forked from pool/python310
- Update to 3.10.12:
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329.
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details.
- Remove upstreamed patches:
- CVE-2007-4559-filter-tarfile_extractall.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=95
This commit is contained in:
Git OBS Bridge
parent
895080bf5f
commit
402f3ae924
File diff suppressed because it is too large
Load Diff
@ -12,7 +12,7 @@ Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
|
||||
|
||||
--- a/Lib/test/test_urlparse.py
|
||||
+++ b/Lib/test/test_urlparse.py
|
||||
@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
|
||||
@@ -727,6 +727,24 @@ class UrlParseTestCase(unittest.TestCase
|
||||
with self.assertRaises(ValueError):
|
||||
p.port
|
||||
|
||||
@ -39,7 +39,7 @@ Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
|
||||
# should allow the username, hostname, and port to be filled
|
||||
--- a/Lib/urllib/parse.py
|
||||
+++ b/Lib/urllib/parse.py
|
||||
@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
|
||||
@@ -481,7 +481,7 @@ def urlsplit(url, scheme='', allow_fragm
|
||||
clear_cache()
|
||||
netloc = query = fragment = ''
|
||||
i = url.find(':')
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:3c3bc3048303721c904a03eb8326b631e921f11cc3be2988456a42f115daf04c
|
||||
size 19640792
|
||||
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmQsoHwACgkQ/+h0BBaL
|
||||
2Efs9BAAheWCnenhHhXi0m0DgyB6eEVH8xmZrBqA1WMgGQOqWVZmEnJdc0IXyFWQ
|
||||
1A4C59d6rEvu8jvXTLvsqGEmehofKqq0bXB1tMUBn9CwSiELOm19WvCHc/Htwo2U
|
||||
DsvAsXXO7vBkKBT9+CQ4BmkGzPUTrBLZRHsQX/M/tpx81jnQVunoMojyPK19sf1I
|
||||
C+YnxE0cQVL9+INd0WtbVByJIwzBBDCLqTQWL//73CqFs8IO6PsjFXqmlVqVfpmz
|
||||
aEXuGeRkRgy7kZaDdLcnhBq7a6vgaecfgfRUGyBgwgakfrHA5SOdsWdAonjA676J
|
||||
6DHmFIf82R4wo7Vu0WAfFAq9jJfVxXN7n5Y/N/cxzqjhrfO341vCflN1c16VAFnu
|
||||
ok7n50poENO/tMRerOEj5baL+mToi8Wh+cYHY6tNpaM2iP+bSyjoS+Ff225xhdNV
|
||||
fqGuyaH7cPgGgoXECrSb7iTWYZxJxQV9S8OlR2gX8IlA+XrbGWQl0PvmErhO3FqN
|
||||
W88gBmYrzrSl6+dzF62yn2gKFc2K5k6NmCcySFfjY87G7RhEf1ixPeDyMSvbKlVw
|
||||
sJWeoXuCNPL+PQV+V76UAbn3bEvH87fyImxoYHNAIbHh8JaTvO5vIKDrrsw92siQ
|
||||
6Pud3Oy6DcD5gWX2KcaAjQjruh18dljsbYN+2KVFfQHM8SYeXns=
|
||||
=enP4
|
||||
-----END PGP SIGNATURE-----
|
||||
3
Python-3.10.12.tar.xz
Normal file
3
Python-3.10.12.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:afb74bf19130e7a47d10312c8f5e784f24e0527981eab68e20546cfb865830b8
|
||||
size 19654836
|
||||
16
Python-3.10.12.tar.xz.asc
Normal file
16
Python-3.10.12.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/tqIACgkQ/+h0BBaL
|
||||
2EfUfg/9FW0m6nngtGIKTJ+Gk4G13pQvnELgc3eq70t7Sn1g2kGxDpO+rs0WptYG
|
||||
gGcHs6v4rE/3uQ0mf4QCvnnXffQEQ+bRDaj1ZBY/rJjCdgQeUNMElV0KbvADiTqS
|
||||
+akmsXaK3KqLHJesZo65lZ4HSADWKosBU3zxE2/CRMMsz1aLMDLIoaQo+pqDcFl7
|
||||
ZfGMlmiJNyD2jZVYGdwCbhG0BymOTU02BxkH2Dkd9OGzj9A3zDPCO6RcDFtw4dkK
|
||||
lngHQGijYaFV11FqIaApnUkz7aAPk//2KRLwpf5D5z8p8T8QsHAJyTmIm1gMQiQA
|
||||
tMThI1tFGN6lF1QSrfwGooXs3AdeEY0VoL4CpQi8TVRLyi6HE4AU4hEQdPqVmpm1
