- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject domain
names containing square brackets ([ and ]). Square brackets
are only valid for IPv6 and IPvFuture hosts according to RFC
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so that
it spanned more than one line, the surrounding quotes and
internal escapes would be omitted. This could theoretically
be used to spoof header lines using a carefully constructed
quoted string if the resulting rendered email was transmitted
or re-parsed.
- gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On many
systems this is harmless as unused virtual memory is only
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=167
- Tools/Demos
- gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
- Tests
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlib’s software
implementation and the hardware-accelerated implementation.
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified.
- Library
- gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).
- Removed upstreamed patches:
- CVE-2024-9287-venv_path_unquoted.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=154
- Security
- gh-123678: Upgrade libexpat to 2.6.3
- gh-121957: Fixed missing audit events around interactive
use of Python, now also properly firing for ``python -i``,
as well as for ``python -m asyncio``. The event in question
is ``cpython.run_stdin``.
- gh-122133: Authenticate the socket connection for the
``socket.socketpair()`` fallback on platforms where
``AF_UNIX`` is not available like Windows. Patch by
Gregory P. Smith <greg@krypto.org> and Seth Larson
<seth@python.org>. Reported by Ellie <el@horse64.org>
- gh-121285: Remove backtracking from tarfile header parsing
for ``hdrcharset``, PAX, and GNU sparse headers
(bsc#1230227, CVE-2024-6232).
- gh-118486: :func:`os.mkdir` on Windows now accepts
*mode* of ``0o700`` to restrict the new directory to
the current user. This fixes CVE-2024-4030 affecting
:func:`tempfile.mkdtemp` in scenarios where the base
temporary directory is more permissive than the default.
- gh-116741: Update bundled libexpat to 2.6.2
- Library
- gh-123270: Applied a more surgical fix for malformed
payloads in :class:`zipfile.Path` causing infinite loops
(gh-122905) without breaking contents using legitimate
characters (bsc#1229704, CVE-2024-8088).
- gh-123067: Fix quadratic complexity in parsing ``"``-quoted
cookie values with backslashes by :mod:`http.cookies`
(bsc#1229596, CVE-2024-7592).
- gh-122905: :class:`zipfile.Path` objects now sanitize names
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=142
uses features sniffing, not just comparing version
number. Include also support-expat-CVE-2022-25236-patched.patch.
- Refresh patches:
- CVE-2023-27043-email-parsing-errors.patch
- fix_configure_rst.patch
- skip_if_buildbot-extend.patch
- Remove included patch:
- support-expat-CVE-2022-25236-patched.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=123
- Remove not needed upstream patches:
* libexpat260.patch
* CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666
- Update to 3.11.9:
* Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425, bsc#1219559) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0
- gh-115243: Fix possible crashes in collections.deque.index()
when the deque is concurrently modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to the
certificate store, when the ssl.SSLContext is shared across
multiple threads.
* Core and Builtins
- gh-116296: Fix possible refleak in object.__reduce__() internal
error handling.
- gh-116034: Fix location of the error on a failed assertion.
- gh-115823: Properly calculate error ranges in the parser when
raising SyntaxError exceptions caused by invalid byte sequences.
Patch by Pablo Galindo
- gh-112087: For an empty reverse iterator for list will be
reduced to reversed(). Patch by Donghee Na.
- gh-115011: Setters for members with an unsigned integer type now
support the same range of valid values for objects that has a
OBS-URL: https://build.opensuse.org/request/show/1166573
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=119
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=104
- Update to 3.11.8:
- Security
- gh-113659: Skip .pth files with names starting with a dot or
hidden file attribute.
- Core and Builtins
- gh-114887: Changed socket type validation in
create_datagram_endpoint() to accept all non-stream sockets.
This fixes a regression in compatibility with raw sockets.
- gh-114388: Fix a RuntimeWarning emitted when assign an
integer-like value that is not an instance of int to an
attribute that corresponds to a C struct member of type T_UINT
and T_ULONG. Fix a double RuntimeWarning emitted when assign a
negative integer value to an attribute that corresponds to a C
struct member of type T_UINT.
