python-interpreters/python39
SHA256
7
0
Fork 0
forked from pool/python39
Code Pull Requests Activity

- Update to 3.9.19:

Browse Source 
- Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when try to read an entry
      that overlaps with other entry or central directory.
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but
      the error parameters will still contain ERR_LIB_SSL

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=176
This commit is contained in:
Matej Cepl
2024-03-21 20:28:22 +00:00
committed by Git OBS Bridge
parent 22ffaaf624
commit e6aa51477e
10 changed files with 81 additions and 331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
python39.changes
View File

@@ -1,3 +1,55 @@
-------------------------------------------------------------------
Thu Mar 21 20:24:05 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.9.19:
- Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0
- gh-113659: Skip .pth files with names starting with a dot
or hidden file attribute.
- Core and Builtins
- gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
codecs read out of bounds
- Library
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the systems proxy bypass list
on macOS and Windows.
- gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
- gh-81194: Fix a crash in socket.if_indextoname() with
specific value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-109858: Protect zipfile from “quoted-overlap”
zipbomb. It now raises BadZipFile when try to read an entry
that overlaps with other entry or central directory.
- gh-107077: Seems that in some conditions, OpenSSL will
return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
when a certification verification has failed, but
the error parameters will still contain ERR_LIB_SSL
and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now
detecting this situation and raising the appropiate
ssl.SSLCertVerificationError. Patch by Pablo Galindo
- gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
which now no longer dereferences symlinks when working
around file system permission errors.
- Documentation
- gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
“XML vulnerabilities”.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11
and multissltests to use 1.1.1w and 3.0.11.
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- libexpat260.patch
- Refreshed patches:
- F00251-change-user-install-location.patch
- python-3.3.0b1-localpath.patch
-------------------------------------------------------------------
Wed Mar 6 14:13:58 UTC 2024 - Pedro Monreal <pmonreal@suse.com>