894cbf9c49 - Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent a malformed payload from causing infinite loops in zipfile.Path (bsc#1229704, CVE-2024-8088).
devel
Matej Cepl
2024-08-29 12:48:46 +0000
c5f0a256bf Accepting request 1192372 from devel:languages:python:Factory
Dominique Leuenberger
2024-08-10 17:05:45 +0000
adc3db8fd2 - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999)
Matej Cepl
2024-08-07 20:15:48 +0000
060513c7e1 - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923).
Matej Cepl
2024-08-07 12:14:54 +0000
18b8a8abd9 Accepting request 1190344 from devel:languages:python:Factory
Dominique Leuenberger
2024-07-31 11:28:00 +0000
4532cac800 - Remove %suse_update_desktop_file macro as it is not useful any more.
Matej Cepl
2024-07-22 21:29:24 +0000
77cb5b35a5 - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883.
- Trying %autopatch again (bsc#1189495 seems to be fixed)
Matej Cepl
2024-07-18 22:39:01 +0000
46872d4763 - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378).
Matej Cepl
2024-07-15 12:14:33 +0000
5e60accc5c Accepting request 1185397 from devel:languages:python:Factory
Ana Guerrero
2024-07-09 18:02:51 +0000
b840c5dcd7 - Update F00251-change-user-install-location.patch to make pip and modern tools install directly in /usr/local when used by the user. bsc#1225660
Matej Cepl
2024-07-04 13:17:01 +0000
b6c310cc5a Accepting request 1183510 from devel:languages:python:Factory
Ana Guerrero
2024-06-28 13:46:47 +0000
2f6f68cb45 - Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448 (CVE-2024-4032) rearranging definition of private v global IP addresses.
Matej Cepl
2024-06-25 21:58:48 +0000
d00c2f8ffd Accepting request 1171202 from devel:languages:python:Factory
Ana Guerrero
2024-05-02 21:42:42 +0000
77ce54fe8f - Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses features sniffing, not just comparing version number. Include also support-expat-CVE-2022-25236-patched.patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping failing tests.
Matej Cepl
2024-05-01 23:30:08 +0000
e54275a76b - Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses features sniffing, not just comparing version number. Include also support-expat-CVE-2022-25236-patched.patch.
- Refresh patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch
- Remove included patch:
  - support-expat-CVE-2022-25236-patched.patch
Matej Cepl
2024-05-01 09:01:36 +0000
32bb272437 Accepting request 1169286 from devel:languages:python:Factory
Ana Guerrero
2024-04-21 18:24:16 +0000
116be53bb3 Accepting request 1169083 from home:dgarcia:branches:devel:languages:python:Factory
Matej Cepl
2024-04-19 22:20:05 +0000
fe7f29284c Accepting request 1166573 from home:dgarcia:branches:devel:languages:python:Factory
Matej Cepl
2024-04-10 14:25:37 +0000
19bdd05c49 Accepting request 1161081 from devel:languages:python:Factory
Ana Guerrero
2024-03-25 20:06:04 +0000
246a8799b3 - Add reference to CVE-2024-0450 (bsc#1221854) to changelog. other entry or central directory (bsc#1221854, CVE-2024-0450).
Matej Cepl
2024-03-24 07:52:22 +0000
eceb720075 - Because of bsc#1189495 we have to revert use of %autopatch.
Matej Cepl
2024-03-22 21:22:48 +0000
b1a4352010 Accepting request 1157149 from devel:languages:python:Factory
Ana Guerrero
2024-03-13 21:16:00 +0000
6acd83df79 autosetup actually doesn't have -m/-M, it's autopatch
Matej Cepl
2024-03-12 08:53:52 +0000
f2e8cdf7ce - Rewrite %prep to use %autosetup et al. for compatibility with rpm 4.20.
Matej Cepl
2024-03-12 08:46:16 +0000
61edd8bfc6 - bsc#1221260 add bsc1221260-test_asyncio-ResourceWarning.patch to eliminate ResourceWarning which broke the test suite in test_asyncio.
Matej Cepl
2024-03-12 08:20:37 +0000
2697832d56 Accepting request 1155683 from home:pmonrealgonzalez:branches:devel:languages:python:Factory
Matej Cepl
2024-03-06 21:50:48 +0000
d0d6107118 Accepting request 1153186 from devel:languages:python:Factory
Dominique Leuenberger
2024-03-01 22:35:58 +0000
af31ac92dd - (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time, which fails on slow machines in IBS (s390x).
Matej Cepl
2024-02-29 07:16:40 +0000
b0bca7ad80 - Remove double definition of /usr/bin/idle%%{version} in %%files.
Matej Cepl
2024-02-20 22:15:23 +0000
96b991b360 Accepting request 1146838 from devel:languages:python:Factory
Ana Guerrero
2024-02-18 19:22:52 +0000
0d9b06c5c0 Accepting request 1146787 from home:dgarcia:branches:devel:languages:python:Factory
Matej Cepl
2024-02-15 12:58:25 +0000
4fb12f44cc Accepting request 1145179 from devel:languages:python:Factory
Ana Guerrero
2024-02-11 14:45:04 +0000
a7d54cb5c3 Accepting request 1145174 from home:dgarcia:branches:devel:languages:python:Factory
Matej Cepl
2024-02-08 12:49:59 +0000
21e9e7f697 Accepting request 1136197 from devel:languages:python:Factory
Ana Guerrero
2024-01-08 22:43:42 +0000
380c1fa01b Accepting request 1134225 from home:dgarcia:branches:devel:languages:python:Factory
Matej Cepl
2024-01-02 13:44:05 +0000
c7d2aa9012 Accepting request 1134084 from devel:languages:python:Factory
Ana Guerrero
2023-12-20 20:00:08 +0000
ebe00d33da - Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is now useless.
Matej Cepl
2023-12-19 15:40:30 +0000
5fae7e4a44 Accepting request 1134054 from devel:languages:python:Factory
Matej Cepl
2023-12-19 15:24:17 +0000
727f4c9b01 Accepting request 1134053 from devel:languages:python:Factory
Matej Cepl
2023-12-19 15:22:13 +0000
cb3301d2cc - Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is now useless.
Matej Cepl
2023-12-18 16:25:35 +0000
a7b11641fe Accepting request 1133399 from home:dgarcia:branches:devel:languages:python:Factory
Daniel Garcia
2023-12-15 12:09:56 +0000
18a62cf507 Accepting request 1128112 from devel:languages:python:Factory
Ana Guerrero
2023-11-23 20:38:28 +0000
dbc72d69e1 Accepting request 1126597 from home:dgarcia:branches:devel:languages:python:Factory
Matej Cepl
2023-11-15 12:57:57 +0000
4b50a8332b Accepting request 1113067 from devel:languages:python:Factory
Ana Guerrero
2023-09-25 18:00:36 +0000
558337c773 characters without truncating the path (bsc#1214693, CVE-2023-41105).
Matej Cepl
2023-09-15 11:19:47 +0000
382f0f4b58 Accepting request 1109225 from devel:languages:python:Factory
Ana Guerrero
2023-09-08 19:15:18 +0000
55316ef9e1 - Update to 3.11.5 (bsc#1214692):
  - Security
    - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
  - Core and Builtins
    - gh-104432: Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a -fsanitize=alignment build on ARM macOS. Patch by Christopher Chavez.
    - gh-77377: Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process.
    - gh-106092: Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject.
    - gh-106719: No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types.
    - gh-106723: Propagate frozen_modules to multiprocessing spawned process interpreters.
    - gh-105979: Fix crash in _imp.get_frozen_object() due to improper exception handling.
    - gh-105840: Fix possible crashes when specializing function calls with too many __defaults__.
    - gh-105588: Fix an issue that could result in crashes when
Daniel Garcia
2023-09-06 07:58:19 +0000
ecfb0312cf Accepting request 1103332 from devel:languages:python:Factory
Dominique Leuenberger
2023-08-11 13:55:02 +0000
f665ac48fe Accepting request 1103305 from home:dirkmueller:Factory
Matej Cepl
2023-08-10 13:22:02 +0000
6abedd0987 Accepting request 1102676 from home:dirkmueller:Factory
Matej Cepl
2023-08-07 14:46:39 +0000
24fe7e4f9e Accepting request 1102237 from devel:languages:python:Factory
Dominique Leuenberger
2023-08-06 14:29:15 +0000
eb7790f0a7 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
Matej Cepl
2023-08-03 15:27:34 +0000
41e7e28995 - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it).
Matej Cepl
2023-08-03 14:58:20 +0000
b8797f4452 - Update to Python 3.11.4:
  - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2007-4559-filter-tarfile_extractall.patch
Matej Cepl
2023-06-28 19:51:47 +0000
5760576192 Accepting request 1095626 from devel:languages:python:Factory
Dominique Leuenberger
2023-06-28 19:33:11 +0000
7a2425c221 - Remove obsolete_python_versioned macro again. This mechanism has no business to be in Python 3.11, because we have abolished with it whole interpreter+setuptools+pip product. Python 3.11 should not be replaced by later versions anymore.
Matej Cepl
2023-06-26 13:04:00 +0000
c1b0d9c8f9 Accepting request 1092590 from devel:languages:python:Factory
Dominique Leuenberger
2023-06-12 13:36:40 +0000
d34496b956 Add missing Jira references to the changelog.
Matej Cepl
2023-06-05 12:53:40 +0000
d8e5832ad8 Accepting request 1084262 from devel:languages:python:Factory
Dominique Leuenberger
2023-06-03 22:12:15 +0000
39157872a5 - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix bsc#1203750 (CVE-2007-4559) and implementing "PEP 706 – Filter for tarfile.extractall".
Matej Cepl
2023-05-03 10:14:51 +0000
21d42b692c - Update to 3.11.3:
  - Security
    - gh-101727: Updated the OpenSSL version used in Windows and macOS binary release builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the OpenSSL 2023-02-07 security advisory.
    - gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.
  - Core and Builtins
    - gh-101975: Fixed stacktop value on tracing entries to avoid corruption on garbage collection.
    - gh-102701: Fix overflow when creating very large dict.
    - gh-102416: Do not memoize incorrectly automatically generated loop rules in the parser. Patch by Pablo Galindo.
    - gh-102356: Fix a bug that caused a crash when deallocating deeply nested filter objects. Patch by Marta Gómez Macías.
    - gh-102397: Fix segfault from race condition in signal handling during garbage collection. Patch by Kumar Aditya.
    - gh-102281: Fix potential nullptr dereference and use of uninitialized memory in fileutils. Patch by Max Bachmann.
    - gh-102126: Fix deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock. Patch by Kumar Aditya.
    - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal module. Patch by Max Bachmann.
    - gh-101967: Fix possible segfault in positional_only_passed_as_keyword function, when new list created.
    - gh-101765: Fix SystemError / segmentation fault in iter
Matej Cepl
2023-04-27 22:09:02 +0000