From c596c85ff5a4ee9cce15bb341bad56970f5810c20aba5b04e545ee35a962410f Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Wed, 5 Feb 2025 09:57:45 +0000 Subject: [PATCH] =?UTF-8?q?-=20Update=20to=203.13.2:=20=20=20-=20Tools/Dem?= =?UTF-8?q?os=20=20=20=20=20-=20gh-128152:=20Fix=20a=20bug=20where=20Argum?= =?UTF-8?q?ent=20Clinic=E2=80=99s=20C=20=20=20=20=20=20=20pre-processor=20?= =?UTF-8?q?parser=20tried=20to=20parse=20pre-processor=20=20=20=20=20=20?= =?UTF-8?q?=20directives=20inside=20C=20comments.=20Patch=20by=20Erlend=20?= =?UTF-8?q?Aasland.=20=20=20-=20Tests=20=20=20=20=20-=20gh-127906:=20Test?= =?UTF-8?q?=20the=20limited=20C=20API=20in=20test=5Fcppext.=20Patch=20by?= =?UTF-8?q?=20=20=20=20=20=20=20Victor=20Stinner.=20=20=20=20=20-=20gh-127?= =?UTF-8?q?637:=20Add=20tests=20for=20the=20dis=20command-line=20=20=20=20?= =?UTF-8?q?=20=20=20interface.=20Patch=20by=20B=C3=A9n=C3=A9dikt=20Tran.?= =?UTF-8?q?=20=20=20=20=20-=20gh-126925:=20iOS=20test=20results=20are=20no?= =?UTF-8?q?w=20streamed=20during=20test=20=20=20=20=20=20=20execution,=20a?= =?UTF-8?q?nd=20the=20deprecated=20xcresulttool=20is=20no=20longer=20=20?= =?UTF-8?q?=20=20=20=20=20used.=20=20=20-=20Security=20=20=20=20=20-=20gh-?= =?UTF-8?q?105704:=20When=20using=20urllib.parse.urlsplit()=20and=20=20=20?= =?UTF-8?q?=20=20=20=20urllib.parse.urlparse()=20host=20parsing=20would=20?= =?UTF-8?q?not=20reject=20=20=20=20=20=20=20domain=20names=20containing=20?= =?UTF-8?q?square=20brackets=20([=20and=20]).=20Square=20=20=20=20=20=20?= =?UTF-8?q?=20brackets=20are=20only=20valid=20for=20IPv6=20and=20IPvFuture?= =?UTF-8?q?=20hosts=20=20=20=20=20=20=20according=20to=20RFC=203986=20Sect?= =?UTF-8?q?ion=203.2.2.=20(CVE-2025-0938,=20=20=20=20=20=20=20bsc#1236705)?= =?UTF-8?q?=20=20=20=20=20-=20gh-127655:=20Fixed=20the=20=20=20=20=20=20?= =?UTF-8?q?=20asyncio.selector=5Fevents.=5FSelectorSocketTransport=20=20?= =?UTF-8?q?=20=20=20=20=20transport=20not=20pausing=20writes=20for=20the?= =?UTF-8?q?=20protocol=20when=20=20=20=20=20=20=20the=20buffer=20reaches?= 
=?UTF-8?q?=20the=20high=20water=20mark=20when=20using=20=20=20=20=20=20?= =?UTF-8?q?=20asyncio.WriteTransport.writelines()=20(CVE-2024-12254,=20=20?= =?UTF-8?q?=20=20=20=20=20bsc#1234290).=20=20=20=20=20-=20gh-126108:=20Fix?= =?UTF-8?q?=20a=20possible=20NULL=20pointer=20dereference=20in=20=20=20=20?= =?UTF-8?q?=20=20=20PySys=5FAddWarnOptionUnicode().=20=20=20=20=20-=20gh-8?= =?UTF-8?q?0222:=20Fix=20bug=20in=20the=20folding=20of=20quoted=20strings?= =?UTF-8?q?=20=20=20=20=20=20=20when=20flattening=20an=20email=20message?= =?UTF-8?q?=20using=20a=20modern=20email?