diff --git a/CVE-2024-6923-follow-up-EOL-email-headers.patch b/CVE-2024-6923-follow-up-EOL-email-headers.patch deleted file mode 100644 index 0491c18..0000000 --- a/CVE-2024-6923-follow-up-EOL-email-headers.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Fri, 23 Jan 2026 08:59:35 -0600 -Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator - (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Denis Ledoux -Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com> -Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com> -Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com> ---- - Lib/email/generator.py | 12 +++++++++- - Lib/test/test_email/test_generator.py | 4 ++- - Lib/test/test_email/test_policy.py | 6 ++++- - Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++ - 4 files changed, 23 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst - -Index: Python-3.14.2/Lib/email/generator.py -=================================================================== ---- Python-3.14.2.orig/Lib/email/generator.py 2026-01-28 22:15:51.075267925 +0100 -+++ Python-3.14.2/Lib/email/generator.py 2026-01-28 22:15:56.251194626 +0100 -@@ -22,6 +22,7 @@ - NLCRE = re.compile(r'\r\n|\r|\n') - fcre = re.compile(r'^From ', re.MULTILINE) - NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') -+NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') - - - class Generator: -@@ -429,7 +430,16 @@ - # This is almost the same as the string version, except for handling - # strings with 8bit bytes. - for h, v in msg.raw_items(): -- self._fp.write(self.policy.fold_binary(h, v)) -+ folded = self.policy.fold_binary(h, v) -+ if self.policy.verify_generated_headers: -+ linesep = self.policy.linesep.encode() -+ if not folded.endswith(linesep): -+ raise HeaderWriteError( -+ f'folded header does not end with {linesep!r}: {folded!r}') -+ if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)): -+ raise HeaderWriteError( -+ f'folded header contains newline: {folded!r}') -+ self._fp.write(folded) - # A blank line always separates headers from body - self.write(self._NL) - -Index: Python-3.14.2/Lib/test/test_email/test_generator.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/test_email/test_generator.py 2026-01-28 22:15:52.693627763 +0100 -+++ Python-3.14.2/Lib/test/test_email/test_generator.py 2026-01-28 22:15:56.251344799 +0100 -@@ -313,7 +313,7 @@ - self.assertEqual(s.getvalue(), self.typ(expected)) - - def test_verify_generated_headers(self): -- """gh-121650: by default the generator prevents header injection""" -+ # gh-121650: by default the generator prevents header injection - class LiteralHeader(str): - name = 'Header' - def fold(self, **kwargs): -@@ -334,6 +334,8 @@ - - with self.assertRaises(email.errors.HeaderWriteError): - message.as_string() -+ with self.assertRaises(email.errors.HeaderWriteError): -+ message.as_bytes() - - - class TestBytesGenerator(TestGeneratorBase, TestEmailBase): -Index: Python-3.14.2/Lib/test/test_email/test_policy.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/test_email/test_policy.py 2026-01-28 22:15:52.703671956 +0100 -+++ Python-3.14.2/Lib/test/test_email/test_policy.py 2026-01-28 22:15:56.251499922 +0100 -@@ -296,7 +296,7 @@ - policy.fold("Subject", subject) - - def test_verify_generated_headers(self): -- """Turning protection off allows header injection""" -+ # Turning protection off allows header injection - policy = email.policy.default.clone(verify_generated_headers=False) - for text in ( - 'Header: Value\r\nBad: Injection\r\n', -@@ -319,6 +319,10 @@ - message.as_string(), - f"{text}\nBody", - ) -+ self.assertEqual( -+ message.as_bytes(), -+ f"{text}\nBody".encode(), -+ ) - - # XXX: Need subclassing tests. - # For adding subclassed objects, make sure the usual rules apply (subclass -Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-01-28 22:15:56.251667056 +0100 -@@ -0,0 +1,4 @@ -+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers -+that are unsafely folded or delimited; see -+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas -+Bloemsaat and Petr Viktorin in :gh:`121650`). diff --git a/CVE-2025-11468-email-hdr-fold-comment.patch b/CVE-2025-11468-email-hdr-fold-comment.patch deleted file mode 100644 index e9b79e3..0000000 --- a/CVE-2025-11468-email-hdr-fold-comment.patch +++ /dev/null @@ -1,109 +0,0 @@ -From df45bd1aafc3b6792d43661207d2b7eb3a14d214 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Mon, 19 Jan 2026 06:38:22 -0600 -Subject: [PATCH] gh-143935: Email preserve parens when folding comments - (GH-143936) - -Fix a bug in the folding of comments when flattening an email message -using a modern email policy. Comments consisting of a very long sequence of -non-foldable characters could trigger a forced line wrap that omitted the -required leading space on the continuation line, causing the remainder of -the comment to be interpreted as a new header field. This enabled header -injection with carefully crafted inputs. -(cherry picked from commit 17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Denis Ledoux ---- - Lib/email/_header_value_parser.py | 15 +++++++++++- - .../test_email/test__header_value_parser.py | 23 +++++++++++++++++++ - ...