- Update to 3.8.16:
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server log.
This is done by changing the http.server
BaseHTTPRequestHandler .log_message method to replace control
characters with a \xHH hex escape before printing.
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a
name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- The deprecated mailcap module now refuses to inject
unsafe text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- Removed upstream patches:
- CVE-2022-37454-sha3-buffer-overflow.patch
- CVE-2022-45061-DoS-by-IDNA-decode.patch
OBS-URL: https://build.opensuse.org/request/show/1041645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=31
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server log.
This is done by changing the http.server
BaseHTTPRequestHandler .log_message method to replace control
characters with a \xHH hex escape before printing.
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a
name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- The deprecated mailcap module now refuses to inject
unsafe text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- Removed upstream patches:
- CVE-2022-37454-sha3-buffer-overflow.patch
- CVE-2022-45061-DoS-by-IDNA-decode.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=115
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- Update bundled libexpat to 2.4.9
- Fixes a potential buffer overrun in msilib.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=106
- Update to 3.8.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
- Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
0xMNN00PP0L.
- Removed upstreamed patches:
- CVE-2021-28861-double-slash-path.patch
- Readjusted patches:
- bpo-31046_ensurepip_honours_prefix.patch
- sphinx-update-removed-function.patch
- (bsc#1196784, CVE-2022-25236) Add patch
support-expat-CVE-2022-25236-patched.patch to allow working
with different versions of libexpat.
OBS-URL: https://build.opensuse.org/request/show/1002501
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=26
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=104
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Add bpo34990-2038-problem-compileall.patch making compileall.py
compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
backport of fix to Python 3.8.
- Add conditional for requiring rpm-build-python, so we should be
compilable on SLE/Leap.
OBS-URL: https://build.opensuse.org/request/show/1000772
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=25
- Update to 3.8.13:
Core and Builtins
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user
dynamically loaded or statically linked libexpat in embedded
Python.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
potential REDoS by limiting ambiguity in consecutive
whitespace.
bpo-44849: Fix the os.set_inheritable() function on FreeBSD
14 for file descriptor opened with the O_PATH flag: ignore
the EBADF error on ioctl(), fallback on the fcntl()
implementation.
bpo-41028: Language and version switchers, previously
maintained in every cpython branches, are now handled by
docsbuild-script.
bpo-45195: Fix test_readline.test_nonascii(): sometimes, the
newline character is not written at the end, so don’t
expect it in the output.
bpo-44949: Fix auto history tests of test_readline:
sometimes, the newline character is not written at the end,
so don’t expect it in the output.
bpo-45405: Prevent internal configure error when running
configure with recent versions of clang.
- Remove upstreamed patches:
- support-expat-245.patch
OBS-URL: https://build.opensuse.org/request/show/965120
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=22
Core and Builtins
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user
dynamically loaded or statically linked libexpat in embedded
Python.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
potential REDoS by limiting ambiguity in consecutive
whitespace.
bpo-44849: Fix the os.set_inheritable() function on FreeBSD
14 for file descriptor opened with the O_PATH flag: ignore
the EBADF error on ioctl(), fallback on the fcntl()
implementation.
bpo-41028: Language and version switchers, previously
maintained in every cpython branches, are now handled by
docsbuild-script.
bpo-45195: Fix test_readline.test_nonascii(): sometimes, the
newline character is not written at the end, so don’t
expect it in the output.
bpo-44949: Fix auto history tests of test_readline:
sometimes, the newline character is not written at the end,
so don’t expect it in the output.
bpo-45405: Prevent internal configure error when running
configure with recent versions of clang.
- Remove upstreamed patches:
- support-expat-245.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=85
- Update to 3.8.12
* Complete list of changes is available at
https://docs.python.org/release/3.8.12/whatsnew/changelog.html
* Security
- bpo-42278: Replaced usage of tempfile.mktemp() with
TemporaryDirectory to avoid a potential race condition.
- bpo-44394: Update the vendored copy of libexpat to 2.4.1
(from 2.2.8) to get the fix for the CVE-2013-0340 “Billion
Laughs” vulnerability. This copy is most used on Windows and
macOS.
- bpo-43124: Made the internal putcmd function in smtplib
sanitize input for presence of \r and \n characters to avoid
(unlikely) command injection.
- bpo-36384: ipaddress module no longer accepts any leading
zeros in IPv4 address strings. Leading zeros are ambiguous
and interpreted as octal notation by some libraries. For
example the legacy function socket.inet_aton() treats leading
zeros as octal notation. glibc implementation of modern
inet_pton() does not accept any leading zeros. For a while
the ipaddress module used to accept ambiguous leading zeros.
- Refreshed patch:
* decimal-3.8.patch
OBS-URL: https://build.opensuse.org/request/show/915148
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=80