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=76 --- ...g-SelectorSocketTransport.writelines.patch | 46 --- Python-3.13.1.tar.xz | 3 - Python-3.13.1.tar.xz.sigstore | 1 - Python-3.13.2.tar.xz | 3 + Python-3.13.2.tar.xz.sigstore | 1 + bpo-31046_ensurepip_honours_prefix.patch | 4 +- python313.changes | 270 ++++++++++++++++++ python313.spec | 5 +- 8 files changed, 277 insertions(+), 56 deletions(-) delete mode 100644 CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch delete mode 100644 Python-3.13.1.tar.xz delete mode 100644 Python-3.13.1.tar.xz.sigstore create mode 100644 Python-3.13.2.tar.xz create mode 100644 Python-3.13.2.tar.xz.sigstore diff --git a/CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch b/CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch deleted file mode 100644 index fc8d1ef..0000000 --- a/CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From bfc2e93d755bf496e5ef4cae9609d2823122c909 Mon Sep 17 00:00:00 2001 -From: "J. Nick Koston" -Date: Thu, 5 Dec 2024 10:01:10 -0600 -Subject: [PATCH 01/10] Ensure writelines pauses the protocol if needed - ---- - Lib/asyncio/selector_events.py | 1 - Lib/test/test_asyncio/test_selector_events.py | 12 ++++++++++ - Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 1 - 3 files changed, 14 insertions(+) - ---- a/Lib/asyncio/selector_events.py -+++ b/Lib/asyncio/selector_events.py -@@ -1175,6 +1175,7 @@ class _SelectorSocketTransport(_Selector - # If the entire buffer couldn't be written, register a write handler - if self._buffer: - self._loop._add_writer(self._sock_fd, self._write_ready) -+ self._maybe_pause_protocol() - - def can_write_eof(self): - return True ---- a/Lib/test/test_asyncio/test_selector_events.py -+++ b/Lib/test/test_asyncio/test_selector_events.py -@@ -805,6 +805,18 @@ class SelectorSocketTransportTests(test_ - self.assertTrue(self.sock.send.called) - self.assertTrue(self.loop.writers) - -+ def test_writelines_pauses_protocol(self): -+ data = memoryview(b'data') -+ self.sock.send.return_value = 2 -+ self.sock.send.fileno.return_value = 7 -+ -+ transport = self.socket_transport() -+ transport._high_water = 1 -+ transport.writelines([data]) -+ self.assertTrue(self.protocol.pause_writing.called) -+ self.assertTrue(self.sock.send.called) -+ self.assertTrue(self.loop.writers) -+ - @unittest.skipUnless(selector_events._HAS_SENDMSG, 'no sendmsg') - def test_write_sendmsg_full(self): - data = memoryview(b'data') ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst -@@ -0,0 +1 @@ -+Fixed the :class:`!asyncio.selector_events._SelectorSocketTransport` transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`. 
diff --git a/Python-3.13.1.tar.xz b/Python-3.13.1.tar.xz
deleted file mode 100644
index b7a3d58..0000000
--- a/Python-3.13.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9cf9427bee9e2242e3877dd0f6b641c1853ca461f39d6503ce260a59c80bf0d9
-size 22589692
diff --git a/Python-3.13.1.tar.xz.sigstore b/Python-3.13.1.tar.xz.sigstore
deleted file mode 100644
index c3e3336..0000000
--- a/Python-3.13.1.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "153126388", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1733252831", "inclusionPromise": {"signedEntryTimestamp": "MEUCIEr6ERelNiQ0shguyVEIZr62jZOmkiRvFDab0vH/+TyPAiEA7wjmefhpgSGj9OZK5OLyFERJmCdOAyo0ugYvcvo/BRI="}, "inclusionProof": {"logIndex": "31222126", "rootHash": "bw8DUGFtTR8UX3p/PsDBTOd7+9XoUhpc9p9rx8iBudU=", "treeSize": "31222127", "hashes": ["VDJuQRvWiSGKYaVUeg1KQzTOcArB3z4zhlKXQiCXpBA=", "d4PXrjiAFZkT0q5LEqDIKdp/3LzyJNDT3ieTmTFo/hk=", "hpWulX1/EJ4WX5RZYHRuNoNQPY022IQxlvT6PQdo0zM=", "Der2RBJcWt5krDHF37vOqiTIMOPFBfJYHpEzH2AFz94=", "50fxHcr98Af7eRu0IaTdqt95Xr1ex/qKGF8Gp4SWOWg=", "Xdd/TFK+GoJvuW1nyelo2knYtds5k/Go6cPMSEa6MAg=", "6d4xqhjtBqvVigZuo5cpcPrzEjWB2pnhc9sKleMMhto=", "tH2CD4P6s9/APjnJWsTvHjNo8l825tfN4DUr+zItATY=", "AYwr74Bm2w383UnS7DdbZUUAhusq28JoxKpWrQ7OvGQ=", "u+yWmGIR6sAH32wiSy22mz1Yf+jfPdBTjFbyRISuTZw=", "3eFC7Gp4fWecybDOAw9uUTrM1xB7YRYRAGsfYkiQbV8=", "1uKk2qjOliHMiTk906jrchP8mXWsRG8apaU1sa0lfh0=", "oOecFfN3YqDOkbijS/ej1WF5Da/Gt/AZNhbwE9uoOE8=", "4lUF0YOu9XkIDXKXA0wMSzd6VeDY3TZAgmoOeWmS2+Y=", "gf+9m552B3PnkWnO0o4KdVvjcT3WVHLrCbf1DoVYKFw="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n31222127\nbw8DUGFtTR8UX3p/PsDBTOd7+9XoUhpc9p9rx8iBudU=\n\n\u2014 rekor.sigstore.dev wNI9ajBDAh9aKBYaMe0sjCiN7C4kOKDmZcatnj6bJnRXihklmSI0AiAYKc0QI8JdydiiPPfM7JezFEypOIF9c7nD9OegcFT8mw==\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "nPlCe+6eIkLjh33Q9rZBwYU8pGHznWUDziYKWcgL8Nk="}, "signature": "MEYCIQDNcIFJPL4L0+nXTkTIVfT+Twm2aIeyob5F+zqEQfUz7QIhAKbGNAemZyUWPbCYoiPNcCazdYJjXcNDc1C0RFibql0F"}} 
diff --git a/Python-3.13.2.tar.xz b/Python-3.13.2.tar.xz
new file mode 100644
index 0000000..a64a7f0
--- /dev/null
+++ b/Python-3.13.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d984bcc57cd67caab26f7def42e523b1c015bbc5dc07836cf4f0b63fa159eb56
+size 22621108
diff --git a/Python-3.13.2.tar.xz.sigstore b/Python-3.13.2.tar.xz.sigstore
new file mode 100644
index 0000000..8b40472
--- /dev/null
+++ b/Python-3.13.2.tar.xz.sigstore
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "168670065", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1738694720", "inclusionPromise": {"signedEntryTimestamp": "MEUCIAekV+blODko91xI2vm15TtdYBXhj8UF28Yt+cMx33rrAiEA0A6bc18P1q3drg9y9nR53/m8DXoKwsTEZm5yZ5+JFa4="}, "inclusionProof": {"logIndex": "46765803", "rootHash": "33ULyWL9ydLeQexNIooy3SJNY9i3ryqihkcOKvsQFF4=", "treeSize": "46765804", "hashes": ["3v2kqP/86p78AkWzBhXN+cNw9IypWJVk1oLovoNewtw=", "hymqDI9hjW2a2SKx04PIeTgJIL2IITHnQP