CVE-2023-27043-email-parsing-errors.patch, which rejects
malformed addresses in email.parseaddr() (gh#python/cpython!111116)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=33
- Update to 3.12.2:
- Security
- gh-113659: Skip .pth files with names starting with a dot or
hidden file attribute.
- Core and Builtins
- gh-114887: Changed socket type validation in
create_datagram_endpoint() to accept all non-stream sockets.
This fixes a regression in compatibility with raw sockets.
- gh-114388: Fix a RuntimeWarning emitted when assign an
integer-like value that is not an instance of int to an
attribute that corresponds to a C struct member of type T_UINT
and T_ULONG. Fix a double RuntimeWarning emitted when assign a
negative integer value to an attribute that corresponds to a C
struct member of type T_UINT.
- gh-113703: Fix a regression in the codeop module that was
causing it to incorrectly identify incomplete f-strings. Patch
by Pablo Galindo
- gh-89811: Check for a valid tp_version_tag before performing
bytecode specializations that rely on this value being usable.
- gh-113602: Fix an error that was causing the parser to try to
overwrite existing errors and crashing in the process. Patch by
Pablo Galindo
- gh-113297: Fix segfault in the compiler on with statement with
19 context managers.
- gh-106905: Use per AST-parser state rather than global state to
track recursion depth within the AST parser to prevent potential
race condition due to simultaneous parsing.
- The issue primarily showed up in 3.11 by multithreaded users of
ast.parse(). In 3.12 a change to when garbage collection can be
triggered prevented the race condition from occurring.
- gh-112943: Correctly compute end column offsets for multiline
tokens in the tokenize module. Patch by Pablo Galindo
- gh-112716: Fix SystemError in the import statement and in
__reduce__() methods of builtin types when __builtins__ is not a
dict.
- gh-94606: Fix UnicodeEncodeError when
email.message.get_payload() reads a message with a Unicode
surrogate character and the message content is not well-formed
for surrogateescape encoding. Patch by Sidney Markowitz.
- Library
- gh-114965: Update bundled pip to 24.0
- gh-114959: tarfile no longer ignores errors when trying to
extract a directory on top of a file.
- gh-109475: Fix support of explicit option value “–” in argparse
(e.g. --option=--).
- gh-110190: Fix ctypes structs with array on Windows ARM64
platform by setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by
Diego Russo
- gh-113280: Fix a leak of open socket in rare cases when error
occurred in ssl.SSLSocket creation.
- gh-77749: email.policy.EmailPolicy.fold() now always encodes
non-ASCII characters in headers if utf8 is false.
- gh-114492: Make the result of termios.tcgetattr() reproducible
on Alpine Linux. Previously it could leave a random garbage in
some fields.
- gh-113267: Revert changes in gh-106584 which made calls of
TestResult methods startTest() and stopTest() unbalanced.
- gh-75128: Ignore an OSError in
asyncio.BaseEventLoop.create_server() when IPv6 is available but
the interface cannot actually support it.
- gh-114257: Dismiss the FileNotFound error in
ctypes.util.find_library() and just return None on Linux.
- gh-114328: The tty.setcbreak() and new tty.cfmakecbreak() no
longer clears the terminal input ICRLF flag. This fixes a
regression introduced in 3.12 that no longer matched how OSes
define cbreak mode in their stty(1) manual pages.
- gh-101438: Avoid reference cycle in ElementTree.iterparse. The
iterator returned by ElementTree.iterparse may hold on to a file
descriptor. The reference cycle prevented prompt clean-up of the
file descriptor if the returned iterator was not exhausted.
- gh-104522: OSError raised when run a subprocess now only has
filename attribute set to cwd if the error was caused by a
failed attempt to change the current directory.
- gh-114149: Enum: correctly handle tuple subclasses in custom
__new__.
- gh-109534: Fix a reference leak in
asyncio.selector_events.BaseSelectorEventLoop when SSL
handshakes fail. Patch contributed by Jamie Phan.
- gh-114077: Fix possible OverflowError in
socket.socket.sendfile() when pass count larger than 2 GiB on
32-bit platform.
- gh-114014: Fixed a bug in fractions.Fraction where an invalid
string using d in the decimals part creates a different error
compared to other invalid letters/characters. Patch by Jeremiah
Gabriel Pascual.