-01-16-14-40-31.gh-issue-143935.U2YtKl.rst | 6 +++++ - 3 files changed, 43 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst - -diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py -index 68c2cf9585c5b4..51727688c059ed 100644 ---- a/Lib/email/_header_value_parser.py -+++ b/Lib/email/_header_value_parser.py -@@ -101,6 +101,12 @@ def make_quoted_pairs(value): - return str(value).replace('\\', '\\\\').replace('"', '\\"') - - -+def make_parenthesis_pairs(value): -+ """Escape parenthesis and backslash for use within a comment.""" -+ return str(value).replace('\\', '\\\\') \ -+ .replace('(', '\\(').replace(')', '\\)') -+ -+ - def quote_string(value): - escaped = make_quoted_pairs(value) - return f'"{escaped}"' -@@ -939,7 +945,7 @@ def value(self): - return ' ' - - def startswith_fws(self): -- return True -+ return self and self[0] in WSP - - - class ValueTerminal(Terminal): -@@ -2959,6 +2965,13 @@ def _refold_parse_tree(parse_tree, *, policy): - [ValueTerminal(make_quoted_pairs(p), 'ptext') - for p in newparts] + - [ValueTerminal('"', 'ptext')]) -+ if part.token_type == 'comment': -+ newparts = ( -+ [ValueTerminal('(', 'ptext')] + -+ [ValueTerminal(make_parenthesis_pairs(p), 'ptext') -+ if p.token_type == 'ptext' else p -+ for p in newparts] + -+ [ValueTerminal(')', 'ptext')]) - if not part.as_ew_allowed: - wrap_as_ew_blocked += 1 - newparts.append(end_ew_not_allowed) -diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py -index 426ec4644e3096..e28fe3892015b9 100644 ---- a/Lib/test/test_email/test__header_value_parser.py -+++ b/Lib/test/test_email/test__header_value_parser.py -@@ -3294,6 +3294,29 @@ def test_address_list_with_specials_in_long_quoted_string(self): - with self.subTest(to=to): - self._test(parser.get_address_list(to)[0], folded, policy=policy) - -+ def test_address_list_with_long_unwrapable_comment(self): -+ policy = self.policy.clone(max_line_length=40) -+ cases = [ -+ # (to, folded) -+ ('(loremipsumdolorsitametconsecteturadipi)', -+ '(loremipsumdolorsitametconsecteturadipi)\n'), -+ ('(loremipsumdolorsitametconsecteturadipi)', -+ '(loremipsumdolorsitametconsecteturadipi)\n'), -+ ('(loremipsum dolorsitametconsecteturadipi)', -+ '(loremipsum dolorsitametconsecteturadipi)\n'), -+ ('(loremipsum dolorsitametconsecteturadipi)', -+ '(loremipsum\n dolorsitametconsecteturadipi)\n'), -+ ('(Escaped \\( \\) chars \\\\ in comments stay escaped)', -+ '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)\n'), -+ ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))', -+ '((loremipsum)(loremipsum)(loremipsum)(loremipsum))\n'), -+ ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))', -+ '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))\n'), -+ ] -+ for (to, folded) in cases: -+ with self.subTest(to=to): -+ self._test(parser.get_address_list(to)[0], folded, policy=policy) -+ - # XXX Need tests with comments on various sides of a unicode token, - # and with unicode tokens in the comments. Spaces inside the quotes - # currently don't do the right thing. -diff --git a/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst -new file mode 100644 -index 00000000000000..c3d864936884ac ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst -@@ -0,0 +1,6 @@ -+Fixed a bug in the folding of comments when flattening an email message -+using a modern email policy. Comments consisting of a very long sequence of -+non-foldable characters could trigger a forced line wrap that omitted the -+required leading space on the continuation line, causing the remainder of -+the comment to be interpreted as a new header field. This enabled header -+injection with carefully crafted inputs. diff --git a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch b/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch deleted file mode 100644 index 76351cc..0000000 --- a/CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch +++ /dev/null @@ -1,209 +0,0 @@ -From 2bb0ca857e7d2593da6f6936187465a49a63c2d5 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Tue, 20 Jan 2026 15:23:42 -0600 -Subject: [PATCH] gh-143919: Reject control characters in http cookies (cherry - picked from commit 95746b3a13a985787ef53b977129041971ed7f70) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-authored-by: Seth Michael Larson -Co-authored-by: Bartosz Sławecki -Co-authored-by: sobolevn ---- - Doc/library/http.cookies.rst | 4 - Lib/http/cookies.py | 25 ++++ - Lib/test/support/__init__.py | 10 + - Lib/test/test_http_cookies.py | 52 +++++++++- - Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1 - 5 files changed, 82 insertions(+), 10 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst - -Index: Python-3.14.2/Doc/library/http.cookies.rst -=================================================================== ---- Python-3.14.2.orig/Doc/library/http.cookies.rst 2025-12-05 17:49:16.000000000 +0100 -+++ Python-3.14.2/Doc/library/http.cookies.rst 2026-01-30 14:25:26.265077841 +0100 -@@ -292,9 +292,9 @@ - Set-Cookie: chips=ahoy - Set-Cookie: vienna=finger - >>> C = cookies.SimpleCookie() -- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";') -+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";') - >>> print(C) -- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;" -+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;" - >>> C = cookies.SimpleCookie() - >>> C["oreo"] = "doublestuff" - >>> C["oreo"]["path"] = "/" -Index: Python-3.14.2/Lib/http/cookies.py -=================================================================== ---- Python-3.14.2.orig/Lib/http/cookies.py 2026-01-30 14:25:21.316524119 +0100 -+++ Python-3.14.2/Lib/http/cookies.py 2026-01-30 14:25:26.265560727 +0100 -@@ -87,9 +87,9 @@ - such trickeries do not confuse it. - - >>> C = cookies.SimpleCookie() -- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";') -+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";') - >>> print(C) -- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;" -+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;" - - Each element of the Cookie also supports all of the RFC 2109 - Cookie attributes. Here's an example which sets the Path -@@ -170,6 +170,15 @@ - }) - - _is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch -+_control_character_re = re.compile(r'[\x00-\x1F\x7F]') -+ -+ -+def _has_control_character(*val): -+ """Detects control characters within a value. -+ Supports any type, as header values can be any type. -+ """ -+ return any(_control_character_re.search(str(v)) for v in val) -+ - - def _quote(str): - r"""Quote a string for use in a cookie header. -@@ -294,12 +303,16 @@ - K = K.lower() - if not K in self._reserved: - raise CookieError("Invalid attribute %r" % (K,)) -+ if _has_control_character(K, V): -+ raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}") - dict.__setitem__(self, K, V) - - def setdefault(self, key, val=None): - key = key.lower() - if key not in self._reserved: - raise CookieError("Invalid attribute %r" % (key,)) -+ if _has_control_character(key, val): -+ raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,)) - return dict.setdefault(self, key, val) - - def __eq__(self, morsel): -@@ -335,6 +348,9 @@ - raise CookieError('Attempt to set a reserved key %r' % (key,)) - if not _is_legal_key(key): - raise CookieError('Illegal key %r' % (key,)) -+ if _has_control_character(key, val, coded_val): -+ raise CookieError( -+ "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,)) - - # It's a good key, so save it. - self._key = key -@@ -488,7 +504,10 @@ - result = [] - items = sorted(self.items()) - for key, value in items: -- result.append(value.output(attrs, header)) -+ value_output = value.output(attrs, header) -+ if _has_control_character(value_output): -+ raise CookieError("Control characters are not allowed in cookies") -+ result.append(value_output) - return sep.join(result) - - __str__ = output -Index: Python-3.14.2/Lib/test/support/__init__.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/support/__init__.py 2026-01-30 14:25:22.035209804 +0100 -+++ Python-3.14.2/Lib/test/support/__init__.py 2026-01-30 14:26:31.354376277 +0100 -@@ -68,7 +68,8 @@ - "BrokenIter", - "in_systemd_nspawn_sync_suppressed", - "run_no_yield_async_fn", "run_yielding_async_fn", "async_yield", -- "reset_code", "on_github_actions" -+ "reset_code", "on_github_actions", -+ "control_characters_c0", - ] - - -@@ -3185,3 +3186,10 @@ - return _linked_to_musl - _linked_to_musl = tuple(map(int, version.split('.'))) - return _linked_to_musl -+ -+ -+def control_characters_c0() -> list[str]: -+ """Returns a list of C0 control characters as strings. -+ C0 control characters defined as the byte range 0x00-0x1F, and 0x7F. -+ """ -+ return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"] -Index: Python-3.14.2/Lib/test/test_http_cookies.py -=================================================================== ---- Python-3.14.2.orig/Lib/test/test_http_cookies.py 2026-01-30 14:25:22.919203244 +0100 -+++ Python-3.14.2/Lib/test/test_http_cookies.py 2026-01-30 14:25:26.265943668 +0100 -@@ -17,10 +17,10 @@ - 'repr': "", - 'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'}, - -- {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"', -- 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'}, -- 'repr': '''''', -- 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'}, -+ {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"', -+ 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'}, -+ 'repr': '''''', -+ 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'}, - - # Check illegal cookies that have an '=' char in an unquoted value - {'data': 'keebler=E=mc2', -@@ -571,6 +571,50 @@ - r'Set-Cookie: key=coded_val; ' - r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+') - -+ def test_control_characters(self): -+ for c0 in support.control_characters_c0(): -+ morsel = cookies.Morsel() -+ -+ # .__setitem__() -+ with self.assertRaises(cookies.CookieError): -+ morsel[c0] = "val" -+ with self.assertRaises(cookies.CookieError): -+ morsel["path"] = c0 -+ -+ # .setdefault() -+ with self.assertRaises(cookies.CookieError): -+ morsel.setdefault("path", c0) -+ with self.assertRaises(cookies.CookieError): -+ morsel.setdefault(c0, "val") -+ -+ # .set() -+ with self.assertRaises(cookies.CookieError): -+ morsel.set(c0, "val", "coded-value") -+ with self.assertRaises(cookies.CookieError): -+ morsel.set("path", c0, "coded-value") -+ with self.assertRaises(cookies.CookieError): -+ morsel.set("path", "val", c0) -+ -+ def test_control_characters_output(self): -+ # Tests that even if the internals of Morsel are modified -+ # that a call to .output() has control character safeguards. -+ for c0 in support.control_characters_c0(): -+ morsel = cookies.Morsel() -+ morsel.set("key", "value", "coded-value") -+ morsel._key = c0 # Override private variable. -+ cookie = cookies.SimpleCookie() -+ cookie["cookie"] = morsel -+ with self.assertRaises(cookies.CookieError): -+ cookie.output() -+ -+ morsel = cookies.Morsel() -+ morsel.set("key", "value", "coded-value") -+ morsel._coded_value = c0 # Override private variable. -+ cookie = cookies.SimpleCookie() -+ cookie["cookie"] = morsel -+ with self.assertRaises(cookies.CookieError): -+ cookie.output() -+ - - def load_tests(loader, tests, pattern): - tests.addTest(doctest.DocTestSuite(cookies)) -Index: Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.2/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-30 14:25:26.266224501 +0100 -@@ -0,0 +1 @@ -+Reject control characters in :class:`http.cookies.Morsel` fields and values. diff --git a/Python-3.14.2.tar.xz b/Python-3.14.2.tar.xz deleted file mode 100644 index 3b03ed3..0000000 --- a/Python-3.14.2.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ce543ab854bc256b61b71e9b27f831ffd1bfd60a479d639f8be7f9757cf573e9 -size 23566248 diff --git a/Python-3.14.2.tar.xz.sigstore b/Python-3.14.2.tar.xz.sigstore deleted file mode 100644 index 5c9cd40..0000000 --- a/Python-3.14.2.tar.xz.sigstore +++ /dev/null @@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUDsC7oWnW0l9pHr41nnkmS1oOYd4wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUxMjA1MjAwMTUzWhcNMjUxMjA1MjAxMTUzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZEAAJg3xeYECyl7becytac2kIE1oFgQuGjrjBzXQG27d8TeQqTZtRdL5oZOCZt1y/DDoBfdbWul1CPovG+7z2aOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUl4K9C9akjTSm/al0xnJmeooQq/kwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABmvAbUOYAAAQDAEcwRQIgRbXsQrWV8kdhD5tMMwX5Iy2LWWHxil6V5J/mXp+/9/gCIQCwBHKBpWN3SR6/TLPr7oZCZYQB+z5q8lVqybvZSaLS4TAKBggqhkjOPQQDAwNoADBlAjBL6XGjsOPP/N74Rcw3v7CCoe23bfyE18w/XdxmJAsj9Xr6pRdpcRuEytFeLdZWIqICMQDJL2czjBTiWUkqrLq31Cvp+fQhuGSp9IZsVbTo+j6tSzfa1dwu0sy2kjBtlcRbYVs="}, "tlogEntries": [{"logIndex": "743606302", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1764964913", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFnGvsHdMeYy8nrwtVTdv/PaR1aTDwf9Yrv2GjdsNsw+AiAR2o0BrjcFe8TjxbWreTwZ/Kt3zeGSi15x+znz2Ocr9g=="}, "inclusionProof": {"logIndex": "621702040", "rootHash": "dVHtSx74n1EVKTr8ZkEoUDJHV2piMrM5Jyo3x2f8GEU=", "treeSize": "621702042", "hashes": ["Kn+73i6MNIgHE1cdeyArBBdDm+sBwxxKKBO/Y8hPFik=", "21huZMFAhYUSB3tH7/d0+H+OjdndnWoE53mHoRBShZo=", "t3/3NnomBwpQQ/dit38qL8n8ICrN1dqZtiqcYM17fxU=", "e5OOoHIJrUS+lsIZNNLgCqLnU7fsgOINTlSFPPMOK+4=", "ETAkx6N//tEwnhFB+hjwavO9F2M4JBBCbK+W/kZLg0Q=", "mamQezujujSnmKn/0+ueS2xlFZCYg0G6tTjNZ1ezFH0=", "KY+mZ6XMnzG1xo3I/kVu9Uw9DK3UKfa4PXt7i4ElYpQ=", "IaVIX1Ns+gb7uyNW1PFOI2Eko8sf6VyOvY+1txNb27I=", "NTzWPyfxc1IPzv49Nng3yy1Ri5Y94teOI4RQNzzPwik=", "NxaZXwQFBXq44JqVMKZx4KkC0y7CIoG4GsV3H+ntf6w=", "YYvp7Leoq6lF3zEs+Bux7BQt/UrxFbOOJAwVroBevek=", "pQtmpjszxrel2u+2I5HrLBwlwvhc19nfAUsa5EHZAe4=", "0jEq6eagxqoSOor9OR//fY6uOsPzLaE1q1n9tZRzfSc=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n621702042\ndVHtSx74n1EVKTr8ZkEoUDJHV2piMrM5Jyo3x2f8GEU=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiBERVmx1IGpoQwrsH/RebrgT8NR5mfKLcAa+Mr2DM8VuwIgYHEm0SHrV47gTZwUWt6Ck5Tk3SR6JNQgUCbIntbUQyc=\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjZTU0M2FiODU0YmMyNTZiNjFiNzFlOWIyN2Y4MzFmZmQxYmZkNjBhNDc5ZDYzOWY4YmU3Zjk3NTdjZjU3M2U5In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNnZFNxNGV0K0J5OTRMS2o1Zyt6MHlTcnlwbW03KzliQlBsVS8vNlVlYmJBSWdZSWFTUG5NSGp2a2wvMFMyTGFJU0lFZmZueVVSKzJsYWRZT21ZdnhNNFVJPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4VFowRjNTVUpCWjBsVlJITkROMjlYYmxjd2JEbHdTSEkwTVc1dWEyMVRNVzlQV1dRMGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFxUVRGTmFrRjNUVlJWZWxkb1kwNU5hbFY0VFdwQk1VMXFRWGhOVkZWNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZhUlVGQlNtY3plR1ZaUlVONWJEZGlaV041ZEdGak1tdEpSVEZ2Um1kUmRVZHFjbW9LUW5wWVVVY3lOMlE0VkdWUmNWUmFkRkprVERWdldrOURXblF4ZVM5RVJHOUNabVJpVjNWc01VTlFiM1pIS3pkNk1tRlBRMEZZVFhkblowWjJUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZzTkVzNUNrTTVZV3RxVkZOdEwyRnNNSGh1U20xbGIyOVJjUzlyZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVdkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpnS1FraHZRV1ZCUWpKQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnRka0ZpVlU5WlFRcEJRVkZFUVVWamQxSlJTV2RTWWxoelVYSlhWamhyWkdoRU5YUk5UWGRZTlVsNU1reFhWMGg0YVd3MlZqVktMMjFZY0Nzdk9TOW5RMGxSUTNkQ1NFdENDbkJYVGpOVFVqWXZWRXhRY2pkdldrTmFXVkZDSzNvMWNUaHNWbkY1WW5aYVUyRk1VelJVUVV0Q1oyZHhhR3RxVDFCUlVVUkJkMDV2UVVSQ2JFRnFRa3dLTmxoSGFuTlBVRkF2VGpjMFVtTjNNM1kzUTBOdlpUSXpZbVo1UlRFNGR5OVlaSGh0U2tGemFqbFljalp3VW1Sd1kxSjFSWGwwUm1WTVpGcFhTWEZKUXdwTlVVUktUREpqZW1wQ1ZHbFhWV3R4Y2t4eE16RkRkbkFyWmxGb2RVZFRjRGxKV25OV1lsUnZLMm8yZEZONlptRXhaSGQxTUhONU1tdHFRblJzWTFKaUNsbFdjejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "zlQ6uFS8JWthtx6bJ/gx/9G/1gpHnWOfi+f5dXz1c+k="}, "signature": "MEUCIQCgdSq4et+By94LKj5g+z0ySrypmm7+9bBPlU//6UebbAIgYIaSPnMHjvkl/0S2LaISIEffnyUR+2ladYOmYvxM4UI="}} diff --git a/Python-3.14.3.tar.xz b/Python-3.14.3.tar.xz new file mode 100644 index 0000000..4a73558 --- /dev/null +++ b/Python-3.14.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a97d5549e9ad81fe17159ed02c68774ad5d266c72f8d9a0b5a9c371fe85d902b +size 23778568 diff --git a/Python-3.14.3.tar.xz.sigstore b/Python-3.14.3.tar.xz.sigstore new file mode 100644 index 0000000..615fe1b --- /dev/null +++ b/Python-3.14.3.tar.xz.sigstore @@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzzCCAlSgAwIBAgIUBx87ORotwES9Tr9/5NZTngeQhtUwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjYwMjAzMTgyOTIwWhcNMjYwMjAzMTgzOTIwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEw1f5ikJaSUOwVvytG3fHa2lOz7WjZ19hYmJshJl5Ila9TjVqJCTCJF7KNYRkz9b9N6eZXeukwF8PKBZIS4TzoaOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU20u9xd3ZaH6WWnir8qLg+cbGJNowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPaHVnb0BweXRob24ub3JnMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABnCTEJRMAAAQDAEcwRQIhAJI6KotoJjZIkucqFuGRaEJTgXyeS2lhlXH0gpvbwnA8AiAL5zIOhGAfKfm81Qv7VX6sAILt+RaFQneJNxUYis/zwzAKBggqhkjOPQQDAwNpADBmAjEA1EiYSJkPzBo30auPquS4i4aS28iJQ5ZjMn0MYFswmwoC7Uo9H3n/c1DcsEnzBzaKAjEA8ySQOh4FRmbxIWYWb5KLlJUplny3HyGYi1URxV7hsa+lNgEaO5o3LV/BbB5lnO4s"}, "tlogEntries": [{"logIndex": "908836744", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1770143360", "inclusionPromise": {"signedEntryTimestamp": "MEYCIQDvK2No1zzRFayBeyzvA42BK6xuXOlV6KMe66YHqPGpyQIhAIgzTnzAjblnl+WzNN7oH2DK/qj4pl9JaBLNHPQrOQrI"}, "inclusionProof": {"logIndex": "786932482", "rootHash": "dGVFvc1oLbLyJiHnFEycV208nQJKUBJwroHzkkEqIIo=", "treeSize": "786932485", "hashes": ["h2AO7cQ01eF2B8CkF2PIO4su+qg6eQB2J/Ig0br85HA=", "O3EIEcvyyn5ZYNiBc8YSrN/mREv4Poj9WCpv8jE/oyI=", "IpLe03oVtHPl1LgYBblTCahhLhs6wFvzdlGZgJzQ1uk=", "go/Nm4TUqqeO6DxsYqK/L32zREpElrXy7C2euZySNzg=", "L2xrC73coSdSyPb0X33W6SDKVMxsk74ZnFRJINpON8I=", "fRNx1tBqRqL5Yibyg7EjJbHuiShPUD+wS5BZPO9nBEM=", "QdVJN4pI2za6IrM4/I4o9aeZMiXnx7faJSZQMhMmtU8=", "sCWg+jViEKkz6QEEx56tYG4vykLu2WiALyfOcM96toQ=", "AAtQsmfrXzumS5rosvNxszWd2XG1lRck4WtRuwVAiU8=", "bGXXJ36FovKuLHu/UAyDMaXYRCr5fKcrc9rlbjQ7HDs=", "iEKYdHrZdRVr6DbpjA8Lcwmot+QZOoeZ1BAEuu/Bvro=", "RBHg3kfW74vkatMSjoUEMZxs4pXkX6y3f906Fc2Yc0Y=", "YEPMagC4YFWQMmrwdZHLOWJudK6RRRuGHVQ8/uADabI=", "yeCWAa93hha1YBKuFn93zBzKbqQW3tYHrgkSp5U7ndU=", "4O6YxKguFZGEr7Xsa3hqNAN2Qq7uVVat/IV4masT570=", "F9MSQ5SmoFr+hoADclpdFY52/TLfHDnNPYb9ZNYO5gI=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n786932485\ndGVFvc1oLbLyJiHnFEycV208nQJKUBJwroHzkkEqIIo=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiAif/bJOkEHuQeaIivryOmrr7YAKYb3T2xrD88l009VuQIhANUlyrkF5XOL10+83p09JViRO8CzJmGsjKL6OMXbObWE\n"}}, "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJhOTdkNTU0OWU5YWQ4MWZlMTcxNTllZDAyYzY4Nzc0YWQ1ZDI2NmM3MmY4ZDlhMGI1YTljMzcxZmU4NWQ5MDJiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJRkNjcW9UaGdhUnhWSGpqd3hsaHVxNWJOSTFicHJxRlhwSkM5dGVsNGNHOEFpQkhzQmUzeFhHU0hvbVFrc25FOWVVVSs5bHlQR3lhRUlqcGllaUxVSzVER2c9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZla05EUVd4VFowRjNTVUpCWjBsVlFuZzROMDlTYjNSM1JWTTVWSEk1THpWT1dsUnVaMlZSYUhSVmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFpkMDFxUVhwTlZHZDVUMVJKZDFkb1kwNU5hbGwzVFdwQmVrMVVaM3BQVkVsM1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVYzTVdZMWFXdEtZVk5WVDNkV2RubDBSek5tU0dFeWJFOTZOMWRxV2pFNWFGbHRTbk1LYUVwc05VbHNZVGxVYWxaeFNrTlVRMHBHTjB0T1dWSnJlamxpT1U0MlpWcFlaWFZyZDBZNFVFdENXa2xUTkZSNmIyRlBRMEZZVFhkblowWjJUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV5TUhVNUNuaGtNMXBoU0RaWFYyNXBjamh4VEdjclkySkhTazV2ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVdkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpnS1FraHZRV1ZCUWpKQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnVRMVJGU2xKTlFRcEJRVkZFUVVWamQxSlJTV2hCU2trMlMyOTBiMHBxV2tscmRXTnhSblZIVW1GRlNsUm5XSGxsVXpKc2FHeFlTREJuY0haaWQyNUJPRUZwUVV3MWVrbFBDbWhIUVdaTFptMDRNVkYyTjFaWU5uTkJTVXgwSzFKaFJsRnVaVXBPZUZWWmFYTXZlbmQ2UVV0Q1oyZHhhR3RxVDFCUlVVUkJkMDV3UVVSQ2JVRnFSVUVLTVVWcFdWTkthMUI2UW04ek1HRjFVSEYxVXpScE5HRlRNamhwU2xFMVdtcE5iakJOV1VaemQyMTNiME0zVlc4NVNETnVMMk14UkdOelJXNTZRbnBoU3dwQmFrVkJPSGxUVVU5b05FWlNiV0o0U1ZkWlYySTFTMHhzU2xWd2JHNTVNMGg1UjFscE1WVlNlRlkzYUhOaEsyeE9aMFZoVHpWdk0weFdMMEppUWpWc0NtNVBOSE1LTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "qX1VSemtgf4XFZ7QLGh3StXSZscvjZoLWpw3H+hdkCs="}, "signature": "MEQCIFCcqoThgaRxVHjjwxlhuq5bNI1bprqFXpJC9tel4cG8AiBHsBe3xXGSHomQksnE9eUU+9lyPGyaEIjpieiLUK5DGg=="}} diff --git a/gh138131-exclude-pycache-from-digest.patch b/gh138131-exclude-pycache-from-digest.patch deleted file mode 100644 index c5e371d..0000000 --- a/gh138131-exclude-pycache-from-digest.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 4bb41b28d5bac09bccd636d8c5fefe1a462f63a7 Mon Sep 17 00:00:00 2001 -From: Alm -Date: Mon, 25 Aug 2025 08:56:38 +0300 -Subject: [PATCH 1/4] Exclude .pyc files from the computed digest in the jit - stencils - ---- - Tools/jit/_targets.py | 3 +++ - 1 file changed, 3 insertions(+) - -Index: Python-3.14.0rc2/Tools/jit/_targets.py -=================================================================== ---- Python-3.14.0rc2.orig/Tools/jit/_targets.py -+++ Python-3.14.0rc2/Tools/jit/_targets.py -@@ -69,6 +69,9 @@ class _Target(typing.Generic[_S, _R]): - hasher.update(PYTHON_EXECUTOR_CASES_C_H.read_bytes()) - hasher.update((self.pyconfig_dir / "pyconfig.h").read_bytes()) - for dirpath, _, filenames in sorted(os.walk(TOOLS_JIT)): -+ # Exclude cache files from digest computation to ensure reproducible builds. -+ if dirpath.endswith("__pycache__"): -+ continue - for filename in filenames: - hasher.update(pathlib.Path(dirpath, filename).read_bytes()) - return hasher.hexdigest() -Index: Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst -=================================================================== ---- /dev/null -+++ Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst -@@ -0,0 +1 @@ -+Ensure reproducible builds by making JIT stencil header generation deterministic. diff --git a/gh139257-Support-docutils-0.22.patch b/gh139257-Support-docutils-0.22.patch index fa52df3..031a094 100644 --- a/gh139257-Support-docutils-0.22.patch +++ b/gh139257-Support-docutils-0.22.patch @@ -7,10 +7,10 @@ Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22 Doc/tools/extensions/pyspecific.py | 68 +++++++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 22 deletions(-) -Index: Python-3.14.2/Doc/tools/extensions/pyspecific.py +Index: Python-3.14.3/Doc/tools/extensions/pyspecific.py =================================================================== ---- Python-3.14.2.orig/Doc/tools/extensions/pyspecific.py 2025-12-05 17:49:16.000000000 +0100 -+++ Python-3.14.2/Doc/tools/extensions/pyspecific.py 2025-12-11 18:15:44.936875242 +0100 +--- Python-3.14.3.orig/Doc/tools/extensions/pyspecific.py 2026-02-03 16:32:20.000000000 +0100 ++++ Python-3.14.3/Doc/tools/extensions/pyspecific.py 2026-02-05 16:01:45.363997744 +0100 @@ -1,12 +1,12 @@ # -*- coding: utf-8 -*- """ diff --git a/python314.changes b/python314.changes index f1a954a..212899c 100644 --- a/python314.changes +++ b/python314.changes @@ -1,3 +1,363 @@ +------------------------------------------------------------------- +Thu Feb 5 12:57:09 UTC 2026 - Matej Cepl + +- Update to 3.14.3: + - Tools/Demos + - gh-142095: Make gdb ‘py-bt’ command use frame from thread + local state when available. Patch by Sam Gross and Victor + Stinner. + - Tests + - gh-144415: The Android testbed now distinguishes between + stdout/stderr messages which were triggered by a newline, + and those triggered by a manual call to flush. This fixes + logging of progress indicators and similar content. + - gh-143460: Skip tests relying on infinite recusion if stack + size is unlimited. + - gh-65784: Add support for parametrized resource wantobjects + in regrtests, which allows to run Tkinter tests with the + specified value of tkinter.wantobjects, for example -u + wantobjects=0. + - gh-143553: Add support for parametrized resources, such as + -u xpickle=2.7. + - gh-142836: Accommodated Solaris in + test_pdb.test_script_target_anonymous_pipe. + - bpo-31391: Forward-port test_xpickle from Python 2 to + Python 3 and add the resource back to test’s command line. + - Security + - gh-144125: BytesGenerator will now refuse to serialize + (write) headers that are unsafely folded or delimited; see + verify_generated_headers. (Contributed by Bas Bloemsaat and + Petr Viktorin in gh-121650). + - gh-143935: Fixed a bug in the folding of comments when + flattening an email message using a modern email policy. + Comments consisting of a very long sequence of non-foldable + characters could trigger a forced line wrap that omitted + the required leading space on the continuation line, + causing the remainder of the comment to be interpreted as + a new header field. This enabled header injection with + carefully crafted inputs (bsc#1257029, CVE-2025-11468). + - gh-143925: Reject control characters in data: URL media + types. + - gh-143919: Reject control characters in http.cookies.Morsel + fields and values (bsc#1257031, CVE-2026-0672). + - gh-143916: Reject C0 control characters within + wsgiref.headers.Headers fields, values, and parameters. + - Library + - gh-144380: Improve performance of io.BufferedReader line + iteration by ~49%. + - gh-144169: Fix three crashes when non-string keyword + arguments are supplied to objects in the ast module. + - gh-144100: Fixed a crash in ctypes when using a deprecated + POINTER(str) type in argtypes. Instead of aborting, ctypes + now raises a proper Python exception when the pointer + target type is unresolved. + - gh-144050: Fix stat.filemode() in the pure-Python + implementation to avoid misclassifying invalid mode values + as block devices. + - gh-144023: Fixed validation of file descriptor 0 in posix + functions when used with follow_symlinks parameter. + - gh-143999: Fix an issue where inspect.getgeneratorstate() + and inspect.getcoroutinestate() could fail for generators + wrapped by types.coroutine() in the suspended state. + - gh-143831: annotationlib.ForwardRef objects are now + hashable when created from annotation scopes with closures. + Previously, hashing such objects would throw an exception. + Patch by Bartosz Sławecki. + - gh-143874: Fixed a bug in pdb where expression results were + not sent back to remote client. + - gh-143880: Fix data race in functools.partial() in the free + threading build. + - gh-143706: Fix multiprocessing forkserver so that sys.argv + is correctly set before __main__ is preloaded. Previously, + sys.argv was empty during main module import in forkserver + child processes. This fixes a regression introduced in + 3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test + provided by Thomas Watson, thanks! + - gh-143638: Forbid reentrant calls of the pickle.Pickler and + pickle.Unpickler methods for the C implementation. + Previously, this could cause crash or data corruption, now + concurrent calls of methods of the same object raise + RuntimeError. + - gh-78724: Raise RuntimeError’s when user attempts to call + methods on half-initialized Struct objects, For example, + created by Struct.__new__(Struct). Patch by Sergey + B Kirpichev. + - gh-143196: Fix crash when the internal encoder object + returned by undocumented function + json.encoder.c_make_encoder() was called with non-zero + second (_current_indent_level) argument. + - gh-143191: _thread.stack_size() now raises ValueError if + the stack size is too small. Patch by Victor Stinner. + - gh-143602: Fix a inconsistency issue in write() that leads + to unexpected buffer overwrite by deduplicating the buffer + exports. + - gh-143547: Fix sys.unraisablehook() when the hook raises an + exception and changes sys.unraisablehook(): hold a strong + reference to the old hook. Patch by Victor Stinner. + - gh-143517: annotationlib.get_annotations() no longer raises + a SyntaxError when evaluating a stringified starred + annotation that starts with one or more whitespace + characters followed by a *. Patch by Bartosz Sławecki. + - gh-143378: Fix use-after-free crashes when a BytesIO object + is concurrently mutated during write() or writelines(). + - gh-143346: Fix incorrect wrapping of the Base64 data in + plistlib._PlistWriter when the indent contains a mix of + tabs and spaces. + - gh-143310: tkinter: fix a crash when a Python list is + mutated during the conversion to a Tcl object (e.g., when + setting a Tcl variable). Patch by Bénédikt Tran. + - gh-143309: Fix a crash in os.execve() on non-Windows + platforms when given a custom environment mapping which is + then mutated during parsing. Patch by Bénédikt Tran. + - gh-143308: pickle: fix use-after-free crashes when + a PickleBuffer is concurrently mutated by a custom buffer + callback during pickling. Patch by Bénédikt Tran and Aaron + Wieczorek. + - gh-143237: Fix support of named pipes in the rotating + logging handlers. + - gh-143249: Fix possible buffer leaks in Windows overlapped + I/O on error handling. + - gh-143241: zoneinfo: fix infinite loop in + ZoneInfo.from_file when parsing a malformed TZif file. + Patch by Fatih Celik. + - gh-142830: sqlite3: fix use-after-free crashes when the + connection’s callbacks are mutated during a callback + execution. Patch by Bénédikt Tran. + - gh-143200: xml.etree.ElementTree: fix use-after-free + crashes in __getitem__() and __setitem__() methods of + Element when the element is concurrently mutated. Patch by + Bénédikt Tran. + - gh-142195: Updated timeout evaluation logic in subprocess + to be compatible with deterministic environments like + Shadow where time moves exactly as requested. + - gh-142164: Fix the ctypes bitfield overflow error message + to report the correct offset and size calculation. + - gh-143145: Fixed a possible reference leak in ctypes when + constructing results with multiple output parameters on + error. + - gh-122431: Corrected the error message in + readline.append_history_file() to state that nelements must + be non-negative instead of positive. + - gh-143004: Fix a potential use-after-free in + collections.Counter.update() when user code mutates the + Counter during an update. + - gh-143046: The asyncio REPL no longer prints copyright and + version messages in the quiet mode (-q). Patch by Bartosz + Sławecki. + - gh-140648: The asyncio REPL now respects the -I flag + (isolated mode). Previously, it would load and execute + PYTHONSTARTUP even if the flag was set. Contributed by + Bartosz Sławecki. + - gh-142991: Fixed socket operations such as recvfrom() and + sendto() for FreeBSD divert(4) socket. + - gh-143010: Fixed a bug in mailbox where the precise timing + of an external event could result in the library opening an + existing file instead of a file it expected to create. + - gh-142881: Fix concurrent and reentrant call of + atexit.unregister(). + - gh-112127: Fix possible use-after-free in + atexit.unregister() when the callback is unregistered + during comparison. + - gh-142783: Fix zoneinfo use-after-free with descriptor + _weak_cache. a descriptor as _weak_cache could cause + crashes during object creation. The fix ensures proper + reference counting for descriptor-provided objects. + - gh-142754: Add the ownerDocument attribute to + xml.dom.minidom elements and attributes created by directly + instantiating the Element or Attr class. Note that this way + of creating nodes is not supported; creator functions like + xml.dom.Document.documentElement() should be used instead. + - gh-142784: The asyncio REPL now properly closes the loop + upon the end of interactive session. Previously, it could + cause surprising warnings. Contributed by Bartosz Sławecki. + - gh-142555: array: fix a crash in a[i] = v when converting + i to an index via i.__index__ or i.__float__ mutates the + array. + - gh-142594: Fix crash in TextIOWrapper.close() when the + underlying buffer’s closed property calls detach(). + - gh-142451: hmac: Ensure that the HMAC.block_size attribute + is correctly copied by HMAC.copy. Patch by Bénédikt Tran. + - gh-142495: collections.defaultdict now prioritizes + __setitem__() when inserting default values from + default_factory. This prevents race conditions where + a default value would overwrite a value set before + default_factory returns. + - gh-142651: unittest.mock: fix a thread safety issue where + Mock.call_count may return inaccurate values when the mock + is called concurrently from multiple threads. + - gh-142595: Added type check during initialization of the + decimal module to prevent a crash in case of broken stdlib. + Patch by Sergey B Kirpichev. + - gh-142556: Fix crash when a task gets re-registered during + finalization in asyncio. Patch by Kumar Aditya. + - gh-123241: Avoid reference count operations in garbage + collection of ctypes objects. + - gh-142517: The non-compat32 email policies now correctly + handle refolding encoded words that contain bytes that can + not be decoded in their specified character set. Previously + this resulted in an encoding exception during folding. + - gh-112527: The help text for required options in argparse + no longer extended with “ (default: None)”. + - gh-142346: Fix usage formatting for mutually exclusive + groups in argparse when they are preceded by positional + arguments or followed or intermixed with other optional + arguments. + - gh-142315: Pdb can now run scripts from anonymous pipes + used in process substitution. Patch by Bartosz Sławecki. + - gh-142332: Fix usage formatting for positional arguments in + mutually exclusive groups in argparse. in argparse. + - gh-142282: Fix winreg.QueryValueEx() to not accidentally + read garbage buffer under race condition. + - gh-75949: Fix argparse to preserve | separators in mutually + exclusive groups when the usage line wraps due to length. + - gh-142267: Improve argparse performance by caching the + formatter used for argument validation. + - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header + name defects are now correctly passed to the handle_defect + method of policy in FeedParser. + - gh-142006: Fix a bug in the email.policy.default folding + algorithm which incorrectly resulted in a doubled newline + when a line ending at exactly max_line_length was followed + by an unfoldable token. + - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving + underlying cancelled asyncio task running. + - gh-139971: pydoc: Ensure that the link to the online + documentation of a stdlib module is correct. + - gh-139262: Some keystrokes can be swallowed in the new + PyREPL on Windows, especially when used together with the + ALT key. Fix by Chris Eibl. + - gh-138897: Improved license/copyright/credits display in + the REPL: now uses a pager. + - gh-79986: Add parsing for References and In-Reply-To + headers to the email library that parses the header content + as lists of message id tokens. This prevents them from + being folded incorrectly. + - gh-136282: Add support for UNNAMED_SECTION when creating + a section via the mapping protocol access + - gh-109263: Starting a process from spawn context in + multiprocessing no longer sets the start method globally. + - gh-133253: Fix thread-safety issues in linecache. + - gh-132715: Skip writing objects during marshalling once + a failure has occurred. + - IDLE + - gh-143774: Better explain the operation of Format / Format + Paragraph. + - Documentation + - gh-140806: Add documentation for enum.bin(). + - Core and Builtins + - gh-144307: Prevent a reference leak in module teardown at + interpreter finalization. + - gh-144194: Fix error handling in perf jitdump + initialization on memory allocation failure. + - gh-144012: Check if the result is NULL in BINARY_OP_EXTENT + opcode. + - gh-141805: Fix crash in set when objects with the same hash + are concurrently added to the set after removing an element + with the same hash while the set still contains elements + with the same hash. + - gh-143670: Fixes a crash in ga_repr_items_list function. + - gh-143377: Fix a crash in _interpreters.capture_exception() + when the exception is incorrectly formatted. Patch by + Bénédikt Tran. + - gh-136924: The interactive help mode in the REPL no longer + incorrectly syntax highlights text input as Python code. + Contributed by Olga Matoula. + - gh-143189: Fix crash when inserting a non-str key into + a split table dictionary when the key matches an existing + key in the split table but has no corresponding value in + the dict. + - gh-143228: Fix use-after-free in perf trampoline when + toggling profiling while threads are running or during + interpreter finalization with daemon threads active. The + fix uses reference counting to ensure trampolines are not + freed while any code object could still reference them. + Pach by Pablo Galindo + - gh-142664: Fix a use-after-free crash in + memoryview.__hash__ when the __hash__ method of the + referenced object mutates that object or the view. Patch by + Bénédikt Tran. + - gh-142557: Fix a use-after-free crash in bytearray.__mod__ + when the bytearray is mutated while formatting the %-style + arguments. Patch by Bénédikt Tran. + - gh-143195: Fix use-after-free crashes in bytearray.hex() + and memoryview.hex() when the separator’s __len__() mutates + the original object. Patch by Bénédikt Tran. + - gh-142975: Fix crash after unfreezing all objects tracked + by the garbage collector on the free threaded build. + - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is + 0. Previously, it was set to 0 in this case. + - gh-143003: Fix an overflow of the shared empty buffer in + bytearray.extend() when __length_hint__() returns 0 for + non-empty iterator. + - gh-143006: Fix a possible assertion error when comparing + negative non-integer float and int with the same number of + bits in the integer part. + - gh-143057: Avoid locking in PyTraceMalloc_Track() and + PyTraceMalloc_Untrack() when tracemalloc is not enabled. + - gh-142776: Fix a file descriptor leak in import.c + - gh-142829: Fix a use-after-free crash in + contextvars.Context comparison when a custom __eq__ method + modifies the context via set(). + - gh-142766: Clear the frame of a generator when + generator.close() is called. + - gh-142737: Tracebacks will be displayed in fallback mode + even if io.open() is lost. Previously, this would crash the + interpreter. Patch by Bartosz Sławecki. + - gh-142554: Fix a crash in divmod() when + _pylong.int_divmod() does not return a tuple of length two + exactly. Patch by Bénédikt Tran. + - gh-142560: Fix use-after-free in bytearray search-like + methods (find(), count(), index(), rindex(), and rfind()) + by marking the storage as exported which causes + reallocation attempts to raise BufferError. For contains(), + split(), and rsplit() the buffer protocol is used for this. + - gh-142531: Fix a free-threaded GC performance regression. + If there are many untracked tuples, the GC will run too + often, resulting in poor performance. The fix is to include + untracked tuples in the “long lived” object count. The + number of frozen objects is also now included since the + free-threaded GC must scan those too. + - gh-142402: Fix reference counting when adjacent literal + parts are merged while constructing + string.templatelib.Template, preventing the displaced + string object from leaking. + - gh-133932: Fix crash in the free threading build when + clearing frames that hold tagged integers. + - gh-142343: Fix SIGILL crash on m68k due to incorrect + assembly constraint. + - gh-100964: Fix reference cycle in exhausted generator + frames. Patch by Savannah Ostrowski. + - gh-69605: Fix edge-cases around already imported modules in + the REPL auto-completion of imports. + - gh-138568: Adjusted the built-in help() function so that + empty inputs are ignored in interactive mode. + - gh-137007: Fix a bug during JIT compilation failure which + caused garbage collection debug assertions to fail. + - C API + - gh-142589: Fix + PyUnstable_Object_IsUniqueReferencedTemporary() handling of + tagged ints on the interpreter stack. + - gh-142571: PyUnstable_CopyPerfMapFile() now checks that + opening the file succeeded before flushing. + - Build + - gh-142454: When calculating the digest of the JIT stencils + input, sort the hashed files by filenames before adding + their content to the hasher. This ensures deterministic + hash input and hence deterministic hash, independent on + filesystem order. + - gh-141808: When running make clean-retain-profile, keep the + generated JIT stencils. That way, the stencils are not + generated twice when Profile-guided optimization (PGO) is + used. It also allows distributors to supply their own + pre-built JIT stencils. + - gh-138061: Ensure reproducible builds by making JIT stencil + header generation deterministic. +- Remove upstreamed patches: + - CVE-2024-6923-follow-up-EOL-email-headers.patch + - CVE-2025-11468-email-hdr-fold-comment.patch + - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch + - gh138131-exclude-pycache-from-digest.patch + ------------------------------------------------------------------- Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl @@ -4030,7 +4390,7 @@ Tue Nov 19 22:08:24 UTC 2024 - Matej Cepl generated URLs beginning with four slashes (rather than two) when given a Windows UNC path. - gh-126156: Improved performances of creating Morsel objects - by a factor of 3.8x. + by a factor of 3.8x (bsc#1257031, CVE-2026-0672). - gh-126105: Fix a crash in ast when the ast.AST._fields attribute is deleted. - gh-126106: Fixes a possible NULL pointer dereference in diff --git a/python314.spec b/python314.spec index bbc6ae6..1932edd 100644 --- a/python314.spec +++ b/python314.spec @@ -124,7 +124,7 @@ # %%define tarversion %%{version} # %%endif # We don't process beta signs well -%define folderversion 3.14.2 +%define folderversion 3.14.3 %define sitedir %{_libdir}/python%{python_version} # three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149 %define abi_kind %{nil} @@ -162,7 +162,7 @@ # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so Name: %{python_pkg_name}%{psuffix} -Version: 3.14.2 +Version: 3.14.3 %define tarversion %{version} %define tarname Python-%{tarversion} Release: 0 @@ -220,20 +220,8 @@ Patch40: fix-test-recursion-limit-15.6.patch # PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com # Doc: Generate ids for audit_events using docname Patch41: bsc1243155-sphinx-non-determinism.patch -# PATCH-FIX-UPSTREAM gh138131-exclude-pycache-from-digest.patch bsc#1244680 daniel.garcia@suse.com -Patch44: gh138131-exclude-pycache-from-digest.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch45: gh139257-Support-docutils-0.22.patch -# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 mcepl@suse.com -# Encode newlines in headers when using ByteGenerator -# patch from gh#python/cpython#144125 -Patch46: CVE-2024-6923-follow-up-EOL-email-headers.patch -# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 mcepl@suse.com -# Email preserve parens when folding comments -Patch47: CVE-2025-11468-email-hdr-fold-comment.patch -# PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 mcepl@suse.com -# Reject control characters in http cookies -Patch48: CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch #### Python 3.14 END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake