- Update to 3.12.11:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
OBS-URL: https://build.opensuse.org/request/show/1284283
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=34
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
- restrict PEP668 to ALP/Tumbleweed
* Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
* remove importlib_resources and importlib-metadata
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=147
- Update to 3.12.10:
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages in
msgfmt.
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-119727: Add --single-process command line option to Python
test runner (regrtest). Patch by Victor Stinner.
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously, disk
spillover was only checked after the lines iterator had been
exhausted. This is now done after each line is written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-116608: undeprecate functional API for importlib.resources
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating contextvars.ContextVar
OBS-URL: https://build.opensuse.org/request/show/1269059
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=30
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages in
msgfmt.
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-119727: Add --single-process command line option to Python
test runner (regrtest). Patch by Victor Stinner.
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously, disk
spillover was only checked after the lines iterator had been
exhausted. This is now done after each line is written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-116608: undeprecate functional API for importlib.resources
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating contextvars.ContextVar
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=108
- Update to 3.12.9:
- Tests
- gh-127906: Test the limited C API in test_cppext. Patch by
Victor Stinner.
- gh-127906: Backport test_cext from the main branch. Patch
by Victor Stinner.
- gh-127637: Add tests for the dis command-line
interface. Patch by Bénédikt Tran.
- Security
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject
domain names containing square brackets ([ and ]). Square
brackets are only valid for IPv6 and IPvFuture hosts
according to RFC 3986 Section 3.2.2. (CVE-2025-0938,
bsc#1236705)
- gh-127655: Fixed the
asyncio.selector_events._SelectorSocketTransport
transport not pausing writes for the protocol when
the buffer reaches the high water mark when using
asyncio.WriteTransport.writelines() (CVE-2024-12254,
bsc#1234290).
- gh-126108: Fix a possible NULL pointer dereference in
PySys_AddWarnOptionUnicode().
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
OBS-URL: https://build.opensuse.org/request/show/1244005
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python312?expand=0&rev=28
