- Update to 3.8.9:
- bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
feature of the pydoc module which could be abused to read
arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
- bpo-43285: ftplib no longer trusts the IP address value
returned from the server in response to the PASV command by
default. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the
client network.
- Code that requires the former vulnerable behavior may set
a trust_server_pasv_ipv4_address attribute on their
ftplib.FTP instances to True to re-enable it.
- bpo-43439: Add audit hooks for gc.get_objects(),
gc.get_referrers() and gc.get_referents(). Patch by Pablo
Galindo.
- bpo-43660: Fix crash that happens when replacing sys.stderr
with a callable that can remove the object while an exception
is being printed. Patch by Pablo Galindo.
- bpo-35883: Python no longer fails at startup with a fatal
error if a command line argument contains an invalid Unicode
character. The Py_DecodeLocale() function now escapes byte
sequences which would be decoded as Unicode characters
outside the [U+0000; U+10ffff] range.
- bpo-43406: Fix a possible race condition where
PyErr_CheckSignals tries to execute a non-Python signal
handler.
- bpo-35930: Raising an exception raised in a “future” instance
will create reference cycles.
- bpo-43577: Fix deadlock when using ssl.SSLContext debug
callback with ssl.SSLContext.sni_callback().
- bpo-43423: subprocess.communicate() no longer raises an
IndexError when there is an empty stdout or stderr IO buffer
during a timeout on Windows.
- bpo-27820: Fixed long-standing bug of smtplib.SMTP where
doing AUTH LOGIN with initial_response_ok=False will fail.
The cause is that SMTP.auth_login _always_ returns a password
if provided with a challenge string, thus non-compliant with
the standard for AUTH LOGIN. Also fixes bug with the test for
smtpd.
- bpo-43399: Fix ElementTree.extend not working on iterators
when using the Python implementation
- bpo-43316: The python -m gzip command line application now
properly fails when detecting an unsupported extension. It
exits with a non-zero exit code and prints an error message
to stderr.
- bpo-43260: Fix TextIOWrapper can not flush internal buffer
forever after very large text is written.
- bpo-42782: Fail fast in shutil.move() to avoid creating
destination directories on failure.
- bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn
introduced in Python 3.7.
- bpo-43199: Answer “Why is there no goto?” in the Design and
History FAQ.
- bpo-43407: Clarified that a result from time.monotonic(),
time.perf_counter(), time.process_time(), or
time.thread_time() can be compared with the result from any
following call to the same function - not just the next
immediate call.
- bpo-27646: Clarify that ‘yield from <expr>’ works with any
iterable, not just iterators.
- bpo-36346: Update some deprecated unicode APIs which are
documented as “will be removed in 4.0” to “3.12”. See PEP 623
for detail.
- bpo-37945: Fix test_getsetlocale_issue1813() of test_locale:
skip the test if setlocale() fails. Patch by Victor Stinner.
- bpo-41561: Add workaround for Ubuntu’s custom OpenSSL
security level policy.
- bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.
- bpo-43617: Improve configure.ac: Check for presence of
autoconf-archive package and remove our copies of M4 macros.
- bpo-41837: Update macOS installer build to use OpenSSL
1.1.1j.
- bpo-42225: Document that IDLE can fail on Unix either from
misconfigured IP masquerage rules or failure displaying
complex colored (non-ascii) characters.
- bpo-43283: Document why printing to IDLE’s Shell is often
slower than printing to a system terminal and that it can be
made faster by pre-formatting a single string before
printing.
OBS-URL: https://build.opensuse.org/request/show/889131
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=12
- bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
feature of the pydoc module which could be abused to read
arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
- bpo-43285: ftplib no longer trusts the IP address value
returned from the server in response to the PASV command by
default. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the
client network.
- Code that requires the former vulnerable behavior may set
a trust_server_pasv_ipv4_address attribute on their
ftplib.FTP instances to True to re-enable it.
- bpo-43439: Add audit hooks for gc.get_objects(),
gc.get_referrers() and gc.get_referents(). Patch by Pablo
Galindo.
