Accepting request 1096536 from devel:languages:python:Factory

- Update to Python 3.11.4: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471). - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750). - Remove upstreamed patches: - CVE-2007-4559-filter-tarfile_extractall.patch OBS-URL: https://build.opensuse.org/request/show/1096536 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=20
2023-07-06 16:27:44 +00:00 · 2023-07-06 16:27:44 +00:00 · fdf11aefc4
commit fdf11aefc4
parent 5760576192 f7f28c547b
9 changed files with 52 additions and 2642 deletions
--- a/CVE-2007-4559-filter-tarfile_extractall.patch
+++ b/CVE-2007-4559-filter-tarfile_extractall.patch
--- a/Python-3.11.3.tar.xz
+++ b/Python-3.11.3.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8a5db99c961a7ecf27c75956189c9602c968751f11dbeae2b900dbff1c085b5e
-size 19906156
--- a/Python-3.11.3.tar.xz.asc
+++ b/Python-3.11.3.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmQsppwACgkQ/+h0BBaL
-2Ee3kg//ewFzE4twuLz2MKoki+7xKz5VzTm2fvCtymAtqVq8Tk3oTvRrc9llHIQn
-+QU6Cjiu38igRgQ4O0/i6909U3N1tmqXsSHtuGIB5mEOqwK9LESTPJG+wK4nULg5
-fLH+FgBAJ4HSI3WIMt8jn98LJ8lsfFrH1sdv9ijcDN9VdekY8vXOOaWbAWg2vpYb
-vXTtajHXA1KLZR1GvhDel3G6qPhxOjud/gwVJgzHcxA/mpDjT5DTiqS5rVMsJQq0
-R/LCtsqM4NVjurWwe5jEOi/Fv60qTN7ekuIdziC3IB50WjkwXltKB90l9heihnZo
-oGAe2T9Kv74Pr1kWhkstURwFGP6hRrZHNfvZXYgcJdN2SxsS9VNkt2JQ9aKevPo3
-t1ZgmB5WGsWAWgny7pm+qLfKy5mkdaal/BB7iLTh5/u3b6tlO2C7wNpGRLS1OBrN
-kr/SMS0uyVXcZfcjMTs9e/7YU/ArAvu5nwbFqDrFLHe1SHqTq1PXkeVxbxf1c6KW
-TZyOivQA7pcbPyqrbm+tuL2qbAjfOtDo771i9AG2vjgsblxTQvBxXc7buv5/JoCl
-4jKuDYHuteiVsuJFeC2Gs67hcM0qjEzbB7mFSJLPDZU3gMMGQxMn/ZWrI/laD5hB
-biXtLQJt/Z+3f1ROWiFgjZvdaWYjT26BWaBkIMrv65NG//M7wfo=
-=SzVA
-----END PGP SIGNATURE-----
--- a/Python-3.11.4.tar.xz
+++ b/Python-3.11.4.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f0e409df2ab57aa9fc4cbddfb976af44e4e55bf6f619eee6bc5c2297264a7f6
+size 19954828
--- a/Python-3.11.4.tar.xz.asc
+++ b/Python-3.11.4.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmR/sHIACgkQ/+h0BBaL
+2EfQDQ//eFWvcQ5ijhVd3r5lp7NTNUPK6xKR2iqzpNWlN2Z4QkGJ2+IworBaZoGA
+tzmbT0j0LB9ZQ+ba3xnqXGXD8Ky+fHLg8GV5yshPlH/bD7tPuHtfDRxNcWplEVSS
+MbMuLjAYavTIHhYEz/Rpx4jvZTI5lwplVqj9WxNI/8tNrL5M2bsCtv+IB6brohiw
+rUOUlT/KDkZbrGfB1Fe033Ep8hay5MkKjhgr7O1dU7zMuDRG+HRsCYGs7a5x6KhH
+3QNTEp+GEIAKEsip5nR7vl5KqL02lHa5sf36SV2wjRTwO+IhgV7lvtJEwOD12oE5
+c+TCQMFbmBXg2vVmNBN/Lwftw1SwT/+orFX6V4U93jq6QNUo4GvPqum6YzuayGYc
+/JM4MNziqmfdNW2YjEHPPfzti3f40eTapys97YufOrmYjM2NY0Fs+kAErvyxiWqi
+guVQtaZIYeLl/9KWqQ0F/Apy1N+fVDuWBkZlizwHrUsGips4Rp7Bh/iCrDdOj+1D
+gRCio7+KvdtzHavZPZnU5dcpUiXZgsDzOTI138IyYaEtVUS59ELkA2qxI1yCb5mk
+eLVG1L7r/J2tIaTcguQppp5Z+62UDTArlUbnRxda0buzA2r1aFiQCTMwp+kTRegw
+T9Ht/CT/D4vpMdmSQTun9MkKifcK+2uGfSsS7Lz4fSWjQLqg36k=
+=zSfJ
+-----END PGP SIGNATURE-----
--- a/fix_configure_rst.patch
+++ b/fix_configure_rst.patch
@ -29,7 +29,7 @@
    Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -7809,7 +7809,7 @@ C API
+@@ -8105,7 +8105,7 @@ C API
 - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
 
 - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
--- a/python311.changes
+++ b/python311.changes
@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Wed Jun 28 19:47:28 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Update to Python 3.11.4:
+  - gh-103142: The version of OpenSSL used in Windows and
+    Mac installers has been upgraded to 1.1.1u to address
+    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
+    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
+    fixed previously in 1.1.1t (gh-101727).
+  - gh-102153: urllib.parse.urlsplit() now strips leading C0
+    control and space characters following the specification for
+    URLs defined by WHATWG in response to CVE-2023-24329
+    (bsc#1208471).
+  - gh-99889: Fixed a security in flaw in uu.decode() that could
+    allow for directory traversal based on the input if no
+    out_file was specified.
+  - gh-104049: Do not expose the local on-disk
+    location in directory indexes produced by
+    http.client.SimpleHTTPRequestHandler.
+  - gh-103935: trace.__main__ now uses io.open_code() for files
+    to be executed instead of raw open().
+  - gh-102953: The extraction methods in tarfile, and
+    shutil.unpack_archive(), have a new filter argument that
+    allows limiting tar features than may be surprising or
+    dangerous, such as creating files outside the destination
+    directory. See Extraction filters for details (fixing
+    CVE-2007-4559, bsc#1203750).
+- Remove upstreamed patches:
+  - CVE-2007-4559-filter-tarfile_extractall.patch
+
 -------------------------------------------------------------------
 Mon Jun 26 13:02:05 UTC 2023 - Matej Cepl <mcepl@suse.com>

--- a/python311.spec
+++ b/python311.spec
@ -94,7 +94,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.3
+Version:        3.11.4
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@ -157,9 +157,6 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
 # Makes Python resilient to changes of API of libexpat
 Patch36:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
-# PEP 706 – Filter for tarfile.extractall
-Patch37:        CVE-2007-4559-filter-tarfile_extractall.patch
 # PATCH-FIX-UPSTREAM 103213-fetch-CONFIG_ARGS.patch gh#python/cpython#103053 mcepl@suse.com
 # Fetch CONFIG_ARGS from original python instance
 Patch38:        103213-fetch-CONFIG_ARGS.patch
@ -424,7 +421,6 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
-%patch37 -p1
 %patch38 -p1
 %patch39 -p1

--- a/subprocess-raise-timeout.patch
+++ b/subprocess-raise-timeout.patch
@ -4,7 +4,7 @@

 --- a/Lib/test/test_subprocess.py
 +++ b/Lib/test/test_subprocess.py
-@@ -278,7 +278,8 @@ class ProcessTestCase(BaseTestCase):
+@@ -279,7 +279,8 @@ class ProcessTestCase(BaseTestCase):
                      "time.sleep(3600)"],
                     # Some heavily loaded buildbots (sparc Debian 3.x) require
                     # this much time to start and print.