From 303cf28c8d291473afd4aab55ddfd4411510bb67e623f697802de53ac4ea79c3 Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Wed, 9 Apr 2025 20:09:20 +0000 Subject: [PATCH 1/2] =?UTF-8?q?-=20Update=20to=203.9.22:=20=20=20-=20gh-13?= =?UTF-8?q?1809:=20Update=20bundled=20libexpat=20to=202.7.1=20=20=20-=20gh?= =?UTF-8?q?-131261:=20Upgrade=20to=20libexpat=202.7.0=20=20=20-=20gh-10570?= =?UTF-8?q?4:=20When=20using=20urllib.parse.urlsplit()=20and=20=20=20=20?= =?UTF-8?q?=20urllib.parse.urlparse()=20host=20parsing=20would=20not=20rej?= =?UTF-8?q?ect=20domain=20=20=20=20=20names=20containing=20square=20bracke?= =?UTF-8?q?ts=20([=20and=20]).=20Square=20brackets=20=20=20=20=20are=20onl?= =?UTF-8?q?y=20valid=20for=20IPv6=20and=20IPvFuture=20hosts=20according=20?= =?UTF-8?q?to=20RFC=20=20=20=20=203986=20Section=203.2.2=20(bsc#1236705,?= =?UTF-8?q?=20CVE-2025-0938,=20=20=20=20=20gh#python/cpython#105704).=20?= =?UTF-8?q?=20=20-=20gh-121284:=20Fix=20bug=20in=20the=20folding=20of=20rf?= =?UTF-8?q?c2047=20encoded-words=20=20=20=20=20when=20flattening=20an=20em?= =?UTF-8?q?ail=20message=20using=20a=20modern=20email=20=20=20=20=20policy?= =?UTF-8?q?.=20Previously=20when=20an=20encoded-word=20was=20too=20long=20?= =?UTF-8?q?for=20=20=20=20=20a=20line,=20it=20would=20be=20decoded,=20spli?= =?UTF-8?q?t=20across=20lines,=20and=20=20=20=20=20re-encoded.=20But=20com?= =?UTF-8?q?mas=20and=20other=20special=20characters=20in=20the=20=20=20=20?= =?UTF-8?q?=20original=20text=20could=20be=20left=20unencoded=20and=20unqu?= =?UTF-8?q?oted.=20This=20=20=20=20=20could=20theoretically=20be=20used=20?= =?UTF-8?q?to=20spoof=20header=20lines=20using=20a=20=20=20=20=20carefully?= =?UTF-8?q?=20constructed=20encoded-word=20if=20the=20resulting=20rendered?= =?UTF-8?q?=20=20=20=20=20email=20was=20transmitted=20or=20re-parsed.=20?= =?UTF-8?q?=20=20-=20gh-119511:=20Fix=20a=20potential=20denial=20of=20serv?= =?UTF-8?q?ice=20in=20the=20imaplib=20=20=20=20=20module.=20When=20connect?= =?UTF-8?q?ing=20to=20a=20malicious=20server,=20it=20could=20=20=20=20=20c?= 
=?UTF-8?q?ause=20an=20arbitrary=20amount=20of=20memory=20to=20be=20alloca?= =?UTF-8?q?ted.=20On=20many=20=20=20=20=20systems=20this=20is=20harmless?= =?UTF-8?q?=20as=20unused=20virtual=20memory=20is=20only=20=20=20=20=20a?= =?UTF-8?q?=20mapping,=20but=20if=20this=20hit=20a=20virtual=20address=20s?= =?UTF-8?q?ize=20limit=20=20=20=20=20it=20could=20lead=20to=20a=20MemoryEr?= =?UTF-8?q?ror=20or=20other=20process=20crash.=20On=20=20=20=20=20unusual?= =?UTF-8?q?=20systems=20or=20builds=20where=20all=20allocated=20memory=20i?= =?UTF-8?q?s=20=20=20=20=20touched=20and=20backed=20by=20actual=20ram=20or?= =?UTF-8?q?=20storage=20it=20could=E2=80=99ve=20=20=20=20=20consumed=20res?= =?UTF-8?q?ources=20doing=20so=20until=20similarly=20crashing.=20=20=20-?= =?UTF-8?q?=20gh-121277:=20Writers=20of=20CPython=E2=80=99s=20documentatio?= =?UTF-8?q?n=20can=20now=20use=20=20=20=20=20next=20as=20the=20version=20f?= =?UTF-8?q?or=20the=20versionchanged,=20versionadded,=20=20=20=20=20deprec?= =?UTF-8?q?ated=20directives.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=226
---
 Python-3.9.21.tar.xz | 3 ---
 Python-3.9.21.tar.xz.sigstore | 1 -
 Python-3.9.22.tar.xz | 3 +++
 Python-3.9.22.tar.xz.sigstore | 1 +
 python39.changes | 36 +++++++++++++++++++++++++++++++++++
 python39.spec | 2 +-
 6 files changed, 41 insertions(+), 5 deletions(-)
 delete mode 100644 Python-3.9.21.tar.xz
 delete mode 100644 Python-3.9.21.tar.xz.sigstore
 create mode 100644 Python-3.9.22.tar.xz
 create mode 100644 Python-3.9.22.tar.xz.sigstore
diff --git a/Python-3.9.21.tar.xz b/Python-3.9.21.tar.xz
deleted file mode 100644
index e7cba3a..0000000
--- a/Python-3.9.21.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3126f59592c9b0d798584755f2bf7b081fa1ca35ce7a6fea980108d752a05bb1
-size 19647056
diff --git a/Python-3.9.21.tar.xz.sigstore b/Python-3.9.21.tar.xz.sigstore
deleted file mode 100644
index 1dec9be..0000000
--- a/Python-3.9.21.tar.xz.sigstore
+++ /dev/null
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "MIICzjCCAlSgAwIBAgIUW+0j3NwKUHtsI1ptyYDZcjihgN8wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMjAzMTg1MjI5WhcNMjQxMjAzMTkwMjI5WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYDe8pRetus9jnxd7MLkTXY+JFkJDLrMGG40CRT61fjbNBLG8qSu85JdE0K/6cJ2r1rp1KGoRxFqzBopuxLvq0KOCAXMwggFvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUUQGcKMIMB1YvHguNrtBN/O+znCYwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHQYDVR0RAQH/BBMwEYEPbHVrYXN6QGxhbmdhLnBsMCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABk43d4kwAAAQDAEcwRQIhAP1aIIMfmTWlY4AFegXN2tMa8KyWEgWytzfGodqj5MK+AiBMiejbQYMtnn8G3dzcxgb73sI6X3Y9VypRrPQ+2BXpizAKBggqhkjOPQQDAwNoADBlAjEA5dOgdBqrjV3UtzmGrk7XboUaiaC31bOUovEmM3lPM8f75yvuHqLHxFHRYb66/pR2AjAvdfASd9+vSfOZhgU+SuI7yqJHRR2W9HEWfFJ/ylD6O5jvq7Jj89RqjPY/56pzgn4="}, "tlogEntries": [{"logIndex": "153125339", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1733251949", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQCWfGwPTo62Z/ZRWemot0baNqIzk8NkgOnErKNcGr9yZwIgYDkSVZZj1dXSEnrYmCLnTSF+ZPi2WVGIfQaNE+60gEA="}, "inclusionProof": {"logIndex": "31221077", "rootHash": "CgxjjOo9aZHWhFVAsfJkBugtjSsQD8OHBNjPkaHgKTc=", "treeSize": "31221078", "hashes": ["uhJ3YCyxQmBvz2Fu8n+Ww05PJRAU2nemHSQGGGFlfms=", "gY0cbMQCQcEj7ffNNi51pVaZiruqT+3cB+Dba7Gmxd4=", "m6zxQGEBGI3OJHBvuOkUnGlSR+Jt2JZ+RzenGTHbwYg=", "9uvJ6nsFFcO7iFR4Tw8yH0oOvXKul11TbUuENQy2TKk=", "mFUurhY02kRwS+kqOqGgYLFZYh5nQ9NYMtY/EtqykTI=", "Ian0jhOi0sfcLr99+d1R1/aCvZLioGpN5ZGSSYovttU=", "tH2CD4P6s9/APjnJWsTvHjNo8l825tfN4DUr+zItATY=", "AYwr74Bm2w383UnS7DdbZUUAhusq28JoxKpWrQ7OvGQ=", 