- gh-113951: Fix the behavior of tag_unbind() methods of
tkinter.Text and tkinter.Canvas classes with three arguments.
Previously, widget.tag_unbind(tag, sequence, funcid) destroyed
the current binding for sequence, leaving sequence unbound, and
deleted the funcid command. Now it removes only funcid from the
binding for sequence, keeping other commands, and deletes the
funcid command. It leaves sequence unbound only if funcid was
the last bound command.
- gh-113877: Fix tkinter method winfo_pathname() on 64-bit
Windows.
- gh-113661: unittest runner: Don’t exit 5 if tests were skipped.
The intention of exiting 5 was to detect issues where the test
suite wasn’t discovered at all. If we skipped tests, it was
correctly discovered.
- gh-113781: Silence unraisable AttributeError when warnings are
emitted during Python finalization.
- gh-112932: Restore the ability for zipfile to extractall from
zip files with a “/” directory entry in them as is commonly
added to zips by some wiki or bug tracker data exporters.
- gh-113594: Fix UnicodeEncodeError in email when re-fold lines
that contain unknown-8bit encoded part followed by
non-unknown-8bit encoded part.
- gh-113538: In asyncio.StreamReaderProtocol.connection_made(),
there is callback that logs an error if the task wrapping the
“connected callback” fails. This callback would itself fail if
the task was cancelled. Prevent this by checking whether the
task was cancelled first. If so, close the transport but don’t
log an error.
- gh-85567: Fix resource warnings for unclosed files in pickle and
pickletools command line interfaces.
- gh-101225: Increase the backlog for
multiprocessing.connection.Listener objects created by
multiprocessing.manager and multiprocessing.resource_sharer to
significantly reduce the risk of getting a connection refused
error when creating a multiprocessing.connection.Connection to
them.
- gh-113543: Make sure that webbrowser.MacOSXOSAScript sends
webbrowser.open audit event.
- gh-113028: When a second reference to a string appears in the
input to pickle, and the Python implementation is in use, we are
guaranteed that a single copy gets pickled and a single object
is shared when reloaded. Previously, in protocol 0, when a
string contained certain characters (e.g. newline) it resulted
in duplicate objects.
- gh-113421: Fix multiprocessing logger for %(filename)s.
- gh-111784: Fix segfaults in the _elementtree module. Fix first
segfault during deallocation of _elementtree.XMLParser instances
by keeping strong reference to pyexpat module in module state
for capsule lifetime. Fix second segfault which happens in the
same deallocation process by keeping strong reference to
_elementtree module in XMLParser structure for _elementtree
module lifetime.
- gh-113407: Fix import of unittest.mock when CPython is built
without docstrings.
- gh-113320: Fix regression in Python 3.12 where Protocol classes
that were not marked as runtime-checkable would be unnecessarily
introspected, potentially causing exceptions to be raised if the
protocol had problematic members. Patch by Alex Waygood.
- gh-113358: Fix rendering tracebacks for exceptions with a broken
__getattr__.
- gh-113214: Fix an AttributeError during asyncio SSL protocol
aborts in SSL-over-SSL scenarios.
- gh-113246: Update bundled pip to 23.3.2.
- gh-113199: Make http.client.HTTPResponse.read1 and
http.client.HTTPResponse.readline close IO after reading all
data when content length is known. Patch by Illia Volochii.
- gh-113188: Fix shutil.copymode() and shutil.copystat() on
Windows. Previously they worked differenly if dst is a symbolic
link: they modified the permission bits of dst itself rather
than the file it points to if follow_symlinks is true or src is
not a symbolic link, and did not modify the permission bits if
follow_symlinks is false and src is a symbolic link.
- gh-61648: Detect line numbers of properties in doctests.
- gh-112559: signal.signal() and signal.getsignal() no longer call
repr on callable handlers. asyncio.run() and
asyncio.Runner.run() no longer call repr on the task results.
Patch by Yilei Yang.
- gh-110190: Fix ctypes structs with array on PPC64LE platform by
setting MAX_STRUCT_SIZE to 64 in stgdict. Patch by Diego Russo.
- gh-79429: Ignore FileNotFoundError when remove a temporary
directory in the multiprocessing finalizer.
- gh-81194: Fix a crash in socket.if_indextoname() with specific
value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-112343: Improve handling of pdb convenience variables to
avoid replacing string contents.
- gh-111615: Fix a regression caused by a fix to gh-93162 whereby
you couldn’t configure a QueueHandler without specifying
handlers.
- gh-111049: Fix crash during garbage collection of the io.BytesIO
buffer object.
- gh-110345: Show the Tcl/Tk patchlevel (rather than version) in
tkinter._test().
- gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now
raises BadZipFile when try to read an entry that overlaps with
other entry or central directory.
- gh-114440: On Windows, closing the connection writer when
cleaning up a broken multiprocessing.Queue queue is now done for
all queues, rather than only in concurrent.futures manager
thread. This can prevent a deadlock when a multiprocessing
worker process terminates without cleaning up. This completes
the backport of patches by Victor Stinner and Serhiy Storchaka.
- gh-38807: Fix race condition in trace. Instead of checking if a
directory exists and creating it, directly call os.makedirs()
with the kwarg exist_ok=True.
- gh-75705: Set unixfrom envelope in mailbox.mbox and
mailbox.MMDF.
- gh-106233: Fix stacklevel in InvalidTZPathWarning during
zoneinfo module import.
- gh-105102: Allow ctypes.Union to be nested in ctypes.Structure
when the system endianness is the opposite of the classes.
- gh-104282: Fix null pointer dereference in
lzma._decode_filter_properties() due to improper handling of BCJ
filters with properties of zero length. Patch by Radislav
Chugunov.
- gh-102512: When os.fork() is called from a foreign thread (aka
_DummyThread), the type of the thread in a child process is
changed to _MainThread. Also changed its name and daemonic
status, it can be now joined.
- bpo-35928: io.TextIOWrapper now correctly handles the decoding
buffer after read() and write().
- bpo-26791: shutil.move() now moves a symlink into a directory
when that directory is the target of the symlink. This provides
the same behavior as the mv shell command. The previous behavior
raised an exception. Patch by Jeffrey Kintscher.
- bpo-36959: Fix some error messages for invalid ISO format string
combinations in strptime() that referred to directives not
contained in the format string. Patch by Gordon P. Hemsley.
- bpo-18060: Fixed a class inheritance issue that can cause
segfaults when deriving two or more levels of subclasses from a
base class of Structure or Union.
- Documentation
- gh-110746: Improved markup for valid options/values for methods
ttk.treeview.column and ttk.treeview.heading, and for Layouts.
- gh-95649: Document that the asyncio module contains code taken
from v0.16.0 of the uvloop project, as well as the required MIT
licensing information.
- Tests
- gh-109980: Fix test_tarfile_vs_tar in test_shutil for macOS,
where system tar can include more information in the archive
than shutil.make_archive.
- gh-105089: Fix
test.test_zipfile.test_core.TestWithDirectory.test_create_directory_with_write
test in AIX by doing a bitwise AND of 0xFFFF on mode , so that
it will be in sync with zinfo.external_attr
- bpo-40648: Test modes that file can get with chmod() on Windows.
- Build
- gh-112305: Fixed the check-clean-src step performed on out of
tree builds to detect errant $(srcdir)/Python/frozen_modules/*.h
files and recommend appropriate source tree cleanup steps to get
a working build again.
- gh-112867: Fix the build for the case that
WITH_PYMALLOC_RADIX_TREE=0 set.
- bpo-11102: The os.major(), os.makedev(), and os.minor()
functions are now available on HP-UX v3.
- bpo-36351: Do not set ipv6type when cross-compiling.
- IDLE
- gh-96905: In idlelib code, stop redefining built-ins ‘dict’ and
‘object’.
- gh-72284: Improve the lists of features, editor key bindings,
and shell key bingings in the IDLE doc.
- gh-113903: Fix rare failure of test.test_idle, in
test_configdialog.
- gh-113729: Fix the “Help -> IDLE Doc” menu bug in 3.11.7 and
3.12.1.
- gh-113269: Fix test_editor hang on macOS Catalina.
- gh-112898: Fix processing unsaved files when quitting IDLE on
macOS.
- gh-103820: Revise IDLE bindings so that events from mouse button
4/5 on non-X11 windowing systems (i.e. Win32 and Aqua) are not
mistaken for scrolling.
- bpo-13586: Enter the selected text when opening the “Replace”
dialog.
- Tools/Demos
- gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.13 and
multissltests to use 1.1.1w, 3.0.13, 3.1.5, and 3.2.1.
- gh-115015: Fix a bug in Argument Clinic that generated incorrect
code for methods with no parameters that use the METH_METHOD |
METH_FASTCALL | METH_KEYWORDS calling convention. Only the
positional parameter count was checked; any keyword argument
passed would be silently accepted.
- Refresh patches:
- bpo-31046_ensurepip_honours_prefix.patch
- fix_configure_rst.patch
- no-skipif-doctests.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- python-3.3.0b1-localpath.patch
- python-3.3.0b1-test-posix_fadvise.patch
- skip-test_pyobject_freed_is_freed.patch
- subprocess-raise-timeout.patch
OBS-URL: https://build.opensuse.org/request/show/1145175
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=31
- Update to 3.12.1 (CVE-2023-6507, bsc#1217939):
- Core and Builtins
- gh-112125: Fix None.__ne__(None) returning NotImplemented
instead of False
- gh-112625: Fixes a bug where a bytearray object could be
cleared while iterating over an argument in the
bytearray.join() method that could result in reading memory
after it was freed.
- gh-105967: Workaround a bug in Apple’s macOS platform zlib
library where zlib.crc32() and binascii.crc32() could produce
incorrect results on multi-gigabyte inputs. Including when
using zipfile on zips containing large data.
- gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode
instruction when optimized twice.
- gh-111058: Change coro.cr_frame/gen.gi_frame to return None
after the coroutine/generator has been closed. This fixes a bug
where getcoroutinestate() and getgeneratorstate() return the
wrong state for a closed coroutine/generator.
- gh-112388: Fix an error that was causing the parser to try to
overwrite tokenizer errors. Patch by pablo Galindo
- gh-112387: Fix error positions for decoded strings with
backwards tokenize errors. Patch by Pablo Galindo
- gh-112367: Avoid undefined behaviour when using the perf
trampolines by not freeing the code arenas until shutdown.
Patch by Pablo Galindo
- gh-112243: Don’t include comments in f-string debug
expressions. Patch by Pablo Galindo
- gh-112266: Change docstrings of __dict__ and __weakref__.
- gh-111654: Fix runtime crash when some error happens in opcode
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=29
Python 3.12 is the latest stable release of the Python
programming language, with a mix of changes to the language and
the standard library. The library changes focus on cleaning up
deprecated APIs, usability, and correctness. Of note, the
distutils package has been removed from the standard library.
Filesystem support in os and pathlib has seen a number of
improvements, and several modules have better performance.
The language changes focus on usability, as f-strings have had
many limitations removed and ‘Did you mean …’ suggestions
continue to improve. The new type parameter syntax and type
statement improve ergonomics for using generic types and type
aliases with static type checkers.
This article doesn’t attempt to provide a complete
specification of all new features, but instead gives
a convenient overview. For full details, you should refer to
the documentation, such as the Library Reference and Language
Reference. If you want to understand the complete
implementation and design rationale for a change, refer to the
PEP for a particular new feature; but note that PEPs usually
are not kept up-to-date once a feature has been fully
implemented.
- New syntax features:
- PEP 695, type parameter syntax and the type statement
- New grammar features:
- PEP 701, f-strings in the grammar
- Interpreter improvements:
- PEP 684, a unique per-interpreter GIL
- PEP 669, low impact monitoring
- Improved ‘Did you mean …’ suggestions for NameError,
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=25
- Core and Builtins
- gh-109496: On a Python built in debug mode, Py_DECREF() now
calls _Py_NegativeRefcount() if the object is a dangling pointer
to deallocated memory: memory filled with 0xDD “dead byte” by
the debug hook on memory allocators. The fix is to check the
reference count before checking for _Py_IsImmortal(). Patch by
Victor Stinner.
- gh-109371: Deopted instructions correctly for tool
initialization and modified the incorrect assertion in
instrumentation, when a previous tool already sets INSTRUCTION
events
- gh-105658: Fix bug where the line trace of an except block
ending with a conditional includes an excess event with the line
of the conditional expression.
- gh-109219: Fix compiling type param scopes that use a name which
is also free in an inner scope.
- gh-109341: Fix crash when compiling an invalid AST involving a
ast.TypeAlias.
- gh-109195: Fix source location for the LOAD_* instruction
preceding a LOAD_SUPER_ATTR to load the super global (or
shadowing variable) so that it encompasses only the name super
and not the following parentheses.
- gh-109118: Disallow nested scopes (lambdas, generator
expressions, and comprehensions) within PEP 695 annotation
scopes that are nested within classes.
- gh-109114: Relax the detection of the error message for invalid
lambdas inside f-strings to not search for arbitrary replacement
fields to avoid false positives. Patch by Pablo Galindo
- gh-109118: Fix interpreter crash when a NameError is raised
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=23
- Refresh all patches
- Drop Revert-gh105127-left-tests.patch, in upstream now
- Update to 3.12.0rc1:
- Reverted the :mod:`email.utils` security improvement change
released in 3.12beta4 that unintentionally caused
:mod:`email.utils.getaddresses` to fail to parse email addresses
with a comma in the quoted name field. See :gh:`106669`.
- Start initializing ob_digit during creation of
:c:type:`PyLongObject` objects. Patch by Illia Volochii.
- Increase C recursion limit for functions other than the main
interpreter from 800 to 1500. This should allow functions like
list.__repr__ and json.dumps to handle all the inputs that they
could prior to 3.12
- Fix potential unaligned memory access on C APIs involving returned
sequences of char * pointers within the :mod:`grp` and
:mod:`socket` modules. These were revealed using a
-fsaniziter=alignment build on ARM macOS. Patch by Christopher
Chavez.
- Add the exception as the third argument to PY_UNIND callbacks in
sys.monitoring. This makes the PY_UNWIND callback consistent with
the other exception hanlding callbacks.
- Raise a ValueError when a monitoring callback funtion returns
DISABLE for events that cannot be disabled locally.
- Add a RERAISE event to sys.monitoring, which occurs when an
exception is reraised, either explicitly by a plain raise
statement, or implicitly in an except or finally block.
- Unsupported modules now always fail to be imported.
- Fix classmethod-style :func:`super` method calls (i.e., where the
second argument to :func:`super`, or the implied second argument
drawn from self/cls in the case of zero-arg super, is a type) when
the target of the call is not a classmethod.
- Python no longer crashes due an infrequent race when initialzing
per-interpreter interned strings. The crash would manifest when
the interpreter was finalized.
- Python no longer crashes due to an infrequent race in setting
Py_FileSystemDefaultEncoding and Py_FileSystemDefaultEncodeErrors
(both deprecated), when simultaneously initializing two isolated
subinterpreters. Now they are only set during runtime
initialization.
- Fix a segmentation fault caused by a use-after-free bug in
frame_dealloc when the trashcan delays the deallocation of a
PyFrameObject.
- No longer suppress arbitrary errors in the __annotations__ getter
and setter in the type and module types.
- Propagate frozen_modules to multiprocessing spawned process
interpreters.
- Prevent out-of-bounds memory access during mmap.find() calls.
- Seems that in some conditions, OpenSSL will return
SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification
verification has failed, but the error parameters will still
contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are
now detecting this situation and raising the appropiate
ssl.SSLCertVerificationError. Patch by Pablo Galindo
- Fix :func:`types.get_original_bases` to only return
:attr:`!__orig_bases__` if it is present on cls directly. Patch by
James Hilton-Balfe.
- Prevent memory leak and use-after-free when using pointers to
pointers with ctypes
- Make :func:`gettext.pgettext` search plural definitions when
translation is not found.
- Document behavior of :func:`shutil.disk_usage` for non-mounted
filesystems on Unix.
- Do not report MultipartInvariantViolationDefect defect when the
:class:`email.parser.Parser` class is used to parse emails with
headersonly=True.
- Fix invalid result from :meth:`PurePath.relative_to` method when
attempting to walk a ".." segment in other with walk_up enabled. A
:exc:`ValueError` exception is now raised in this case.
- Fix potential missing NULL check of d2i_SSL_SESSION result in
_ssl.c.
- Update the bundled copy of pip to version 23.2.1.
- Fixed several bugs in zipfile.Path, including: in Path.match`,
Windows separators are no longer honored (and never were meant to
be); Fixed ``name/suffix/suffixes/stem operations when no filename
is present and the Path is not at the root of the zipfile;
Reworked glob for performance and more correct matching behavior.
- Add __copy__ and __deepcopy__ in :mod:`enum`
- Revert a change to :func:`colorsys.rgb_to_hls` that caused
division by zero for certain almost-white inputs. Patch by Terry
Jan Reedy.
