- Tools/Demos
- gh-139330: SBOM generation tool didn’t cross-check the version
and checksum values against the Modules/expat/refresh.sh script,
leading to the values becoming out-of-date during routine
updates.
- Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible data”
if there are no bytes prepended to the ZIP file.
- gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer
referenced by subparsers created by
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
* Whitespaces no longer accepted between </ and the tag name.
E.g. </ script> does not end the script section.
* Vertical tabulation (\v) and non-ASCII whitespaces no longer
recognized as whitespaces. The only whitespaces are \t\n\r\f
and space.
* Null character (U+0000) no longer ends the tag name.
* Attributes and slashes after the tag name in end tags are now
ignored, instead of terminating after the first > in quoted
attribute value. E.g. </script/foo=">"/>.
* Multiple slashes and whitespaces between the last attribute
and closing > are now ignored in both start and end tags. E.g.
<a foo=bar/ //>.
* Multiple = between attribute name and value are no longer
collapsed. E.g. <a foo==bar> produces attribute “foo” with
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=162
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
docutils (>=0.22) gh#python/cpython#139257
- Drop AppStream: this results in a different cycle than
appstream-glib. As the appdata.xml is controlled by ourselves, we
can get away with just manually validating it when changing it.
- Require AppStream to validate appdata file instead of deprecated
appstream-glib.
- Update idle3.appdata.xml to pass the more pedantic appstreamcli.
OBS-URL: https://build.opensuse.org/request/show/1308661
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=38
DEPENDS ON SR#1294511, THEY HAVE TO GO TOGETHER!!!
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to
generate ids for audit_events using docname (reproducible
builds).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Add bsc1243155-sphinx-non-determinism.patch (bsc#1243155) to
generate ids for audit_events using docname (reproducible
builds).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
OBS-URL: https://build.opensuse.org/request/show/1294513
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=36
- Update to 3.12.11:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
OBS-URL: https://build.opensuse.org/request/show/1284283
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=34
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
* remove importlib_resources and importlib-metadata
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=147