"u+yWmGIR6sAH32wiSy22mz1Yf+jfPdBTjFbyRISuTZw=", "3eFC7Gp4fWecybDOAw9uUTrM1xB7YRYRAGsfYkiQbV8=", "1uKk2qjOliHMiTk906jrchP8mXWsRG8apaU1sa0lfh0=", "oOecFfN3YqDOkbijS/ej1WF5Da/Gt/AZNhbwE9uoOE8=", "4lUF0YOu9XkIDXKXA0wMSzd6VeDY3TZAgmoOeWmS2+Y=", "gf+9m552B3PnkWnO0o4KdVvjcT3WVHLrCbf1DoVYKFw="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n31221078\nCgxjjOo9aZHWhFVAsfJkBugtjSsQD8OHBNjPkaHgKTc=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiB80M3LsYgHA0J0/ixs038lqL8G88FqomAMCqfogNRYeAIhAKMQKC1VOYlED8cwFuSVh/3uaCCjPlT2jlHB27KX1ukQ\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "MSb1lZLJsNeYWEdV8r97CB+hyjXOem/qmAEI11KgW7E="}, "signature": "MEUCIQDoV774dJHwlpiA44s2DsgEBzSMU0+1gOtM3OAwrqj2twIgW6+4BU3e92uwrn0WuRYUfadEi60eLHCDFLF/Qdh54UM="}} diff --git a/Python-3.9.22.tar.xz b/Python-3.9.22.tar.xz new file mode 100644 index 0000000..d991e4e --- /dev/null +++ b/Python-3.9.22.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c136d199d3637a1fce98a16adc809c1d83c922d02d41f3614b34f8b6e7d38ec +size 19652572 diff --git a/Python-3.9.22.tar.xz.sigstore b/Python-3.9.22.tar.xz.sigstore new file mode 100644 index 0000000..e7470a7 --- /dev/null +++ b/Python-3.9.22.tar.xz.sigstore 
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "193991733", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1744130436", "inclusionPromise": {"signedEntryTimestamp": "MEUCIQCZojFg3d0b1VlT1iIYzQD9qi0Gco8pMfY7ySidgb4VWAIgX2rTgPF7dLilPXnWN4zEd3ZCpuV6RDl8c42m+mok2ks="}, "inclusionProof": {"logIndex": "72087471", "rootHash": "q/PkICD5uDg5OlvIWNsF+lXN1ZiHEWNqVvtzFtmAPlk=", "treeSize": "72087476", "hashes": ["4yUybcYvtBlJ50W9AAsyNwk4NR+F6hiMzaeYCGGB1u8=", "1+97TstZdQ7MhyOhcTb/5wXWWmSsTbW39uY9kLhnhfo=", "q3YXOnHzg/M0HDq9vcHtAaCfgL1bSUam96gi2CbgGnk=", "kV8g3sPKmH7KgUIy4uT6+MtE52LZBdVAU2cDVyNekgU=", "SIo81b3kZgGsX/FWdBQYuvP5papZCszfK1URvAzEKDw=", "qSrXBipOR98Puq+IERBcOWHKeidS0RBLwd959YHA0D4=", "b7hTc5162/5hAKKTNfIy2OShk3XeVpGyGUwnpNrnRWg=", "GXs5uhC5teyVctnWE7ExxF5zLscIRrTKPGgu1U1Juec=", "SEpdK86t0h91343ndP33NAdKXC2lyurSAYMUT30LXYw=", "nATuuvI7Y38ODRIhealRzPKZWWvhMr6ltN0JKaAyLfM=", "TQThq+xH/Rys7mbboD00p4znY8nZ9kiJ56STr/CKVdw=", "7MlcOPugq/cko9b3dV9PgEuxQTnIJE5JYyv5V8MSoKg=", "Y0UveOhlrOl08kRY9fZBgfV5WllXxE42rV8NE+GgwCs=", "RgE76aZZETQ/ZXQCSka8ujxPpjA9SjPpXZFpkrF58Gk=", "+MDT1rEJIJ21rvjo6a7jzRPh//LjIcmfFhNEV/fA+jA=", "QReFEOB9XSZtDKsjRtA0fGnYGMYD2Z7qn50auG1YlWo=", "K26LG80DXyb+bC58c4Nw00WigG52v0PCsZGY3ExGsts=", "WEm5OgPzJpYROv+4CcrieexCYyQKrLUH3hbxmcQQ+DM=", "7v8qPHNDLerpduaMx06eb/MwgoQwczTn/cYGKX/9wZ4="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n72087476\nq/PkICD5uDg5OlvIWNsF+lXN1ZiHEWNqVvtzFtmAPlk=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiEAptmnbism1EAeeK49B0IwJz0Y3HYhyW39gnaBoHxVFQECICnFiKtwk9Wce+nL732qSHuv60Qt7s+aJJpXG9NB1c/7\n"}}, "canonicalizedBody": "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"}], "timestampVerificationData": {}}, "messageSignature": 
{"messageDigest": {"algorithm": "SHA2_256", "digest": "jBNtGZ02N6H86YoWrcgJwdg8ki0C1B82FLNPi259OOw="}, "signature": "MEQCIE5CIBZ6A3galSYScPrTEveMipJP2IpTMnTw0Ye5nCiDAiBOqhiTe1XlRNjyhenmKFF76kVmOh09nZNuqaYlzf9Fiw=="}} diff --git a/python39.changes b/python39.changes index fab7d68..46939e4 100644 --- a/python39.changes +++ b/python39.changes 
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Apr 9 20:04:17 UTC 2025 - Matej Cepl
+
+- Update to 3.9.22:
+ - gh-131809: Update bundled libexpat to 2.7.1
+ - gh-131261: Upgrade to libexpat 2.7.0
+ - gh-105704: When using urllib.parse.urlsplit() and
+ urllib.parse.urlparse() host parsing would not reject domain
+ names containing square brackets ([ and ]). Square brackets
+ are only valid for IPv6 and IPvFuture hosts according to RFC
+ 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
+ gh#python/cpython#105704).
+ - gh-121284: Fix bug in the folding of rfc2047 encoded-words
+ when flattening an email message using a modern email
+ policy. Previously when an encoded-word was too long for
+ a line, it would be decoded, split across lines, and
+ re-encoded. But commas and other special characters in the
+ original text could be left unencoded and unquoted. This
+ could theoretically be used to spoof header lines using a
+ carefully constructed encoded-word if the resulting rendered
+ email was transmitted or re-parsed.
+ - gh-119511: Fix a potential denial of service in the imaplib
+ module. When connecting to a malicious server, it could
+ cause an arbitrary amount of memory to be allocated. On many
+ systems this is harmless as unused virtual memory is only
+ a mapping, but if this hit a virtual address size limit
+ it could lead to a MemoryError or other process crash. On
+ unusual systems or builds where all allocated memory is
+ touched and backed by actual ram or storage it could’ve
+ consumed resources doing so until similarly crashing.
+ - gh-121277: Writers of CPython’s documentation can now use
+ next as the version for the versionchanged, versionadded,
+ deprecated directives.