5iCfIzoKM=", "om9oCy1VrcALPEQhPkoPogYSHHCAjFbWSLZJuHEfapo=", "opVQSZr0TT+f4kq/+ypm8ifo78VX/rg2sMxpk3Q6ZYQ=", "u+Mk6XwpHu128vzvk1pAczTT6FfryNB+dIhXYEj/H8c=", "625NsawEzZEukjE6mmJJ6hFySLGojGI4BGm8cRxwv68=", "5S8IyLnwlAhLZBEUNH1SaLO2dckc8NKwnGVgAO+3QQI=", "3onlfMyeVMDSIvH0BhkTTMYIWUuOZa+vitTl74eA7yo=", "TgYmpZ2JTTWko4kWZxTIAYkJpJpeOjVCg6ICKYnUS+8=", "PAMmlBIG22MGowjyiChYp5iB6NiTRa0xKI2vnvpExek=", "NS61TOUCaTiUJotPDnr7bTP/1ogKsWSnbgDlk1uvGzM=", "MvEBWaRrd43Pq04mjOFzGW9RiqBSzMBfuFXKBIVtQnc=", "Zse3BPkR/cJv62LvVuiDH+EpgIE5v3V3qXdG8HQFf1A=", "jU9+tgjTIKUYGeU7T7RjqyL+F+gFV9tCdwX2GZ1UtQs=", "vemyaMj0Na1LMjbB/9Dmkq8T+jAb3o+yCESgAayUABU="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n46765804\n33ULyWL9ydLeQexNIooy3SJNY9i3ryqihkcOKvsQFF4=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEA+12Y0eYDOViIlr8UQrapNyarHE/PGGfC7iXrAHr0R2cCIQC0FJWVaUHoTxuMaM3KvZaY1toGa6U5sj9BcrhnwcEQ8A==\n"}}, "canonicalizedBody": 
"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJkOTg0YmNjNTdjZDY3Y2FhYjI2ZjdkZWY0MmU1MjNiMWMwMTViYmM1ZGMwNzgzNmNmNGYwYjYzZmExNTllYjU2In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNMQXBvUGEvQ0FZbVAxS0FSQ3Vmb1J6L1V2RVJhbDRKcnNkNXl4NmtleHpnSWdicEFIaUFTSjBDY2FKZm5LczFzL0VtZW0ybDNyT2svODdITVZaR0gwUUlJPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjVha05EUVdzclowRjNTVUpCWjBsVlJEUk9VV1JPUTNReEwwc3ZTblpCVm5scVlsbHBaM1kyTjJ0SmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDFxUVRCTlZHY3dUbFJKZDFkb1kwNU5hbFYzVFdwQk1FMVVaekZPVkVsM1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZpY1dKbGNqTjRSR0pKWlVoNE5EQnVXRTFSV21Oa00yZHpWSGgwY1RobE1WUkdSREFLWlVzM1NXMDRWaXRrY1ZaSlVsQmxlVEpGTmtKamJtSjNSMDEyVERGeE1YRnRWSGRIWkZWdU5WSlFZa1poWldoNk4zRlBRMEZYTkhkblowWnhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZUZFdoS0NrbDNSRTFXTXpaQk0yVmhlV3RCZFV0alRqUlNiazlGZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoM1dVUldVakJTUVZGSUwwSkNWWGRGTkVWU1pFZG9kbUpYUm5wUlNFSTFaRWRvZG1KcE5YWmpiV04zUzFGWlMwdDNXVUpDUVVkRWRucEJRZ3BCVVZGaVlVaFNNR05JVFRaTWVUbG9XVEpPZG1SWE5UQmplVFZ1WWpJNWJtSkhWWFZaTWpsMFRVTnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVklVWGRpQ21GSVVqQmpTRTAyVEhrNWFGa3lUblprVnpVd1kzazFibUl5T1c1aVIxVjFXVEk1ZEUxSlIwcENaMjl5UW1kRlJVRmtXalZCWjFGRFFraHpSV1ZSUWpNS1FVaFZRVE5VTUhkaGMySklSVlJLYWtkU05HTnRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIVlRCclpqZDNkMEZCUWtGTlFRcFNha0pGUVdsQlpuRnRRek5KSzNORVUzSllRMnBuVDNOUE5sVnlORFJqTjJwbFFVZFNVbmRqTjB0a1lsaFNRazE2WjBsblFXZGpVelJUVjFCa2EzaFlDa2xJYVdOWE5FUjFiRVZ1TTNWc1lVd3pSbFpJUWxKTWIwNVJWekJLVkdOM1EyZFpTVXR2V2tsNmFqQkZRWGROUkdGUlFYZGFaMGw0UVVveVZESk5LM0FLUmtOVlJWSjZUMmRhWTNReGFuaGFjR3M
