From 8760b4335a64bf4d4f0afcd99b25b7d0b7cfe532fd8f8154df5d548274209f06 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Mon, 27 Jan 2025 13:48:13 +0000
Subject: [PATCH 1/2] Accepting request 1240526 from home:glaubitz:branches:devel:languages:python - Update to 1.0.6 * drop testing and support for Python3.8, add Python 3.13, change document to reflect this. * implement safe_getattr and safe_format functions; fix bugs in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage * make all procedure attributes private to curb access to AST nodes, which can be exploited * improvements to error messages, including use ast functions to construct better error messages * remove import of numpy.linalg, as documented * update doc description for security advisory
OBS-URL: https://build.opensuse.org/request/show/1240526
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-asteval?expand=0&rev=42
---
 asteval-1.0.5.tar.gz | 3 ---
 asteval-1.0.6.tar.gz | 3 +++
 python-asteval.changes | 15 +++++++++++++++
 python-asteval.spec | 4 ++--
 4 files changed, 20 insertions(+), 5 deletions(-)
 delete mode 100644 asteval-1.0.5.tar.gz
 create mode 100644 asteval-1.0.6.tar.gz
diff --git a/asteval-1.0.5.tar.gz b/asteval-1.0.5.tar.gz
deleted file mode 100644
index 8fc2fee..0000000
--- a/asteval-1.0.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bac3c8dd6d2b789e959cfec9bb296fb8338eec066feae618c462132701fbc665
-size 50826
diff --git a/asteval-1.0.6.tar.gz b/asteval-1.0.6.tar.gz
new file mode 100644
index 0000000..304d2a8
--- /dev/null
+++ b/asteval-1.0.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1aa8e7304b2e171a90d64dd269b648cacac4e46fe5de54ac0db24776c0c4a19f
+size 52079
diff --git a/python-asteval.changes b/python-asteval.changes
index 5e752c6..3655fd1 100644
--- a/python-asteval.changes
+++ b/python-asteval.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon Jan 27 12:42:41 UTC 2025 - John Paul Adrian Glaubitz
+
+- Update to 1.0.6
+ * drop testing and support for Python3.8, add Python 3.13,
+ change document to reflect this.
+ * implement safe_getattr and safe_format functions; fix bugs
+ in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage
+ * make all procedure attributes private to curb access to AST
+ nodes, which can be exploited
+ * improvements to error messages, including use ast functions
+ to construct better error messages
+ * remove import of numpy.linalg, as documented
+ * update doc description for security advisory
+
 -------------------------------------------------------------------
 Thu Oct 10 15:41:37 UTC 2024 - Dirk Müller
diff --git a/python-asteval.spec b/python-asteval.spec
index 50a47b5..a0e52ba 100644
--- a/python-asteval.spec
+++ b/python-asteval.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-asteval
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 %{?sle15_python_module_pythons}
 Name: python-asteval
-Version: 1.0.5
+Version: 1.0.6
 Release: 0
 Summary: Safe, minimalistic evaluator of python expression using ast module
 License: MIT
From 2a11a765e3ba2cb0c40341a93984b99e8585d2fb3ae6c107a40d9a8c18ea2740 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Mon, 27 Jan 2025 15:21:08 +0000
Subject: [PATCH 2/2] Add information about the fixed CVE.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-asteval?expand=0&rev=43
---
 python-asteval.changes | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python-asteval.changes b/python-asteval.changes
index 3655fd1..a8dc4e3 100644
--- a/python-asteval.changes
+++ b/python-asteval.changes
@@ -5,7 +5,8 @@ Mon Jan 27 12:42:41 UTC 2025 - John Paul Adrian Glaubitz