- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- Update bundled libexpat to 2.4.9
- Fixes a potential buffer overrun in msilib.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=106
- Update to 3.8.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
- Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
0xMNN00PP0L.
- Removed upstreamed patches:
- CVE-2021-28861-double-slash-path.patch
- Readjusted patches:
- bpo-31046_ensurepip_honours_prefix.patch
- sphinx-update-removed-function.patch
- (bsc#1196784, CVE-2022-25236) Add patch
support-expat-CVE-2022-25236-patched.patch to allow working
with different versions of libexpat.
OBS-URL: https://build.opensuse.org/request/show/1002501
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=26
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=104
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Add bpo34990-2038-problem-compileall.patch making compileall.py
compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
backport of fix to Python 3.8.
- Add conditional for requiring rpm-build-python, so we should be
compilable on SLE/Leap.
OBS-URL: https://build.opensuse.org/request/show/1000772
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=25
- Update to 3.8.13:
Core and Builtins
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user
dynamically loaded or statically linked libexpat in embedded
Python.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
potential REDoS by limiting ambiguity in consecutive
whitespace.
bpo-44849: Fix the os.set_inheritable() function on FreeBSD
14 for file descriptor opened with the O_PATH flag: ignore
the EBADF error on ioctl(), fallback on the fcntl()
implementation.
bpo-41028: Language and version switchers, previously
maintained in every cpython branches, are now handled by
docsbuild-script.
bpo-45195: Fix test_readline.test_nonascii(): sometimes, the
newline character is not written at the end, so don’t
expect it in the output.
bpo-44949: Fix auto history tests of test_readline:
sometimes, the newline character is not written at the end,
so don’t expect it in the output.
bpo-45405: Prevent internal configure error when running
configure with recent versions of clang.
- Remove upstreamed patches:
- support-expat-245.patch
OBS-URL: https://build.opensuse.org/request/show/965120
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=22
Core and Builtins
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user
dynamically loaded or statically linked libexpat in embedded
Python.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
potential REDoS by limiting ambiguity in consecutive
whitespace.
bpo-44849: Fix the os.set_inheritable() function on FreeBSD
14 for file descriptor opened with the O_PATH flag: ignore
the EBADF error on ioctl(), fallback on the fcntl()
implementation.
bpo-41028: Language and version switchers, previously
maintained in every cpython branches, are now handled by
docsbuild-script.
bpo-45195: Fix test_readline.test_nonascii(): sometimes, the
newline character is not written at the end, so don’t
expect it in the output.
bpo-44949: Fix auto history tests of test_readline:
sometimes, the newline character is not written at the end,
so don’t expect it in the output.
bpo-45405: Prevent internal configure error when running
configure with recent versions of clang.
- Remove upstreamed patches:
- support-expat-245.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=85
- Update to 3.8.12
* Complete list of changes is available at
https://docs.python.org/release/3.8.12/whatsnew/changelog.html
* Security
- bpo-42278: Replaced usage of tempfile.mktemp() with
TemporaryDirectory to avoid a potential race condition.
- bpo-44394: Update the vendored copy of libexpat to 2.4.1
(from 2.2.8) to get the fix for the CVE-2013-0340 “Billion
Laughs” vulnerability. This copy is most used on Windows and
macOS.
- bpo-43124: Made the internal putcmd function in smtplib
sanitize input for presence of \r and \n characters to avoid
(unlikely) command injection.
- bpo-36384: ipaddress module no longer accepts any leading
zeros in IPv4 address strings. Leading zeros are ambiguous
and interpreted as octal notation by some libraries. For
example the legacy function socket.inet_aton() treats leading
zeros as octal notation. glibc implementation of modern
inet_pton() does not accept any leading zeros. For a while
the ipaddress module used to accept ambiguous leading zeros.
- Refreshed patch:
* decimal-3.8.patch
OBS-URL: https://build.opensuse.org/request/show/915148
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=80
- Update to 3.8.11
* Security
- bpo-44022 (boo#1189241): mod:http.client now avoids
infinitely reading potential HTTP headers after a 100
Continue status response from the server.
- bpo-43882: The presence of newline or tab characters in parts
of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by
WHATWG urllib.parse() now removes ASCII newlines and tabs
from URLs, preventing such attacks.
- bpo-42800: Audit hooks are now fired for frame.f_code,
traceback.tb_frame, and generator code/frame attribute
access.
* Core and Builtins
- bpo-44070: No longer eagerly makes import filenames absolute,
except for extension modules, which was introduced in 3.8.10.
* Library
- bpo-44061: Fix regression in previous release when calling
pkgutil.iter_modules() with a list of pathlib.Path objects
OBS-URL: https://build.opensuse.org/request/show/911124
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=77
- Update to 3.8.10:
- Security
- bpo-43434: Creating a sqlite3.Connection object now also
produces a sqlite3.connect auditing event. Previously this
event was only produced by sqlite3.connect() calls. Patch
by Erlend E. Aasland.
