rpm/python39
SHA256
1
0
Fork 0
forked from pool/python39
Code Pull Requests Activity

Compare commits

base: rpm:factory
Branches Tags
rpm:devel rpm:factory pool:factory
..
compare: pool:factory
Branches Tags
pool:factory rpm:devel rpm:factory

51 Commits
factory ... factory

Author SHA256 Message Date
Matěj Cepl
e900ddc04a fix: add missing %patch commands 2025-12-23 23:50:54 +01:00
Matěj Cepl
380660d7b6 Fix CVE-2025-13836, CVE-2025-12084, and CVE-2025-13837 
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).
 2025-12-19 23:52:27 +01:00
Matěj Cepl
793408c576 fix: complete unfinished elimination of the patch 53 2025-12-12 12:06:00 +01:00
Matěj Cepl
a7506e8af6 Update to 3.9.25 
Security
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - gh-136065: Fix quadratic complexity in
      os.path.expandvars() (CVE-2025-6075, bsc#1252974).
Library
    - gh-98793: Fix argument typechecks in
      _overlapped.WSAConnect() and
      _overlapped.Overlapped.WSASendTo() functions. bpo-44817:
      Ignore WinError 53 (ERROR_BAD_NETPATH), 65
      (ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME)
      when using ntpath.realpath().
Core and Builtins
    - gh-120384: Fix an array out of bounds crash in
      list_ass_subscript, which could be invoked via some
      specificly tailored input: including concurrent
      modification of a list object, where one thread assigns
      a slice and another clears it.
    - gh-120298: Fix use-after free in list_richcompare_impl
      which can be invoked via some specificly tailored evil
      input.
 2025-12-11 22:48:48 +01:00
Matěj Cepl
9cf0841df6 Add missing %patch call. 2025-11-21 12:53:07 +01:00
Matěj Cepl
6d41ecb4ad Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple 
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
 2025-11-15 19:27:49 +01:00
Matěj Cepl
69e885b9cf Mark the upgrade to 3.9.24 as fixing CVE-2025-8291, bsc#1251305. 2025-11-15 12:22:45 +01:00
Ana Guerrero
9eec107af7 Accepting request 1311760 from devel:languages:python:Factory 
OBS-URL: https://build.opensuse.org/request/show/1311760
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=81
 2025-10-17 15:25:43 +00:00
Matej Cepl
379872e378 - Update to 3.9.24: 
- Security
    - gh-139700: Check consistency of the zip64 end of central
      directory record. Support records with “zip64 extensible data”
      if there are no bytes prepended to the ZIP file.
    - gh-139400: xml.parsers.expat: Make sure that parent Expat
      parsers are only garbage-collected once they are no longer
      referenced by subparsers created by
      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-121227: Raise an SSL.SSLError if an empty protocols argument
      is passed to ssl.SSLContext.set_npn_protocols() to fix
      CVE-2024-5642.
    - gh-135661: Fix parsing start and end tags in
      html.parser.HTMLParser according to the HTML5 standard.
      * Whitespaces no longer accepted between </ and the tag name.
        E.g. </ script> does not end the script section.
      * Vertical tabulation (\v) and non-ASCII whitespaces no longer
        recognized as whitespaces. The only whitespaces are \t\n\r\f
        and space.
      * Null character (U+0000) no longer ends the tag name.
      * Attributes and slashes after the tag name in end tags are now
        ignored, instead of terminating after the first > in quoted
        attribute value. E.g. </script/foo=">"/>.
      * Multiple slashes and whitespaces between the last attribute
        and closing > are now ignored in both start and end tags. E.g.
        <a foo=bar/ //>.
      * Multiple = between attribute name and value are no longer
        collapsed. E.g. <a foo==bar> produces attribute “foo” with
        value “=bar”.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=245
 2025-10-16 16:28:18 +00:00
Ana Guerrero
c830e00341 Accepting request 1308251 from devel:languages:python:Factory 
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
  docutils (>=0.22) gh#python/cpython#139257

OBS-URL: https://build.opensuse.org/request/show/1308251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=80
 2025-10-01 16:56:18 +00:00
Matej Cepl
09f9ecd767 - Add gh139257-Support-docutils-0.22.patch to fix build with latest 
docutils (>=0.22) gh#python/cpython#139257

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=243
 2025-09-30 16:26:50 +00:00
Dominique Leuenberger
c7dccba328 Accepting request 1297167 from devel:languages:python:Factory 
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
  validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

OBS-URL: https://build.opensuse.org/request/show/1297167
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=79
 2025-08-03 11:37:50 +00:00
Matej Cepl
493db1096a Upstream patch depended unnecessarily on archiver_tests module, which is only in 3.11+ branches. 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=241
 2025-08-02 15:57:55 +00:00
Matej Cepl
a74f2b808f - Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now 
validates archives to ensure member offsets are non-negative
  (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=240
 2025-08-01 20:25:20 +00:00
Ana Guerrero
1309e04380 Accepting request 1290034 from devel:languages:python:Factory 
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
  case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

OBS-URL: https://build.opensuse.org/request/show/1290034
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=78
 2025-07-03 10:10:51 +00:00
Matej Cepl
9f343d4b19 - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst 
case quadratic complexity when processing certain crafted
  malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=238
 2025-07-02 16:10:52 +00:00
Ana Guerrero
fb0f2c0f89 Accepting request 1288602 from devel:languages:python:Factory 
Also addresses CVE-2025-4435 (gh#135034, bsc#1244061).

OBS-URL: https://build.opensuse.org/request/show/1288602
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=77
 2025-06-26 09:38:14 +00:00
Matej Cepl
fe8dd13261 Also addresses CVE-2025-4435 (gh#135034, bsc#1244061). 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=236
 2025-06-25 20:05:19 +00:00
Ana Guerrero
c2915d540e Accepting request 1284262 from devel:languages:python:Factory 
- Update to 3.9.23:
  - Security
    - gh-135034: Fixes multiple issues that allowed tarfile
      extraction filters (filter="data" and filter="tar") to be
      bypassed using crafted symlinks and hard links.
      Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
      CVE-2025-4517 (bsc#1244032).
    - gh-133767: Fix use-after-free in the “unicode-escape”
      decoder with a non-“strict” error handler (CVE-2025-4516,
      bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6
      addresses early in ipaddress to prevent excessive memory
      consumption and a minor denial-of-service.
    - gh-80222: Fix bug in the folding of quoted strings
      when flattening an email message using a modern email
      policy. Previously when a quoted string was folded so
      that it spanned more than one line, the surrounding
      quotes and internal escapes would be omitted. This could
      theoretically be used to spoof header lines using a
      carefully constructed quoted string if the resulting
      rendered email was transmitted or re-parsed.
  - Library
    - gh-128840: Fix parsing long IPv6 addresses with embedded
      IPv4 address.
    - gh-134062: ipaddress: fix collisions in __hash__() for
      IPv4Network and IPv6Network objects.
    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
    - bpo-43633: Improve the textual representation of

OBS-URL: https://build.opensuse.org/request/show/1284262
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=76
 2025-06-10 10:24:42 +00:00
Matej Cepl
db68008d03 Fix sphinx patch 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=234
 2025-06-09 17:32:07 +00:00
Matej Cepl
64818e1d6b - Update to 3.9.23: 
- Security
    - gh-135034: Fixes multiple issues that allowed tarfile
      extraction filters (filter="data" and filter="tar") to be
      bypassed using crafted symlinks and hard links.
    - Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
      (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
      CVE-2025-4517 (bsc#1244032).
    - gh-133767: Fix use-after-free in the “unicode-escape”
      decoder with a non-“strict” error handler (CVE-2025-4516,
      bsc#1243273).
    - gh-128840: Short-circuit the processing of long IPv6
      addresses early in ipaddress to prevent excessive memory
      consumption and a minor denial-of-service.
    - gh-80222: Fix bug in the folding of quoted strings
      when flattening an email message using a modern email
      policy. Previously when a quoted string was folded so
      that it spanned more than one line, the surrounding
      quotes and internal escapes would be omitted. This could
      theoretically be used to spoof header lines using a
      carefully constructed quoted string if the resulting
      rendered email was transmitted or re-parsed.
  - Library
    - gh-128840: Fix parsing long IPv6 addresses with embedded
      IPv4 address.
    - gh-134062: ipaddress: fix collisions in __hash__() for
      IPv4Network and IPv6Network objects.
    - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
      according to RFC 3596, §2.5. Patch by Bénédikt Tran.
    - bpo-43633: Improve the textual representation of

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=233
 2025-06-09 16:29:52 +00:00
Ana Guerrero
df6df60726 Accepting request 1281888 from devel:languages:python:Factory 
- Add CVE-2025-4516-DecodeError-handler.patch fixing
  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.

  %%files.
- Use python3 modules to build the documentation.
  * Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
  * remove importlib_resources and importlib-metadata
  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
  - bpo-29778: Ensure python3.dll is loaded from correct locations
  - bpo-39603: Prevent http header injection by rejecting control
    “__setattr__” in a multi-inheritance setup and
  - bpo-41247: Always cache the running loop holder when running
  - bpo-41252: Fix incorrect refcounting in
  - bpo-41215: Use non-NULL default values in the PEG parser
  - bpo-41218: Python 3.8.3 had a regression where compiling with
    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
  - bpo-41175: Guard against a NULL pointer dereference within
  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
    __setattr__() by calling the superclass method was
  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
  - bpo-39017: Avoid infinite loop when reading specially crafted
  - bpo-41207: In distutils.spawn, restore expectation that
  - bpo-41194: Fix a crash in the _ast module: it can no longer be
  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
  - bpo-41300: Save files with non-ascii chars.
  - bpo-37765: Add keywords to module name completion list.
  - bpo-40170: Revert PyType_HasFeature() change: it reads
    again directly the PyTypeObject.tp_flags

OBS-URL: https://build.opensuse.org/request/show/1281888
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=75
 2025-06-02 20:01:04 +00:00
Matej Cepl
2a7083b52f - Add CVE-2025-4516-DecodeError-handler.patch fixing 
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.
  %%files.
- Use python3 modules to build the documentation.
  * Support Expat >= 2.4.5
- allow build with Sphinx >= 3.x
  * remove importlib_resources and importlib-metadata
  - bpo-41304: Fixes python3x._pth being ignored on Windows, caused
  - bpo-29778: Ensure python3.dll is loaded from correct locations
  - bpo-39603: Prevent http header injection by rejecting control
    “__setattr__” in a multi-inheritance setup and
  - bpo-41247: Always cache the running loop holder when running
  - bpo-41252: Fix incorrect refcounting in
  - bpo-41215: Use non-NULL default values in the PEG parser
  - bpo-41218: Python 3.8.3 had a regression where compiling with
    ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
  - bpo-41175: Guard against a NULL pointer dereference within
  - bpo-39960: The “hackcheck” that prevents sneaking around a type’s
    __setattr__() by calling the superclass method was
  - bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
  - bpo-39017: Avoid infinite loop when reading specially crafted
  - bpo-41207: In distutils.spawn, restore expectation that
  - bpo-41194: Fix a crash in the _ast module: it can no longer be
  - bpo-39384: Fixed email.contentmanager to allow set_content() to set a
  - bpo-41300: Save files with non-ascii chars.
  - bpo-37765: Add keywords to module name completion list.
  - bpo-40170: Revert PyType_HasFeature() change: it reads
    again directly the PyTypeObject.tp_flags
    member when the limited C API is not used, rather than always calling

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=231
 2025-05-30 16:01:02 +00:00
Ana Guerrero
b3445ff772 Accepting request 1276660 from devel:languages:python:Factory 
- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
  since kernel 3.6-rc1)

OBS-URL: https://build.opensuse.org/request/show/1276660
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=74
 2025-05-12 14:50:25 +00:00
Matej Cepl
16a3758f99 - Remove python-3.3.0b1-test-posix_fadvise.patch (not needed since kernel 3.6-rc1) 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=229
 2025-05-10 11:42:42 +00:00
Ana Guerrero
819fb77284 Accepting request 1269058 from devel:languages:python:Factory 
- Update to 3.9.22:
  - gh-131809: Update bundled libexpat to 2.7.1
  - gh-131261: Upgrade to libexpat 2.7.0
  - gh-105704: When using urllib.parse.urlsplit() and
    urllib.parse.urlparse() host parsing would not reject domain
    names containing square brackets ([ and ]). Square brackets
    are only valid for IPv6 and IPvFuture hosts according to RFC
    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
    gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
    when flattening an email message using a modern email
    policy. Previously when an encoded-word was too long for
    a line, it would be decoded, split across lines, and
    re-encoded. But commas and other special characters in the
    original text could be left unencoded and unquoted. This
    could theoretically be used to spoof header lines using a
    carefully constructed encoded-word if the resulting rendered
    email was transmitted or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib
    module. When connecting to a malicious server, it could
    cause an arbitrary amount of memory to be allocated. On many
    systems this is harmless as unused virtual memory is only
    a mapping, but if this hit a virtual address size limit
    it could lead to a MemoryError or other process crash. On
    unusual systems or builds where all allocated memory is
    touched and backed by actual ram or storage it could’ve
    consumed resources doing so until similarly crashing.
  - gh-121277: Writers of CPython’s documentation can now use
    next as the version for the versionchanged, versionadded,
    deprecated directives.

OBS-URL: https://build.opensuse.org/request/show/1269058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=73
 2025-04-14 10:58:58 +00:00
Matej Cepl
975044e74b update patches 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=227
 2025-04-11 07:57:50 +00:00
Matej Cepl
303cf28c8d - Update to 3.9.22: 
- gh-131809: Update bundled libexpat to 2.7.1
  - gh-131261: Upgrade to libexpat 2.7.0
  - gh-105704: When using urllib.parse.urlsplit() and
    urllib.parse.urlparse() host parsing would not reject domain
    names containing square brackets ([ and ]). Square brackets
    are only valid for IPv6 and IPvFuture hosts according to RFC
    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
    gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
    when flattening an email message using a modern email
    policy. Previously when an encoded-word was too long for
    a line, it would be decoded, split across lines, and
    re-encoded. But commas and other special characters in the
    original text could be left unencoded and unquoted. This
    could theoretically be used to spoof header lines using a
    carefully constructed encoded-word if the resulting rendered
    email was transmitted or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib
    module. When connecting to a malicious server, it could
    cause an arbitrary amount of memory to be allocated. On many
    systems this is harmless as unused virtual memory is only
    a mapping, but if this hit a virtual address size limit
    it could lead to a MemoryError or other process crash. On
    unusual systems or builds where all allocated memory is
    touched and backed by actual ram or storage it could’ve
    consumed resources doing so until similarly crashing.
  - gh-121277: Writers of CPython’s documentation can now use
    next as the version for the versionchanged, versionadded,
    deprecated directives.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=226
 2025-04-09 20:09:20 +00:00
Ana Guerrero
6dcdf81612 Accepting request 1252712 from devel:languages:python:Factory 
- Skip PGO with %want_reproducible_builds (bsc#1239210)

OBS-URL: https://build.opensuse.org/request/show/1252712
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=72
 2025-03-13 14:07:39 +00:00
Matej Cepl
af4e895cc2 - Skip PGO with %want_reproducible_builds (bsc#1239210) 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=224
 2025-03-13 10:06:16 +00:00
Ana Guerrero
557343380e Accepting request 1244103 from devel:languages:python:Factory 
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
  disallows square brackets ([ and ]) in domain names for parsed
  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)

OBS-URL: https://build.opensuse.org/request/show/1244103
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=71
 2025-02-07 22:06:52 +00:00
Matej Cepl
81e576898b - Add CVE-2025-0938-sq-brackets-domain-names.patch which 
disallows square brackets ([ and ]) in domain names for parsed
  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=222
 2025-02-07 08:50:25 +00:00
Ana Guerrero
f857ffb685 Accepting request 1228377 from devel:languages:python:Factory 
- Update to 3.9.21:
  - Tests
    - gh-125041: Re-enable skipped tests for zlib on the
      s390x architecture: only skip checks of the compressed
      bytes, which can be different between zlib’s software
      implementation and the hardware-accelerated implementation.
    - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS
      mode. Use a longer key: FIPS mode requires at least of at
      least 112 bits. The previous key was only 32 bits. Patch by
      Victor Stinner.
    - gh-100454: Fix SSL tests CI for OpenSSL 3.1+
  - Security
    - gh-126623: Upgrade libexpat to 2.6.4
    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
      consistently use the mapped IPv4 address value for deciding
      properties. Properties which have their behavior fixed are
      is_multicast, is_reserved, is_link_local, is_global, and
      is_unspecified (bsc#1233307, CVE-2024-11168).
  - Library
    - gh-124651: Properly quote template strings in venv
      activation scripts (bsc#1232241, CVE-2024-9287).
    - gh-103848: Add checks to ensure that [ bracketed ] hosts
      found by urllib.parse.urlsplit() are of IPv6 or IPvFuture
      format.
  - Documentation
    - gh-95588: Clarified the conflicting advice given in the ast
      documentation about ast.literal_eval() being “safe” for use
      on untrusted input while at the same time warning that it
      can crash the process. The latter statement is true and is
      deemed unfixable without a large amount of work unsuitable

OBS-URL: https://build.opensuse.org/request/show/1228377
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=70
 2024-12-05 16:09:09 +00:00
Matej Cepl
b657f1bd02 Fix changelog 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=220
 2024-12-04 21:30:02 +00:00
Matej Cepl
0e5b96eafc - Update to 3.9.21: 
- Tests
    - gh-125041: Re-enable skipped tests for zlib on the
      s390x architecture: only skip checks of the compressed
      bytes, which can be different between zlib’s software
      implementation and the hardware-accelerated implementation.
    - gh-109396: Fix test_socket.test_hmac_sha1() in FIPS
      mode. Use a longer key: FIPS mode requires at least of at
      least 112 bits. The previous key was only 32 bits. Patch by
      Victor Stinner.
    - gh-100454: Fix SSL tests CI for OpenSSL 3.1+
  - Security
    - gh-126623: Upgrade libexpat to 2.6.4
    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
      consistently use the mapped IPv4 address value for deciding
      properties. Properties which have their behavior fixed are
      is_multicast, is_reserved, is_link_local, is_global, and
      is_unspecified.
  - Library
    - gh-124651: Properly quote template strings in venv
      activation scripts.
    - gh-103848: Add checks to ensure that [ bracketed ] hosts
      found by urllib.parse.urlsplit() are of IPv6 or IPvFuture
      format.
  - Documentation
    - gh-95588: Clarified the conflicting advice given in the ast
      documentation about ast.literal_eval() being “safe” for use
      on untrusted input while at the same time warning that it
      can crash the process. The latter statement is true and is
      deemed unfixable without a large amount of work unsuitable

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=219
 2024-12-04 19:54:44 +00:00
Ana Guerrero
935cc14ece Accepting request 1224263 from devel:languages:python:Factory 
- Remove -IVendor/ from python-config boo#1231795
- Add CVE-2024-11168-validation-IPv6-addrs.patch
  fixing bsc#1233307 (CVE-2024-11168,
  gh#python/cpython#103848): Improper validation of IPv6 and
  IPvFuture addresses.

OBS-URL: https://build.opensuse.org/request/show/1224263
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=69
 2024-11-15 14:42:40 +00:00
Matej Cepl
77334d03b1 - Remove -IVendor/ from python-config boo#1231795 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=217
 2024-11-14 16:27:13 +00:00
Matej Cepl
3b3841013a - Add CVE-2024-11168-validation-IPv6-addrs.patch 
fixing bsc#1233307 (CVE-2024-11168,
  gh#python/cpython#103848): Improper validation of IPv6 and
  IPvFuture addresses.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=216
 2024-11-13 14:54:20 +00:00
Dominique Leuenberger
090db10a8a Accepting request 1220114 from devel:languages:python:Factory 
- Update CVE-2024-9287-venv_path_unquoted.patch according to the
  upstream PR gh#python/cpython!126301.

OBS-URL: https://build.opensuse.org/request/show/1220114
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=68
 2024-11-01 22:03:28 +00:00
Matej Cepl
28d2065b0f - Update CVE-2024-9287-venv_path_unquoted.patch according to the 
upstream PR gh#python/cpython!126301.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=214
 2024-11-01 21:18:24 +00:00
Matej Cepl
8b5e0d922c Update the patch 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=213
 2024-11-01 17:07:01 +00:00
Ana Guerrero
79cfd15358 Accepting request 1218097 from devel:languages:python:Factory 
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
  path names provided when creating a virtual environment
  (bsc#1232241, CVE-2024-9287)
- Drop .pyc files from docdir for reproducible builds
  (bsc#1230906).

OBS-URL: https://build.opensuse.org/request/show/1218097
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=67
 2024-10-25 17:19:37 +00:00
Matej Cepl
087c362626 - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote 
path names provided when creating a virtual environment
  (bsc#1232241, CVE-2024-9287)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=211
 2024-10-24 17:06:14 +00:00
Matej Cepl
c05bd945fa Fix the changelog 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=210
 2024-10-03 15:06:05 +00:00
Matej Cepl
88f27fa1de - Drop .pyc files from docdir for reproducible builds 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=209
 2024-10-02 16:24:07 +00:00
Ana Guerrero
a3040dacb7 Accepting request 1204230 from devel:languages:python:Factory 
- Add sphinx-802.patch to overcome working both with the most
  recent and older Sphinx versions.

OBS-URL: https://build.opensuse.org/request/show/1204230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=66
 2024-09-29 16:10:02 +00:00
Matej Cepl
63de619ed6 No autopatch 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=207
 2024-09-20 16:44:09 +00:00
Matej Cepl
a456d9d1b0 - Add sphinx-802.patch to overcome working both with the most 
recent and older Sphinx versions.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=206
 2024-09-20 15:25:39 +00:00
Ana Guerrero
ff3037e669 Accepting request 1202002 from devel:languages:python:Factory 
with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592).
  complexity in parsing tarfile headers (bsc#1230227, CVE-2024-6232).

OBS-URL: https://build.opensuse.org/request/show/1202002
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=65
 2024-09-19 19:17:16 +00:00
Matej Cepl
7dad477866 Fix changelog 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=204
 2024-09-19 12:27:39 +00:00
Matej Cepl
3fc2e6a2ef Fix changes 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=203
 2024-09-11 15:30:21 +00:00
17 changed files with 1114 additions and 280 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1 +1,2 @@
.osc
python39-*-build/

22
98437-sphinx.locale._-as-gettext-in-pyspecific.patch
View File

@@ -10,9 +10,11 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst | 1 +
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/Doc/tools/extensions/pyspecific.py
+++ b/Doc/tools/extensions/pyspecific.py
@@ -26,7 +26,7 @@ try:
Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
===================================================================
--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py 2025-04-11 09:49:58.417019238 +0200
+++ Python-3.9.22/Doc/tools/extensions/pyspecific.py 2025-04-11 09:50:56.818993764 +0200
@@ -27,7 +27,7 @@
from sphinx.errors import NoUri
except ImportError:
from sphinx.environment import NoUri
@@ -21,7 +23,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
from sphinx.util import status_iterator, logging
from sphinx.util.nodes import split_explicit_title
from sphinx.writers.text import TextWriter, TextTranslator
@@ -110,7 +110,7 @@ class ImplementationDetail(Directive):
@@ -111,7 +111,7 @@
def run(self):
pnode = nodes.compound(classes=['impl-detail'])
@@ -30,7 +32,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
content = self.content
add_text = nodes.strong(label, label)
if self.arguments:
@@ -179,7 +179,7 @@ class AuditEvent(Directive):
@@ -180,7 +180,7 @@
else:
args = []
@@ -39,16 +41,18 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for
text = label.format(name="``{}``".format(name),
args=", ".join("``{}``".format(a) for a in args if a))
@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive):
@@ -380,7 +380,7 @@
else:
label = self._removed_label
- label = translators['sphinx'].gettext(label)
+ label = sphinx_gettext(label)
text = label.format(deprecated=self.arguments[0], removed=self.arguments[1])
text = label.format(deprecated=version[0], removed=version[1])
if len(self.arguments) == 3:
inodes, messages = self.state.inline_text(self.arguments[2],
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
Index: Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.22/Misc/NEWS.d/next/Documentation/2022-10-19-07-15-52.gh-issue-98366.UskMXF.rst 2025-04-11 09:50:08.952333342 +0200
@@ -0,0 +1 @@
+Use sphinx.locale._ as the gettext function in pyspecific.py.

