Mark the upgrade to 3.9.24 as fixing CVE-2025-8291, bsc#1251305.

2025-11-10 01:12:31 +01:00
parent 9eec107af7
commit 69e885b9cf
2 changed files with 169 additions and 138 deletions


@@ -44,9 +44,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
15 files changed, 77 insertions(+), 873 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
--- a/Doc/using/unix.rst
+++ b/Doc/using/unix.rst
@@ -113,6 +113,7 @@ For example, on most Linux systems, the
Index: Python-3.9.24/Doc/using/unix.rst
===================================================================
--- Python-3.9.24.orig/Doc/using/unix.rst 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Doc/using/unix.rst 2025-11-14 00:55:05.521462804 +0100
@@ -113,6 +113,7 @@
| | embedding the interpreter. |
+-----------------------------------------------+------------------------------------------+
@@ -54,9 +56,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Miscellaneous
=============
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -912,15 +912,12 @@ class SSLObject:
Index: Python-3.9.24/Lib/ssl.py
===================================================================
--- Python-3.9.24.orig/Lib/ssl.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Lib/ssl.py 2025-11-14 00:55:05.522031528 +0100
@@ -912,15 +912,12 @@
"""Return the currently selected NPN protocol as a string, or ``None``
if a next protocol was not negotiated or if NPN is not supported by one
of the peers."""
@@ -73,7 +77,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def cipher(self):
"""Return the currently selected cipher as a 3-tuple ``(name,
@@ -1162,10 +1159,7 @@ class SSLSocket(socket):
@@ -1162,10 +1159,7 @@
@_sslcopydoc
def selected_npn_protocol(self):
self._checkClosed()
@@ -85,9 +89,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
@_sslcopydoc
def selected_alpn_protocol(self):
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -39,7 +39,6 @@ Py_DEBUG_WIN32 = Py_DEBUG and sys.platfo
Index: Python-3.9.24/Lib/test/test_ssl.py
===================================================================
--- Python-3.9.24.orig/Lib/test/test_ssl.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Lib/test/test_ssl.py 2025-11-14 00:55:05.522484943 +0100
@@ -39,7 +39,6 @@
PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
HOST = socket_helper.HOST
IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
@@ -95,7 +101,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
@@ -269,18 +268,6 @@ def handle_error(prefix):
@@ -269,18 +268,6 @@
if support.verbose:
sys.stdout.write(prefix + exc_format)
@@ -114,7 +120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def _have_secp_curves():
if not ssl.HAS_ECDH:
return False
@@ -371,17 +358,15 @@ class BasicSocketTests(unittest.TestCase
@@ -371,17 +358,15 @@
ssl.OP_SINGLE_DH_USE
if ssl.HAS_ECDH:
ssl.OP_SINGLE_ECDH_USE
@@ -135,7 +141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
def test_private_init(self):
@@ -1169,7 +1154,6 @@ class ContextTests(unittest.TestCase):
@@ -1169,7 +1154,6 @@
self.assertNotIn("RC4", name)
self.assertNotIn("3DES", name)
@@ -143,7 +149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_get_ciphers(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.set_ciphers('AESGCM')
@@ -1201,15 +1185,11 @@ class ContextTests(unittest.TestCase):
@@ -1201,15 +1185,11 @@
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
@@ -164,7 +170,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_verify_mode_protocol(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
@@ -1328,8 +1308,6 @@ class ContextTests(unittest.TestCase):
@@ -1328,8 +1308,6 @@
with self.assertRaises(ValueError):
ctx.maximum_version = ssl.TLSVersion.TLSv1
@@ -173,7 +179,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_verify_flags(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# default value
@@ -1807,7 +1785,6 @@ class ContextTests(unittest.TestCase):
@@ -1807,7 +1785,6 @@
obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
self.assertIsInstance(obj, MySSLObject)
@@ -181,7 +187,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_num_tickest(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
self.assertEqual(ctx.num_tickets, 2)
@@ -2972,8 +2949,6 @@ class ThreadedTests(unittest.TestCase):
@@ -2972,8 +2949,6 @@
after = ssl.cert_time_to_seconds(cert['notAfter'])
self.assertLess(before, after)
@@ -190,7 +196,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_crl_check(self):
if support.verbose:
sys.stdout.write("\n")
@@ -3877,12 +3852,7 @@ class ThreadedTests(unittest.TestCase):
@@ -3877,12 +3852,7 @@
self.assertIs(s.version(), None)
self.assertIs(s._sslobj, None)
s.connect((HOST, server.port))
@@ -204,7 +210,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertIs(s._sslobj, None)
self.assertIs(s.version(), None)
@@ -3984,8 +3954,6 @@ class ThreadedTests(unittest.TestCase):
@@ -3984,8 +3954,6 @@
# explicitly using the 'ECCdraft' cipher alias. Otherwise,
# our default cipher list should prefer ECDH-based ciphers
# automatically.
@@ -213,7 +219,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
with ThreadedEchoServer(context=context) as server:
with context.wrap_socket(socket.socket()) as s:
s.connect((HOST, server.port))
@@ -4117,15 +4085,11 @@ class ThreadedTests(unittest.TestCase):
@@ -4117,15 +4085,11 @@
server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
try:
@@ -233,7 +239,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_alpn_protocol(self):
# selected_alpn_protocol() is None unless ALPN is used.
@@ -4135,7 +4099,6 @@ class ThreadedTests(unittest.TestCase):
@@ -4135,7 +4099,6 @@
sni_name=hostname)
self.assertIs(stats['client_alpn_protocol'], None)
@@ -241,7 +247,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_alpn_protocol_if_server_uses_alpn(self):
# selected_alpn_protocol() is None unless ALPN is used by the client.
client_context, server_context, hostname = testing_context()
@@ -4145,7 +4108,6 @@ class ThreadedTests(unittest.TestCase):
@@ -4145,7 +4108,6 @@
sni_name=hostname)
self.assertIs(stats['client_alpn_protocol'], None)
@@ -249,7 +255,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_alpn_protocols(self):
server_protocols = ['foo', 'bar', 'milkshake']
protocol_tests = [
@@ -4168,22 +4130,17 @@ class ThreadedTests(unittest.TestCase):
@@ -4168,22 +4130,17 @@
except ssl.SSLError as e:
stats = e
@@ -283,7 +289,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_npn_protocol(self):
# selected_npn_protocol() is None unless NPN is used
@@ -4193,31 +4150,8 @@ class ThreadedTests(unittest.TestCase):
@@ -4193,31 +4150,8 @@
sni_name=hostname)
self.assertIs(stats['client_npn_protocol'], None)
@@ -316,7 +322,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_empty_npn_protocols(self):
"""npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227"""
@@ -4393,8 +4327,7 @@ class ThreadedTests(unittest.TestCase):
@@ -4393,8 +4327,7 @@
self.assertGreater(session.time, 0)
self.assertGreater(session.timeout, 0)
self.assertTrue(session.has_ticket)
@@ -326,13 +332,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertFalse(stats['session_reused'])
sess_stat = server_context.session_stats()
self.assertEqual(sess_stat['accept'], 1)
--- /dev/null
+++ b/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
Index: Python-3.9.24/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.24/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst 2025-11-14 00:55:05.523862509 +0100
@@ -0,0 +1 @@
+Implement :pep:`644`. Python now requires OpenSSL 1.1.1 or newer.
--- a/Modules/Setup
+++ b/Modules/Setup
@@ -210,11 +210,23 @@ _symtable symtablemodule.c
Index: Python-3.9.24/Modules/Setup
===================================================================
--- Python-3.9.24.orig/Modules/Setup 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/Setup 2025-11-14 00:55:05.524260958 +0100
@@ -210,11 +210,23 @@
#_socket socketmodule.c
# Socket module helper for SSL support; you must comment out the other
@@ -361,8 +371,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# The crypt module is now disabled by default because it breaks builds
# on many systems (where -lcrypt is needed), e.g. Linux (I believe).
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
Index: Python-3.9.24/Modules/_hashopenssl.c
===================================================================
--- Python-3.9.24.orig/Modules/_hashopenssl.c 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/_hashopenssl.c 2025-11-14 00:55:05.524484942 +0100
@@ -43,51 +43,12 @@
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
@@ -416,7 +428,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PY_EVP_MD EVP_MD
@@ -1311,8 +1272,7 @@ pbkdf2_hmac_impl(PyObject *module, const
@@ -1311,8 +1272,7 @@
return key_obj;
}
@@ -426,7 +438,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* XXX: Parameters salt, n, r and p should be required keyword-only parameters.
They are optional in the Argument Clinic declaration only due to a
@@ -1433,7 +1393,7 @@ _hashlib_scrypt_impl(PyObject *module, P
@@ -1433,7 +1393,7 @@
}
return key_obj;
}
@@ -435,7 +447,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Fast HMAC for hmac.digest()
*/
@@ -1920,12 +1880,6 @@ hashlib_md_meth_names(PyObject *module)
@@ -1920,12 +1880,6 @@
return 0;
}
@@ -448,7 +460,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_hashlib.get_fips_mode -> int
@@ -1963,7 +1917,6 @@ _hashlib_get_fips_mode_impl(PyObject *mo
@@ -1963,7 +1917,6 @@
return result;
#endif
}
@@ -456,7 +468,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
@@ -2144,17 +2097,6 @@ hashlib_free(void *m)
@@ -2144,17 +2097,6 @@
/* Py_mod_exec functions */
static int
@@ -474,7 +486,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
hashlib_init_hashtable(PyObject *module)
{
_hashlibstate *state = get_hashlib_state(module);
@@ -2227,10 +2169,7 @@ hashlib_init_hmactype(PyObject *module)
@@ -2227,10 +2169,7 @@
return 0;
}
@@ -485,7 +497,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
{Py_mod_exec, hashlib_init_hashtable},
{Py_mod_exec, hashlib_init_evptype},
{Py_mod_exec, hashlib_init_evpxoftype},
@@ -2238,7 +2177,6 @@ static PyModuleDef_Slot hashlib_slots[]
@@ -2238,7 +2177,6 @@
{Py_mod_exec, hashlib_md_meth_names},
{0, NULL}
};
@@ -493,7 +505,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static struct PyModuleDef _hashlibmodule = {
PyModuleDef_HEAD_INIT,
@@ -2246,7 +2184,7 @@ static struct PyModuleDef _hashlibmodule
@@ -2246,7 +2184,7 @@
.m_doc = "OpenSSL interface for hashlib module",
.m_size = sizeof(_hashlibstate),
.m_methods = EVP_functions,
@@ -502,7 +514,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
.m_traverse = hashlib_traverse,
.m_clear = hashlib_clear,
.m_free = hashlib_free
@@ -2255,41 +2193,5 @@ static struct PyModuleDef _hashlibmodule
@@ -2255,41 +2193,5 @@
PyMODINIT_FUNC
PyInit__hashlib(void)
{
@@ -545,8 +557,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- return m;
+ return PyModuleDef_Init(&_hashlibmodule);
}
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
Index: Python-3.9.24/Modules/_ssl.c
===================================================================
--- Python-3.9.24.orig/Modules/_ssl.c 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/_ssl.c 2025-11-14 00:55:05.525585095 +0100
@@ -29,9 +29,9 @@
#define _PySSL_FIX_ERRNO
@@ -559,7 +573,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#define PySSL_BEGIN_ALLOW_THREADS { \
PyThreadState *_save = NULL; \
PySSL_BEGIN_ALLOW_THREADS_S(_save);
@@ -62,16 +62,6 @@ static PySocketModule_APIObject PySocket
@@ -62,16 +62,6 @@
#include "openssl/bio.h"
#include "openssl/dh.h"
@@ -576,7 +590,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
@@ -142,15 +132,7 @@ static void _PySSLFixErrno(void) {
@@ -142,15 +132,7 @@
#include "_ssl_data.h"
#endif
@@ -593,7 +607,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef OPENSSL_NO_TLS1_METHOD
extern const SSL_METHOD *TLSv1_method(void);
#endif
@@ -161,59 +143,10 @@ extern const SSL_METHOD *TLSv1_1_method(
@@ -161,59 +143,10 @@
extern const SSL_METHOD *TLSv1_2_method(void);
#endif
@@ -653,7 +667,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */
#ifdef OPENSSL_VERSION_1_1
#define HAVE_OPENSSL_X509_STORE_LOCK
@@ -224,80 +157,8 @@ extern const SSL_METHOD *TLSv1_2_method(
@@ -224,80 +157,8 @@
#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
#endif
@@ -735,7 +749,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Default cipher suites */
#ifndef PY_SSL_DEFAULT_CIPHERS
@@ -409,24 +270,10 @@ enum py_proto_version {
@@ -409,24 +270,10 @@
#endif
};
@@ -760,7 +774,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
* older SSL, but let's be safe */
@@ -436,17 +283,9 @@ static unsigned int _ssl_locks_count = 0
@@ -436,17 +283,9 @@
typedef struct {
PyObject_HEAD
SSL_CTX *ctx;
@@ -778,7 +792,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
int check_hostname;
/* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct.
* We have to maintain our own copy. OpenSSL's hostflags default to 0.
@@ -457,10 +296,8 @@ typedef struct {
@@ -457,10 +296,8 @@
int post_handshake_auth;
#endif
PyObject *msg_cb;
@@ -789,7 +803,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} PySSLContext;
typedef struct {
@@ -667,23 +504,18 @@ fill_and_set_sslerror(PySSLSocket *sslso
@@ -667,23 +504,18 @@
}
switch (verify_code) {
@@ -813,7 +827,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
default:
verify_str = X509_verify_cert_error_string(verify_code);
if (verify_str != NULL) {
@@ -2014,7 +1846,6 @@ cipher_to_tuple(const SSL_CIPHER *cipher
@@ -2014,7 +1846,6 @@
return NULL;
}
@@ -821,7 +835,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
cipher_to_dict(const SSL_CIPHER *cipher)
{
@@ -2023,10 +1854,8 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2023,10 +1854,8 @@
unsigned long cipher_id;
int alg_bits, strength_bits, len;
char buf[512] = {0};
@@ -832,7 +846,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* can be NULL */
cipher_name = SSL_CIPHER_get_name(cipher);
@@ -2039,7 +1868,6 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2039,7 +1868,6 @@
buf[len-1] = '\0';
strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
@@ -840,7 +854,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
aead = SSL_CIPHER_is_aead(cipher);
nid = SSL_CIPHER_get_cipher_nid(cipher);
skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -2049,13 +1877,10 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2049,13 +1877,10 @@
kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
nid = SSL_CIPHER_get_auth_nid(cipher);
auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -854,7 +868,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
"}",
"id", cipher_id,
"name", cipher_name,
@@ -2063,16 +1888,13 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2063,16 +1888,13 @@
"description", buf,
"strength_bits", strength_bits,
"alg_bits", alg_bits
@@ -871,7 +885,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLSocket.shared_ciphers
@@ -2143,28 +1965,6 @@ _ssl__SSLSocket_version_impl(PySSLSocket
@@ -2143,28 +1965,6 @@
return PyUnicode_FromString(version);
}
@@ -900,7 +914,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLSocket.selected_alpn_protocol
[clinic start generated code]*/
@@ -2182,7 +1982,6 @@ _ssl__SSLSocket_selected_alpn_protocol_i
@@ -2182,7 +1982,6 @@
Py_RETURN_NONE;
return PyUnicode_FromStringAndSize((char *)out, outlen);
}
@@ -908,7 +922,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLSocket.compression
@@ -2219,11 +2018,6 @@ static int PySSL_set_context(PySSLSocket
@@ -2219,11 +2018,6 @@
void *closure) {
if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
@@ -920,7 +934,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_INCREF(value);
Py_SETREF(self->ctx, (PySSLContext *)value);
SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
@@ -2232,7 +2026,6 @@ static int PySSL_set_context(PySSLSocket
@@ -2232,7 +2026,6 @@
self->ssl,
self->ctx->msg_cb ? _PySSL_msg_callback : NULL
);
@@ -928,7 +942,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} else {
PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
return -1;
@@ -2857,8 +2650,6 @@ _ssl__SSLSocket_verify_client_post_hands
@@ -2857,8 +2650,6 @@
#endif
}
@@ -937,7 +951,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static SSL_SESSION*
_ssl_session_dup(SSL_SESSION *session) {
SSL_SESSION *newsession = NULL;
@@ -2899,7 +2690,6 @@ _ssl_session_dup(SSL_SESSION *session) {
@@ -2899,7 +2690,6 @@
}
return NULL;
}
@@ -945,7 +959,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
PySSL_get_session(PySSLSocket *self, void *closure) {
@@ -2908,7 +2698,6 @@ PySSL_get_session(PySSLSocket *self, voi
@@ -2908,7 +2698,6 @@
PySSLSession *pysess;
SSL_SESSION *session;
@@ -953,7 +967,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* duplicate session as workaround for session bug in OpenSSL 1.1.0,
* https://github.com/openssl/openssl/issues/1550 */
session = SSL_get0_session(self->ssl); /* borrowed reference */
@@ -2918,12 +2707,10 @@ PySSL_get_session(PySSLSocket *self, voi
@@ -2918,12 +2707,10 @@
if ((session = _ssl_session_dup(session)) == NULL) {
return NULL;
}
@@ -966,7 +980,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
pysess = PyObject_GC_New(PySSLSession, &PySSLSession_Type);
if (pysess == NULL) {
SSL_SESSION_free(session);
@@ -2942,9 +2729,7 @@ static int PySSL_set_session(PySSLSocket
@@ -2942,9 +2729,7 @@
void *closure)
{
PySSLSession *pysess;
@@ -976,7 +990,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
int result;
if (!PySSLSession_Check(value)) {
@@ -2968,7 +2753,6 @@ static int PySSL_set_session(PySSLSocket
@@ -2968,7 +2753,6 @@
"Cannot set session after handshake.");
return -1;
}
@@ -984,7 +998,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* duplicate session */
if ((session = _ssl_session_dup(pysess->session)) == NULL) {
return -1;
@@ -2976,9 +2760,6 @@ static int PySSL_set_session(PySSLSocket
@@ -2976,9 +2760,6 @@
result = SSL_set_session(self->ssl, session);
/* free duplicate, SSL_set_session() bumps ref count */
SSL_SESSION_free(session);
@@ -994,7 +1008,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if (result == 0) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
return -1;
@@ -3029,7 +2810,6 @@ static PyMethodDef PySSLMethods[] = {
@@ -3029,7 +2810,6 @@
_SSL__SSLSOCKET_CIPHER_METHODDEF
_SSL__SSLSOCKET_SHARED_CIPHERS_METHODDEF
_SSL__SSLSOCKET_VERSION_METHODDEF
@@ -1002,7 +1016,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
_SSL__SSLSOCKET_SELECTED_ALPN_PROTOCOL_METHODDEF
_SSL__SSLSOCKET_COMPRESSION_METHODDEF
_SSL__SSLSOCKET_SHUTDOWN_METHODDEF
@@ -3123,9 +2903,6 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3123,9 +2903,6 @@
SSL_CTX *ctx = NULL;
X509_VERIFY_PARAM *params;
int result;
@@ -1012,7 +1026,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PySSL_BEGIN_ALLOW_THREADS
switch(proto_version) {
@@ -3190,19 +2967,10 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3190,19 +2967,10 @@
self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
self->protocol = proto_version;
self->msg_cb = NULL;
@@ -1032,7 +1046,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Don't check host name by default */
if (proto_version == PY_SSL_VERSION_TLS_CLIENT) {
self->check_hostname = 1;
@@ -3264,37 +3032,9 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3264,37 +3032,9 @@
return NULL;
}
@@ -1072,7 +1086,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
@@ -3302,11 +3042,9 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3302,11 +3042,9 @@
#undef SID_CTX
params = SSL_CTX_get0_param(self->ctx);
@@ -1084,7 +1098,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
#ifdef TLS1_3_VERSION
@@ -3320,9 +3058,7 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3320,9 +3058,7 @@
static int
context_traverse(PySSLContext *self, visitproc visit, void *arg)
{
@@ -1094,7 +1108,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_VISIT(self->msg_cb);
return 0;
}
@@ -3330,11 +3066,8 @@ context_traverse(PySSLContext *self, vis
@@ -3330,11 +3066,8 @@
static int
context_clear(PySSLContext *self)
{
@@ -1106,7 +1120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_CLEAR(self->keylog_filename);
if (self->keylog_bio != NULL) {
PySSL_BEGIN_ALLOW_THREADS
@@ -3342,7 +3075,6 @@ context_clear(PySSLContext *self)
@@ -3342,7 +3075,6 @@
PySSL_END_ALLOW_THREADS
self->keylog_bio = NULL;
}
@@ -1114,7 +1128,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
return 0;
}
@@ -3353,12 +3085,7 @@ context_dealloc(PySSLContext *self)
@@ -3353,12 +3085,7 @@
PyObject_GC_UnTrack(self);
context_clear(self);
SSL_CTX_free(self->ctx);
@@ -1127,7 +1141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_TYPE(self)->tp_free(self);
}
@@ -3385,7 +3112,6 @@ _ssl__SSLContext_set_ciphers_impl(PySSLC
@@ -3385,7 +3112,6 @@
Py_RETURN_NONE;
}
@@ -1135,7 +1149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLContext.get_ciphers
[clinic start generated code]*/
@@ -3428,10 +3154,8 @@ _ssl__SSLContext_get_ciphers_impl(PySSLC
@@ -3428,10 +3154,8 @@
return result;
}
@@ -1146,7 +1160,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -3455,77 +3179,7 @@ do_protocol_selection(int alpn, unsigned
@@ -3455,77 +3179,7 @@
return SSL_TLSEXT_ERR_OK;
}
@@ -1224,7 +1238,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
_selectALPN_cb(SSL *s,
const unsigned char **out, unsigned char *outlen,
@@ -3537,7 +3191,6 @@ _selectALPN_cb(SSL *s,
@@ -3537,7 +3191,6 @@
ctx->alpn_protocols, ctx->alpn_protocols_len,
client_protocols, client_protocols_len);
}
@@ -1232,7 +1246,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLContext._set_alpn_protocols
@@ -3550,7 +3203,6 @@ _ssl__SSLContext__set_alpn_protocols_imp
@@ -3550,7 +3203,6 @@
Py_buffer *protos)
/*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/
{
@@ -1240,7 +1254,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if ((size_t)protos->len > UINT_MAX) {
PyErr_Format(PyExc_OverflowError,
"protocols longer than %u bytes", UINT_MAX);
@@ -3569,11 +3221,6 @@ _ssl__SSLContext__set_alpn_protocols_imp
@@ -3569,11 +3221,6 @@
SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self);
Py_RETURN_NONE;
@@ -1252,7 +1266,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
}
static PyObject *
@@ -3649,9 +3296,6 @@ set_verify_flags(PySSLContext *self, PyO
@@ -3649,9 +3296,6 @@
}
/* Getter and setter for protocol version */
@@ -1262,7 +1276,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what)
{
@@ -3746,9 +3390,8 @@ set_maximum_version(PySSLContext *self,
@@ -3746,9 +3390,8 @@
{
return set_min_max_proto_version(self, arg, 1);
}
@@ -1273,7 +1287,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
get_num_tickets(PySSLContext *self, void *c)
{
@@ -3779,7 +3422,7 @@ set_num_tickets(PySSLContext *self, PyOb
@@ -3779,7 +3422,7 @@
PyDoc_STRVAR(PySSLContext_num_tickets_doc,
"Control the number of TLSv1.3 session tickets");
@@ -1282,7 +1296,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
get_options(PySSLContext *self, void *c)
@@ -3797,13 +3440,7 @@ set_options(PySSLContext *self, PyObject
@@ -3797,13 +3440,7 @@
clear = opts & ~new_opts;
set = ~opts & new_opts;
if (clear) {
@@ -1296,7 +1310,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
}
if (set)
SSL_CTX_set_options(self->ctx, set);
@@ -4500,7 +4137,6 @@ _ssl__SSLContext_set_default_verify_path
@@ -4500,7 +4137,6 @@
Py_RETURN_NONE;
}
@@ -1304,7 +1318,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLContext.set_ecdh_curve
name: object
@@ -4535,9 +4171,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLCon
@@ -4535,9 +4171,7 @@
EC_KEY_free(key);
Py_RETURN_NONE;
}
@@ -1314,7 +1328,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
_servername_callback(SSL *s, int *al, void *args)
{
@@ -4641,7 +4275,6 @@ error:
@@ -4641,7 +4275,6 @@
PyGILState_Release(gstate);
return ret;
}
@@ -1322,7 +1336,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
get_sni_callback(PySSLContext *self, void *c)
@@ -4662,7 +4295,6 @@ set_sni_callback(PySSLContext *self, PyO
@@ -4662,7 +4295,6 @@
"sni_callback cannot be set on TLS_CLIENT context");
return -1;
}
@@ -1330,7 +1344,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_CLEAR(self->set_sni_cb);
if (arg == Py_None) {
SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
@@ -4680,13 +4312,6 @@ set_sni_callback(PySSLContext *self, PyO
@@ -4680,13 +4312,6 @@
SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
}
return 0;
@@ -1344,7 +1358,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
}
/* Shim of X509_STORE_get1_objects API from OpenSSL 3.3
@@ -4882,21 +4507,17 @@ static PyGetSetDef context_getsetlist[]
@@ -4882,21 +4507,17 @@
(setter) set_check_hostname, NULL},
{"_host_flags", (getter) get_host_flags,
(setter) set_host_flags, NULL},
@@ -1367,7 +1381,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
{"num_tickets", (getter) get_num_tickets,
(setter) set_num_tickets, PySSLContext_num_tickets_doc},
#endif
@@ -4923,7 +4544,6 @@ static struct PyMethodDef context_method
@@ -4923,7 +4544,6 @@
_SSL__SSLCONTEXT__WRAP_BIO_METHODDEF
_SSL__SSLCONTEXT_SET_CIPHERS_METHODDEF
_SSL__SSLCONTEXT__SET_ALPN_PROTOCOLS_METHODDEF
@@ -1375,7 +1389,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
_SSL__SSLCONTEXT_LOAD_CERT_CHAIN_METHODDEF
_SSL__SSLCONTEXT_LOAD_DH_PARAMS_METHODDEF
_SSL__SSLCONTEXT_LOAD_VERIFY_LOCATIONS_METHODDEF
@@ -5441,11 +5061,7 @@ PySSL_RAND(int len, int pseudo)
@@ -5441,11 +5061,7 @@
if (bytes == NULL)
return NULL;
if (pseudo) {
@@ -1387,7 +1401,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if (ok == 0 || ok == 1)
return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
}
@@ -6000,92 +5616,6 @@ static PyMethodDef PySSL_methods[] = {
@@ -6000,92 +5616,6 @@
};
@@ -1480,7 +1494,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(module_doc,
"Implementation module for SSL socket operations. See the socket module\n\
for documentation.");
@@ -6152,14 +5682,6 @@ PyInit__ssl(void)
@@ -6152,14 +5682,6 @@
return NULL;
PySocketModule = *socket_api;
@@ -1495,7 +1509,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifdef HAVE_OPENSSL_CRYPTO_LOCK
/* note that this will start threading if not already started */
if (!_setup_ssl_threads()) {
@@ -6266,10 +5788,8 @@ PyInit__ssl(void)
@@ -6266,10 +5788,8 @@
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
X509_V_FLAG_X509_STRICT);
@@ -1506,7 +1520,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Alert Descriptions from ssl.h */
/* note RESERVED constants no longer intended for use have been removed */
@@ -6426,31 +5946,11 @@ PyInit__ssl(void)
@@ -6426,31 +5946,11 @@
PyModule_AddObject((m), (key), bool_obj); \
} while (0)
@@ -1538,9 +1552,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
addbool(m, "HAS_SSLv2", 1);
--- a/Modules/_ssl/debughelpers.c
+++ b/Modules/_ssl/debughelpers.c
@@ -114,8 +114,6 @@ _PySSLContext_set_msg_callback(PySSLCont
Index: Python-3.9.24/Modules/_ssl/debughelpers.c
===================================================================
--- Python-3.9.24.orig/Modules/_ssl/debughelpers.c 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/_ssl/debughelpers.c 2025-11-14 00:55:05.526651095 +0100
@@ -114,8 +114,6 @@
return 0;
}
@@ -1549,15 +1565,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static void
_PySSL_keylog_callback(const SSL *ssl, const char *line)
{
@@ -219,5 +217,3 @@ _PySSLContext_set_keylog_filename(PySSLC
@@ -219,5 +217,3 @@
SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback);
return 0;
}
-
-#endif
--- a/Modules/clinic/_hashopenssl.c.h
+++ b/Modules/clinic/_hashopenssl.c.h
@@ -965,7 +965,7 @@ exit:
Index: Python-3.9.24/Modules/clinic/_hashopenssl.c.h
===================================================================
--- Python-3.9.24.orig/Modules/clinic/_hashopenssl.c.h 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/clinic/_hashopenssl.c.h 2025-11-14 00:55:05.527005334 +0100
@@ -965,7 +965,7 @@
return return_value;
}
@@ -1566,7 +1584,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_scrypt__doc__,
"scrypt($module, /, password, *, salt=None, n=None, r=None, p=None,\n"
@@ -1093,7 +1093,7 @@ exit:
@@ -1093,7 +1093,7 @@
return return_value;
}
@@ -1575,7 +1593,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_hmac_singleshot__doc__,
"hmac_digest($module, /, key, msg, digest)\n"
@@ -1324,8 +1324,6 @@ _hashlib_HMAC_hexdigest(HMACobject *self
@@ -1324,8 +1324,6 @@
return _hashlib_HMAC_hexdigest_impl(self);
}
@@ -1584,7 +1602,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_get_fips_mode__doc__,
"get_fips_mode($module, /)\n"
"--\n"
@@ -1361,8 +1359,6 @@ exit:
@@ -1361,8 +1359,6 @@
return return_value;
}
@@ -1593,7 +1611,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_compare_digest__doc__,
"compare_digest($module, a, b, /)\n"
"--\n"
@@ -1439,7 +1435,4 @@ exit:
@@ -1439,7 +1435,4 @@
#define _HASHLIB_SCRYPT_METHODDEF
#endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
@@ -1601,9 +1619,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- #define _HASHLIB_GET_FIPS_MODE_METHODDEF
-#endif /* !defined(_HASHLIB_GET_FIPS_MODE_METHODDEF) */
/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
--- a/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h
@@ -139,29 +139,6 @@ _ssl__SSLSocket_version(PySSLSocket *sel
Index: Python-3.9.24/Modules/clinic/_ssl.c.h
===================================================================
--- Python-3.9.24.orig/Modules/clinic/_ssl.c.h 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/clinic/_ssl.c.h 2025-11-14 00:55:05.527465105 +0100
@@ -139,29 +139,6 @@
return _ssl__SSLSocket_version_impl(self);
}
@@ -1633,7 +1653,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLSocket_selected_alpn_protocol__doc__,
"selected_alpn_protocol($self, /)\n"
"--\n"
@@ -179,8 +156,6 @@ _ssl__SSLSocket_selected_alpn_protocol(P
@@ -179,8 +156,6 @@
return _ssl__SSLSocket_selected_alpn_protocol_impl(self);
}
@@ -1642,7 +1662,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLSocket_compression__doc__,
"compression($self, /)\n"
"--\n"
@@ -457,8 +432,6 @@ exit:
@@ -457,8 +432,6 @@
return return_value;
}
@@ -1651,7 +1671,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_get_ciphers__doc__,
"get_ciphers($self, /)\n"
"--\n"
@@ -476,44 +449,6 @@ _ssl__SSLContext_get_ciphers(PySSLContex
@@ -476,44 +449,6 @@
return _ssl__SSLContext_get_ciphers_impl(self);
}
@@ -1696,7 +1716,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext__set_alpn_protocols__doc__,
"_set_alpn_protocols($self, protos, /)\n"
"--\n"
@@ -844,8 +779,6 @@ _ssl__SSLContext_set_default_verify_path
@@ -844,8 +779,6 @@
return _ssl__SSLContext_set_default_verify_paths_impl(self);
}
@@ -1705,7 +1725,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_curve__doc__,
"set_ecdh_curve($self, name, /)\n"
"--\n"
@@ -854,8 +787,6 @@ PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_c
@@ -854,8 +787,6 @@
#define _SSL__SSLCONTEXT_SET_ECDH_CURVE_METHODDEF \
{"set_ecdh_curve", (PyCFunction)_ssl__SSLContext_set_ecdh_curve, METH_O, _ssl__SSLContext_set_ecdh_curve__doc__},
@@ -1714,7 +1734,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_cert_store_stats__doc__,
"cert_store_stats($self, /)\n"
"--\n"
@@ -1455,22 +1386,6 @@ exit:
@@ -1455,22 +1386,6 @@
#endif /* defined(_MSC_VER) */
@@ -1737,9 +1757,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef _SSL_RAND_EGD_METHODDEF
#define _SSL_RAND_EGD_METHODDEF
#endif /* !defined(_SSL_RAND_EGD_METHODDEF) */
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -44,8 +44,6 @@ import tarfile
Index: Python-3.9.24/Tools/ssl/multissltests.py
===================================================================
--- Python-3.9.24.orig/Tools/ssl/multissltests.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Tools/ssl/multissltests.py 2025-11-14 00:55:05.527928158 +0100
@@ -43,8 +43,6 @@
log = logging.getLogger("multissl")
OPENSSL_OLD_VERSIONS = [
@@ -1748,7 +1770,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
]
OPENSSL_RECENT_VERSIONS = [
@@ -54,11 +52,9 @@ OPENSSL_RECENT_VERSIONS = [
@@ -53,11 +51,9 @@
]
LIBRESSL_OLD_VERSIONS = [
@@ -1760,9 +1782,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
]
# store files in ../multissl
--- a/configure
+++ b/configure
@@ -88,6 +88,13 @@ fi
Index: Python-3.9.24/configure
===================================================================
--- Python-3.9.24.orig/configure 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/configure 2025-11-14 00:55:05.530484938 +0100
@@ -88,6 +88,13 @@
# splitting by setting IFS to empty value.)
IFS=" "" $as_nl"
@@ -1776,7 +1800,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# Find who we are. Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
@@ -17997,7 +18004,6 @@ as_fn_error ()
@@ -17997,7 +18004,6 @@
as_fn_exit $as_status
} # as_fn_error
@@ -1784,14 +1808,16 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
@@ -19043,4 +19049,3 @@ if test "$Py_OPT" = 'false' -a "$Py_DEBU
@@ -19043,4 +19049,3 @@
echo "" >&6
echo "" >&6
fi
-
--- a/configure.ac
+++ b/configure.ac
@@ -5756,42 +5756,6 @@ ac_includes_default="$save_includes_defa
Index: Python-3.9.24/configure.ac
===================================================================
--- Python-3.9.24.orig/configure.ac 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/configure.ac 2025-11-14 00:55:05.531555268 +0100
@@ -5756,42 +5756,6 @@
# Check for usable OpenSSL
AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no])
@@ -1834,8 +1860,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# ssl module default cipher suite string
AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS,
[Default cipher suites list for ssl module.
--- a/pyconfig.h.in
+++ b/pyconfig.h.in
Index: Python-3.9.24/pyconfig.h.in
===================================================================
--- Python-3.9.24.orig/pyconfig.h.in 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/pyconfig.h.in 2025-11-14 00:55:05.532315919 +0100
@@ -1351,9 +1351,6 @@
/* Define to 1 if you have the `writev' function. */
#undef HAVE_WRITEV
@@ -1846,9 +1874,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Define if the zlib library has inflateCopy */
#undef HAVE_ZLIB_COPY
--- a/setup.py
+++ b/setup.py
@@ -539,10 +539,7 @@ class PyBuildExt(build_ext):
Index: Python-3.9.24/setup.py
===================================================================
--- Python-3.9.24.orig/setup.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/setup.py 2025-11-14 00:55:05.532484937 +0100
@@ -539,10 +539,7 @@
for l in (self.missing, self.failed, self.failed_on_import)):
print()
print("Could not build the ssl module!")
@@ -1860,7 +1890,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
print()
if os.environ.get("PYTHONSTRICTEXTENSIONBUILD") and (self.failed or self.failed_on_import):
@@ -2346,13 +2343,13 @@ class PyBuildExt(build_ext):
@@ -2346,13 +2343,13 @@
self.missing.extend(['_ssl', '_hashlib'])
return None, None
@@ -1880,7 +1910,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
self.add(Extension(
@@ -2367,8 +2364,6 @@ class PyBuildExt(build_ext):
@@ -2367,8 +2364,6 @@
'_ssl_data_111.h',
'_ssl_data_300.h',
]))


@@ -5,7 +5,8 @@ Wed Oct 15 06:28:09 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible data”
if there are no bytes prepended to the ZIP file.
if there are no bytes prepended to the ZIP file
(CVE-2025-8291, bsc#1251305).
- gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer
referenced by subparsers created by