From 6315b7be306658261e33dbbabcf2e2a67de5068b6b55dee4a92988d944a36545 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Fri, 11 Apr 2025 08:56:48 +0000 Subject: [PATCH 1/2] - Update to 3.11.12: - gh-131809: Update bundled libexpat to 2.7.1 - gh-131261: Upgrade to libexpat 2.7.0 - gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse() host parsing would not reject domain names containing square brackets ([ and ]). Square brackets are only valid for IPv6 and IPvFuture hosts according to RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704). - gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening an email message using a modern email policy. Previously when an encoded-word was too long for a line, it would be decoded, split across lines, and re-encoded. But commas and other special characters in the original text could be left unencoded and unquoted. This could theoretically be used to spoof header lines using a carefully constructed encoded-word if the resulting rendered email was transmitted or re-parsed. - gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. - gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167 --- CVE-2023-52425-libexpat-2.6.0-backport.patch | 64 ++++++---- CVE-2025-0938-sq-brackets-domain-names.patch | 127 ------------------- Python-3.11.11.tar.xz | 3 - Python-3.11.11.tar.xz.sigstore | 1 - Python-3.11.12.tar.xz | 3 + Python-3.11.12.tar.xz.sigstore | 1 + fix_configure_rst.patch | 18 ++- python311.changes | 49 +++++++ python311.spec | 6 +- 9 files changed, 102 insertions(+), 170 deletions(-) delete mode 100644 CVE-2025-0938-sq-brackets-domain-names.patch delete mode 100644 Python-3.11.11.tar.xz delete mode 100644 Python-3.11.11.tar.xz.sigstore create mode 100644 Python-3.11.12.tar.xz create mode 100644 Python-3.11.12.tar.xz.sigstore diff --git a/CVE-2023-52425-libexpat-2.6.0-backport.patch b/CVE-2023-52425-libexpat-2.6.0-backport.patch index c1c66b7..1acc25a 100644 --- a/CVE-2023-52425-libexpat-2.6.0-backport.patch +++ b/CVE-2023-52425-libexpat-2.6.0-backport.patch @@ -6,9 +6,11 @@ Lib/test/test_xml_etree.py | 12 ------------ 5 files changed, 37 insertions(+), 44 deletions(-) ---- a/Lib/test/support/__init__.py -+++ b/Lib/test/support/__init__.py -@@ -8,6 +8,7 @@ import dataclasses +Index: Python-3.11.12/Lib/test/support/__init__.py +=================================================================== +--- Python-3.11.12.orig/Lib/test/support/__init__.py 2025-04-11 10:52:43.191010503 +0200 ++++ Python-3.11.12/Lib/test/support/__init__.py 2025-04-11 10:52:44.802161741 +0200 +@@ -8,6 +8,7 @@ import functools import os import re @@ -16,7 +18,7 @@ import stat import sys import sysconfig -@@ -56,7 +57,7 @@ __all__ = [ +@@ -56,7 +57,7 @@ "run_with_tz", "PGO", "missing_compiler_executable", "ALWAYS_EQ", "NEVER_EQ", "LARGEST", "SMALLEST", "LOOPBACK_TIMEOUT", "INTERNET_TIMEOUT", "SHORT_TIMEOUT", "LONG_TIMEOUT", @@ -25,7 +27,7 @@ ] -@@ -2240,6 +2241,17 @@ def copy_python_src_ignore(path, names): +@@ -2244,6 +2245,17 @@ } return ignored @@ -44,9 +46,11 @@ +fails_with_expat_2_6_0 = (unittest.expectedFailure + if is_expat_2_6_0 + else lambda test: test) ---- a/Lib/test/test_minidom.py -+++ b/Lib/test/test_minidom.py -@@ -6,7 +6,6 @@ import io +Index: Python-3.11.12/Lib/test/test_minidom.py +=================================================================== +--- Python-3.11.12.orig/Lib/test/test_minidom.py 2025-04-11 10:52:21.907086938 +0200 ++++ Python-3.11.12/Lib/test/test_minidom.py 2025-04-11 10:52:44.802522893 +0200 +@@ -6,7 +6,6 @@ from test import support import unittest @@ -54,7 +58,7 @@ import xml.dom.minidom from xml.dom.minidom import parse, Attr, Node, Document, parseString -@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase): +@@ -1163,13 +1162,11 @@ # Verify that character decoding errors raise exceptions instead # of crashing @@ -73,7 +77,7 @@ b'Comment \xe7a va ? Tr\xe8s bien ?') doc.unlink() -@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase): +@@ -1631,12 +1628,10 @@ self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) def testExceptionOnSpacesInXMLNSValue(self): @@ -90,9 +94,11 @@ parseString('') def testDocRemoveChild(self): ---- a/Lib/test/test_pyexpat.py -+++ b/Lib/test/test_pyexpat.py -@@ -14,8 +14,7 @@ from test.support import os_helper +Index: Python-3.11.12/Lib/test/test_pyexpat.py +=================================================================== +--- Python-3.11.12.orig/Lib/test/test_pyexpat.py 2025-04-11 10:52:22.076696906 +0200 ++++ Python-3.11.12/Lib/test/test_pyexpat.py 2025-04-11 10:52:44.803228085 +0200 +@@ -14,8 +14,7 @@ from xml.parsers import expat from xml.parsers.expat import errors @@ -102,7 +108,7 @@ class SetAttributeTest(unittest.TestCase): def setUp(self): -@@ -770,9 +769,8 @@ class ReparseDeferralTest(unittest.TestC +@@ -770,9 +769,8 @@ self.assertIs(parser.GetReparseDeferralEnabled(), enabled) def test_reparse_deferral_enabled(self): @@ -114,7 +120,7 @@ started = [] -@@ -801,9 +799,9 @@ class ReparseDeferralTest(unittest.TestC +@@ -801,9 +799,9 @@ parser = expat.ParserCreate() parser.StartElementHandler = start_element @@ -126,9 +132,11 @@ for chunk in (b''): parser.Parse(chunk, False) ---- a/Lib/test/test_sax.py -+++ b/Lib/test/test_sax.py -@@ -19,13 +19,11 @@ from xml.sax.xmlreader import InputSourc +Index: Python-3.11.12/Lib/test/test_sax.py +=================================================================== +--- Python-3.11.12.orig/Lib/test/test_sax.py 2025-04-11 10:52:22.111440337 +0200 ++++ Python-3.11.12/Lib/test/test_sax.py 2025-04-11 10:52:44.803567098 +0200 +@@ -19,13 +19,11 @@ from io import BytesIO, StringIO import codecs import os.path @@ -143,7 +151,7 @@ from test.support.os_helper import FakePath, TESTFN -@@ -1215,10 +1213,10 @@ class ExpatReaderTest(XmlTestBase): +@@ -1215,10 +1213,10 @@ self.assertEqual(result.getvalue(), start + b"text") @@ -157,7 +165,7 @@ result = BytesIO() xmlgen = XMLGenerator(result) parser = create_parser() -@@ -1241,6 +1239,9 @@ class ExpatReaderTest(XmlTestBase): +@@ -1241,6 +1239,9 @@ self.assertEqual(result.getvalue(), start + b"") def test_flush_reparse_deferral_disabled(self): @@ -167,7 +175,7 @@ result = BytesIO() xmlgen = XMLGenerator(result) parser = create_parser() -@@ -1249,9 +1250,8 @@ class ExpatReaderTest(XmlTestBase): +@@ -1249,9 +1250,8 @@ for chunk in (""): parser.feed(chunk) @@ -179,9 +187,11 @@ self.assertFalse(parser._parser.GetReparseDeferralEnabled()) ---- a/Lib/test/test_xml_etree.py -+++ b/Lib/test/test_xml_etree.py -@@ -13,7 +13,6 @@ import itertools +Index: Python-3.11.12/Lib/test/test_xml_etree.py +=================================================================== +--- Python-3.11.12.orig/Lib/test/test_xml_etree.py 2025-04-11 10:52:22.425637912 +0200 ++++ Python-3.11.12/Lib/test/test_xml_etree.py 2025-04-11 10:52:44.804234785 +0200 +@@ -13,7 +13,6 @@ import operator import os import pickle @@ -189,7 +199,7 @@ import sys import textwrap import types -@@ -1424,12 +1423,6 @@ class XMLPullParserTest(unittest.TestCas +@@ -1424,12 +1423,6 @@ self.assert_event_tags(parser, [('end', 'root')]) self.assertIsNone(parser.close()) @@ -202,7 +212,7 @@ def test_simple_xml_chunk_22(self): self.test_simple_xml(chunk_size=22) -@@ -1627,9 +1620,6 @@ class XMLPullParserTest(unittest.TestCas +@@ -1627,9 +1620,6 @@ with self.assertRaises(ValueError): ET.XMLPullParser(events=('start', 'end', 'bogus')) @@ -212,7 +222,7 @@ def test_flush_reparse_deferral_enabled(self): parser = ET.XMLPullParser(events=('start', 'end')) -@@ -1656,8 +1646,6 @@ class XMLPullParserTest(unittest.TestCas +@@ -1656,8 +1646,6 @@ for chunk in (""): parser.feed(chunk) diff --git a/CVE-2025-0938-sq-brackets-domain-names.patch b/CVE-2025-0938-sq-brackets-domain-names.patch deleted file mode 100644 index 7db4656..0000000 --- a/CVE-2025-0938-sq-brackets-domain-names.patch +++ /dev/null @@ -1,127 +0,0 @@ -From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Fri, 31 Jan 2025 11:41:34 -0600 -Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain - names for parsed URLs (GH-129418) - -* gh-105704: Disallow square brackets ( and ) in domain names for parsed URLs - -* Use Sphinx references - -Co-authored-by: Peter Bierma - -* Add mismatched bracket test cases, fix news format - -* Add more test coverage for ports - ---------- - -(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Peter Bierma ---- - Lib/test/test_urlparse.py | 37 +++++++++- - Lib/urllib/parse.py | 20 ++++- - Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 + - 3 files changed, 58 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst - ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -1224,16 +1224,51 @@ class UrlParseTestCase(unittest.TestCase - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query') - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query') - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix') - - def test_splitting_bracketed_hosts(self): -- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query') -+ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query') - self.assertEqual(p1.hostname, 'v6a.ip') - self.assertEqual(p1.username, 'user') - self.assertEqual(p1.path, '/path') -+ self.assertEqual(p1.port, 1234) - p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query') - self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test') - self.assertEqual(p2.username, 'user') - self.assertEqual(p2.path, '/path') -+ self.assertIs(p2.port, None) - p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query') - self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test') - self.assertEqual(p3.username, 'user') ---- a/Lib/urllib/parse.py -+++ b/Lib/urllib/parse.py -@@ -436,6 +436,23 @@ def _checknetloc(netloc): - raise ValueError("netloc '" + netloc + "' contains invalid " + - "characters under NFKC normalization") - -+def _check_bracketed_netloc(netloc): -+ # Note that this function must mirror the splitting -+ # done in NetlocResultMixins._hostinfo(). -+ hostname_and_port = netloc.rpartition('@')[2] -+ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[') -+ if have_open_br: -+ # No data is allowed before a bracket. -+ if before_bracket: -+ raise ValueError("Invalid IPv6 URL") -+ hostname, _, port = bracketed.partition(']') -+ # No data is allowed after the bracket but before the port delimiter. -+ if port and not port.startswith(":"): -+ raise ValueError("Invalid IPv6 URL") -+ else: -+ hostname, _, port = hostname_and_port.partition(':') -+ _check_bracketed_host(hostname) -+ - # Valid bracketed hosts are defined in - # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/ - def _check_bracketed_host(hostname): -@@ -496,8 +513,7 @@ def urlsplit(url, scheme='', allow_fragm - (']' in netloc and '[' not in netloc)): - raise ValueError("Invalid IPv6 URL") - if '[' in netloc and ']' in netloc: -- bracketed_host = netloc.partition('[')[2].partition(']')[0] -- _check_bracketed_host(bracketed_host) -+ _check_bracketed_netloc(netloc) - if allow_fragments and '#' in url: - url, fragment = url.split('#', 1) - if '?' in url: ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst -@@ -0,0 +1,4 @@ -+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host -+parsing would not reject domain names containing square brackets (``[`` and -+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to -+`RFC 3986 Section 3.2.2 `__. diff --git a/Python-3.11.11.tar.xz b/Python-3.11.11.tar.xz deleted file mode 100644 index e0581b1..0000000 --- a/Python-3.11.11.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2a9920c7a0cd236de33644ed980a13cbbc21058bfdc528febb6081575ed73be3 -size 20085792 diff --git a/Python-3.11.11.tar.xz.sigstore b/Python-3.11.11.tar.xz.sigstore deleted file mode 100644 index 782816a..0000000 --- a/Python-3.11.11.tar.xz.sigstore +++ /dev/null @@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzDCCAlOgAwIBAgIUWcRolJPsPmtJKA6VkjHSj7PtjY8wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMjAzMTgxOTA1WhcNMjQxMjAzMTgyOTA1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEN+fBJCRZIAZiWPBdjyQVD+x5vgmjuuVct1HkPHIBMuEe7wI4mBG2BhJ3fHkpr97efIH6ELMmPV99edyAIZFXR6OCAXIwggFuMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUkutZdHfCCSvGI87mjnBRwZB8ihYwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wIgYDVR0RAQH/BBgwFoEUcGFibG9nc2FsQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGTjb9QlwAABAMARzBFAiEA4ddSINhYM+p0+DGzRqnA8rVtJF9YgI+9znXiq9fqQNkCIEErcSnQmN8jjErhwWWtcTM5GgH4ka/uk5kdHTycwxj3MAoGCCqGSM49BAMDA2cAMGQCMFmkCEH2pCBpFeFiUi2uA4opcJP6vh/zqb+D0tbxqd+jwbBkuDxDqA9/Ao3UWop+twIwO9o71KAlYWPSPYMeZERM4R8zWlp9mVJPiK3tgOJJi40MNmxwtfsQeQtncqiQLBAH"}, "tlogEntries": [{"logIndex": "153122039", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1733249946", "inclusionPromise": {"signedEntryTimestamp": "MEUCIBL9zpVJtljIuZtAe8uptLfDmakmbAjy5ELp2q8WJTQ7AiEAv6lIpyJZycHwTS+JHYJFzMVv0SmA8yQ0eMneBivMhPY="}, "inclusionProof": {"logIndex": "31217777", "rootHash": "BMKHBPePzSbNqf2NyF/Ejuyy3troRGpNS41Dqe43nZ0=", "treeSize": "31217778", "hashes": ["lrr8dxmtgD09fnZTo1tMTY00HNKc2ZIpbZa1djDeTes=", "yFxGSg1RDbtZ/eNftnMdBJGNEZmmLyx2ZRDFtAIMHAk=", "GeqsQGnvgc+gcuaIC+vQ5b0RdTyBxBnYTpbeW2AeD+Q=", "dMTPeN/a9xCQQP+Hz7sddW0pPj8n54sfkhcf3XhjrMM=", "XjayhjKU3shP7q7lhmhKDv3Vpi4gJgAPCu0KlEzc9Qo=", "go1dmexQYS5etu69upRRX7IFvuA0rIcT9aYjMstmPIU=", "AYwr74Bm2w383UnS7DdbZUUAhusq28JoxKpWrQ7OvGQ=", "u+yWmGIR6sAH32wiSy22mz1Yf+jfPdBTjFbyRISuTZw=", "3eFC7Gp4fWecybDOAw9uUTrM1xB7YRYRAGsfYkiQbV8=", "1uKk2qjOliHMiTk906jrchP8mXWsRG8apaU1sa0lfh0=", "oOecFfN3YqDOkbijS/ej1WF5Da/Gt/AZNhbwE9uoOE8=", "4lUF0YOu9XkIDXKXA0wMSzd6VeDY3TZAgmoOeWmS2+Y=", "gf+9m552B3PnkWnO0o4KdVvjcT3WVHLrCbf1DoVYKFw="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n31217778\nBMKHBPePzSbNqf2NyF/Ejuyy3troRGpNS41Dqe43nZ0=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiA7ed0HqugBwVpmxDAR1VN35J91/+DeRdj09y5lFY+bRwIgYe07JnZlJvp3MfAMXX3i4XBsZoDRZoXtwfBaRj/8x8s=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIyYTk5MjBjN2EwY2QyMzZkZTMzNjQ0ZWQ5ODBhMTNjYmJjMjEwNThiZmRjNTI4ZmViYjYwODE1NzVlZDczYmUzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJRU5KSGllaWs5WkVibW83a0p4ZUhWY2FvVDVYOUxyWG1zRTVxc1I5R1JpSEFpRUFtcHZyV21vUHF5YzRpQ09VYXVmY3dKTllMK1lPTWU0b0NOaWRLVGduT1FBPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZSRU5EUVd4UFowRjNTVUpCWjBsVlYyTlNiMnhLVUhOUWJYUktTMEUyVm10cVNGTnFOMUIwYWxrNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJlRTFxUVhwTlZHZDRUMVJCTVZkb1kwNU5hbEY0VFdwQmVrMVVaM2xQVkVFeFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZPSzJaQ1NrTlNXa2xCV21sWFVFSmthbmxSVmtRcmVEVjJaMjFxZFhWV1kzUXhTR3NLVUVoSlFrMTFSV1UzZDBrMGJVSkhNa0pvU2pObVNHdHdjamszWldaSlNEWkZURTF0VUZZNU9XVmtlVUZKV2taWVVqWlBRMEZZU1hkblowWjFUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZyZFhSYUNtUklaa05EVTNaSFNUZzNiV3B1UWxKM1drSTRhV2haZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBsbldVUldVakJTUVZGSUwwSkNaM2RHYjBWVlkwZEdhV0pIT1c1ak1rWnpVVWhDTldSSGFIWmlhVFYyWTIxamQwdFJXVXRMZDFsQ1FrRkhSQXAyZWtGQ1FWRlJZbUZJVWpCalNFMDJUSGs1YUZreVRuWmtWelV3WTNrMWJtSXlPVzVpUjFWMVdUSTVkRTFEYzBkRGFYTkhRVkZSUW1jM09IZEJVV2RGQ2toUmQySmhTRkl3WTBoTk5reDVPV2haTWs1MlpGYzFNR041Tlc1aU1qbHVZa2RWZFZreU9YUk5TVWRMUW1kdmNrSm5SVVZCWkZvMVFXZFJRMEpJZDBVS1pXZENORUZJV1VFelZEQjNZWE5pU0VWVVNtcEhValJqYlZkak0wRnhTa3RZY21wbFVFc3pMMmcwY0hsblF6aHdOMjgwUVVGQlIxUnFZamxSYkhkQlFRcENRVTFCVW5wQ1JrRnBSVUUwWkdSVFNVNW9XVTByY0RBclJFZDZVbkZ1UVRoeVZuUktSamxaWjBrck9YcHVXR2x4T1daeFVVNXJRMGxGUlhKalUyNVJDbTFPT0dwcVJYSm9kMWRYZEdOVVRUVkhaMGcwYTJFdmRXczFhMlJJVkhsamQzaHFNMDFCYjBkRFEzRkhVMDAwT1VKQlRVUkJNbU5CVFVkUlEwMUdiV3NLUTBWSU1uQkRRbkJHWlVacFZXa3lkVUUwYjNCalNsQTJkbWd2ZW5GaUswUXdkR0o0Y1dRcmFuZGlRbXQxUkhoRWNVRTVMMEZ2TTFWWGIzQXJkSGRKZHdwUE9XODNNVXRCYkZsWFVGTlFXVTFsV2tWU1RUUlNPSHBYYkhBNWJWWktVR2xMTTNSblQwcEthVFF3VFU1dGVIZDBabk5SWlZGMGJtTnhhVkZNUWtGSUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "Kpkgx6DNI23jNkTtmAoTy7whBYv9xSj+u2CBV17XO+M="}, "signature": "MEUCIENJHieik9ZEbmo7kJxeHVcaoT5X9LrXmsE5qsR9GRiHAiEAmpvrWmoPqyc4iCOUaufcwJNYL+YOMe4oCNidKTgnOQA="}} diff --git a/Python-3.11.12.tar.xz b/Python-3.11.12.tar.xz new file mode 100644 index 0000000..e2b3c80 --- /dev/null +++ b/Python-3.11.12.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:849da87af4df137710c1796e276a955f7a85c9f971081067c8f565d15c352a09 +size 20112232 diff --git a/Python-3.11.12.tar.xz.sigstore b/Python-3.11.12.tar.xz.sigstore new file mode 100644 index 0000000..36fb8a6 --- /dev/null +++ b/Python-3.11.12.tar.xz.sigstore @@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzDCCAlOgAwIBAgIUdXXo3kfUuTRxhwfBaDz2hbLdc00wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwNDA4MTUwMzI1WhcNMjUwNDA4MTUxMzI1WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEChWB96w27HEQAug03xOuj5aVvdcEBkLaseC6PKbhc3lq1vL78o96RMSdWdBSmBQ4OrRHKvop8VRwn4SI6KPIN6OCAXIwggFuMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDQFNdUPu8lJprLgYTWMF//JnS0owHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wIgYDVR0RAQH/BBgwFoEUcGFibG9nc2FsQHB5dGhvbi5vcmcwKQYKKwYBBAGDvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGKBgorBgEEAdZ5AgQCBHwEegB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGWFe1zcgAABAMARzBFAiAMLue9b86BfjeZl9ML7LekLskkUPTEhI2ciiZrYgaF/gIhAIt66OYOVpC39L+bRXJd1K+T39IGMxYcKoaDrMk0DX59MAoGCCqGSM49BAMDA2cAMGQCMEJ+IEScHRIlOwToBZxVVJjrSxOVvqRSfUO5hvYNkqhYz97LxxUFWpcB/DMiQJOUbwIwKJRh5d7c30z1XyE5zsjOZZmz37ah6aJtyuHLCn3QKJniWBMxIMy9lbXlRZWZgsf0"}, "tlogEntries": [{"logIndex": "193896942", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1744124605", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQDBvc4N4pmeJKalSbAgT5X5MiHnHfiFJ3q/ifYIUDQORwIgNCMUBexEGM4B8VSSWkSDK8uZDGqzA7bgurZdWE0z/vc="}, "inclusionProof": {"logIndex": "71992680", "rootHash": "jow4GaqK8wgGK0YaQkHyINNk1eJRvrgCUSax5oC+bgc=", "treeSize": "71992683", "hashes": ["V5p0el9OkIku5PMpzeGtSeSQLNkd4d0DVh6qNlixrlk=", "CbJfH60w3vsS3xzOzbMZQaokwVM+6efm7OCLjQ5og/k=", "fJZsSVsDo+dpw5484/+8Rm3EH3JostySBfLMVDBUZOU=", "/C+wK2WU/SrXLMnuHDzeBP4K+Jlt/S0nAvzvcXJPp30=", "m6j5meZeKpBfFqNeI7qiCogWjT2IT5NZkgJYwot9sRo=", "V7VMIiqIq7yvzO+ic8vLqIJr3+iGA6whYAGN7YvWhsQ=", "2ap6N1WIsMWGC/Zrnzsx//K9223/3B9lLpJP87M+rXE=", "2kwW2rqY/EMS68q/rOjagVYsEMybFHgxIfbokSa8yKU=", "QReFEOB9XSZtDKsjRtA0fGnYGMYD2Z7qn50auG1YlWo=", "K26LG80DXyb+bC58c4Nw00WigG52v0PCsZGY3ExGsts=", "WEm5OgPzJpYROv+4CcrieexCYyQKrLUH3hbxmcQQ+DM=", "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n71992683\njow4GaqK8wgGK0YaQkHyINNk1eJRvrgCUSax5oC+bgc=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEA7u1b4P659JpwuXMf6lhvC1RhOj/ZH7CpYcAQbitQSwUCIQDJrflW8FGweaiB88lSuLfpfD/a6l6jWhUyOQB/mIJ9rA==\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4NDlkYTg3YWY0ZGYxMzc3MTBjMTc5NmUyNzZhOTU1ZjdhODVjOWY5NzEwODEwNjdjOGY1NjVkMTVjMzUyYTA5In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJRnMzQi9oTk9OMVY2TXFaUkxzRmNHNlU2Qjkza2FsL1VLZWsvYkRVb3o2MUFpQWZydmsrWXpjK0hHZGJYemRRQ203cjlKU2RNUCtuR1BOblVCZzFoSnAySVE9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZSRU5EUVd4UFowRjNTVUpCWjBsVlpGaFliek5yWmxWMVZGSjRhSGRtUW1GRWVqSm9Za3hrWXpBd2QwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDVFUVRSTlZGVjNUWHBKTVZkb1kwNU5hbFYzVGtSQk5FMVVWWGhOZWtreFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZEYUZkQ09UWjNNamRJUlZGQmRXY3dNM2hQZFdvMVlWWjJaR05GUW10TVlYTmxRellLVUV0aWFHTXpiSEV4ZGt3M09HODVObEpOVTJSWFpFSlRiVUpSTkU5eVVraExkbTl3T0ZaU2QyNDBVMGsyUzFCSlRqWlBRMEZZU1hkblowWjFUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZFVVVaT0NtUlZVSFU0YkVwd2NreG5XVlJYVFVZdkwwcHVVekJ2ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBsbldVUldVakJTUVZGSUwwSkNaM2RHYjBWVlkwZEdhV0pIT1c1ak1rWnpVVWhDTldSSGFIWmlhVFYyWTIxamQwdFJXVXRMZDFsQ1FrRkhSQXAyZWtGQ1FWRlJZbUZJVWpCalNFMDJUSGs1YUZreVRuWmtWelV3WTNrMWJtSXlPVzVpUjFWMVdUSTVkRTFEYzBkRGFYTkhRVkZSUW1jM09IZEJVV2RGQ2toUmQySmhTRkl3WTBoTk5reDVPV2haTWs1MlpGYzFNR041Tlc1aU1qbHVZa2RWZFZreU9YUk5TVWRMUW1kdmNrSm5SVVZCWkZvMVFXZFJRMEpJZDBVS1pXZENORUZJV1VFelZEQjNZWE5pU0VWVVNtcEhValJqYlZkak0wRnhTa3RZY21wbFVFc3pMMmcwY0hsblF6aHdOMjgwUVVGQlIxZEdaVEY2WTJkQlFRcENRVTFCVW5wQ1JrRnBRVTFNZFdVNVlqZzJRbVpxWlZwc09VMU1OMHhsYTB4emEydFZVRlJGYUVreVkybHBXbkpaWjJGR0wyZEphRUZKZERZMlQxbFBDbFp3UXpNNVRDdGlVbGhLWkRGTEsxUXpPVWxIVFhoWlkwdHZZVVJ5VFdzd1JGZzFPVTFCYjBkRFEzRkhVMDAwT1VKQlRVUkJNbU5CVFVkUlEwMUZTaXNLU1VWVFkwaFNTV3hQZDFSdlFscDRWbFpLYW5KVGVFOVdkbkZTVTJaVlR6Vm9kbGxPYTNGb1dYbzVOMHg0ZUZWR1YzQmpRaTlFVFdsUlNrOVZZbmRKZHdwTFNsSm9OV1EzWXpNd2VqRlllVVUxZW5OcVQxcGFiWG96TjJGb05tRktkSGwxU0V4RGJqTlJTMHB1YVZkQ1RYaEpUWGs1YkdKWWJGSmFWMXBuYzJZd0NpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "hJ2oevTfE3cQwXluJ2qVX3qFyflxCBBnyPVl0Vw1Kgk="}, "signature": "MEQCIFs3B/hNON1V6MqZRLsFcG6U6B93kal/UKek/bDUoz61AiAfrvk+Yzc+HGdbXzdQCm7r9JSdMP+nGPNnUBg1hJp2IQ=="}} diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index 7c6fd0e..b3f5e0c 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -3,9 +3,11 @@ Misc/NEWS | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) ---- a/Doc/using/configure.rst -+++ b/Doc/using/configure.rst -@@ -43,7 +43,6 @@ General Options +Index: Python-3.11.12/Doc/using/configure.rst +=================================================================== +--- Python-3.11.12.orig/Doc/using/configure.rst 2025-04-08 16:15:29.000000000 +0200 ++++ Python-3.11.12/Doc/using/configure.rst 2025-04-11 10:52:39.419877561 +0200 +@@ -43,7 +43,6 @@ See :data:`sys.int_info.bits_per_digit `. @@ -13,7 +15,7 @@ .. option:: --with-cxx-main=COMPILER Compile the Python ``main()`` function and link Python executable with C++ -@@ -529,13 +528,11 @@ macOS Options +@@ -529,13 +528,11 @@ See ``Mac/README.rst``. @@ -27,9 +29,11 @@ .. option:: --enable-framework=INSTALLDIR Create a Python.framework rather than a traditional Unix install. Optional ---- a/Misc/NEWS -+++ b/Misc/NEWS -@@ -9774,7 +9774,7 @@ C API +Index: Python-3.11.12/Misc/NEWS +=================================================================== +--- Python-3.11.12.orig/Misc/NEWS 2025-04-08 16:15:29.000000000 +0200 ++++ Python-3.11.12/Misc/NEWS 2025-04-11 10:52:39.425550531 +0200 +@@ -9872,7 +9872,7 @@ - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API. - bpo-43795: The list in :ref:`limited-api-list` now shows the public name diff --git a/python311.changes b/python311.changes index 9a15ce8..f3694cf 100644 --- a/python311.changes +++ b/python311.changes @@ -1,3 +1,52 @@ +------------------------------------------------------------------- +Fri Apr 11 08:54:19 UTC 2025 - Matej Cepl + +- Update to 3.11.12: + - gh-131809: Update bundled libexpat to 2.7.1 + - gh-131261: Upgrade to libexpat 2.7.0 + - gh-105704: When using urllib.parse.urlsplit() and + urllib.parse.urlparse() host parsing would not reject domain + names containing square brackets ([ and ]). Square brackets + are only valid for IPv6 and IPvFuture hosts according to RFC + 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938, + gh#python/cpython#105704). + - gh-121284: Fix bug in the folding of rfc2047 encoded-words + when flattening an email message using a modern email + policy. Previously when an encoded-word was too long for + a line, it would be decoded, split across lines, and + re-encoded. But commas and other special characters in the + original text could be left unencoded and unquoted. This + could theoretically be used to spoof header lines using a + carefully constructed encoded-word if the resulting rendered + email was transmitted or re-parsed. + - gh-80222: Fix bug in the folding of quoted strings + when flattening an email message using a modern email + policy. Previously when a quoted string was folded so that + it spanned more than one line, the surrounding quotes and + internal escapes would be omitted. This could theoretically + be used to spoof header lines using a carefully constructed + quoted string if the resulting rendered email was transmitted + or re-parsed. + - gh-119511: Fix a potential denial of service in the imaplib + module. When connecting to a malicious server, it could + cause an arbitrary amount of memory to be allocated. On many + systems this is harmless as unused virtual memory is only + a mapping, but if this hit a virtual address size limit + it could lead to a MemoryError or other process crash. On + unusual systems or builds where all allocated memory is + touched and backed by actual ram or storage it could’ve + consumed resources doing so until similarly crashing. + - gh-127257: In ssl, system call failures that OpenSSL reports + using ERR_LIB_SYS are now raised as OSError. + - gh-121277: Writers of CPython’s documentation can now use + next as the version for the versionchanged, versionadded, + deprecated directives. + - gh-106883: Disable GC during the _PyThread_CurrentFrames() + and _PyThread_CurrentExceptions() calls to avoid the + interpreter to deadlock. +- Remote upstreamed patch: + - CVE-2025-0938-sq-brackets-domain-names.patch + ------------------------------------------------------------------- Wed Mar 12 15:05:46 UTC 2025 - Bernhard Wiedemann diff --git a/python311.spec b/python311.spec index 3cce41e..592223c 100644 --- a/python311.spec +++ b/python311.spec @@ -107,7 +107,7 @@ # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so Name: %{python_pkg_name}%{psuffix} -Version: 3.11.11 +Version: 3.11.12 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -188,9 +188,6 @@ Patch19: bso1227999-reproducible-builds.patch Patch22: gh120226-fix-sendfile-test-kernel-610.patch # PATCH-FIX-UPSTREAM Add platform triplets for 64-bit LoongArch gh#python/cpython#30939 glaubitz@suse.com Patch24: add-loongarch64-support.patch -# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com -# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets -Patch25: CVE-2025-0938-sq-brackets-domain-names.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -454,7 +451,6 @@ other applications. %patch -p1 -P 19 %patch -p1 -P 22 %patch -p1 -P 24 -%patch -p1 -P 25 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac From 1e953d46a0105a9e913f1a6ea969e5a84ba2035ba69eb9d997caad0614a030e6 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Tue, 15 Apr 2025 13:00:57 +0000 Subject: [PATCH 2/2] Fix changelog OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=168 --- python311.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python311.changes b/python311.changes index f3694cf..8cee3dc 100644 --- a/python311.changes +++ b/python311.changes @@ -44,7 +44,7 @@ Fri Apr 11 08:54:19 UTC 2025 - Matej Cepl - gh-106883: Disable GC during the _PyThread_CurrentFrames() and _PyThread_CurrentExceptions() calls to avoid the interpreter to deadlock. -- Remote upstreamed patch: +- Remove upstreamed patch: - CVE-2025-0938-sq-brackets-domain-names.patch -------------------------------------------------------------------