1Y0dkVFVYbDFRbFUxTjFVMEwwaHFNM2hMUXpFeUsxQkVaMGRqYVd0NE1VWnlRekYzZDNJMWQwbDRRVW94TlFvMmFFdzRkWE5TZGxaSGMydEZkRzF3YVhWVVltRlVPU3Q2VUdkRWFsZG1hM1pvZURaaU0xQmtjbTR3T0ZoaFVVbzVSVTQ1YW1sTWNtSmxRazA1WnowOUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19"}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "2YS8xXzWfKqyb33vQuUjscAVu8XcB4Ns9PC2P6FZ61Y="}, "signature": "MEUCIQCLApoPa/CAYmP1KARCufoRz/UvERal4Jrsd5yx6kexzgIgbpAHiASJ0CcaJfnKs1s/Emem2l3rOk/87HMVZGH0QII="}} diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch index d2a5ad9..98c61a0 100644 --- a/bpo-31046_ensurepip_honours_prefix.patch +++ b/bpo-31046_ensurepip_honours_prefix.patch @@ -139,7 +139,7 @@ Co-Authored-By: Xavier de Gaye --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -2157,7 +2157,7 @@ install: @FRAMEWORKINSTALLFIRST@ @INSTAL +@@ -2139,7 +2139,7 @@ install: @FRAMEWORKINSTALLFIRST@ @INSTAL install|*) ensurepip="" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -148,7 +148,7 @@ Co-Authored-By: Xavier de Gaye fi .PHONY: altinstall -@@ -2168,7 +2168,7 @@ altinstall: commoninstall +@@ -2150,7 +2150,7 @@ altinstall: commoninstall install|*) ensurepip="--altinstall" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ diff --git a/python313.changes b/python313.changes index b7fac87..59f94ad 100644 --- a/python313.changes +++ b/python313.changes 
@@ -1,3 +1,273 @@ +------------------------------------------------------------------- +Wed Feb 5 09:13:26 UTC 2025 - Matej Cepl + +- Update to 3.13.2: + - Tools/Demos + - gh-128152: Fix a bug where Argument Clinic’s C + pre-processor parser tried to parse pre-processor + directives inside C comments. Patch by Erlend Aasland. + - Tests + - gh-127906: Test the limited C API in test_cppext. Patch by + Victor Stinner. + - gh-127637: Add tests for the dis command-line + interface. Patch by Bénédikt Tran. + - gh-126925: iOS test results are now streamed during test + execution, and the deprecated xcresulttool is no longer + used. + - Security + - gh-105704: When using urllib.parse.urlsplit() and + urllib.parse.urlparse() host parsing would not reject + domain names containing square brackets ([ and ]). Square + brackets are only valid for IPv6 and IPvFuture hosts + according to RFC 3986 Section 3.2.2. (CVE-2025-0938, + bsc#1236705) + - gh-127655: Fixed the + asyncio.selector_events._SelectorSocketTransport + transport not pausing writes for the protocol when + the buffer reaches the high water mark when using + asyncio.WriteTransport.writelines() (CVE-2024-12254, + bsc#1234290). + - gh-126108: Fix a possible NULL pointer dereference in + PySys_AddWarnOptionUnicode(). + - gh-80222: Fix bug in the folding of quoted strings + when flattening an email message using a modern email + policy. Previously when a quoted string was folded so + that it spanned more than one line, the surrounding + quotes and internal escapes would be omitted. This could + theoretically be used to spoof header lines using a + carefully constructed quoted string if the resulting + rendered email was transmitted or re-parsed. + - gh-119511: Fix a potential denial of service in the imaplib + module. When connecting to a malicious server, it could + cause an arbitrary amount of memory to be allocated. 