+- Remote upstreamed patch:
+ - CVE-2025-0938-sq-brackets-domain-names.patch
+
 -------------------------------------------------------------------
 Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann
diff --git a/python39.spec b/python39.spec
index 7e447e2..4899857 100644
--- a/python39.spec
+++ b/python39.spec
@@ -99,7 +99,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.9.21
+Version: 3.9.22
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
From 975044e74b8d19b3ad423b053bc361222de9f27647d37fb95fa183b882b1b7a8 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Fri, 11 Apr 2025 07:57:50 +0000
Subject: [PATCH 2/2] update patches
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=227
---
 ...nx.locale._-as-gettext-in-pyspecific.patch | 22 +--
 CVE-2025-0938-sq-brackets-domain-names.patch | 127 ------------------
 python39.spec | 4 -
 sphinx-802.patch | 8 +-
 sphinx-update-removed-function.patch | 8 +-
 5 files changed, 23 insertions(+), 146 deletions(-)
 delete mode 100644 CVE-2025-0938-sq-brackets-domain-names.patch
diff --git a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch b/98437-sphinx.locale._-as-gettext-in-pyspecific.patch
index 826428c..fb68fc9 100644
--- a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+++ b/98437-sphinx.locale._-as-gettext-in-pyspecific.patch
@@ -10,9 +10,11 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) ---- a/Doc/tools/extensions/pyspecific.py -+++ b/Doc/tools/extensions/pyspecific.py -@@ -26,7 +26,7 @@ try: +Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py +=================================================================== +--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py 2025-04-11 09:49:58.417019238 +0200 ++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py 2025-04-11 09:50:56.818993764 +0200 +@@ -27,7 +27,7 @@ from sphinx.errors import NoUri except ImportError: from sphinx.environment import NoUri @@ -21,7 +23,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for from sphinx.util import status_iterator, logging from sphinx.util.nodes import split_explicit_title from sphinx.writers.text import TextWriter, TextTranslator -@@ -110,7 +110,7 @@ class ImplementationDetail(Directive): +@@ -111,7 +111,7 @@ def run(self): pnode = nodes.compound(classes=['impl-detail']) @@ -30,7 +32,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for content = self.content add_text = nodes.strong(label, label) if self.arguments: -@@ -179,7 +179,7 @@ class AuditEvent(Directive): +@@ -180,7 +180,7 @@ else: args = [] 
@@ -39,16 +41,18 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for text = label.format(name="``{}``".format(name), args=", ".join("``{}``".format(a) for a in args if a)) -@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive): +@@ -380,7 +380,7 @@ else: label = self._removed_label - label = translators['sphinx'].gettext(label) + label = sphinx_gettext(label) - text = label.format(deprecated=self.arguments[0], removed=self.arguments[1]) + text = label.format(deprecated=version[0], removed=version[1]) if len(self.arguments) == 3: inodes, messages = self.state.inline_text(self.arguments[2], ---- /dev/null -+++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst +Index: Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst 2025-04-11 09:50:08.952333342 +0200 @@ -0,0 +1 @@ +Use sphinx.locale._ as the gettext function in pyspecific.py. diff --git a/CVE-2025-0938-sq-brackets-domain-names.patch b/CVE-2025-0938-sq-brackets-domain-names.patch deleted file mode 100644 index fd7a90a..0000000 --- a/CVE-2025-0938-sq-brackets-domain-names.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001 -From: Seth Michael Larson -Date: Fri, 31 Jan 2025 11:41:34 -0600 -Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain - names for parsed URLs (GH-129418) - -* gh-105704: Disallow square brackets ( and ) in domain names for parsed URLs - -* Use Sphinx references - -Co-authored-by: Peter Bierma - -* Add mismatched bracket test cases, fix news format - -* Add more test coverage for ports - ---------- - -(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a) - -Co-authored-by: Seth Michael Larson -Co-authored-by: Peter Bierma ---- - Lib/test/test_urlparse.py | 37 +++++++++- - Lib/urllib/parse.py | 20 ++++- - Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 + - 3 files changed, 58 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst - ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query') - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query') - self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix') 
-+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip') -+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix') - - def test_splitting_bracketed_hosts(self): -- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query') -+ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query') - self.assertEqual(p1.hostname, 'v6a.ip') - self.assertEqual(p1.username, 'user') - self.assertEqual(p1.path, '/path') -+ self.assertEqual(p1.port, 1234) - p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query') - self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test') - self.assertEqual(p2.username, 'user') - self.assertEqual(p2.path, '/path') -+ self.assertIs(p2.port, None) - p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query') - self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test') - self.assertEqual(p3.username, 'user') ---- a/Lib/urllib/parse.py -+++ b/Lib/urllib/parse.py -@@ -443,6 +443,23 @@ def _checknetloc(netloc): - raise ValueError("netloc '" + netloc + "' contains invalid " + - "characters under NFKC normalization") - -+def _check_bracketed_netloc(netloc): -+ # Note that this function must mirror the splitting -+ # done in NetlocResultMixins._hostinfo(). -+ hostname_and_port = netloc.rpartition('@')[2] -+ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[') -+ if have_open_br: -+ # No data is allowed before a bracket. -+ if before_bracket: -+ raise ValueError("Invalid IPv6 URL") -+ hostname, _, port = bracketed.partition(']') -+ # No data is allowed after the bracket but before the port delimiter. 