- gh-89811: Check for a valid tp_version_tag before performing
bytecode specializations that rely on this value being usable.
- gh-113602: Fix an error that was causing the parser to try to
overwrite existing errors and crashing in the process. Patch by
Pablo Galindo
- gh-113566: Fix a 3.11-specific crash when the repr of a Future
is requested after the module has already been
garbage-collected.
- gh-106905: Use per AST-parser state rather than global state to
track recursion depth within the AST parser to prevent potential
race condition due to simultaneous parsing.
- The issue primarily showed up in 3.11 by multithreaded users of
ast.parse(). In 3.12 a change to when garbage collection can be
triggered prevented the race condition from occurring.
- gh-112716: Fix SystemError in the import statement and in
__reduce__() methods of builtin types when __builtins__ is not a
dict.
- gh-105967: Workaround a bug in Apple’s macOS platform zlib
library where zlib.crc32() and binascii.crc32() could produce
incorrect results on multi-gigabyte inputs. Including when using
zipfile on zips containing large data.
- gh-94606: Fix UnicodeEncodeError when
email.message.get_payload() reads a message with a Unicode
surrogate character and the message content is not well-formed
for surrogateescape encoding. Patch by Sidney Markowitz.
- Library
- gh-114965: Update bundled pip to 24.0
- gh-114959: tarfile no longer ignores errors when trying to
extract a directory on top of a file.
- gh-109475: Fix support of explicit option value “–” in argparse
(e.g. --option=--).
- gh-110190: Fix ctypes structs with array on Windows ARM64
platform by setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by
Diego Russo
- gh-113280: Fix a leak of open socket in rare cases when error
occurred in ssl.SSLSocket creation.
- gh-77749: email.policy.EmailPolicy.fold() now always encodes
non-ASCII characters in headers if utf8 is false.
- gh-114492: Make the result of termios.tcgetattr() reproducible
on Alpine Linux. Previously it could leave a random garbage in
some fields.
- gh-75128: Ignore an OSError in
asyncio.BaseEventLoop.create_server() when IPv6 is available but
the interface cannot actually support it.
- gh-114257: Dismiss the FileNotFound error in
ctypes.util.find_library() and just return None on Linux.
- gh-101438: Avoid reference cycle in ElementTree.iterparse. The
iterator returned by ElementTree.iterparse may hold on to a file
descriptor. The reference cycle prevented prompt clean-up of the
file descriptor if the returned iterator was not exhausted.
- gh-104522: OSError raised when run a subprocess now only has
filename attribute set to cwd if the error was caused by a
failed attempt to change the current directory.
- gh-109534: Fix a reference leak in
asyncio.selector_events.BaseSelectorEventLoop when SSL
handshakes fail. Patch contributed by Jamie Phan.
- gh-114077: Fix possible OverflowError in
socket.socket.sendfile() when pass count larger than 2 GiB on
32-bit platform.
- gh-114014: Fixed a bug in fractions.Fraction where an invalid
string using d in the decimals part creates a different error
compared to other invalid letters/characters. Patch by Jeremiah
Gabriel Pascual.
- gh-113951: Fix the behavior of tag_unbind() methods of
tkinter.Text and tkinter.Canvas classes with three arguments.
Previously, widget.tag_unbind(tag, sequence, funcid) destroyed
the current binding for sequence, leaving sequence unbound, and
deleted the funcid command. Now it removes only funcid from the
binding for sequence, keeping other commands, and deletes the
funcid command. It leaves sequence unbound only if funcid was
the last bound command.
- gh-113877: Fix tkinter method winfo_pathname() on 64-bit
Windows.
- gh-113781: Silence unraisable AttributeError when warnings are
emitted during Python finalization.
- gh-113594: Fix UnicodeEncodeError in email when re-fold lines
that contain unknown-8bit encoded part followed by
non-unknown-8bit encoded part.
