if 0%{?suse_version} >= 1500 && 0%{?suse_version} < 1599
 BuildRequires:  pkgconfig(libnsl)
 BuildRequires:  pkgconfig(libtirpc)
 %endif
@@ -228,12 +223,16 @@ BuildRequires:  pkgconfig(ncurses)
 BuildRequires:  pkgconfig(tk)
 BuildRequires:  pkgconfig(x11)
 Requires:       %{python_pkg_name}-base = %{version}
 Provides:       %{python_pkg_name}-readline
 Provides:       %{python_pkg_name}-sqlite3
 Recommends:     %{python_pkg_name}-curses
 Recommends:     %{python_pkg_name}-dbm
 Recommends:     %{python_pkg_name}-pip
 %obsolete_python_versioned
 %if %{primary_interpreter}
 Provides:       python3 = %{python_version}
 Provides:       python3-readline
 Provides:       python3-sqlite3
 %endif
 %endif
@@ -448,8 +447,6 @@ other applications.
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -645,7 +642,7 @@ for library in \
    _posixsubprocess _queue _random resource select _ssl _socket spwd \
    _statistics _struct syslog termios _testbuffer _testimportmultiple \
    _testmultiphase unicodedata zlib _ctypes_test _testinternalcapi _testcapi \
-    xxlimited xxlimited_35 \
+    _testclinic xxlimited xxlimited_35 \
    _xxtestfuzz _xxsubinterpreters _elementtree pyexpat _md5 _sha1 \
    _sha256 _sha512 _blake2 _sha3 _uuid _zoneinfo
 do
@@ -809,7 +806,9 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
 %exclude %{sitedir}/sqlite3/test
 %{dynlib readline}
 %{dynlib _sqlite3}
 %if 0%{?suse_version} >= 1500 && 0%{?suse_version} < 1599
 %{dynlib nis}
 %endif
 %files -n %{python_pkg_name}-idle
 %defattr(644, root, root, 755)
@@ -892,6 +891,7 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo
 %{dynlib _ctypes_test}
 %{dynlib _testbuffer}
 %{dynlib _testcapi}
 %{dynlib _testclinic}
 %{dynlib _testinternalcapi}
 %{dynlib _testimportmultiple}
 %{dynlib _testmultiphase}