226 Commits

Author SHA256 Message Date
mcepl f5895c0f5c CVE-2026-7210: Use XML_SetHashSalt16Bytes in pyexpat/_elementtree when possible
bsc#1264962, gh#python/cpython#149018:
CVE-2026-7210-pyexpat-entropy-hash-flooding.patch
2026-07-07 22:39:44 +02:00
mcepl 0fb99fb774 CVE-2026-8328: Make ftplib not trust the PASV response (bsc#1265268)
Patch: CVE-2026-8328-ftplib-no-trust-PASV-resp.patch
2026-07-03 22:34:19 +02:00
mcepl 5a7ba243d3 CVE-2026-11940: fix the symlink escape via tarfile hardlink-extraction fallback (bsc#1268977)
Adds: CVE-2026-11940-tarfile-escape.patch
2026-07-02 12:10:05 +02:00
Jiri Slaby e85e112091 add test_UDPLITE_support.patch 2026-06-29 17:40:47 +02:00
mcepl 40ae616787 Keep unversioned Python 3 development pkg-config files in python3-devel
python313-devel no longer provides python3-devel and no longer owns
libpython3.so, python3-config, python3.pc, or python3-embed.pc.

Do not package versioned GIL pkg-config files in nogil-devel. Also, fix
regular expressions in rpmlintrc.
2026-06-06 22:34:58 +02:00
mcepl 6e500ca2ed Remove obsolete information. 2026-05-10 22:55:15 +02:00
mcepl 4dcbad71ad Remove macros.python3. 2026-05-06 19:46:53 +02:00
mcepl d72590da35 Fix the changelog 2026-04-28 22:51:51 +02:00
mcepl 68bc819937 Add CVE-2026-6019-Morsel-js_output.patch
It protects against HTML injection by Base64-encoding cookie values
embedded in JS (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
2026-04-27 18:46:15 +02:00
mcepl 3068133218 Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch
It rejects CR/LF in HTTP tunnel request headers (bsc#1261969,
CVE-2026-1502, gh#python/cpython#146211).
2026-04-25 19:07:10 +02:00
mcepl a11b83cef0 Add CVE-2026-4786-webbrowser-open-action.patch
It fixes webbrowser %action substitution bypass of dash-prefix check
(bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
2026-04-25 12:59:52 +02:00
mcepl c0f2ff28da Add CVE-2026-6100-use-after-free-decompression.patch
It prevents a dangling pointer which can end in the use-after-free error
(CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).
2026-04-24 23:05:14 +02:00
mcepl be61ef98c6 Rewrite structure of Python interpreter packages
`python3*` symbols should be now provided by real python3 packages and
its subpackages instead of the virtual provides.

Includes many small fixes:

 * fixe the shebang of Tools/gdb/libpython.py to the versioned Python
 * skip rpm-build-python BuildRequires for the base flavor
   rpm-build-python (from python-rpm-packaging) has a runtime Requires
   on python3-base. Since the base flavor is what produces python3-base,
   this creates an unresolvable bootstrap cycle in OBS when the package
   is not yet present in the project repo. Guard the BuildRequires with
   %{without base} to break the cycle.
 * explicitly provide `python(abi)` symbol
   rpm-build-python (which auto-generates this) cannot be installed in
   the base flavor build root due to a bootstrap cycle: rpm-build-python
   -> python3-base -> (this package)