-+ if port and not port.startswith(":"): -+ raise ValueError("Invalid IPv6 URL") -+ else: -+ hostname, _, port = hostname_and_port.partition(':') -+ _check_bracketed_host(hostname) -+ - # Valid bracketed hosts are defined in - # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/ - def _check_bracketed_host(hostname): -@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragm - (']' in netloc and '[' not in netloc)): - raise ValueError("Invalid IPv6 URL") - if '[' in netloc and ']' in netloc: -- bracketed_host = netloc.partition('[')[2].partition(']')[0] -- _check_bracketed_host(bracketed_host) -+ _check_bracketed_netloc(netloc) - if allow_fragments and '#' in url: - url, fragment = url.split('#', 1) - if '?' in url: ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst -@@ -0,0 +1,4 @@ -+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host -+parsing would not reject domain names containing square brackets (``[`` and -+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to -+`RFC 3986 Section 3.2.2 `__. diff --git a/python39.spec b/python39.spec index 4899857..4f3331c 100644 --- a/python39.spec +++ b/python39.spec @@ -194,9 +194,6 @@ Patch50: gh120226-fix-sendfile-test-kernel-610.patch # PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com # status_iterator method moved between the Sphinx versions Patch51: sphinx-802.patch -# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com -# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets -Patch52: CVE-2025-0938-sq-brackets-domain-names.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -469,7 +466,6 @@ other applications. %patch -p1 -P 48 %patch -p1 -P 50 %patch -p1 -P 51 -%patch -p1 -P 52 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac 
diff --git a/sphinx-802.patch b/sphinx-802.patch index c4600b7..de00f20 100644 --- a/sphinx-802.patch +++ b/sphinx-802.patch @@ -2,9 +2,11 @@ Doc/tools/extensions/pyspecific.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) ---- a/Doc/tools/extensions/pyspecific.py -+++ b/Doc/tools/extensions/pyspecific.py -@@ -27,7 +27,13 @@ try: +Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py +=================================================================== +--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py 2025-04-11 09:50:56.818993764 +0200 ++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py 2025-04-11 09:51:18.844485631 +0200 +@@ -28,7 +28,13 @@ except ImportError: from sphinx.environment import NoUri from sphinx.locale import _ as sphinx_gettext diff --git a/sphinx-update-removed-function.patch b/sphinx-update-removed-function.patch index 84a7659..56c98c4 100644 --- a/sphinx-update-removed-function.patch +++ b/sphinx-update-removed-function.patch @@ -2,9 +2,11 @@ Doc/tools/extensions/pyspecific.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) ---- a/Doc/tools/extensions/pyspecific.py -+++ b/Doc/tools/extensions/pyspecific.py -@@ -385,7 +385,12 @@ class DeprecatedRemoved(Directive): +Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py +=================================================================== +--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py 2025-04-08 17:21:55.000000000 +0200 ++++ Python-3.9.22/Doc/tools/extensions/pyspecific.py 2025-04-11 09:49:58.417019238 +0200 +@@ -407,7 +407,12 @@ translatable=False) node.append(para) env = self.state.document.settings.env