- Instances of :class:`typing.TypeVar`, :class:`typing.ParamSpec`,
:class:`typing.ParamSpecArgs`, :class:`typing.ParamSpecKwargs`,
and :class:`typing.TypeVarTuple` once again support weak
references, fixing a regression introduced in Python 3.12.0 beta
1. Patch by Jelle Zijlstra.
- Detect possible memory allocation failure in the libtommath
function :c:func:`mp_init` used by the _tkinter module.
- Fix crash when calling repr with a manually constructed SignalDict
object. Patch by Charlie Zhao.
- Change the default return value of
:meth:`http.client.HTTPConnection.get_proxy_response_headers` to
be None and not {}.
- Ensure gettext(msg) retrieve translations even if a plural form
exists. In other words: gettext(msg) == ngettext(msg, '', 1).
- Add documentation for :c:type:`PyInterpreterConfig` and
:c:func:`Py_NewInterpreterFromConfig`. Also clarify some of the
nearby docs relative to per-interpreter GIL.
- Document the :mod:`curses` module variables :const:`~curses.LINES`
and :const:`~curses.COLS`.
- Add a number of standard external names to nitpick_ignore.
- Add documentation on how to localize the :mod:`argparse` module.
- test_logging: Fix test_udp_reconnection() by increasing the
timeout from 100 ms to 5 minutes (LONG_TIMEOUT). Patch by Victor
Stinner.
- test_capi: Fix test_no_FatalError_infinite_loop() to no longer
write a coredump, by using test.support.SuppressCrashReport. Patch
by Victor Stinner.
- Avoid creating a reference to the test object in
:meth:`~unittest.TestResult.collectedDurations`.
- Moved tests for zipfile.Path into Lib/test/test_zipfile/_path.
Made zipfile._path a package.
- Check for linux/limits.h before including it in
Modules/posixmodule.c.
- Detect MPI compilers in :file:`configure`.
- Add experimental wasi-threads support. Patch by Takashi Yamamoto.
- Update Windows build to use OpenSSL 3.0.9
- Update macOS installer to use OpenSSL 3.0.9.
- Fix bugs in the Argument Clinic destination <name> clear command;
the destination buffers would never be cleared, and the
destination directive parser would simply continue to the fault
handler after processing the command. Patch by Erlend E. Aasland.
- freeze now fetches CONFIG_ARGS from the original CPython instance
the Makefile uses to call utility scripts. Patch by Ijtaba
Hussain.
- :c:func:`PyModule_AddObjectRef` is now only available in the
limited API version 3.10 or later.
OBS-URL: https://build.opensuse.org/request/show/1102652
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=19
- gh-issue-102988: CVE-2023-27043: Prevent
:func:`email.utils.parseaddr` and
:func:`email.utils.getaddresses` from returning the realname
portion of an invalid RFC2822 email header in the email
address portion of the 2-tuple returned after being parsed by
:class:`email._parseaddr.AddressList`.
- gh-issue-106396: When the format specification of an
f-string expression is empty, the parser now generates an
empty :class:`ast.JoinedStr` node for it instead of an
one-element :class:`ast.JoinedStr` with an empty string
:class:`ast.Constant`.
- gh-issue-106145: Make ``end_lineno`` and ``end_col_offset``
required on ``type_param`` ast nodes.
- gh-issue-105979: Fix crash in :func:`!_imp.get_frozen_object`
due to improper exception handling.
- gh-issue-98931: Ensure custom :exc:`SyntaxError` error
messages are raised for invalid imports with multiple
targets. Patch by Pablo Galindo
- gh-issue-105908: Fixed bug where :gh:`99111` breaks future
import ``barry_as_FLUFL`` in the Python REPL.
- gh-issue-105340: Include the comprehension iteration
variable in ``locals()`` inside a module- or class-scope
comprehension.
- gh-issue-105486: Change the repr of ``ParamSpec`` list of
args in ``types.GenericAlias``.
- gh-issue-101006: Improve error handling when read
:mod:`marshal` data.
- gh-issue-106524: Fix crash in :func:`!_sre.template` with
templates containing invalid group indices.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=12
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329.
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details.
- Remove upstreamed patches:
- 00398-fix-stack-overwrite-on-32-bit-in-perf-map-test-harness-gh-104811-104823.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=9