- gh-113538: In asyncio.StreamReaderProtocol.connection_made(),
there is callback that logs an error if the task wrapping the
“connected callback” fails. This callback would itself fail if
the task was cancelled. Prevent this by checking whether the
task was cancelled first. If so, close the transport but don’t
log an error.
- gh-85567: Fix resource warnings for unclosed files in pickle and
pickletools command line interfaces.
- gh-101225: Increase the backlog for
multiprocessing.connection.Listener objects created by
multiprocessing.manager and multiprocessing.resource_sharer to
significantly reduce the risk of getting a connection refused
error when creating a multiprocessing.connection.Connection to
them.
- gh-113543: Make sure that webbrowser.MacOSXOSAScript sends
webbrowser.open audit event.
- gh-113028: When a second reference to a string appears in the
input to pickle, and the Python implementation is in use, we are
guaranteed that a single copy gets pickled and a single object
is shared when reloaded. Previously, in protocol 0, when a
string contained certain characters (e.g. newline) it resulted
in duplicate objects.
- gh-113421: Fix multiprocessing logger for %(filename)s.
- gh-113358: Fix rendering tracebacks for exceptions with a broken
__getattr__.
- gh-113214: Fix an AttributeError during asyncio SSL protocol
aborts in SSL-over-SSL scenarios.
- gh-113246: Update bundled pip to 23.3.2.
- gh-113199: Make http.client.HTTPResponse.read1 and
http.client.HTTPResponse.readline close IO after reading all
data when content length is known. Patch by Illia Volochii.
- gh-113188: Fix shutil.copymode() and shutil.copystat() on
Windows. Previously they worked differenly if dst is a symbolic
link: they modified the permission bits of dst itself rather
than the file it points to if follow_symlinks is true or src is
not a symbolic link, and did not modify the permission bits if
follow_symlinks is false and src is a symbolic link.
- gh-61648: Detect line numbers of properties in doctests.
- gh-112559: signal.signal() and signal.getsignal() no longer call
repr on callable handlers. asyncio.run() and
asyncio.Runner.run() no longer call repr on the task results.
Patch by Yilei Yang.
- gh-110190: Fix ctypes structs with array on PPC64LE platform by
setting MAX_STRUCT_SIZE to 64 in stgdict. Patch by Diego Russo.
- gh-79429: Ignore FileNotFoundError when remove a temporary
directory in the multiprocessing finalizer.
- gh-79325: Fix an infinite recursion error in
tempfile.TemporaryDirectory() cleanup on Windows.
- gh-110190: Fix ctypes structs with array on Arm platform by
setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo.
- gh-81194: Fix a crash in socket.if_indextoname() with specific
value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-75666: Fix the behavior of tkinter widget’s unbind() method
with two arguments. Previously, widget.unbind(sequence, funcid)
destroyed the current binding for sequence, leaving sequence
unbound, and deleted the funcid command. Now it removes only
funcid from the binding for sequence, keeping other commands,
and deletes the funcid command. It leaves sequence unbound only
if funcid was the last bound command.
- gh-110345: Show the Tcl/Tk patchlevel (rather than version) in
tkinter._test().
- gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now
raises BadZipFile when try to read an entry that overlaps with
other entry or central directory.
- gh-38807: Fix race condition in trace. Instead of checking if a
directory exists and creating it, directly call os.makedirs()
with the kwarg exist_ok=True.
- gh-75705: Set unixfrom envelope in mailbox.mbox and
mailbox.MMDF.
- gh-105102: Allow ctypes.Union to be nested in ctypes.Structure
when the system endianness is the opposite of the classes.
- gh-104282: Fix null pointer dereference in
lzma._decode_filter_properties() due to improper handling of BCJ
filters with properties of zero length. Patch by Radislav
Chugunov.
- gh-102512: When os.fork() is called from a foreign thread (aka
_DummyThread), the type of the thread in a child process is
changed to _MainThread. Also changed its name and daemonic
status, it can be now joined.
- gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
which now no longer dereferences symlinks when working around
file system permission errors.