On + many systems this is harmless as unused virtual memory is + only a mapping, but if this hit a virtual address size + limit it could lead to a MemoryError or other process + crash. On unusual systems or builds where all allocated + memory is touched and backed by actual ram or storage + it could’ve consumed resources doing so until similarly + crashing. + - Library + - gh-129502: Unlikely errors in preparing arguments for + ctypes callback are now handled in the same way as errors + raised in the callback of in converting the result of + the callback – using sys.unraisablehook() instead of + sys.excepthook() and not setting sys.last_exc and other + variables. + - gh-129403: Corrected ValueError message for asyncio.Barrier + and threading.Barrier. + - gh-129409: Fix an integer overflow in the csv module when + writing a data field larger than 2GB. + - gh-118761: Improve import time of subprocess by lazy + importing locale and signal. Patch by Taneli Hukkinen. + - gh-129346: In sqlite3, handle out-of-memory when creating + user-defined SQL functions. + - gh-129061: Fix FORCE_COLOR and NO_COLOR when empty + strings. Patch by Hugo van Kemenade. + - gh-128550: Removed an incorrect optimization relating + to eager tasks in asyncio.TaskGroup that resulted in + cancellations being missed. + - gh-128991: Release the enter frame reference within bdb + callback + - gh-128978: Fix a NameError in + sysconfig.expand_makefile_vars(). Patch by Bénédikt Tran. + - gh-128961: Fix a crash when setting state on an exhausted + array.array iterator. + - gh-128894: Fix + traceback.TracebackException._format_syntax_error not to + fail on exceptions with custom metadata. + - gh-128916: Do not attempt to set SO_REUSEPORT on sockets of + address families other than AF_INET and AF_INET6, as it is + meaningless with these address families, and the call with + fail with Linux kernel 6.12.9 and newer. + - gh-128679: Fix tracemalloc.stop() race condition. 
Fix + tracemalloc to support calling tracemalloc.stop() in + one thread, while another thread is tracing memory + allocations. Patch by Victor Stinner. + - gh-128636: Fix PyREPL failure when os.environ is + overwritten with an invalid value. + - gh-128562: Fix possible conflicts in generated tkinter + widget names if the widget class name ends with a digit. + - gh-128498: Default to stdout isatty for color detection + instead of stderr. Patch by Hugo van Kemenade. + - gh-128552: Fix cyclic garbage introduced + by asyncio.loop.create_task() and + asyncio.TaskGroup.create_task() holding a reference to the + created task if it is eager. + - gh-128479: Fix asyncio.staggered.staggered_race() leaking + tasks and issuing an unhandled exception. + - gh-128400: Fix crash when using + faulthandler.dump_traceback() while other threads are + active on the free threaded build. + - gh-88834: Unify the instance check for typing.Union and + types.UnionType: Union now uses the instance checks against + its parameters instead of the subclass checks. + - gh-128302: Fix + xml.dom.xmlbuilder.DOMEntityResolver.resolveEntity(), which + was broken by the Python 3.0 transition. + - gh-128302: Allow xml.dom.xmlbuilder.DOMParser.parse() + to correctly handle xml.dom.xmlbuilder.DOMInputSource + instances that only have a systemId attribute set. + - gh-112064: Fix incorrect handling of negative read sizes in + HTTPResponse.read. Patch by Yury Manushkin. + - gh-58956: Fixed a frame reference leak in bdb. + - gh-128131: Completely support random access of uncompressed + unencrypted read-only zip files obtained by ZipFile.open. + - gh-112328: enum.EnumDict can now be used without resorting + to private API. + - gh-127975: Avoid reusing quote types in ast.unparse() if + not needed. + - gh-128062: Revert the font of turtledemo’s menu bar to its + default value and display the shortcut keys in the correct + position. 
