forked from pool/python310
Set link to python310.38050 via maintenance_release request
@@ -1,3 +1,107 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 9 16:53:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Update to 3.10.18:
|
||||
- Security
|
||||
- gh-135034: Fixes multiple issues that allowed tarfile
|
||||
extraction filters (filter="data" and filter="tar") to be
|
||||
bypassed using crafted symlinks and hard links.
|
||||
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
|
||||
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
|
||||
CVE-2025-4517 (bsc#1244032).
|
||||
- gh-133767: Fix use-after-free in the “unicode-escape”
|
||||
decoder with a non-“strict” error handler (CVE-2025-4516,
|
||||
bsc#1243273).
|
||||
- gh-128840: Short-circuit the processing of long IPv6
|
||||
addresses early in ipaddress to prevent excessive memory
|
||||
consumption and a minor denial-of-service.
|
||||
- Library
|
||||
- gh-128840: Fix parsing long IPv6 addresses with embedded
|
||||
IPv4 address.
|
||||
- gh-134062: ipaddress: fix collisions in __hash__() for
|
||||
IPv4Network and IPv6Network objects.
|
||||
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
|
||||
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
|
||||
- bpo-43633: Improve the textual representation of
|
||||
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
|
||||
in ipaddress. Patch by Oleksandr Pavliuk.
|
||||
- Remove upstreamed patches:
|
||||
- gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
|
||||
- CVE-2025-4516-DecodeError-handler.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Add CVE-2025-4516-DecodeError-handler.patch fixing
|
||||
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
|
||||
vulnerability, which could lead to DoS.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat May 17 10:02:27 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Use extended %autopatch.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat May 10 11:38:22 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
|
||||
since kernel 3.6-rc1)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 11 08:12:14 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Update to 3.10.17:
|
||||
- gh-131809: Update bundled libexpat to 2.7.1
|
||||
- gh-131261: Upgrade to libexpat 2.7.0
|
||||
- gh-105704: When using urllib.parse.urlsplit() and
|
||||
urllib.parse.urlparse() host parsing would not reject domain
|
||||
names containing square brackets ([ and ]). Square brackets
|
||||
are only valid for IPv6 and IPvFuture hosts according to RFC
|
||||
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
|
||||
gh#python/cpython#105704).
|
||||
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
|
||||
when flattening an email message using a modern email
|
||||
policy. Previously when an encoded-word was too long for
|
||||
a line, it would be decoded, split across lines, and
|
||||
re-encoded. But commas and other special characters in the
|
||||
original text could be left unencoded and unquoted. This
|
||||
could theoretically be used to spoof header lines using a
|
||||
carefully constructed encoded-word if the resulting rendered
|
||||
email was transmitted or re-parsed.
|
||||
- gh-80222: Fix bug in the folding of quoted strings
|
||||
when flattening an email message using a modern email
|
||||
policy. Previously when a quoted string was folded so that
|
||||
it spanned more than one line, the surrounding quotes and
|
||||
internal escapes would be omitted. This could theoretically
|
||||
be used to spoof header lines using a carefully constructed
|
||||
quoted string if the resulting rendered email was transmitted
|
||||
or re-parsed.
|
||||
- gh-119511: Fix a potential denial of service in the imaplib
|
||||
module. When connecting to a malicious server, it could
|
||||
cause an arbitrary amount of memory to be allocated. On many
|
||||
systems this is harmless as unused virtual memory is only
|
||||
a mapping, but if this hit a virtual address size limit
|
||||
it could lead to a MemoryError or other process crash. On
|
||||
unusual systems or builds where all allocated memory is
|
||||
touched and backed by actual ram or storage it could’ve
|
||||
consumed resources doing so until similarly crashing.
|
||||
- gh-127257: In ssl, system call failures that OpenSSL reports
|
||||
using ERR_LIB_SYS are now raised as OSError.
|
||||
- gh-121277: Writers of CPython’s documentation can now use
|
||||
next as the version for the versionchanged, versionadded,
|
||||
deprecated directives.
|
||||
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
|
||||
which makes test_ssl not to stop ThreadedEchoServer on OSError,
|
||||
which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
|
||||
gh#python/cpython!126572)
|
||||
- Remote upstreamed patch:
|
||||
- CVE-2025-0938-sq-brackets-domain-names.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
|
||||
|
||||
- Skip PGO with %want_reproducible_builds (bsc#1239210)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
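Review bot: In the Apr 11 2025 entry, "- Remote upstreamed patch:" should read "- Remove upstreamed patch:", matching the "- Remove upstreamed patches:" wording of the 3.10.18 entry. Separately, the May 22 entry describes CVE-2025-4516 as a "blocking DecodeError handling vulnerability", while the 3.10.18 entry describes the same CVE as a use-after-free in the "unicode-escape" decoder with a non-"strict" error handler; using the second wording in both places would make the changelog easier to search when auditing which build carries the fix. The 3.10.17 entry also lists its security-relevant fixes (CVE-2025-0938, the two email header folding fixes, the imaplib denial of service) without the "- Security" subheading that the 3.10.18 entry uses, so grouping them the same way would keep the two update entries consistent.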
@@ -288,7 +392,7 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
||||
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Remove double definition of /usr/bin/idle%%{version} in
|
||||
%%files.
|
||||
%%files.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
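Review bot: The two "%%files." lines in the Feb 20 2024 entry are textually identical as shown, so this hunk (-288,7 +392,7) appears to be a whitespace-only change to an already published changelog entry. If it is trailing-whitespace cleanup, consider dropping it from this maintenance update or mentioning it in the request, so the diff of the changes file contains only the new entries.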