- bpo-43153: On Windows, tempfile.TemporaryDirectory previously
masked a PermissionError with NotADirectoryError during
directory cleanup. It now correctly raises PermissionError if
errors are not ignored. Patch by Andrei Kulakov and Ken Jin.
- bpo-35332: The shutil.rmtree() function now ignores errors when
calling os.close() when ignore_errors is True, and os.close() no
longer retried after error.
- bpo-35928: io.TextIOWrapper now correctly handles the decoding
buffer after read() and write().
- bpo-26791: shutil.move() now moves a symlink into a directory
when that directory is the target of the symlink. This provides
the same behavior as the mv shell command. The previous behavior
raised an exception. Patch by Jeffrey Kintscher.
- bpo-36959: Fix some error messages for invalid ISO format string
combinations in strptime() that referred to directives not
contained in the format string. Patch by Gordon P. Hemsley.
- bpo-18060: Fixed a class inheritance issue that can cause
segfaults when deriving two or more levels of subclasses from a
base class of Structure or Union.
- Documentation
- gh-110746: Improved markup for valid options/values for methods
ttk.treeview.column and ttk.treeview.heading, and for Layouts.
- gh-95649: Document that the asyncio module contains code taken
from v0.16.0 of the uvloop project, as well as the required MIT
licensing information.
- Tests
- gh-109980: Fix test_tarfile_vs_tar in test_shutil for macOS,
where system tar can include more information in the archive
than shutil.make_archive.
- gh-112769: The tests now correctly compare zlib version when
zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For
example zlib-ng defines the version as 1.3.0.zlib-ng.
- gh-105089: Fix
test.test_zipfile.test_core.TestWithDirectory.test_create_directory_with_write
test in AIX by doing a bitwise AND of 0xFFFF on mode , so that
it will be in sync with zinfo.external_attr
- bpo-40648: Test modes that file can get with chmod() on Windows.
- Build
- gh-101778: Fix build error when there’s a dangling symlink in
the directory containing ffi.h.
- gh-112305: Fixed the check-clean-src step performed on out of
tree builds to detect errant $(srcdir)/Python/frozen_modules/*.h
files and recommend appropriate source tree cleanup steps to get
a working build again.
- bpo-11102: The os.major(), os.makedev(), and os.minor()
functions are now available on HP-UX v3.
- bpo-36351: Do not set ipv6type when cross-compiling.
- IDLE
- gh-96905: In idlelib code, stop redefining built-ins ‘dict’ and
‘object’.
- gh-72284: Improve the lists of features, editor key bindings,
and shell key bingings in the IDLE doc.
- gh-113903: Fix rare failure of test.test_idle, in
test_configdialog.
- gh-113729: Fix the “Help -> IDLE Doc” menu bug in 3.11.7 and
3.12.1.
- gh-113269: Fix test_editor hang on macOS Catalina.
- gh-112898: Fix processing unsaved files when quitting IDLE on
macOS.
- gh-103820: Revise IDLE bindings so that events from mouse button
4/5 on non-X11 windowing systems (i.e. Win32 and Aqua) are not
mistaken for scrolling.
- bpo-13586: Enter the selected text when opening the “Replace”
dialog.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13 and
multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1.
- gh-115015: Fix a bug in Argument Clinic that generated incorrect
code for methods with no parameters that use the METH_METHOD |
METH_FASTCALL | METH_KEYWORDS calling convention. Only the
positional parameter count was checked; any keyword argument
passed would be silently accepted.
- Refresh all patches:
- CVE-2023-27043-email-parsing-errors.patch
- F00251-change-user-install-location.patch
- bpo-31046_ensurepip_honours_prefix.patch
- distutils-reproducible-compile.patch
- fix_configure_rst.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- python-3.3.0b1-localpath.patch
- python-3.3.0b1-test-posix_fadvise.patch
- skip_if_buildbot-extend.patch
- subprocess-raise-timeout.patch
- support-expat-CVE-2022-25236-patched.patch
OBS-URL: https://build.opensuse.org/request/show/1145174
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=99