+ - gh-128014: Fix resetting the default window icon by passing + default='' to the tkinter method wm_iconbitmap(). + - gh-115514: Fix exceptions and incomplete writes after + asyncio._SelectorTransport is closed before writes are + completed. + - gh-41872: Fix quick extraction of module docstrings from + a file in pydoc. It now supports docstrings with single + quotes, escape sequences, raw string literals, and other + Python syntax. + - gh-127060: Set TERM environment variable to “dumb” to + disable traceback colors in IDLE, since IDLE doesn’t + understand ANSI escape sequences. Patch by Victor Stinner. + - gh-126742: Fix support of localized error messages reported + by dlerror(3) and gdbm_strerror in ctypes and dbm.gnu + functions respectively. Patch by Bénédikt Tran. + - gh-127873: When -E is set, only ignore PYTHON_COLORS + and not FORCE_COLOR/NO_COLOR/TERM when colourising + output. Patch by Hugo van Kemenade. + - gh-127870: Detect recursive calls in ctypes _as_parameter_ + handling. Patch by Victor Stinner. + - gh-127847: Fix the position when doing interleaved seeks + and reads in uncompressed, unencrypted zip files returned + by zipfile.ZipFile.open(). + - gh-127732: The platform module now correctly detects + Windows Server 2025. + - gh-126821: macOS and iOS apps can now choose to redirect + stdout and stderr to the system log during interpreter + configuration. + - gh-93312: Include to get os.PIDFD_NONBLOCK + constant. Patch by Victor Stinner. + - gh-83662: Add missing __class_getitem__ method to the + Python implementation of functools.partial(), to make it + compatible with the C version. This is mainly relevant for + alternative Python implementations like PyPy and GraalPy, + because CPython will usually use the C-implementation of + that function. + - gh-127586: multiprocessing.pool.Pool now properly restores + blocked signal handlers of the parent thread when creating + processes via either spawn or forkserver. 
+ - gh-98188: Fix an issue in + email.message.Message.get_payload() where data cannot be + decoded if the Content Transfer Encoding mechanism contains + trailing whitespaces or additional junk text. Patch by Hui + Liu. + - gh-127257: In ssl, system call failures that OpenSSL + reports using ERR_LIB_SYS are now raised as OSError. + - gh-127096: Do not recreate unnamed section on every read in + configparser.ConfigParser. Patch by Andrey Efremov. + - gh-127196: Fix crash when dict with keys in invalid + encoding were passed to several functions in _interpreters + module. + - gh-126775: Make linecache.checkcache() thread safe and GC + re-entrancy safe. + - gh-126332: Fix _pyrepl crash when entering a double CTRL-Z + on an overflowing line. + - gh-126225: getopt and optparse are no longer marked as + deprecated. There are legitimate reasons to use one of + these modules in preference to argparse, and none of these + modules are at risk of being removed from the standard + library. Of the three, argparse remains the recommended + default choice, unless one of the concerns noted at the top + of the optparse module documentation applies. + - gh-125553: Fix round-trip invariance for backslash + continuations in tokenize.untokenize(). + - gh-123987: Fixed issue in NamespaceReader where a non-path + item in a namespace path, such as a sentinel added by an + editable installer, would break resource loading. + - gh-123401: The http.cookies module now supports parsing + obsolete RFC 850 date formats, in accordance with RFC 9110 + requirements. Patch by Nano Zheng. + - gh-122431: readline.append_history_file() now raises a + ValueError when given a negative value. + - gh-119257: Show tab completions menu below the current + line, which results in less janky behaviour, and fixes a + cursor movement bug. Patch by Daniel Hollas + - Documentation + - gh-125722: Require Sphinx 8.1.3 or later to build the + Python documentation. Patch by Adam Turner. 