- bpo-43472: Ensures interpreter-level audit hooks receive
the cpython.PyInterpreterState_New event when called
through the _xxsubinterpreters module.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS)
vulnerability in urllib.request.AbstractBasicAuthHandler.
The ReDoS-vulnerable regex has quadratic worst-case
complexity and it allows cause a denial of service when
identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the
HTTP server.
- Core and Builtins
- bpo-43105: Importlib now resolves relative paths when
creating module spec objects from file locations.
- bpo-42924: Fix bytearray repetition incorrectly copying
data from the start of the buffer, even if the data is
offset within the buffer (e.g. after reassigning a slice at
the start of the bytearray to a shorter byte string).
- Library
- bpo-43993: Update bundled pip to 21.1.1.
- bpo-43937: Fixed the turtle module working with non-default
root window.
- bpo-43930: Update bundled pip to 21.1 and setuptools to
56.0.0
- bpo-43920: OpenSSL 3.0.0: load_verify_locations() now
returns a consistent error message when cadata contains no
valid certificate.
- bpo-43607: urllib can now convert Windows paths with \\?\
prefixes into URL paths.
- bpo-43284: platform.win32_ver derives the windows version
from sys.getwindowsversion().platform_version which in turn
derives the version from kernel32.dll (which can be of
a different version than Windows itself). Therefore change
the platform.win32_ver to determine the version using the
platform module’s _syscmd_ver private function to return an
accurate version.
- bpo-42248: [Enum] ensure exceptions raised in _missing__
are released
- bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1
to suppress deprecation warnings. Python requires OpenSSL
1.1.1 APIs.
- bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants
(OpenSSL 3.0.0)
- bpo-43789: OpenSSL 3.0.0: Don’t call the password callback
function a second time when first call has signaled an
error condition.
- bpo-43788: The header files for ssl error codes are now
OpenSSL version-specific. Exceptions will now show correct
reason and library codes. The make_ssl_data.py script has
been rewritten to use OpenSSL’s text file with error codes.
- bpo-43655: tkinter dialog windows are now recognized as
dialogs by window managers on macOS and X Window.
- bpo-43534: turtle.textinput() and turtle.numinput() create
now a transient window working on behalf of the canvas
window.
- bpo-43522: Fix problem with hostname_checks_common_name.
OpenSSL does not copy hostflags from struct SSL_CTX to
struct SSL.
- bpo-42967: Allow bytes separator argument in
urllib.parse.parse_qs and urllib.parse.parse_qsl when
parsing str query strings. Previously, this raised
a TypeError.
- bpo-43176: Fixed processing of a dataclass that inherits
from a frozen dataclass with no fields. It is now correctly
detected as an error.
- bpo-34463: Fixed discrepancy between traceback and the
interpreter in formatting of SyntaxError with lineno not
set (traceback was changed to match interpreter).
- bpo-41735: Fix thread locks in zlib module may go wrong in
rare case. Patch by Ma Lin.
- bpo-26053: Fixed bug where the pdb interactive run command
echoed the args from the shell command line, even if those
have been overridden at the pdb prompt.
- bpo-36470: Fix dataclasses with InitVars and replace().
Patch by Claudiu Popa.
- bpo-28577: The hosts method on 32-bit prefix length
IPv4Networks and 128-bit prefix IPv6Networks now returns
a list containing the single Address instead of an empty
list.
- bpo-32745: Fix a regression in the handling of ctypes’
ctypes.c_wchar_p type: embedded null characters would cause
a ValueError to be raised. Patch by Zackery Spytz.
- Documentation
- bpo-43959: The documentation on the PyContextVar C-API was
clarified.
- bpo-43938: Update dataclasses documentation to express that
FrozenInstanceError is derived from AttributeError.
- bpo-43739: Fixing the example code in
Doc/extending/extending.rst to declare and initialize the
pmodule variable to be of the right type.
- Tests
- bpo-43842: Fix a race condition in the SMTP test of
test_logging. Don’t close a file descriptor (socket) from
a different thread while asyncore.loop() is polling the
file descriptor. Patch by Victor Stinner.
- bpo-43811: Tests multiple OpenSSL versions on GitHub
Actions. Use ccache to speed up testing.
- bpo-43791: OpenSSL 3.0.0: Disable testing of legacy
protocols TLS 1.0 and 1.1. Tests are failing with
TLSV1_ALERT_INTERNAL_ERROR.
- IDLE
- bpo-43655: IDLE dialog windows are now recognized as
dialogs by window managers on macOS and X Window.
- C API
- bpo-43962: _PyInterpreterState_IDIncref() now calls
_PyInterpreterState_IDInitref() and always increments
id_refcount. Previously, calling
_xxsubinterpreters.get_current() could create an
id_refcount inconsistency when
a _xxsubinterpreters.InterpreterID object was deallocated.
Patch by Victor Stinner.
- Reapplied patches:
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- F00102-lib64.patch
- SUSE-FEDORA-multilib.patch
- bpo-31046_ensurepip_honours_prefix.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- Make sure to close the import_failed.map file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block.
OBS-URL: https://build.opensuse.org/request/show/890780
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=13