|
||||
+U2K0MpYhkwtPp0E9E7y9v82fMSzUKvGgpTstnblKTfDmgGUGb47Ncj3XvxH8SZz
|
||||
p93YK2xpfl4V2ltLio8ONmwP9lQhxk5L34dQR20cjbOoj622VofqGUV7Zr6UHVLD
|
||||
pqYgnj3zgiTPmbCzgVxZOyaLD3ezsY8oAtfLgX6cjCfsTtV27TvQUD8Br0oKQYS/
|
||||
h5KJBdytokqPa+JWr59hvQpcLSbmCB2y7USminoS2yL1hpXidTvVDUALF3vorvZi
|
||||
BS8prxUIFT2dgerUpWmMrKYih7pJNKdySGgI3zXtxIt5TE0TRag=
|
||||
=9Zqh
|
||||
-----END PGP SIGNATURE-----
|
||||
@ -1,3 +1,31 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
- Update to 3.10.12:
|
||||
- gh-103142: The version of OpenSSL used in Windows and
|
||||
Mac installers has been upgraded to 1.1.1u to address
|
||||
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
|
||||
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
|
||||
fixed previously in 1.1.1t (gh-101727).
|
||||
- gh-102153: urllib.parse.urlsplit() now strips leading C0
|
||||
control and space characters following the specification for
|
||||
URLs defined by WHATWG in response to CVE-2023-24329.
|
||||
- gh-99889: Fixed a security in flaw in uu.decode() that could
|
||||
allow for directory traversal based on the input if no
|
||||
out_file was specified.
|
||||
- gh-104049: Do not expose the local on-disk
|
||||
location in directory indexes produced by
|
||||
http.client.SimpleHTTPRequestHandler.
|
||||
- gh-103935: trace.__main__ now uses io.open_code() for files
|
||||
to be executed instead of raw open().
|
||||
- gh-102953: The extraction methods in tarfile, and
|
||||
shutil.unpack_archive(), have a new filter argument that
|
||||
allows limiting tar features than may be surprising or
|
||||
dangerous, such as creating files outside the destination
|
||||
directory. See Extraction filters for details.
|
||||
- Remove upstreamed patches:
|
||||
- CVE-2007-4559-filter-tarfile_extractall.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 20 21:39:58 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
|
||||
@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}}
|
||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||
%bcond_without profileopt
|
||||
Name: %{python_pkg_name}%{psuffix}
|
||||
Version: 3.10.11
|
||||
Version: 3.10.12
|
||||
Release: 0
|
||||
Summary: Python 3 Interpreter
|
||||
License: Python-2.0
|
||||
@ -170,9 +170,6 @@ Patch36: support-expat-CVE-2022-25236-patched.patch
|
||||
# blocklist bypass via the urllib.parse component when supplying
|
||||
# a URL that starts with blank characters
|
||||
Patch37: CVE-2023-24329-blank-URL-bypass.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
|
||||
# PEP 706 – Filter for tarfile.extractall
|
||||
Patch38: CVE-2007-4559-filter-tarfile_extractall.patch
|
||||
# PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
|
||||
# Make `set` and `frozenset` marshalling deterministic
|
||||
Patch39: bpo-37596-make-set-marshalling.patch
|
||||
@ -448,7 +445,6 @@ other applications.
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
|
||||
Loading…
Reference in New Issue
Block a user