- bpo-43660: Fix crash that happens when replacing sys.stderr
with a callable that can remove the object while an exception
is being printed. Patch by Pablo Galindo.
- bpo-35883: Python no longer fails at startup with a fatal
error if a command line argument contains an invalid Unicode
character. The Py_DecodeLocale() function now escapes byte
sequences which would be decoded as Unicode characters
outside the [U+0000; U+10ffff] range.
- bpo-43406: Fix a possible race condition where
PyErr_CheckSignals tries to execute a non-Python signal
handler.
- bpo-35930: Raising an exception raised in a “future” instance
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=62
- Update to 3.8.8:
- bpo#42938 (bsc#1181126): Avoid static buffers when computing
the repr of ctypes.c_double and ctypes.c_longdouble
values. This issue was assigned CVE-2021-3177.
- bpo#42967 (bso#1182379): Fix web cache poisoning
vulnerability by defaulting the query args separator to &,
and allowing the user to choose a custom separator. This
issue was assigned CVE-2021-23336.
- Remove bsc1167501-invalid-alignment.patch and
CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch, which were included
into the upstream tarball.
OBS-URL: https://build.opensuse.org/request/show/874121
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=10
- bpo#42938 (bsc#1181126): Avoid static buffers when computing
the repr of ctypes.c_double and ctypes.c_longdouble
values. This issue was assigned CVE-2021-3177.
- bpo#42967 (bso#1182379): Fix web cache poisoning
vulnerability by defaulting the query args separator to &,
and allowing the user to choose a custom separator. This
issue was assigned CVE-2021-23336.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=53
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- (bsc#1180125) We really don't Require python-rpm-macros package.
Unnecessary dependency.
- Update to 3.8.7:
- bugfix release
- multiple patches realigned:
- F00102-lib64.patch
- SUSE-FEDORA-multilib.patch
- bpo-31046_ensurepip_honours_prefix.patch
- skip_random_failing_tests.patch
- Last try before this results in an editwar:
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
* The backport packages from PyPI needed for older flavors are
specified as such for setuptools or in pyproject.toml. If a
package requires them they typically add them with a python
version qualifier and the packages have their own version
numbers.
- Add patch sphinx-update-removed-function.patch to no longer call
a now removed function and to make documentation build independent of
the Sphinx version (bsc#1179630, gh#python/cpython#13236).
- Add importlib_resources provide/obsolete as it is integral
part of the lang since 3.7 release
OBS-URL: https://build.opensuse.org/request/show/868033
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=8
- Last try before this results in an editwar:
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
* The backport packages from PyPI needed for older flavors are
specified as such for setuptools or in pyproject.toml. If a
package requires them they typically add them with a python
version qualifier and the packages have their own version
numbers.
OBS-URL: https://build.opensuse.org/request/show/854402
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=43
- Update to version 3.8.5:
- bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).
- bpo-41295: a regression in CPython 3.8.4 where defining “__setattr__” in a multi-inheritance setup and calling up the hierarchy chain could fail if builtins/extension types were involved in the base types.
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.
- bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
- bpo-37703: Updated Documentation to comprehensively elaborate on the behaviour of gather.cancel()
- bpo-41302: Enable building Python 3.8 with libmpdec-2.5.0 to ease maintenance for Linux distributions. Patch by Felix Yan.
- bpo-41300: Save files with non-ascii chars. Fix regression released in 3.9.0b4 and 3.8.4.
OBS-URL: https://build.opensuse.org/request/show/821971
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=21
- Assignment expressions (PEP-572)
- Positional-only parameters (PEP-570)
- Parallel filesystem cache for compiled bytecode files
(PYTHONPYCACHEPREFIX variable)
- Debug build uses the same ABI as release build
- f-strings support = for self-documenting expressions
and debugging
- Python Runtime Audit Hooks (PEP-578)
- Python Initialization Configuration (PEP-587)
- Vectorcall: a fast calling protocol for CPython (PEP-590)
- Pickle protocol 5 with out-of-band data buffers (PEP-574)
- Many other smaller bug fixes
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=16