References: https://bugzilla.suse.com/show_bug.cgi?id=1258364
2026-04-19 00:55:21 +02:00
mcepl 3144c4f198 Add CVE-2026-3446-base64-padding.patch
Prevents ignoring excess Base64 data after the first padded quad
(bsc#1261970, CVE-2026-3446, gh#python/cpython#145264).
2026-04-16 01:37:50 +02:00
mcepl 74faae37ad docs: os.path.isreserved does not exist yet 2026-04-07 23:55:08 +02:00
mcepl f47a3c4448 Add CVE-2026-3479-pkgutil_get_data.patch
pkgutil.get_data() has the same security model as open(). The documented
limitations ensure compatibility with non-filesystem loaders; Python
doesn't check that. (bsc#1259989, CVE-2026-3479,
gh#python/cpython#146121).
2026-04-07 18:08:29 +02:00
mcepl 7ed16c509b Add CVE-2026-4519-webbrowser-open-dashes.patch
Reject leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
gh#python/cpython#143930).
2026-03-27 20:09:06 +01:00
mcepl 7ad561c244 Add CVE-2025-13462-tarinfo-header-parse.patch
Skips TarInfo DIRTYPE normalization during GNU long name handling
(bsc#1259611, CVE-2025-13462).
2026-03-26 00:14:09 +01:00
mcepl bcff17005f Add CVE-2026-4224-expat-unbound-C-recursion.patch
Avoid unbound C recursion in conv_content_model in pyexpat.c
(bsc#1259735, CVE-2026-4224).
2026-03-24 09:43:08 +01:00
mcepl da3d3aaa56 Add CVE-2026-3644-cookies-Morsel-update-II.patch
Reject control characters in http.cookies.Morsel.update() and
http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
2026-03-23 18:44:37 +01:00
mcepl cd5d96d4db Add CVE-2026-2297-SourcelessFileLoader-io_open_code.patch
ensuring that `SourcelessFileLoader` uses `io.open_code` when
opening `.pyc` files (bsc#1259240, CVE-2026-2297).
2026-03-20 20:12:10 +01:00
mcepl d7ebe63704 Update to 3.11.15:
- Security
    - gh-144125: BytesGenerator will now refuse to serialize
      (write) headers that are unsafely folded or delimited; see
      verify_generated_headers. (Contributed by Bas Bloemsaat and
      Petr Viktorin in gh-121650).
    - gh-143935: Fixed a bug in the folding of comments when
      flattening an email message using a modern email policy.
      Comments consisting of a very long sequence of non-foldable
      characters could trigger a forced line wrap that omitted
      the required leading space on the continuation line,
      causing the remainder of the comment to be interpreted as
      a new header field. This enabled header injection with
      carefully crafted inputs (bsc#1257029 CVE-2025-11468).
    - gh-143925: Reject control characters in data: URL media
      types (bsc#1257046, CVE-2025-15282).
    - gh-143919: Reject control characters in http.cookies.Morsel
      fields and values (bsc#1257031, CVE-2026-0672).
    - gh-143916: Reject C0 control characters within
      wsgiref.headers.Headers fields, values, and parameters
      (bsc#1257042, CVE-2026-0865).
    - gh-142145: Remove quadratic behavior in xml.minidom node ID
      cache clearing. In order to do this without breaking
      existing users, we also add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead
      (bsc#1254997, CVE-2025-12084).
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (bsc#1252974, CVE-2025-6075).
    - gh-119451: Fix a potential memory denial of service in the
      http.client module. When connecting to a malicious server,
      it could cause an arbitrary amount of memory to be
      allocated. This could have led to symptoms including
      a MemoryError, swapping, out of memory (OOM) killed
      processes or containers, or even system crashes
      (CVE-2025-13836, bsc#1254400).
    - gh-119452: Fix a potential memory denial of service in the
      http.server module. When a malicious user is connected to
      the CGI server on Windows, it could cause an arbitrary
      amount of memory to be allocated. This could have led to
      symptoms including a MemoryError, swapping, out of memory
      (OOM) killed processes or containers, or even system
      crashes.
    - gh-119342: Fix a potential memory denial of service in the
      plistlib module. When reading a Plist file received from
      untrusted source, it could cause an arbitrary amount of
      memory to be allocated. This could have led to symptoms
      including a MemoryError, swapping, out of memory (OOM)
      killed processes or containers, or even system crashes
      (bsc#1254401, CVE-2025-13837).
  - Library
    - gh-144833: Fixed a use-after-free in ssl when SSL_new()
      returns NULL in newPySSLSocket(). The error was reported
      via a dangling pointer after the object had already been
      freed.
    - gh-144363: Update bundled libexpat to 2.7.4
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
  - Core and Builtins
    - gh-120384: Fix an array out of bounds crash in
      list_ass_subscript, which could be invoked via some
      specificly tailored input: including concurrent
      modification of a list object, where one thread assigns
      a slice and another clears it.
    - gh-120298: Fix use-after free in list_richcompare_impl
      which can be invoked via some specificly tailored evil
      input.
Remove upstreamed patches:
  - CVE-2025-11468-email-hdr-fold-comment.patch
  - CVE-2025-12084-minidom-quad-search.patch
  - CVE-2025-13836-http-resp-cont-len.patch
  - CVE-2025-13837-plistlib-mailicious-length.patch
  - CVE-2025-6075-expandvars-perf-degrad.patch
  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
  - CVE-2026-0865-wsgiref-ctrl-chars.patch
  - CVE-2025-15282-urllib-ctrl-chars.patch
2026-03-09 00:26:16 +01:00
mcepl 26a31005ec Merge branch 'factory' into sle-15-sp4 2026-02-24 09:14:57 +01:00
mcepl 02f09793e7 Fix seven CVEs
CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch
2026-02-13 00:45:50 +01:00
mcepl cd09787966 Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837.
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).
2026-01-08 13:42:27 +01:00
mcepl 162a9695a4 Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837.
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).
2025-12-19 23:09:22 +01:00
mcepl 48953809e4 Add CVE-2025-6075-expandvars-perf-degrad.patch
Avoid simple quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).
Readjusted patches:
  - CVE-2023-52425-libexpat-2.6.0-backport.patch
  - CVE-2023-52425-remove-reparse_deferral-tests.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch
2025-11-20 23:16:35 +01:00
mcepl 06d1a72674 Mark the upgrade to 3.11.14 as fixing CVE-2025-8291, bsc#1251305. 2025-11-12 00:49:37 +01:00
anag_factory c61cd14450 Accepting request 1311759 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1311759
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=60
2025-10-17 15:25:27 +00:00
mcepl c3b20ea06a - Update to 3.11.14:
- Security
    - gh-139700: Check consistency of the zip64 end of central
      directory record. Support records with “zip64 extensible data”
      if there are no bytes prepended to the ZIP file.
    - gh-139400: xml.parsers.expat: Make sure that parent Expat
      parsers are only garbage-collected once they are no longer
      referenced by subparsers created by
      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-135661: Fix parsing start and end tags in
      html.parser.HTMLParser according to the HTML5 standard.
      * Whitespaces no longer accepted between </ and the tag name. E.g.
        </ script> does not end the script section.
      * Vertical tabulation (\v) and non-ASCII whitespaces no longer
        recognized as whitespaces. The only whitespaces are \t\n\r\f and
        space.
      * Null character (U+0000) no longer ends the tag name.
      * Attributes and slashes after the tag name in end tags are now
        ignored, instead of terminating after the first > in quoted
        attribute value. E.g. </script/foo=">"/>.
      * Multiple slashes and whitespaces between the last attribute and
        closing > are now ignored in both start and end tags. E.g. <a
        foo=bar/ //>.
      * Multiple = between attribute name and value are no longer
        collapsed. E.g. <a foo==bar> produces attribute “foo” with value
        “=bar”.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
      according to the HTML5 standard: ] ]> and ]] > no longer end the
      CDATA section. Add private method _set_support_cdata() which can
      be used to specify how to parse <[CDATA[ — as a CDATA section in

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=199
2025-10-16 16:27:30 +00:00
anag_factory 4fd1005be3 Accepting request 1308253 from devel:languages:python:Factory
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (>=0.22) gh#python/cpython#139257

OBS-URL: https://build.opensuse.org/request/show/1308253
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=59
2025-10-02 17:19:31 +00:00
mcepl 09df53c2ab - Add gh139257-Support-docutils-0.22.patch to fix build with latest
docutils (>=0.22) gh#python/cpython#139257

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=197
2025-09-30 16:22:12 +00:00
anag_factory e11e1b86fe Accepting request 1306450 from devel:languages:python:Factory
OBS-URL: https://build.opensuse.org/request/show/1306450
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=58
2025-09-23 14:05:55 +00:00
mcalabkova e86b781354 - Drop AppStream buildrequires and don't run appstreamcli validate
as part of the build process: the appdata.xml is not updated by
  source directly, so we have more contol. Having Appstream or the
  deprecated appstream-glib result in a build cycle.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=195
2025-09-22 09:07:56 +00:00
mcepl 5c22d91c83 - Require AppStream to validate appdata file instead of deprecated
appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=194
2025-09-18 13:55:02 +00:00
dimstar_suse 6ec5a86d6c Accepting request 1297128 from devel:languages:python:Factory
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
  validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

OBS-URL: https://build.opensuse.org/request/show/1297128
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=57
2025-08-04 13:22:22 +00:00
mcepl 6077f92a3d update the patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=192
2025-08-01 20:22:03 +00:00
mcepl 0c195902dd - Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=191
2025-08-01 20:18:10 +00:00
anag_factory e06b229157 Accepting request 1294514 from devel:languages:python:Factory
DEPENDS ON SR#1294511, THEY HAVE TO GO TOGETHER!!!

- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
  case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

- Use one core to build doc. This will make sphinx doc build
  reproducible.
  bsc#1243155
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
  case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

- Use one core to build doc. This will make sphinx doc build
  reproducible.
  bsc#1243155

OBS-URL: https://build.opensuse.org/request/show/1294514
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=56
2025-07-20 13:28:51 +00:00
mcepl 1bf3058aba Fix tests
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=189
2025-07-02 16:13:50 +00:00
mcepl 420a5bd2d2 - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=188
2025-07-02 15:58:03 +00:00
mcepl 4cd370afa9 Accepting request 1289839 from home:dgarcia:branches:devel:languages:python:Factory
- Use one core to build doc. This will make sphinx doc build
  reproducible.
  bsc#1243155

OBS-URL: https://build.opensuse.org/request/show/1289839
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=187
2025-07-02 14:13:50 +00:00
anag_factory 3701c69ddb Accepting request 1288599 from devel:languages:python:Factory
Also addresses CVE-2025-4435 (gh#135034, bsc#1244061).

OBS-URL: https://build.opensuse.org/request/show/1288599
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=55
2025-06-26 09:38:07 +00:00
mcepl b51967df3e Also addresses CVE-2025-4435 (gh#135034, bsc#1244061).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=185
2025-06-25 19:49:10 +00:00
anag_factory 6b34ffaa68 Accepting request 1284263 from devel:languages:python:Factory
- Update to 3.11.13:
  - Security
    - gh-135034: Fixes multiple issues that allowed tarfile
      extraction filters (filter="data" and filter="tar") to be
      bypassed using crafted symlinks and hard links.
      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
      CVE-2025-4517 (bsc#1244032).
    - gh-133767: Fix use-after-free in the “unicode-escape”
      decoder with a non-“strict” error handler (CVE-2025-4516,
      bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6
      addresses early in ipaddress to prevent excessive memory
      consumption and a minor denial-of-service.
  - Library
    - gh-128840: Fix parsing long IPv6 addresses with embedded
      IPv4 address.
    - gh-134062: ipaddress: fix collisions in __hash__() for
      IPv4Network and IPv6Network objects.
    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
    - bpo-43633: Improve the textual representation of
      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
      in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
  - CVE-2025-4516-DecodeError-handler.patch

OBS-URL: https://build.opensuse.org/request/show/1284263
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=54
2025-06-11 14:20:10 +00:00
mcepl 28749a59dd - Update to 3.11.13:
- Security
    - gh-135034: Fixes multiple issues that allowed tarfile
      extraction filters (filter="data" and filter="tar") to be
      bypassed using crafted symlinks and hard links.
      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
      CVE-2025-4517 (bsc#1244032).
    - gh-133767: Fix use-after-free in the “unicode-escape”
      decoder with a non-“strict” error handler (CVE-2025-4516,
      bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6
      addresses early in ipaddress to prevent excessive memory
      consumption and a minor denial-of-service.
  - Library
    - gh-128840: Fix parsing long IPv6 addresses with embedded
      IPv4 address.
    - gh-134062: ipaddress: fix collisions in __hash__() for
      IPv4Network and IPv6Network objects.
    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
    - bpo-43633: Improve the textual representation of
      IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
      in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
  - CVE-2025-4516-DecodeError-handler.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=183
2025-06-09 17:26:24 +00:00
anag_factory ebd01e5a57 Accepting request 1281358 from devel:languages:python:Factory
- Add CVE-2025-4516-DecodeError-handler.patch fixing
  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.

- Use extended %autopatch.

  attributes on /usr/bin/ scripts (bsc#1227378).
  %%files.
- restrict PEP668 to ALP/Tumbleweed
- add externally_managed.in to label this build as PEP-668 managed
  * Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
  * remove importlib_resources and importlib-metadata
  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
  - bpo-29778: Ensure python3.dll is loaded from correct locations
  - bpo-39603: Prevent http header injection by rejecting control
    “__setattr__” in a multi-inheritance setup and
  - bpo-41247: Always cache the running loop holder when running
  - bpo-41252: Fix incorrect refcounting in
  - bpo-41215: Use non-NULL default values in the PEG parser
  - bpo-41218: Python 3.8.3 had a regression where compiling with
    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
  - bpo-41175: Guard against a NULL pointer dereference within
  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
    __setattr__() by calling the superclass method was
  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
  - bpo-39017: Avoid infinite loop when reading specially crafted
  - bpo-41207: In distutils.spawn, restore expectation that
  - bpo-41194: Fix a crash in the _ast module: it can no longer be
  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a

OBS-URL: https://build.opensuse.org/request/show/1281358
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=53
2025-06-02 19:58:44 +00:00
mcepl c1db13ef0f Update the patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=181
2025-05-29 16:42:17 +00:00
mcepl 4e3f0dd903 remove trailing spaces
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=180
2025-05-28 09:17:38 +00:00
mcepl 69fa4c8b8f Use the upstream patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=179
2025-05-27 14:13:40 +00:00