+ - gh-67206: Document that string.printable is not + printable in the POSIX sense. In particular, + string.printable.isprintable() returns False. Patch by + Bénédikt Tran. + - Core and Builtins + - gh-129345: Fix null pointer dereference in syslog.openlog() + when an audit hook raises an exception. + - gh-129093: Fix f-strings such as f'{expr=}' sometimes not + displaying the full expression when the expression contains + !=. + - gh-124363: Treat debug expressions in f-string as raw + strings. Patch by Pablo Galindo + - gh-128799: Add frame of except* to traceback when it wraps + a naked exception. + - gh-128078: Fix a SystemError when using anext() with a + default tuple value. Patch by Bénédikt Tran. + - gh-128717: Fix a crash when setting the recursion limit + while other threads are active on the free threaded build. + - gh-128330: Restore terminal control characters on REPL + exit. + - gh-128079: Fix a bug where except* does not properly check + the return value of an ExceptionGroup’s split() function, + leading to a crash in some cases. Now when split() returns + an invalid object, except* raises a TypeError with the + original raised ExceptionGroup object chained to it. + - gh-128030: Avoid error from calling + PyModule_GetFilenameObject on a non-module object when + importing a non-existent symbol from a non-module object. + - gh-127903: Objects/unicodeobject.c: fix a crash on DEBUG + builds in _copy_characters when there is nothing to copy. + - gh-127599: Fix statistics for increments of object + reference counts (in particular, when a reference count was + increased by more than 1 in a single operation). + - gh-127651: When raising ImportError for missing symbols + in from imports, use __file__ in the error message if + __spec__.origin is not a location + - gh-127582: Fix non-thread-safe object resurrection when + calling finalizers and watcher callbacks in the free + threading build. 
+ - gh-127434: The iOS compiler shims can now accept arguments + with spaces. + - gh-127536: Add missing locks around some list assignment + operations in the free threading build. + - gh-126862: Fix a possible overflow when a class inherits + from an absurd number of super-classes. Reported by Valery + Fedorenko. Patch by Bénédikt Tran. + - gh-127349: Fixed the error when resizing terminal in Python + REPL. Patch by Semyon Moroz. + - gh-126076: Relocated objects such as tuple, bytes and + str objects are properly tracked by tracemalloc and its + associated hooks. Patch by Pablo Galindo. + - C API + - gh-127791: Fix loss of callbacks after more than one call + to PyUnstable_AtExit(). + - Build + - gh-129539: Don’t redefine EX_OK when the system has the + sysexits.h header. + - gh-128472: Skip BOLT optimization of functions using + computed gotos, fixing errors on build with LLVM 19. + - gh-123925: Fix building the curses module on platforms with + libncurses but without libncursesw. + - gh-128321: Set LIBS instead of LDFLAGS when checking if + sqlite3 library functions are available. This fixes the + ordering of linked libraries during checks, which was + incorrect when using a statically linked libsqlite3. + - gh-127865: Fix build failure on systems without + thread-locals support. +- Remove upstreamed patches: + - CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch + ------------------------------------------------------------------- Mon Jan 27 09:09:00 UTC 2025 - Daniel Garcia diff --git a/python313.spec b/python313.spec index fb445e3..9d4e19f 100644 --- a/python313.spec +++ b/python313.spec @@ -157,7 +157,7 @@ # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so Name: %{python_pkg_name}%{psuffix} -Version: 3.13.1 +Version: 3.13.2 %define tarversion %{version} %define tarname Python-%{tarversion} Release: 0 
@@ -214,9 +214,6 @@ Patch09: skip-test_pyobject_freed_is_freed.patch # PATCH-FIX-OPENSUSE fix-test-recursion-limit-15.6.patch gh#python/cpython#115083 # Skip some failing tests in test_compile for i586 arch in 15.6. Patch40: fix-test-recursion-limit-15.6.patch -# PATCH-FIX-UPSTREAM CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch bsc#1234290 mcepl@suse.com -# prevents exhaustion of memory -Patch41: CVE-2024-12254-unbound-mem-buffering-SelectorSocketTransport.writelines.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes