forked from pool/python39
- Update to 3.9.17:
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-101283: subprocess.Popen now uses a safer approach to find
cmd.exe when launching with shell=True.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features that may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- gh-102126: Fixed a deadlock at shutdown when clearing thread
states if any finalizer tries to acquire the runtime head
lock.
- gh-100892: Fixed a crash due to a race while iterating over
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=147
@@ -93,7 +93,7 @@
|
||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||
%bcond_without profileopt
|
||||
Name: %{python_pkg_name}%{psuffix}
|
||||
Version: 3.9.16
|
||||
Version: 3.9.17
|
||||
Release: 0
|
||||
Summary: Python 3 Interpreter
|
||||
License: Python-2.0
|
||||
@@ -161,13 +161,6 @@ Patch35: support-expat-CVE-2022-25236-patched.patch
|
||||
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
|
||||
# this patch makes things totally awesome
|
||||
Patch37: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
|
||||
# blocklist bypass via the urllib.parse component when supplying
|
||||
# a URL that starts with blank characters
|
||||
Patch38: CVE-2023-24329-blank-URL-bypass.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
|
||||
# Implement PEP-706 to filter outcome of the tarball extracing
|
||||
Patch39: CVE-2007-4559-filter-tarfile_extractall.patch
|
||||
# PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
|
||||
# Patch for gh#python/cpython#98086
|
||||
Patch40: 99366-patch.dict-can-decorate-async.patch
|
||||
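Review bot: Patch38 (CVE-2023-24329) and Patch39 (CVE-2007-4559) are dropped here on the strength of the 3.9.17 bump, so the changelog should name both patch files as removed and keep bsc#1208471 and bsc#1203750 next to the upstream entries; the visible part of the commit message carries the bsc references under gh-102153 and gh-102953 but does not list the removals. While this block is being touched, the surrounding context lines still hold template filler: `# this patch makes things totally awesome` above Patch37 and the unfilled `bsc#[0-9]+` in the Patch40 header. Replace the first with a real description and either fill in or drop the bug reference in the second.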
@@ -429,8 +422,6 @@ other applications.
|
||||
%endif
|
||||
%patch35 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
|
||||
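Review bot: Nothing in this hunk ties the `%patchNN -p1` list to the `PatchNN:` declarations, so the removal of `%patch38` and `%patch39` has to be checked by hand against the declarations dropped in the previous hunk. The two match here, but confirm with a local build that `%patch40 -p1` still applies cleanly to the 3.9.17 sources now that it directly follows `%patch37`, since Patch40 was previously applied on top of the two removed CVE patches.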