26
CVE-2023-52425-libexpat-2.6.0-backport.patch
View File

@@ -4,9 +4,11 @@
Lib/test/test_xml_etree.py | 7 +++++++
3 files changed, 14 insertions(+)
--- a/Lib/test/test_pyexpat.py
+++ b/Lib/test/test_pyexpat.py
@@ -766,6 +766,10 @@ class ReparseDeferralTest(unittest.TestC
Index: Python-3.9.25/Lib/test/test_pyexpat.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_pyexpat.py 2025-12-11 22:43:38.646411669 +0100
+++ Python-3.9.25/Lib/test/test_pyexpat.py 2025-12-11 22:43:57.288891858 +0100
@@ -802,6 +802,10 @@
self.assertEqual(started, ['doc'])
def test_reparse_deferral_disabled(self):
@@ -17,9 +19,11 @@
started = []
def start_element(name, _):
--- a/Lib/test/test_sax.py
+++ b/Lib/test/test_sax.py
@@ -1236,6 +1236,9 @@ class ExpatReaderTest(XmlTestBase):
Index: Python-3.9.25/Lib/test/test_sax.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_sax.py 2025-12-11 22:43:38.675498657 +0100
+++ Python-3.9.25/Lib/test/test_sax.py 2025-12-11 22:43:57.289349463 +0100
@@ -1236,6 +1236,9 @@
self.assertEqual(result.getvalue(), start + b"<doc></doc>")
@@ -29,9 +33,11 @@
def test_flush_reparse_deferral_disabled(self):
result = BytesIO()
xmlgen = XMLGenerator(result)
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1416,9 +1416,13 @@ class XMLPullParserTest(unittest.TestCas
Index: Python-3.9.25/Lib/test/test_xml_etree.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_xml_etree.py 2025-12-11 22:43:38.988627336 +0100
+++ Python-3.9.25/Lib/test/test_xml_etree.py 2025-12-11 22:43:57.289604596 +0100
@@ -1416,9 +1416,13 @@
self.assert_event_tags(parser, [('end', 'root')])
self.assertIsNone(parser.close())
@@ -45,7 +51,7 @@
def test_simple_xml_chunk_5(self):
self.test_simple_xml(chunk_size=5, flush=True)
@@ -1643,6 +1647,9 @@ class XMLPullParserTest(unittest.TestCas
@@ -1643,6 +1647,9 @@
self.assert_event_tags(parser, [('end', 'doc')])

308
CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch
View File

@@ -44,9 +44,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
15 files changed, 77 insertions(+), 873 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
--- a/Doc/using/unix.rst
+++ b/Doc/using/unix.rst
@@ -113,6 +113,7 @@ For example, on most Linux systems, the
Index: Python-3.9.25/Doc/using/unix.rst
===================================================================
--- Python-3.9.25.orig/Doc/using/unix.rst 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Doc/using/unix.rst 2025-12-19 23:25:05.628832227 +0100
@@ -113,6 +113,7 @@
| | embedding the interpreter. |
+-----------------------------------------------+------------------------------------------+
@@ -54,9 +56,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Miscellaneous
=============
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -910,15 +910,12 @@ class SSLObject:
Index: Python-3.9.25/Lib/ssl.py
===================================================================
--- Python-3.9.25.orig/Lib/ssl.py 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Lib/ssl.py 2025-12-19 23:25:05.629281589 +0100
@@ -912,15 +912,12 @@
"""Return the currently selected NPN protocol as a string, or ``None``
if a next protocol was not negotiated or if NPN is not supported by one
of the peers."""
@@ -73,7 +77,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def cipher(self):
"""Return the currently selected cipher as a 3-tuple ``(name,
@@ -1160,10 +1157,7 @@ class SSLSocket(socket):
@@ -1162,10 +1159,7 @@
@_sslcopydoc
def selected_npn_protocol(self):
self._checkClosed()
@@ -85,9 +89,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
@_sslcopydoc
def selected_alpn_protocol(self):
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -39,7 +39,6 @@ Py_DEBUG_WIN32 = Py_DEBUG and sys.platfo
Index: Python-3.9.25/Lib/test/test_ssl.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_ssl.py 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Lib/test/test_ssl.py 2025-12-19 23:25:05.630031412 +0100
@@ -39,7 +39,6 @@
PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
HOST = socket_helper.HOST
IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
@@ -95,7 +101,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
@@ -269,18 +268,6 @@ def handle_error(prefix):
@@ -269,18 +268,6 @@
if support.verbose:
sys.stdout.write(prefix + exc_format)
@@ -114,7 +120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def _have_secp_curves():
if not ssl.HAS_ECDH:
return False
@@ -371,17 +358,15 @@ class BasicSocketTests(unittest.TestCase
@@ -371,17 +358,15 @@
ssl.OP_SINGLE_DH_USE
if ssl.HAS_ECDH:
ssl.OP_SINGLE_ECDH_USE
@@ -135,7 +141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
def test_private_init(self):
@@ -1169,7 +1154,6 @@ class ContextTests(unittest.TestCase):
@@ -1169,7 +1154,6 @@
self.assertNotIn("RC4", name)
self.assertNotIn("3DES", name)
@@ -143,7 +149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_get_ciphers(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.set_ciphers('AESGCM')
@@ -1201,15 +1185,11 @@ class ContextTests(unittest.TestCase):
@@ -1201,15 +1185,11 @@
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
@@ -164,7 +170,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_verify_mode_protocol(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
@@ -1328,8 +1308,6 @@ class ContextTests(unittest.TestCase):
@@ -1328,8 +1308,6 @@
with self.assertRaises(ValueError):
ctx.maximum_version = ssl.TLSVersion.TLSv1
@@ -173,7 +179,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_verify_flags(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# default value
@@ -1807,7 +1785,6 @@ class ContextTests(unittest.TestCase):
@@ -1807,7 +1785,6 @@
obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
self.assertIsInstance(obj, MySSLObject)
@@ -181,7 +187,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_num_tickest(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
self.assertEqual(ctx.num_tickets, 2)
@@ -2972,8 +2949,6 @@ class ThreadedTests(unittest.TestCase):
@@ -2972,8 +2949,6 @@
after = ssl.cert_time_to_seconds(cert['notAfter'])
self.assertLess(before, after)
@@ -190,7 +196,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_crl_check(self):
if support.verbose:
sys.stdout.write("\n")
@@ -3877,12 +3852,7 @@ class ThreadedTests(unittest.TestCase):
@@ -3877,12 +3852,7 @@
self.assertIs(s.version(), None)
self.assertIs(s._sslobj, None)
s.connect((HOST, server.port))
@@ -204,7 +210,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertIs(s._sslobj, None)
self.assertIs(s.version(), None)
@@ -3984,8 +3954,6 @@ class ThreadedTests(unittest.TestCase):
@@ -3984,8 +3954,6 @@
# explicitly using the 'ECCdraft' cipher alias. Otherwise,
# our default cipher list should prefer ECDH-based ciphers
# automatically.
@@ -213,7 +219,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
with ThreadedEchoServer(context=context) as server:
with context.wrap_socket(socket.socket()) as s:
s.connect((HOST, server.port))
@@ -4117,15 +4085,11 @@ class ThreadedTests(unittest.TestCase):
@@ -4117,15 +4085,11 @@
server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
try:
@@ -233,7 +239,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_alpn_protocol(self):
# selected_alpn_protocol() is None unless ALPN is used.
@@ -4135,7 +4099,6 @@ class ThreadedTests(unittest.TestCase):
@@ -4135,7 +4099,6 @@
sni_name=hostname)
self.assertIs(stats['client_alpn_protocol'], None)
@@ -241,7 +247,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_alpn_protocol_if_server_uses_alpn(self):
# selected_alpn_protocol() is None unless ALPN is used by the client.
client_context, server_context, hostname = testing_context()
@@ -4145,7 +4108,6 @@ class ThreadedTests(unittest.TestCase):
@@ -4145,7 +4108,6 @@
sni_name=hostname)
self.assertIs(stats['client_alpn_protocol'], None)
@@ -249,7 +255,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_alpn_protocols(self):
server_protocols = ['foo', 'bar', 'milkshake']
protocol_tests = [
@@ -4168,22 +4130,17 @@ class ThreadedTests(unittest.TestCase):
@@ -4168,22 +4130,17 @@
except ssl.SSLError as e:
stats = e
@@ -283,7 +289,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_npn_protocol(self):
# selected_npn_protocol() is None unless NPN is used
@@ -4193,31 +4150,8 @@ class ThreadedTests(unittest.TestCase):
@@ -4193,31 +4150,8 @@
sni_name=hostname)
self.assertIs(stats['client_npn_protocol'], None)
@@ -314,9 +320,9 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- self.assertEqual(server_result, expected, msg % (server_result, "server"))
+ assert not ssl.HAS_NPN
def sni_contexts(self):
server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
@@ -4387,8 +4321,7 @@ class ThreadedTests(unittest.TestCase):
def test_empty_npn_protocols(self):
"""npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227"""
@@ -4393,8 +4327,7 @@
self.assertGreater(session.time, 0)
self.assertGreater(session.timeout, 0)
self.assertTrue(session.has_ticket)
@@ -326,13 +332,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertFalse(stats['session_reused'])
sess_stat = server_context.session_stats()
self.assertEqual(sess_stat['accept'], 1)
--- /dev/null
+++ b/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
Index: Python-3.9.25/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.25/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst 2025-12-19 23:25:05.630820206 +0100
@@ -0,0 +1 @@
+Implement :pep:`644`. Python now requires OpenSSL 1.1.1 or newer.
--- a/Modules/Setup
+++ b/Modules/Setup
@@ -210,11 +210,23 @@ _symtable symtablemodule.c
Index: Python-3.9.25/Modules/Setup
===================================================================
--- Python-3.9.25.orig/Modules/Setup 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Modules/Setup 2025-12-19 23:25:05.631164735 +0100
@@ -210,11 +210,23 @@
#_socket socketmodule.c
# Socket module helper for SSL support; you must comment out the other
@@ -361,8 +371,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# The crypt module is now disabled by default because it breaks builds
# on many systems (where -lcrypt is needed), e.g. Linux (I believe).
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
Index: Python-3.9.25/Modules/_hashopenssl.c
===================================================================
--- Python-3.9.25.orig/Modules/_hashopenssl.c 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Modules/_hashopenssl.c 2025-12-19 23:25:05.631562345 +0100
@@ -43,51 +43,12 @@
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
@@ -416,7 +428,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PY_EVP_MD EVP_MD
@@ -1311,8 +1272,7 @@ pbkdf2_hmac_impl(PyObject *module, const
@@ -1311,8 +1272,7 @@
return key_obj;
}
@@ -426,7 +438,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* XXX: Parameters salt, n, r and p should be required keyword-only parameters.
They are optional in the Argument Clinic declaration only due to a
@@ -1433,7 +1393,7 @@ _hashlib_scrypt_impl(PyObject *module, P
@@ -1433,7 +1393,7 @@
}
return key_obj;
}
@@ -435,7 +447,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Fast HMAC for hmac.digest()
*/
@@ -1920,12 +1880,6 @@ hashlib_md_meth_names(PyObject *module)
@@ -1920,12 +1880,6 @@
return 0;
}
@@ -448,7 +460,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_hashlib.get_fips_mode -> int
@@ -1963,7 +1917,6 @@ _hashlib_get_fips_mode_impl(PyObject *mo
@@ -1963,7 +1917,6 @@
return result;
#endif
}
@@ -456,7 +468,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
@@ -2144,17 +2097,6 @@ hashlib_free(void *m)
@@ -2144,17 +2097,6 @@
/* Py_mod_exec functions */
static int
@@ -474,7 +486,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
hashlib_init_hashtable(PyObject *module)
{
_hashlibstate *state = get_hashlib_state(module);
@@ -2227,10 +2169,7 @@ hashlib_init_hmactype(PyObject *module)
@@ -2227,10 +2169,7 @@
return 0;
}
@@ -485,7 +497,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
{Py_mod_exec, hashlib_init_hashtable},
{Py_mod_exec, hashlib_init_evptype},
{Py_mod_exec, hashlib_init_evpxoftype},
@@ -2238,7 +2177,6 @@ static PyModuleDef_Slot hashlib_slots[]
@@ -2238,7 +2177,6 @@
{Py_mod_exec, hashlib_md_meth_names},
{0, NULL}
};
@@ -493,7 +505,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static struct PyModuleDef _hashlibmodule = {
PyModuleDef_HEAD_INIT,
@@ -2246,7 +2184,7 @@ static struct PyModuleDef _hashlibmodule
@@ -2246,7 +2184,7 @@
.m_doc = "OpenSSL interface for hashlib module",
.m_size = sizeof(_hashlibstate),
.m_methods = EVP_functions,
@@ -502,7 +514,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
.m_traverse = hashlib_traverse,
.m_clear = hashlib_clear,
.m_free = hashlib_free
@@ -2255,41 +2193,5 @@ static struct PyModuleDef _hashlibmodule
@@ -2255,41 +2193,5 @@
PyMODINIT_FUNC
PyInit__hashlib(void)
{
@@ -545,8 +557,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- return m;
+ return PyModuleDef_Init(&_hashlibmodule);
}
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
Index: Python-3.9.25/Modules/_ssl.c
===================================================================
--- Python-3.9.25.orig/Modules/_ssl.c 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Modules/_ssl.c 2025-12-19 23:25:05.632257411 +0100
@@ -29,9 +29,9 @@
#define _PySSL_FIX_ERRNO
@@ -559,7 +573,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#define PySSL_BEGIN_ALLOW_THREADS { \
PyThreadState *_save = NULL; \
PySSL_BEGIN_ALLOW_THREADS_S(_save);
@@ -62,16 +62,6 @@ static PySocketModule_APIObject PySocket
@@ -62,16 +62,6 @@
#include "openssl/bio.h"
#include "openssl/dh.h"
@@ -576,7 +590,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
@@ -142,15 +132,7 @@ static void _PySSLFixErrno(void) {
@@ -142,15 +132,7 @@
#include "_ssl_data.h"
#endif
@@ -593,7 +607,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef OPENSSL_NO_TLS1_METHOD
extern const SSL_METHOD *TLSv1_method(void);
#endif
@@ -161,59 +143,10 @@ extern const SSL_METHOD *TLSv1_1_method(
@@ -161,59 +143,10 @@
extern const SSL_METHOD *TLSv1_2_method(void);
#endif
@@ -653,7 +667,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */
#ifdef OPENSSL_VERSION_1_1
#define HAVE_OPENSSL_X509_STORE_LOCK
@@ -224,80 +157,8 @@ extern const SSL_METHOD *TLSv1_2_method(
@@ -224,80 +157,8 @@
#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
#endif
@@ -735,7 +749,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Default cipher suites */
#ifndef PY_SSL_DEFAULT_CIPHERS
@@ -409,24 +270,10 @@ enum py_proto_version {
@@ -409,24 +270,10 @@
#endif
};
@@ -760,7 +774,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
* older SSL, but let's be safe */
@@ -436,17 +283,9 @@ static unsigned int _ssl_locks_count = 0
@@ -436,17 +283,9 @@
typedef struct {
PyObject_HEAD
SSL_CTX *ctx;
@@ -778,7 +792,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
int check_hostname;
/* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct.
* We have to maintain our own copy. OpenSSL's hostflags default to 0.
@@ -457,10 +296,8 @@ typedef struct {
@@ -457,10 +296,8 @@
int post_handshake_auth;
#endif
PyObject *msg_cb;
@@ -789,7 +803,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} PySSLContext;
typedef struct {
@@ -667,23 +504,18 @@ fill_and_set_sslerror(PySSLSocket *sslso
@@ -667,23 +504,18 @@
}
switch (verify_code) {
@@ -813,7 +827,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
default:
verify_str = X509_verify_cert_error_string(verify_code);
if (verify_str != NULL) {
@@ -2014,7 +1846,6 @@ cipher_to_tuple(const SSL_CIPHER *cipher
@@ -2014,7 +1846,6 @@
return NULL;
}
@@ -821,7 +835,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
cipher_to_dict(const SSL_CIPHER *cipher)
{
@@ -2023,10 +1854,8 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2023,10 +1854,8 @@
unsigned long cipher_id;
int alg_bits, strength_bits, len;
char buf[512] = {0};
@@ -832,7 +846,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* can be NULL */
cipher_name = SSL_CIPHER_get_name(cipher);
@@ -2039,7 +1868,6 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2039,7 +1868,6 @@
buf[len-1] = '\0';
strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
@@ -840,7 +854,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
aead = SSL_CIPHER_is_aead(cipher);
nid = SSL_CIPHER_get_cipher_nid(cipher);
skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -2049,13 +1877,10 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2049,13 +1877,10 @@
kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
nid = SSL_CIPHER_get_auth_nid(cipher);
auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -854,7 +868,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
"}",
"id", cipher_id,
"name", cipher_name,
@@ -2063,16 +1888,13 @@ cipher_to_dict(const SSL_CIPHER *cipher)
@@ -2063,16 +1888,13 @@
"description", buf,
"strength_bits", strength_bits,
"alg_bits", alg_bits
@@ -871,7 +885,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLSocket.shared_ciphers
@@ -2143,28 +1965,6 @@ _ssl__SSLSocket_version_impl(PySSLSocket
@@ -2143,28 +1965,6 @@
return PyUnicode_FromString(version);
}
@@ -900,7 +914,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLSocket.selected_alpn_protocol
[clinic start generated code]*/
@@ -2182,7 +1982,6 @@ _ssl__SSLSocket_selected_alpn_protocol_i
@@ -2182,7 +1982,6 @@
Py_RETURN_NONE;
return PyUnicode_FromStringAndSize((char *)out, outlen);
}
@@ -908,7 +922,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLSocket.compression
@@ -2219,11 +2018,6 @@ static int PySSL_set_context(PySSLSocket
@@ -2219,11 +2018,6 @@
void *closure) {
if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
@@ -920,7 +934,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_INCREF(value);
Py_SETREF(self->ctx, (PySSLContext *)value);
SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
@@ -2232,7 +2026,6 @@ static int PySSL_set_context(PySSLSocket
@@ -2232,7 +2026,6 @@
self->ssl,
self->ctx->msg_cb ? _PySSL_msg_callback : NULL
);
@@ -928,7 +942,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} else {
PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
return -1;
@@ -2857,8 +2650,6 @@ _ssl__SSLSocket_verify_client_post_hands
@@ -2857,8 +2650,6 @@
#endif
}
@@ -937,7 +951,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static SSL_SESSION*
_ssl_session_dup(SSL_SESSION *session) {
SSL_SESSION *newsession = NULL;
@@ -2899,7 +2690,6 @@ _ssl_session_dup(SSL_SESSION *session) {
@@ -2899,7 +2690,6 @@
}
return NULL;
}
@@ -945,7 +959,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
PySSL_get_session(PySSLSocket *self, void *closure) {
@@ -2908,7 +2698,6 @@ PySSL_get_session(PySSLSocket *self, voi
@@ -2908,7 +2698,6 @@
PySSLSession *pysess;
SSL_SESSION *session;
@@ -953,7 +967,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* duplicate session as workaround for session bug in OpenSSL 1.1.0,
* https://github.com/openssl/openssl/issues/1550 */
session = SSL_get0_session(self->ssl); /* borrowed reference */
@@ -2918,12 +2707,10 @@ PySSL_get_session(PySSLSocket *self, voi
@@ -2918,12 +2707,10 @@
if ((session = _ssl_session_dup(session)) == NULL) {
return NULL;
}
@@ -966,7 +980,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
pysess = PyObject_GC_New(PySSLSession, &PySSLSession_Type);
if (pysess == NULL) {
SSL_SESSION_free(session);
@@ -2942,9 +2729,7 @@ static int PySSL_set_session(PySSLSocket
@@ -2942,9 +2729,7 @@
void *closure)
{
PySSLSession *pysess;
@@ -976,7 +990,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
int result;
if (!PySSLSession_Check(value)) {
@@ -2968,7 +2753,6 @@ static int PySSL_set_session(PySSLSocket
@@ -2968,7 +2753,6 @@
"Cannot set session after handshake.");
return -1;
}
@@ -984,7 +998,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* duplicate session */
if ((session = _ssl_session_dup(pysess->session)) == NULL) {
return -1;
@@ -2976,9 +2760,6 @@ static int PySSL_set_session(PySSLSocket
@@ -2976,9 +2760,6 @@
result = SSL_set_session(self->ssl, session);
/* free duplicate, SSL_set_session() bumps ref count */
SSL_SESSION_free(session);
@@ -994,7 +1008,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if (result == 0) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
return -1;
@@ -3029,7 +2810,6 @@ static PyMethodDef PySSLMethods[] = {
@@ -3029,7 +2810,6 @@
_SSL__SSLSOCKET_CIPHER_METHODDEF
_SSL__SSLSOCKET_SHARED_CIPHERS_METHODDEF
_SSL__SSLSOCKET_VERSION_METHODDEF
@@ -1002,7 +1016,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
_SSL__SSLSOCKET_SELECTED_ALPN_PROTOCOL_METHODDEF
_SSL__SSLSOCKET_COMPRESSION_METHODDEF
_SSL__SSLSOCKET_SHUTDOWN_METHODDEF
@@ -3123,9 +2903,6 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3123,9 +2903,6 @@
SSL_CTX *ctx = NULL;
X509_VERIFY_PARAM *params;
int result;
@@ -1012,7 +1026,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PySSL_BEGIN_ALLOW_THREADS
switch(proto_version) {
@@ -3190,19 +2967,10 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3190,19 +2967,10 @@
self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
self->protocol = proto_version;
self->msg_cb = NULL;
@@ -1032,7 +1046,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Don't check host name by default */
if (proto_version == PY_SSL_VERSION_TLS_CLIENT) {
self->check_hostname = 1;
@@ -3264,37 +3032,9 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3264,37 +3032,9 @@
return NULL;
}
@@ -1072,7 +1086,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
@@ -3302,11 +3042,9 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3302,11 +3042,9 @@
#undef SID_CTX
params = SSL_CTX_get0_param(self->ctx);
@@ -1084,7 +1098,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
#ifdef TLS1_3_VERSION
@@ -3320,9 +3058,7 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -3320,9 +3058,7 @@
static int
context_traverse(PySSLContext *self, visitproc visit, void *arg)
{
@@ -1094,7 +1108,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_VISIT(self->msg_cb);
return 0;
}
@@ -3330,11 +3066,8 @@ context_traverse(PySSLContext *self, vis
@@ -3330,11 +3066,8 @@
static int
context_clear(PySSLContext *self)
{
@@ -1106,7 +1120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_CLEAR(self->keylog_filename);
if (self->keylog_bio != NULL) {
PySSL_BEGIN_ALLOW_THREADS
@@ -3342,7 +3075,6 @@ context_clear(PySSLContext *self)
@@ -3342,7 +3075,6 @@
PySSL_END_ALLOW_THREADS
self->keylog_bio = NULL;
}
@@ -1114,7 +1128,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
return 0;
}
@@ -3353,12 +3085,7 @@ context_dealloc(PySSLContext *self)
@@ -3353,12 +3085,7 @@
PyObject_GC_UnTrack(self);
context_clear(self);
SSL_CTX_free(self->ctx);
@@ -1127,7 +1141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_TYPE(self)->tp_free(self);
}
@@ -3385,7 +3112,6 @@ _ssl__SSLContext_set_ciphers_impl(PySSLC
@@ -3385,7 +3112,6 @@
Py_RETURN_NONE;
}
@@ -1135,7 +1149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLContext.get_ciphers
[clinic start generated code]*/
@@ -3428,10 +3154,8 @@ _ssl__SSLContext_get_ciphers_impl(PySSLC
@@ -3428,10 +3154,8 @@
return result;
}
@@ -1146,7 +1160,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -3455,77 +3179,7 @@ do_protocol_selection(int alpn, unsigned
@@ -3455,77 +3179,7 @@
return SSL_TLSEXT_ERR_OK;
}
@@ -1224,7 +1238,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
_selectALPN_cb(SSL *s,
const unsigned char **out, unsigned char *outlen,
@@ -3537,7 +3191,6 @@ _selectALPN_cb(SSL *s,
@@ -3537,7 +3191,6 @@
ctx->alpn_protocols, ctx->alpn_protocols_len,
client_protocols, client_protocols_len);
}
@@ -1232,7 +1246,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLContext._set_alpn_protocols
@@ -3550,7 +3203,6 @@ _ssl__SSLContext__set_alpn_protocols_imp
@@ -3550,7 +3203,6 @@
Py_buffer *protos)
/*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/
{
@@ -1240,7 +1254,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if ((size_t)protos->len > UINT_MAX) {
PyErr_Format(PyExc_OverflowError,
"protocols longer than %u bytes", UINT_MAX);
@@ -3569,11 +3221,6 @@ _ssl__SSLContext__set_alpn_protocols_imp
@@ -3569,11 +3221,6 @@
SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self);
Py_RETURN_NONE;
@@ -1252,7 +1266,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
}
static PyObject *
@@ -3649,9 +3296,6 @@ set_verify_flags(PySSLContext *self, PyO
@@ -3649,9 +3296,6 @@
}
/* Getter and setter for protocol version */
@@ -1262,7 +1276,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what)
{
@@ -3746,9 +3390,8 @@ set_maximum_version(PySSLContext *self,
@@ -3746,9 +3390,8 @@
{
return set_min_max_proto_version(self, arg, 1);
}
@@ -1273,7 +1287,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
get_num_tickets(PySSLContext *self, void *c)
{
@@ -3779,7 +3422,7 @@ set_num_tickets(PySSLContext *self, PyOb
@@ -3779,7 +3422,7 @@
PyDoc_STRVAR(PySSLContext_num_tickets_doc,
"Control the number of TLSv1.3 session tickets");
@@ -1282,7 +1296,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
get_options(PySSLContext *self, void *c)
@@ -3797,13 +3440,7 @@ set_options(PySSLContext *self, PyObject
@@ -3797,13 +3440,7 @@
clear = opts & ~new_opts;
set = ~opts & new_opts;
if (clear) {
@@ -1296,7 +1310,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
}
if (set)
SSL_CTX_set_options(self->ctx, set);
@@ -4500,7 +4137,6 @@ _ssl__SSLContext_set_default_verify_path
@@ -4500,7 +4137,6 @@
Py_RETURN_NONE;
}
@@ -1304,7 +1318,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input]
_ssl._SSLContext.set_ecdh_curve
name: object
@@ -4535,9 +4171,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLCon
@@ -4535,9 +4171,7 @@
EC_KEY_free(key);
Py_RETURN_NONE;
}
@@ -1314,7 +1328,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int
_servername_callback(SSL *s, int *al, void *args)
{
@@ -4641,7 +4275,6 @@ error:
@@ -4641,7 +4275,6 @@
PyGILState_Release(gstate);
return ret;
}
@@ -1322,7 +1336,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject *
get_sni_callback(PySSLContext *self, void *c)
@@ -4662,7 +4295,6 @@ set_sni_callback(PySSLContext *self, PyO
@@ -4662,7 +4295,6 @@
"sni_callback cannot be set on TLS_CLIENT context");
return -1;
}
@@ -1330,7 +1344,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_CLEAR(self->set_sni_cb);
if (arg == Py_None) {
SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
@@ -4680,13 +4312,6 @@ set_sni_callback(PySSLContext *self, PyO
@@ -4680,13 +4312,6 @@
SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
}
return 0;
@@ -1344,7 +1358,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
}
/* Shim of X509_STORE_get1_objects API from OpenSSL 3.3
@@ -4882,21 +4507,17 @@ static PyGetSetDef context_getsetlist[]
@@ -4882,21 +4507,17 @@
(setter) set_check_hostname, NULL},
{"_host_flags", (getter) get_host_flags,
(setter) set_host_flags, NULL},
@@ -1367,7 +1381,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
{"num_tickets", (getter) get_num_tickets,
(setter) set_num_tickets, PySSLContext_num_tickets_doc},
#endif
@@ -4923,7 +4544,6 @@ static struct PyMethodDef context_method
@@ -4923,7 +4544,6 @@
_SSL__SSLCONTEXT__WRAP_BIO_METHODDEF
_SSL__SSLCONTEXT_SET_CIPHERS_METHODDEF
_SSL__SSLCONTEXT__SET_ALPN_PROTOCOLS_METHODDEF
@@ -1375,7 +1389,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
_SSL__SSLCONTEXT_LOAD_CERT_CHAIN_METHODDEF
_SSL__SSLCONTEXT_LOAD_DH_PARAMS_METHODDEF
_SSL__SSLCONTEXT_LOAD_VERIFY_LOCATIONS_METHODDEF
@@ -5441,11 +5061,7 @@ PySSL_RAND(int len, int pseudo)
@@ -5441,11 +5061,7 @@
if (bytes == NULL)
return NULL;
if (pseudo) {
@@ -1387,7 +1401,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if (ok == 0 || ok == 1)
return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
}
@@ -6000,92 +5616,6 @@ static PyMethodDef PySSL_methods[] = {
@@ -6000,92 +5616,6 @@
};
@@ -1480,7 +1494,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(module_doc,
"Implementation module for SSL socket operations. See the socket module\n\
for documentation.");
@@ -6152,14 +5682,6 @@ PyInit__ssl(void)
@@ -6152,14 +5682,6 @@
return NULL;
PySocketModule = *socket_api;
@@ -1495,7 +1509,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifdef HAVE_OPENSSL_CRYPTO_LOCK
/* note that this will start threading if not already started */
if (!_setup_ssl_threads()) {
@@ -6266,10 +5788,8 @@ PyInit__ssl(void)
@@ -6266,10 +5788,8 @@
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
X509_V_FLAG_X509_STRICT);
@@ -1506,7 +1520,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Alert Descriptions from ssl.h */
/* note RESERVED constants no longer intended for use have been removed */
@@ -6426,31 +5946,11 @@ PyInit__ssl(void)
@@ -6426,31 +5946,11 @@
PyModule_AddObject((m), (key), bool_obj); \
} while (0)
@@ -1538,9 +1552,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
addbool(m, "HAS_SSLv2", 1);
--- a/Modules/_ssl/debughelpers.c
+++ b/Modules/_ssl/debughelpers.c
@@ -114,8 +114,6 @@ _PySSLContext_set_msg_callback(PySSLCont
Index: Python-3.9.25/Modules/_ssl/debughelpers.c
===================================================================
--- Python-3.9.25.orig/Modules/_ssl/debughelpers.c 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Modules/_ssl/debughelpers.c 2025-12-19 23:25:05.633150689 +0100
@@ -114,8 +114,6 @@
return 0;
}
@@ -1549,15 +1565,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static void
_PySSL_keylog_callback(const SSL *ssl, const char *line)
{
@@ -219,5 +217,3 @@ _PySSLContext_set_keylog_filename(PySSLC
@@ -219,5 +217,3 @@
SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback);
return 0;
}
-
-#endif
--- a/Modules/clinic/_hashopenssl.c.h
+++ b/Modules/clinic/_hashopenssl.c.h
@@ -965,7 +965,7 @@ exit:
Index: Python-3.9.25/Modules/clinic/_hashopenssl.c.h
===================================================================
--- Python-3.9.25.orig/Modules/clinic/_hashopenssl.c.h 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Modules/clinic/_hashopenssl.c.h 2025-12-19 23:25:05.633452755 +0100
@@ -965,7 +965,7 @@
return return_value;
}
@@ -1566,7 +1584,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_scrypt__doc__,
"scrypt($module, /, password, *, salt=None, n=None, r=None, p=None,\n"
@@ -1093,7 +1093,7 @@ exit:
@@ -1093,7 +1093,7 @@
return return_value;
}
@@ -1575,7 +1593,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_hmac_singleshot__doc__,
"hmac_digest($module, /, key, msg, digest)\n"
@@ -1324,8 +1324,6 @@ _hashlib_HMAC_hexdigest(HMACobject *self
@@ -1324,8 +1324,6 @@
return _hashlib_HMAC_hexdigest_impl(self);
}
@@ -1584,7 +1602,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_get_fips_mode__doc__,
"get_fips_mode($module, /)\n"
"--\n"
@@ -1361,8 +1359,6 @@ exit:
@@ -1361,8 +1359,6 @@
return return_value;
}
@@ -1593,7 +1611,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_compare_digest__doc__,
"compare_digest($module, a, b, /)\n"
"--\n"
@@ -1439,7 +1435,4 @@ exit:
@@ -1439,7 +1435,4 @@
#define _HASHLIB_SCRYPT_METHODDEF
#endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
@@ -1601,9 +1619,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- #define _HASHLIB_GET_FIPS_MODE_METHODDEF
-#endif /* !defined(_HASHLIB_GET_FIPS_MODE_METHODDEF) */
/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
--- a/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h
@@ -139,29 +139,6 @@ _ssl__SSLSocket_version(PySSLSocket *sel
Index: Python-3.9.25/Modules/clinic/_ssl.c.h
===================================================================
--- Python-3.9.25.orig/Modules/clinic/_ssl.c.h 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Modules/clinic/_ssl.c.h 2025-12-19 23:25:05.633884238 +0100
@@ -139,29 +139,6 @@
return _ssl__SSLSocket_version_impl(self);
}
@@ -1633,7 +1653,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLSocket_selected_alpn_protocol__doc__,
"selected_alpn_protocol($self, /)\n"
"--\n"
@@ -179,8 +156,6 @@ _ssl__SSLSocket_selected_alpn_protocol(P
@@ -179,8 +156,6 @@
return _ssl__SSLSocket_selected_alpn_protocol_impl(self);
}
@@ -1642,7 +1662,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLSocket_compression__doc__,
"compression($self, /)\n"
"--\n"
@@ -457,8 +432,6 @@ exit:
@@ -457,8 +432,6 @@
return return_value;
}
@@ -1651,7 +1671,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_get_ciphers__doc__,
"get_ciphers($self, /)\n"
"--\n"
@@ -476,44 +449,6 @@ _ssl__SSLContext_get_ciphers(PySSLContex
@@ -476,44 +449,6 @@
return _ssl__SSLContext_get_ciphers_impl(self);
}
@@ -1696,7 +1716,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext__set_alpn_protocols__doc__,
"_set_alpn_protocols($self, protos, /)\n"
"--\n"
@@ -844,8 +779,6 @@ _ssl__SSLContext_set_default_verify_path
@@ -844,8 +779,6 @@
return _ssl__SSLContext_set_default_verify_paths_impl(self);
}
@@ -1705,7 +1725,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_curve__doc__,
"set_ecdh_curve($self, name, /)\n"
"--\n"
@@ -854,8 +787,6 @@ PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_c
@@ -854,8 +787,6 @@
#define _SSL__SSLCONTEXT_SET_ECDH_CURVE_METHODDEF \
{"set_ecdh_curve", (PyCFunction)_ssl__SSLContext_set_ecdh_curve, METH_O, _ssl__SSLContext_set_ecdh_curve__doc__},
@@ -1714,7 +1734,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_cert_store_stats__doc__,
"cert_store_stats($self, /)\n"
"--\n"
@@ -1455,22 +1386,6 @@ exit:
@@ -1455,22 +1386,6 @@
#endif /* defined(_MSC_VER) */
@@ -1737,9 +1757,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef _SSL_RAND_EGD_METHODDEF
#define _SSL_RAND_EGD_METHODDEF
#endif /* !defined(_SSL_RAND_EGD_METHODDEF) */
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -43,8 +43,6 @@ import tarfile
Index: Python-3.9.25/Tools/ssl/multissltests.py
===================================================================
--- Python-3.9.25.orig/Tools/ssl/multissltests.py 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/Tools/ssl/multissltests.py 2025-12-19 23:25:05.634262920 +0100
@@ -44,8 +44,6 @@
log = logging.getLogger("multissl")
OPENSSL_OLD_VERSIONS = [
@@ -1748,7 +1770,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
]
OPENSSL_RECENT_VERSIONS = [
@@ -53,11 +51,9 @@ OPENSSL_RECENT_VERSIONS = [
@@ -54,11 +52,9 @@
]
LIBRESSL_OLD_VERSIONS = [
@@ -1760,9 +1782,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
]
# store files in ../multissl
--- a/configure
+++ b/configure
@@ -88,6 +88,13 @@ fi
Index: Python-3.9.25/configure
===================================================================
--- Python-3.9.25.orig/configure 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/configure 2025-12-19 23:25:05.636084606 +0100
@@ -88,6 +88,13 @@
# splitting by setting IFS to empty value.)
IFS=" "" $as_nl"
@@ -1776,7 +1800,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# Find who we are. Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
@@ -17997,7 +18004,6 @@ as_fn_error ()
@@ -17997,7 +18004,6 @@
as_fn_exit $as_status
} # as_fn_error
@@ -1784,14 +1808,16 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
@@ -19043,4 +19049,3 @@ if test "$Py_OPT" = 'false' -a "$Py_DEBU
@@ -19043,4 +19049,3 @@
echo "" >&6
echo "" >&6
fi
-
--- a/configure.ac
+++ b/configure.ac
@@ -5756,42 +5756,6 @@ ac_includes_default="$save_includes_defa
Index: Python-3.9.25/configure.ac
===================================================================
--- Python-3.9.25.orig/configure.ac 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/configure.ac 2025-12-19 23:25:05.637165408 +0100
@@ -5756,42 +5756,6 @@
# Check for usable OpenSSL
AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no])
@@ -1834,8 +1860,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# ssl module default cipher suite string
AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS,
[Default cipher suites list for ssl module.
--- a/pyconfig.h.in
+++ b/pyconfig.h.in
Index: Python-3.9.25/pyconfig.h.in
===================================================================
--- Python-3.9.25.orig/pyconfig.h.in 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/pyconfig.h.in 2025-12-19 23:25:05.638051492 +0100
@@ -1351,9 +1351,6 @@
/* Define to 1 if you have the `writev' function. */
#undef HAVE_WRITEV
@@ -1846,9 +1874,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Define if the zlib library has inflateCopy */
#undef HAVE_ZLIB_COPY
--- a/setup.py
+++ b/setup.py
@@ -539,10 +539,7 @@ class PyBuildExt(build_ext):
Index: Python-3.9.25/setup.py
===================================================================
--- Python-3.9.25.orig/setup.py 2025-12-19 23:25:00.457106547 +0100
+++ Python-3.9.25/setup.py 2025-12-19 23:25:05.638647942 +0100
@@ -539,10 +539,7 @@
for l in (self.missing, self.failed, self.failed_on_import)):
print()
print("Could not build the ssl module!")
@@ -1860,7 +1890,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
print()
if os.environ.get("PYTHONSTRICTEXTENSIONBUILD") and (self.failed or self.failed_on_import):
@@ -2346,13 +2343,13 @@ class PyBuildExt(build_ext):
@@ -2346,13 +2343,13 @@
self.missing.extend(['_ssl', '_hashlib'])
return None, None
@@ -1880,7 +1910,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
self.add(Extension(
@@ -2367,8 +2364,6 @@ class PyBuildExt(build_ext):
@@ -2367,8 +2364,6 @@
'_ssl_data_111.h',
'_ssl_data_300.h',
]))

93
CVE-2025-12084-minidom-quad-search.patch Normal file
View File

@@ -0,0 +1,93 @@
From f4eb9ab014545b521fb261b80adfa6d138e7e092 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Wed, 3 Dec 2025 01:16:37 -0600
Subject: [PATCH] gh-142145: Remove quadratic behavior in node ID cache
clearing (GH-142146)
* Remove quadratic behavior in node ID cache clearing
Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
* Add news fragment
---------
(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
---
Lib/test/test_minidom.py | 18 ++++++++++
Lib/xml/dom/minidom.py | 9 -----
Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst | 1
3 files changed, 20 insertions(+), 8 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
Index: Python-3.9.25/Lib/test/test_minidom.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_minidom.py 2025-12-19 23:24:47.176384491 +0100
+++ Python-3.9.25/Lib/test/test_minidom.py 2025-12-19 23:27:27.634483015 +0100
@@ -2,6 +2,7 @@
import copy
import pickle
+import time
import io
from test import support
import unittest
@@ -162,6 +163,23 @@
self.confirm(dom.documentElement.childNodes[-1].data == "Hello")
dom.unlink()
+ def testAppendChildNoQuadraticComplexity(self):
+ impl = getDOMImplementation()
+
+ newdoc = impl.createDocument(None, "some_tag", None)
+ top_element = newdoc.documentElement
+ children = [newdoc.createElement(f"child-{i}") for i in range(1, 2 ** 15 + 1)]
+ element = top_element
+
+ start = time.time()
+ for child in children:
+ element.appendChild(child)
+ element = child
+ end = time.time()
+
+ # This example used to take at least 30 seconds.
+ self.assertLess(end - start, 1)
+
def testAppendChildFragment(self):
dom, orig, c1, c2, c3, frag = self._create_fragment_test_nodes()
dom.documentElement.appendChild(frag)
Index: Python-3.9.25/Lib/xml/dom/minidom.py
===================================================================
--- Python-3.9.25.orig/Lib/xml/dom/minidom.py 2025-10-31 19:40:52.000000000 +0100
+++ Python-3.9.25/Lib/xml/dom/minidom.py 2025-12-19 23:27:27.635128214 +0100
@@ -292,13 +292,6 @@
childNodes.append(node)
node.parentNode = self
-def _in_document(node):
- # return True iff node is part of a document tree
- while node is not None:
- if node.nodeType == Node.DOCUMENT_NODE:
- return True
- node = node.parentNode
- return False
def _write_data(writer, data):
"Writes datachars to writer."
@@ -1537,7 +1530,7 @@
if node.nodeType == Node.DOCUMENT_NODE:
node._id_cache.clear()
node._id_search_stack = None
- elif _in_document(node):
+ elif node.ownerDocument:
node.ownerDocument._id_cache.clear()
node.ownerDocument._id_search_stack= None
Index: Python-3.9.25/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.25/Misc/NEWS.d/next/Security/2025-12-01-09-36-45.gh-issue-142145.tcAUhg.rst 2025-12-19 23:27:27.635403950 +0100
@@ -0,0 +1 @@
+Remove quadratic behavior in ``xml.minidom`` node ID cache clearing.

158
CVE-2025-13836-http-resp-cont-len.patch Normal file
View File

@@ -0,0 +1,158 @@
From b3a7998115e195c40e00cfa662bcaa899d937c05 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Mon, 1 Dec 2025 17:26:07 +0200
Subject: [PATCH] gh-119451: Fix a potential denial of service in http.client
(GH-119454)
Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Lib/http/client.py | 32 +++-
Lib/test/test_httplib.py | 66 ++++++++++
Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst | 5
3 files changed, 95 insertions(+), 8 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
Index: Python-3.9.25/Lib/http/client.py
===================================================================
--- Python-3.9.25.orig/Lib/http/client.py 2025-10-31 19:40:52.000000000 +0100
+++ Python-3.9.25/Lib/http/client.py 2025-12-19 23:26:40.448421016 +0100
@@ -113,6 +113,11 @@
_MAXLINE = 65536
_MAXHEADERS = 100
+# Data larger than this will be read in chunks, to prevent extreme
+# overallocation.
+_MIN_READ_BUF_SIZE = 1 << 20
+
+
# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
#
# VCHAR = %x21-7E
@@ -621,14 +626,25 @@
reading. If the bytes are truly not available (due to EOF), then the
IncompleteRead exception can be used to detect the problem.
"""
- s = []
- while amt > 0:
- chunk = self.fp.read(min(amt, MAXAMOUNT))
- if not chunk:
- raise IncompleteRead(b''.join(s), amt)
- s.append(chunk)
- amt -= len(chunk)
- return b"".join(s)
+ cursize = min(amt, _MIN_READ_BUF_SIZE)
+ data = self.fp.read(cursize)
+ if len(data) >= amt:
+ return data
+ if len(data) < cursize:
+ raise IncompleteRead(data, amt - len(data))
+
+ data = io.BytesIO(data)
+ data.seek(0, 2)
+ while True:
+ # This is a geometric increase in read size (never more than
+ # doubling out the current length of data per loop iteration).
+ delta = min(cursize, amt - cursize)
+ data.write(self.fp.read(delta))
+ if data.tell() >= amt:
+ return data.getvalue()
+ cursize += delta
+ if data.tell() < cursize:
+ raise IncompleteRead(data.getvalue(), amt - data.tell())
def _safe_readinto(self, b):
"""Same as _safe_read, but for reading into a buffer."""
Index: Python-3.9.25/Lib/test/test_httplib.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_httplib.py 2025-10-31 19:40:52.000000000 +0100
+++ Python-3.9.25/Lib/test/test_httplib.py 2025-12-19 23:25:14.713217193 +0100
@@ -1196,6 +1196,72 @@
thread.join()
self.assertEqual(result, b"proxied data\n")
+ def test_large_content_length(self):
+ serv = socket.create_server((HOST, 0))
+ self.addCleanup(serv.close)
+
+ def run_server():
+ [conn, address] = serv.accept()
+ with conn:
+ while conn.recv(1024):
+ conn.sendall(
+ b"HTTP/1.1 200 Ok\r\n"
+ b"Content-Length: %d\r\n"
+ b"\r\n" % size)
+ conn.sendall(b'A' * (size//3))
+ conn.sendall(b'B' * (size - size//3))
+
+ thread = threading.Thread(target=run_server)
+ thread.start()
+ self.addCleanup(thread.join, 1.0)
+
+ conn = client.HTTPConnection(*serv.getsockname())
+ try:
+ for w in range(15, 27):
+ size = 1 << w
+ conn.request("GET", "/")
+ with conn.getresponse() as response:
+ self.assertEqual(len(response.read()), size)
+ finally:
+ conn.close()
+ thread.join(1.0)
+
+ def test_large_content_length_truncated(self):
+ serv = socket.create_server((HOST, 0))
+ self.addCleanup(serv.close)
+
+ def run_server():
+ while True:
+ [conn, address] = serv.accept()
+ with conn:
+ conn.recv(1024)
+ if not size:
+ break
+ conn.sendall(
+ b"HTTP/1.1 200 Ok\r\n"
+ b"Content-Length: %d\r\n"
+ b"\r\n"
+ b"Text" % size)
+
+ thread = threading.Thread(target=run_server)
+ thread.start()
+ self.addCleanup(thread.join, 1.0)
+
+ conn = client.HTTPConnection(*serv.getsockname())
+ try:
+ for w in range(18, 65):
+ size = 1 << w
+ conn.request("GET", "/")
+ with conn.getresponse() as response:
+ self.assertRaises(client.IncompleteRead, response.read)
+ conn.close()
+ finally:
+ conn.close()
+ size = 0
+ conn.request("GET", "/")
+ conn.close()
+ thread.join(1.0)
+
def test_putrequest_override_domain_validation(self):
"""
It should be possible to override the default validation
Index: Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst 2025-12-19 23:25:14.713527850 +0100
@@ -0,0 +1,5 @@
+Fix a potential memory denial of service in the :mod:`http.client` module.
+When connecting to a malicious server, it could cause
+an arbitrary amount of memory to be allocated.
+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
+of memory (OOM) killed processes or containers, or even system crashes.

159
CVE-2025-13837-plistlib-mailicious-length.patch Normal file
View File

@@ -0,0 +1,159 @@
From e99059d800b741504ef18693803927a0dc062be4 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Mon, 1 Dec 2025 17:28:15 +0200
Subject: [PATCH] [3.10] gh-119342: Fix a potential denial of service in
plistlib (GH-119343)
Reading a specially prepared small Plist file could cause OOM because file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Lib/plistlib.py | 31 +++++---
Lib/test/test_plistlib.py | 37 +++++++++-
Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst | 5 +
3 files changed, 59 insertions(+), 14 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
Index: Python-3.9.25/Lib/plistlib.py
===================================================================
--- Python-3.9.25.orig/Lib/plistlib.py 2025-12-23 23:47:30.450823742 +0100
+++ Python-3.9.25/Lib/plistlib.py 2025-12-23 23:49:03.726727983 +0100
@@ -64,6 +64,9 @@
PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
globals().update(PlistFormat.__members__)
+# Data larger than this will be read in chunks, to prevent extreme
+# overallocation.
+_MIN_READ_BUF_SIZE = 1 << 20
class UID:
def __init__(self, data):
@@ -490,12 +493,24 @@
return tokenL
+ def _read(self, size):
+ cursize = min(size, _MIN_READ_BUF_SIZE)
+ data = self._fp.read(cursize)
+ while True:
+ if len(data) != cursize:
+ raise InvalidFileException
+ if cursize == size:
+ return data
+ delta = min(cursize, size - cursize)
+ data += self._fp.read(delta)
+ cursize += delta
+
def _read_ints(self, n, size):
- data = self._fp.read(size * n)
+ data = self._read(size * n)
if size in _BINARY_FORMAT:
return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
else:
- if not size or len(data) != size * n:
+ if not size:
raise InvalidFileException()
return tuple(int.from_bytes(data[i: i + size], 'big')
for i in range(0, size * n, size))
@@ -552,22 +567,16 @@
elif tokenH == 0x40: # data
s = self._get_size(tokenL)
- result = self._fp.read(s)
- if len(result) != s:
- raise InvalidFileException()
+ result = self._read(s)
elif tokenH == 0x50: # ascii string
s = self._get_size(tokenL)
- data = self._fp.read(s)
- if len(data) != s:
- raise InvalidFileException()
+ data = self._read(s)
result = data.decode('ascii')
elif tokenH == 0x60: # unicode string
s = self._get_size(tokenL) * 2
- data = self._fp.read(s)
- if len(data) != s:
- raise InvalidFileException()
+ data = self._read(s)
result = data.decode('utf-16be')
elif tokenH == 0x80: # UID
Index: Python-3.9.25/Lib/test/test_plistlib.py
===================================================================
--- Python-3.9.25.orig/Lib/test/test_plistlib.py 2025-12-23 23:47:31.633839488 +0100
+++ Python-3.9.25/Lib/test/test_plistlib.py 2025-12-23 23:50:05.844028198 +0100
@@ -837,8 +837,7 @@
class TestBinaryPlistlib(unittest.TestCase):
- @staticmethod
- def decode(*objects, offset_size=1, ref_size=1):
+ def build(self, *objects, offset_size=1, ref_size=1):
data = [b'bplist00']
offset = 8
offsets = []
@@ -850,7 +849,11 @@
len(objects), 0, offset)
data.extend(offsets)
data.append(tail)
- return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
+ return b''.join(data)
+
+ def decode(self, *objects, offset_size=1, ref_size=1):
+ data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
+ return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
def test_nonstandard_refs_size(self):
# Issue #21538: Refs and offsets are 24-bit integers
@@ -958,6 +961,34 @@
with self.assertRaises(plistlib.InvalidFileException):
plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
+ def test_truncated_large_data(self):
+ self.addCleanup(support.unlink, support.TESTFN)
+ def check(data):
+ with open(support.TESTFN, 'wb') as f:
+ f.write(data)
+ # buffered file
+ with open(support.TESTFN, 'rb') as f:
+ with self.assertRaises(plistlib.InvalidFileException):
+ plistlib.load(f, fmt=plistlib.FMT_BINARY)
+ # unbuffered file
+ with open(support.TESTFN, 'rb', buffering=0) as f:
+ with self.assertRaises(plistlib.InvalidFileException):
+ plistlib.load(f, fmt=plistlib.FMT_BINARY)
+ for w in range(20, 64):
+ s = 1 << w
+ # data
+ check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
+ # ascii string
+ check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
+ # unicode string
+ check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
+ # array
+ check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
+ # dict
+ check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
+ # number of objects
+ check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
+
class TestKeyedArchive(unittest.TestCase):
def test_keyed_archive_data(self):
Index: Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.25/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst 2025-12-23 23:49:03.727528792 +0100
@@ -0,0 +1,5 @@
+Fix a potential memory denial of service in the :mod:`plistlib` module.
+When reading a Plist file received from untrusted source, it could cause
+an arbitrary amount of memory to be allocated.
+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
+of memory (OOM) killed processes or containers, or even system crashes.

BIN
Python-3.9.20.tar.xz LFS
View File

Binary file not shown.

16
Python-3.9.20.tar.xz.asc
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmbcKf0ACgkQsmmV4xAl
BWh4rg//R5E1EjsifYqhLeIyT+JnrBvbTZeEcdxPXevsgilojYmrxBUKuXXViul0
YZFaoDf6wjbHh6NMNgUpqcOH/5S/LsFZvuEcrw0jyGlMr0AMA4KLmNvQ9Wxf+wp4
mUmhymQx555nVivsdPiziNnDwubZeA870ZllYEMWP5vXw7p2LbnlZvn7A+LSKjqM
S/6xbiKYVexK3vHY/uG0xo4z24FySfvs0/PF11JfRJCxm9+bli7FmHOoFMwpOO6S
caZLok4987YWOcPIPY6h+o2sFhDqHs8POGKd8k+0KQNQs5UbEQ4t/eKgnaoATkGn
nfcAGXSjX5RSv5uXPzBUc0PulYo6EalIn1b5fu96La/FEg9GLMR/n9g75Fgm/j9L
QGYu/DSaastY/c7Ot4QVyB6pxbQKjM438yneQrjhKBILGla4Crh1k6yRCx93j/TH
hF9kiuRf7jtLIGTp0cnquELGnatmL1RhOySn/1Y+asMR+oK8d+XQab//w4VsAt7C
SIfVXg25PUgZoaiYj/qIjLK9vkcj/EZ1IacivP5qBWb3O1E8gzSV8Z9duGT8Ef3P
ch4M/pd6hefVVVfyCoazB3gwDs68O6U2BIRdYLRlet8AuKTBysQKFwOo3EcCMmJV
W20KutPnERCzt8jeJdzFd0z3po9mvxNTKDLYaABtNI6NN00LcsM=
=svjf
-----END PGP SIGNATURE-----

BIN
Python-3.9.25.tar.xz LFS Normal file
View File

Binary file not shown.

1
Python-3.9.25.tar.xz.sigstore Normal file
View File

File diff suppressed because one or more lines are too long

36
gh139257-Support-docutils-0.22.patch Normal file
View File

@@ -0,0 +1,36 @@
From 19b61747df3d62c822285c488753d6fbdf91e3ac Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno <daniel.garcia@suse.com>
Date: Tue, 23 Sep 2025 10:20:16 +0200
Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
---
Doc/tools/extensions/pyspecific.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
Index: Python-3.9.23/Doc/tools/extensions/pyspecific.py
===================================================================
--- Python-3.9.23.orig/Doc/tools/extensions/pyspecific.py 2025-09-30 18:26:26.712969300 +0200
+++ Python-3.9.23/Doc/tools/extensions/pyspecific.py 2025-09-30 18:26:26.763263890 +0200
@@ -55,11 +55,21 @@
SOURCE_URI = 'https://github.com/python/cpython/tree/3.9/%s'
# monkey-patch reST parser to disable alphabetic and roman enumerated lists
+def _disable_alphabetic_and_roman(text):
+ try:
+ # docutils >= 0.22
+ from docutils.parsers.rst.states import InvalidRomanNumeralError
+ raise InvalidRomanNumeralError(text)
+ except ImportError:
+ # docutils < 0.22
+ return None
+
+
from docutils.parsers.rst.states import Body
Body.enum.converters['loweralpha'] = \
Body.enum.converters['upperalpha'] = \
Body.enum.converters['lowerroman'] = \
- Body.enum.converters['upperroman'] = lambda x: None
+ Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman
# Support for marking up and linking to bugs.python.org issues

15
python-3.3.0b1-test-posix_fadvise.patch
View File

@@ -1,15 +0,0 @@
---
Lib/test/test_posix.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Lib/test/test_posix.py
+++ b/Lib/test/test_posix.py
@@ -422,7 +422,7 @@ class PosixTester(unittest.TestCase):
def test_posix_fadvise(self):
fd = os.open(support.TESTFN, os.O_RDONLY)
try:
- posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_WILLNEED)
+ posix.posix_fadvise(fd, 0, 0, posix.POSIX_FADV_RANDOM)
finally:
os.close(fd)

409
python39.changes
View File

@@ -1,3 +1,321 @@
-------------------------------------------------------------------
Thu Dec 18 10:33:44 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
against OOM when loading malicious content (CVE-2025-13837,
bsc#1254401).
-------------------------------------------------------------------
Thu Dec 11 21:44:35 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
* Update to 3.9.25:
- Security
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in
os.path.expandvars() (CVE-2025-6075, bsc#1252974).
- Library
- gh-98793: Fix argument typechecks in
_overlapped.WSAConnect() and
_overlapped.Overlapped.WSASendTo() functions. bpo-44817:
Ignore WinError 53 (ERROR_BAD_NETPATH), 65
(ERROR_NETWORK_ACCESS_DENIED) and 161 (ERROR_BAD_PATHNAME)
when using ntpath.realpath().
- Core and Builtins
- gh-120384: Fix an array out of bounds crash in
list_ass_subscript, which could be invoked via some
specificly tailored input: including concurrent
modification of a list object, where one thread assigns
a slice and another clears it.
- gh-120298: Fix use-after free in list_richcompare_impl
which can be invoked via some specificly tailored evil
input.
- Remove upstreamed patches:
-CVE-2025-6075-expandvars-perf-degrad.patch
-------------------------------------------------------------------
Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
quadratic complexity vulnerabilities of os.path.expandvars()
(CVE-2025-6075, bsc#1252974).
-------------------------------------------------------------------
Wed Oct 15 06:28:09 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Update to 3.9.24:
- Security
- gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible data”
if there are no bytes prepended to the ZIP file
(CVE-2025-8291, bsc#1251305).
- gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer
referenced by subparsers created by
ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-121227: Raise an SSL.SSLError if an empty protocols argument
is passed to ssl.SSLContext.set_npn_protocols() to fix
CVE-2024-5642.
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
* Whitespaces no longer accepted between </ and the tag name.
E.g. </ script> does not end the script section.
* Vertical tabulation (\v) and non-ASCII whitespaces no longer
recognized as whitespaces. The only whitespaces are \t\n\r\f
and space.
* Null character (U+0000) no longer ends the tag name.
* Attributes and slashes after the tag name in end tags are now
ignored, instead of terminating after the first > in quoted
attribute value. E.g. </script/foo=">"/>.
* Multiple slashes and whitespaces between the last attribute
and closing > are now ignored in both start and end tags. E.g.
<a foo=bar/ //>.
* Multiple = between attribute name and value are no longer
collapsed. E.g. <a foo==bar> produces attribute “foo” with
value “=bar”.
- gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
according to the HTML5 standard: ] ]> and ]] > no longer end the
CDATA section. Add private method _set_support_cdata() which can
be used to specify how to parse <[CDATA[ — as a CDATA section in
foreign content (SVG or MathML) or as a bogus comment in the
HTML namespace.
- gh-102555: Fix comment parsing in html.parser.HTMLParser
according to the HTML5 standard. --!> now ends the comment. -- >
no longer ends the comment. Support abnormally ended empty
comments <--> and <--->.
- gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors are
now handled according to the HTML5 specs comments and
declarations are automatically closed, tags are ignored.
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- gh-86155: html.parser.HTMLParser.close() no longer loses data
when the <script> tag is not closed. Patch by Waylan Limberg.
- Library
- gh-139312: Upgrade bundled libexpat to 2.7.3
- gh-138998: Update bundled libexpat to 2.7.2
- gh-130577: tarfile now validates archives to ensure member
offsets are non-negative. (Contributed by Alexander Enrique
Urieles Nieto in gh-130577.)
- gh-135374: Update the bundled copy of setuptools to 79.0.1.
- Drop upstreamed patches:
- CVE-2025-8194-tarfile-no-neg-offsets.patch
- CVE-2025-6069-quad-complex-HTMLParser.patch
- Refresh patch CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch
-------------------------------------------------------------------
Mon Sep 29 06:52:07 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Add gh139257-Support-docutils-0.22.patch to fix build with latest
docutils (>=0.22) gh#python/cpython#139257
-------------------------------------------------------------------
Fri Aug 1 20:09:24 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now
validates archives to ensure member offsets are non-negative
(gh#python/cpython#130577, CVE-2025-8194, bsc#1247249).
-------------------------------------------------------------------
Wed Jul 2 14:47:20 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
-------------------------------------------------------------------
Mon Jun 9 16:14:05 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.9.23:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar")
to be bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
(gh#135034, bsc#1244061).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- gh-80222: Fix bug in the folding of quoted strings
when flattening an email message using a modern email
policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding
quotes and internal escapes would be omitted. This could
theoretically be used to spoof header lines using a
carefully constructed quoted string if the resulting
rendered email was transmitted or re-parsed.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- bpo-25264: os.path.realpath() now accepts a strict
keyword-only argument. When set to True, OSError is raised
if a path doesnt exist or a symlink loop is encountered.
- Remove upstreamed patches:
- CVE-2025-4516-DecodeError-handler.patch
-------------------------------------------------------------------
Thu May 22 13:01:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
-------------------------------------------------------------------
Sat May 10 11:38:21 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
since kernel 3.6-rc1)
-------------------------------------------------------------------
Wed Apr 9 20:04:17 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.9.22:
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-105704: When using urllib.parse.urlsplit() and
urllib.parse.urlparse() host parsing would not reject domain
names containing square brackets ([ and ]). Square brackets
are only valid for IPv6 and IPvFuture hosts according to RFC
3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using a
carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.
- gh-119511: Fix a potential denial of service in the imaplib
module. When connecting to a malicious server, it could
cause an arbitrary amount of memory to be allocated. On many
systems this is harmless as unused virtual memory is only
a mapping, but if this hit a virtual address size limit
it could lead to a MemoryError or other process crash. On
unusual systems or builds where all allocated memory is
touched and backed by actual ram or storage it couldve
consumed resources doing so until similarly crashing.
- gh-121277: Writers of CPythons documentation can now use
next as the version for the versionchanged, versionadded,
deprecated directives.
- Remote upstreamed patch:
- CVE-2025-0938-sq-brackets-domain-names.patch
-------------------------------------------------------------------
Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
- Skip PGO with %want_reproducible_builds (bsc#1239210)
-------------------------------------------------------------------
Tue Feb 4 14:43:13 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
-------------------------------------------------------------------
Wed Dec 4 19:51:41 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.9.21:
- Tests
- gh-125041: Re-enable skipped tests for zlib on the
s390x architecture: only skip checks of the compressed
bytes, which can be different between zlibs software
implementation and the hardware-accelerated implementation.
- gh-109396: Fix test_socket.test_hmac_sha1() in FIPS
mode. Use a longer key: FIPS mode requires at least of at
least 112 bits. The previous key was only 32 bits. Patch by
Victor Stinner.
- gh-100454: Fix SSL tests CI for OpenSSL 3.1+
- Security
- gh-126623: Upgrade libexpat to 2.6.4
- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
consistently use the mapped IPv4 address value for deciding
properties. Properties which have their behavior fixed are
is_multicast, is_reserved, is_link_local, is_global, and
is_unspecified (bsc#1233307, CVE-2024-11168).
- Library
- gh-124651: Properly quote template strings in venv
activation scripts (bsc#1232241, CVE-2024-9287).
- gh-103848: Add checks to ensure that [ bracketed ] hosts
found by urllib.parse.urlsplit() are of IPv6 or IPvFuture
format.
- Documentation
- gh-95588: Clarified the conflicting advice given in the ast
documentation about ast.literal_eval() being “safe” for use
on untrusted input while at the same time warning that it
can crash the process. The latter statement is true and is
deemed unfixable without a large amount of work unsuitable
for a bugfix. So we keep the warning and no longer claim
that literal_eval is safe.
- Remove upstreamed patches:
- CVE-2024-11168-validation-IPv6-addrs.patch
- CVE-2024-9287-venv_path_unquoted.patch
-------------------------------------------------------------------
Thu Nov 14 07:06:20 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Remove -IVendor/ from python-config boo#1231795
-------------------------------------------------------------------
Wed Nov 13 13:25:01 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-11168-validation-IPv6-addrs.patch
fixing bsc#1233307 (CVE-2024-11168,
gh#python/cpython#103848): Improper validation of IPv6 and
IPvFuture addresses.
-------------------------------------------------------------------
Fri Nov 1 21:16:32 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update CVE-2024-9287-venv_path_unquoted.patch according to the
upstream PR gh#python/cpython!126301.
-------------------------------------------------------------------
Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
path names provided when creating a virtual environment
(bsc#1232241, CVE-2024-9287)
-------------------------------------------------------------------
Wed Oct 2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Drop .pyc files from docdir for reproducible builds
(bsc#1230906).
-------------------------------------------------------------------
Fri Sep 20 14:57:10 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add sphinx-802.patch to overcome working both with the most
recent and older Sphinx versions.
-------------------------------------------------------------------
Mon Sep 9 18:02:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@@ -34,7 +352,7 @@ Mon Sep 9 18:02:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
:class:`zipfile.Path` causing infinite loops (gh-122905) without breaking
contents using legitimate characters (bsc#1229704, CVE-2024-8088).
- gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values
with backslashes by :mod:`http.cookies`.
with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592).
- gh-121650: :mod:`email` headers with embedded newlines are now quoted on
output. The :mod:`~email.generator` will now refuse to serialize (write)
headers that are unsafely folded or delimited; see
@@ -76,8 +394,7 @@ Mon Sep 9 18:02:59 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
Thu Sep 5 13:44:48 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-6232-cookies-quad-complex.patch to avoid quadratic
complexity in parsing "-quoted cookie values with backslashes
(bsc#1229596, CVE-2024-6232).
complexity in parsing tarfile headers (bsc#1230227, CVE-2024-6232).
-------------------------------------------------------------------
Thu Sep 5 08:11:45 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
@@ -224,12 +541,12 @@ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
-------------------------------------------------------------------
Tue Feb 20 22:14:02 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Remove double definition of /usr/bin/idle%%{version} in
%%files.
%%files.
-------------------------------------------------------------------
Thu Feb 15 10:29:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
@@ -368,7 +685,7 @@ Wed May 3 14:09:37 UTC 2023 - Matej Cepl <mcepl@suse.com>
-------------------------------------------------------------------
Tue Apr 18 05:00:11 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
- Use python3 modules to build the documentation.
- Use python3 modules to build the documentation.
-------------------------------------------------------------------
Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
@@ -941,7 +1258,7 @@ Sat Mar 26 22:22:24 UTC 2022 - Matej Cepl <mcepl@suse.com>
Tue Feb 22 05:53:06 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-expat-245.patch:
* Support Expat >= 2.4.5
* Support Expat >= 2.4.5
-------------------------------------------------------------------
Wed Jan 19 21:50:04 UTC 2022 - Matej Cepl <mcepl@suse.com>
@@ -1384,7 +1701,7 @@ Sat Jun 5 21:21:38 UTC 2021 - Matej Cepl <mcepl@suse.com>
-------------------------------------------------------------------
Fri Jun 4 21:36:30 UTC 2021 - Dirk Müller <dmueller@suse.com>
- allow build with Sphinx >= 3.x
- allow build with Sphinx >= 3.x
-------------------------------------------------------------------
Wed Jun 2 13:12:04 UTC 2021 - Dan Čermák <dcermak@suse.com>
@@ -1936,7 +2253,7 @@ Sat Dec 12 14:29:33 UTC 2020 - Matej Cepl <mcepl@suse.com>
Thu Dec 10 00:26:51 UTC 2020 - Benjamin Greiner <code@bnavigator.de>
- Last try before this results in an editwar:
* remove importlib_resources and importlib-metadata
* remove importlib_resources and importlib-metadata
provides/obsoletes
* import importlib_resources is not the same as
import importlib.resources, same for metadata
@@ -2053,54 +2370,54 @@ Tue Jul 21 09:53:06 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Removed CVE-2019-20907_tarfile-inf-loop.patch: fixed in upstream
- Removed recursion.tar: contained in upstream
- Update to 3.9.0b5:
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
- bpo-41304: Fixes python3x._pth being ignored on Windows, caused
by the fix for bpo-29778 (CVE-2020-15801).
- bpo-41162: Audit hooks are now cleared later during
finalization to avoid missing events.
- bpo-29778: Ensure python3.dll is loaded from correct locations
- bpo-29778: Ensure python3.dll is loaded from correct locations
when Python is embedded (CVE-2020-15523).
- bpo-39603: Prevent http header injection by rejecting control
- bpo-39603: Prevent http header injection by rejecting control
characters in http.client.putrequest(…).
- bpo-41295: Resolve a regression in CPython 3.8.4 where defining
“__setattr__” in a multi-inheritance setup and
“__setattr__” in a multi-inheritance setup and
calling up the hierarchy chain could fail if builtins/extension
types were involved in the base types.
- bpo-41247: Always cache the running loop holder when running
- bpo-41247: Always cache the running loop holder when running
asyncio.set_running_loop.
- bpo-41252: Fix incorrect refcounting in
- bpo-41252: Fix incorrect refcounting in
_ssl.cs _servername_callback().
- bpo-41215: Use non-NULL default values in the PEG parser
- bpo-41215: Use non-NULL default values in the PEG parser
keyword list to overcome a bug that was '
preventing Python from being properly compiled when using the
XLC compiler. Patch by Pablo Galindo.
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
- bpo-41218: Python 3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would
aggressively mark list comprehension with CO_COROUTINE. Now only
list comprehension making use of async/await will tagged as so.
- bpo-41175: Guard against a NULL pointer dereference within
- bpo-41175: Guard against a NULL pointer dereference within
bytearrayobject triggered by the bytearray() + bytearray() operation.
- bpo-39960: The “hackcheck” that prevents sneaking around a types
__setattr__() by calling the superclass method was
- bpo-39960: The “hackcheck” that prevents sneaking around a types
__setattr__() by calling the superclass method was
rewritten to allow C implemented heap types.
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
- bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the
C implementation raises now UnpicklingError instead of crashing.
- bpo-39017: Avoid infinite loop when reading specially crafted
- bpo-39017: Avoid infinite loop when reading specially crafted
TAR files using the tarfile module (CVE-2019-20907, bsc#1174091).
- bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().
- bpo-41207: In distutils.spawn, restore expectation that
- bpo-41207: In distutils.spawn, restore expectation that
DistutilsExecError is raised when the command is not found.
- bpo-39168: Remove the __new__ method of typing.Generic.
- bpo-41194: Fix a crash in the _ast module: it can no longer be
- bpo-41194: Fix a crash in the _ast module: it can no longer be
loaded more than once. It now uses a global state rather than a module state.
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
- bpo-39384: Fixed email.contentmanager to allow set_content() to set a
null string.
- bpo-41300: Save files with non-ascii chars.
- bpo-41300: Save files with non-ascii chars.
Fix regression released in 3.9.0b4 and 3.8.4.
- bpo-37765: Add keywords to module name completion list.
- bpo-37765: Add keywords to module name completion list.
Rewrite Completions section of IDLE doc.
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
- bpo-40170: Revert PyType_HasFeature() change: it reads
again directly the PyTypeObject.tp_flags
member when the limited C API is not used, rather than always calling
PyType_GetFlags() which hides implementation details.
-------------------------------------------------------------------
@@ -2621,7 +2938,7 @@ Wed Jun 5 12:19:09 CEST 2019 - Matej Cepl <mcepl@suse.com>
pickling costs between processes
- typed_ast is merged back to CPython
- LOAD_GLOBAL is now 40% faster
- pickle now uses Protocol 4 by default, improving performance
- pickle now uses Protocol 4 by default, improving performance
- Remove patches which were included in the upstream:
- 00251-change-user-install-location.patch
- 00316-mark-bdist_wininst-unsupported.patch
@@ -2766,7 +3083,7 @@ Mon Dec 17 17:24:49 CET 2018 - mcepl@suse.com
- Upgrade to 3.7.2rc1:
* bugfix release, for the full list of all changes see
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
- Make run of the test suite more verbose
-------------------------------------------------------------------
@@ -3193,7 +3510,7 @@ Mon Mar 13 14:04:22 UTC 2017 - jmatejek@suse.com
Sat Feb 25 20:55:57 UTC 2017 - bwiedemann@suse.com
- Add 0001-allow-for-reproducible-builds-of-python-packages.patch
upstream https://github.com/python/cpython/pull/296
upstream https://github.com/python/cpython/pull/296
-------------------------------------------------------------------
Wed Feb 8 12:30:20 UTC 2017 - jmatejek@suse.com
@@ -3259,7 +3576,7 @@ Mon Mar 7 20:38:11 UTC 2016 - toddrme2178@gmail.com
- Add Python-3.5.1-fix_lru_cache_copying.patch
Fix copying the lru_cache() wrapper object.
Fixes deep-copying lru_cache regression, which worked on
Fixes deep-copying lru_cache regression, which worked on
previous versions of python but fails on python 3.5.
This fixes a bunch of packages in devel:languages:python3.
See: https://bugs.python.org/issue25447
@@ -3397,7 +3714,7 @@ Sun Jan 11 13:01:30 UTC 2015 - p.drouand@gmail.com
-------------------------------------------------------------------
Sat Oct 18 20:14:54 UTC 2014 - crrodriguez@opensuse.org
- Only pkgconfig(x11) is required for build, not the whole
- Only pkgconfig(x11) is required for build, not the whole
set of packages provided by xorg-x11-devel metapackage.
-------------------------------------------------------------------
@@ -3457,7 +3774,7 @@ Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com
-------------------------------------------------------------------
Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com
- remove blacklisting of test_posix on aarch64: qemu bug is fixed
- remove blacklisting of test_posix on aarch64: qemu bug is fixed
-------------------------------------------------------------------
Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com
@@ -3560,7 +3877,7 @@ Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com
-------------------------------------------------------------------
Tue Oct 15 17:44:08 UTC 2013 - crrodriguez@opensuse.org
- build with -DOPENSSL_LOAD_CONF for the same reasons
- build with -DOPENSSL_LOAD_CONF for the same reasons
described in the python2 package.
-------------------------------------------------------------------
@@ -3572,7 +3889,7 @@ Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com
-------------------------------------------------------------------
Thu Aug 8 14:54:49 UTC 2013 - dvaleev@suse.com
- Exclue test_faulthandler from tests on powerpc due to bnc#831629
- Exclue test_faulthandler from tests on powerpc due to bnc#831629
-------------------------------------------------------------------
Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com
@@ -3631,7 +3948,7 @@ Fri Mar 1 07:42:21 UTC 2013 - dmueller@suse.com
- add ctypes-libffi-aarch64.patch:
* import aarch64 support for libffi in _ctypes module
- add aarch64 to the list of lib64 based archs
- add aarch64 to the list of lib64 based archs
- add movetogetdents64.diff:
* port to getdents64, as SYS_getdents is not implemented everywhere
@@ -3685,9 +4002,9 @@ Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com
-------------------------------------------------------------------
Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com
- exclude test_math for SLE 11; math library fails on negative
- exclude test_math for SLE 11; math library fails on negative
gamma function values close to integers and 0, probably
due to imprecision in -lm on SLE_11_SP2.
due to imprecision in -lm on SLE_11_SP2.
-------------------------------------------------------------------
Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com
@@ -3711,7 +4028,7 @@ Mon Oct 1 08:53:03 UTC 2012 - idonmez@suse.com
-------------------------------------------------------------------
Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com
- Correct dependency for python3-testsuite,
- Correct dependency for python3-testsuite,
python3-tkinter -> python3-tk
-------------------------------------------------------------------
@@ -3744,7 +4061,7 @@ Fri Aug 3 12:09:34 UTC 2012 - jmatejek@suse.com
-------------------------------------------------------------------
Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com
- skip test_io on ppc
- skip test_io on ppc
- drop test_io ppc patch
-------------------------------------------------------------------
@@ -3793,8 +4110,8 @@ Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com
-------------------------------------------------------------------
Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com
- Use system ffi, included one is broken see
http://bugs.python.org/issue11729 and
- Use system ffi, included one is broken see
http://bugs.python.org/issue11729 and
http://bugs.python.org/issue12081
-------------------------------------------------------------------

106
python39.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python39
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -36,7 +36,7 @@
%bcond_without general
%endif
%if 0%{?do_profiling}
%if 0%{?do_profiling} && !0%{?want_reproducible_builds}
%bcond_without profileopt
%else
%bcond_with profileopt
@@ -99,13 +99,13 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.9.20
Version: 3.9.25
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
URL: https://www.python.org/
Source0: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz
Source1: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.asc
Source1: https://www.python.org/ftp/python/%{folderversion}/%{tarname}.tar.xz.sigstore
Source2: baselibs.conf
Source3: README.SUSE
Source7: macros.python3
@@ -134,10 +134,6 @@ Source100: PACKAGING-NOTES
# to /usr/local if executable is /usr/bin/python* and RPM build
# is not detected to make pip and distutils install into separate location
Patch02: F00251-change-user-install-location.patch
# PATCH-FEATURE-UPSTREAM decimal.patch bsc#1189356 mcepl@suse.com
# fix building with mpdecimal
# https://www.bytereef.org/contrib/decimal.diff
Patch05: decimal.patch
# PATCH-FEATURE-UPSTREAM distutils-reproducible-compile.patch gh#python/cpython#8057 mcepl@suse.com
# Improve reproduceability
Patch06: distutils-reproducible-compile.patch
@@ -145,8 +141,6 @@ Patch06: distutils-reproducible-compile.patch
Patch07: python-3.3.0b1-localpath.patch
# replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
Patch08: python-3.3.0b1-fix_date_time_compiler.patch
# POSIX_FADV_WILLNEED throws EINVAL. Use a different constant in test
Patch09: python-3.3.0b1-test-posix_fadvise.patch
# Raise timeout value for test_subprocess
Patch15: subprocess-raise-timeout.patch
Patch25: python3-imp-returntype.patch
@@ -161,37 +155,54 @@ Patch33: no-skipif-doctests.patch
# PATCH-FIX-SLE skip-test_pyobject_freed_is_freed.patch mcepl@suse.com
# skip a test failing on SLE-15
Patch34: skip-test_pyobject_freed_is_freed.patch
# PATCH-FEATURE-UPSTREAM decimal.patch bsc#1189356 mcepl@suse.com
# fix building with mpdecimal
# https://www.bytereef.org/contrib/decimal.diff
Patch35: decimal.patch
# PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
# Makes Python resilient to changes of API of libexpat
Patch35: support-expat-CVE-2022-25236-patched.patch
Patch40: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM CVE-2023-52425-libexpat-2.6.0-backport.patch gh#python/cpython#117187 mcepl@suse.com
# Make the test suite work with libexpat < 2.6.0
Patch36: CVE-2023-52425-libexpat-2.6.0-backport.patch
Patch41: CVE-2023-52425-libexpat-2.6.0-backport.patch
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
# this patch makes things totally awesome
Patch37: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
Patch42: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
# PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
# Make `set` and `frozenset` marshalling deterministic
Patch38: bpo-37596-make-set-marshalling.patch
Patch43: bpo-37596-make-set-marshalling.patch
# PATCH-FIX-UPSTREAM gh-78214-marshal_stabilize_FLAG_REF.patch bsc#1213463 mcepl@suse.com
# marshal: Stabilize FLAG_REF usage
Patch39: gh-78214-marshal_stabilize_FLAG_REF.patch
Patch44: gh-78214-marshal_stabilize_FLAG_REF.patch
# PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
# Patch for gh#python/cpython#98086
Patch40: 99366-patch.dict-can-decorate-async.patch
Patch45: 99366-patch.dict-can-decorate-async.patch
# PATCH-FIX-OPENSUSE downport-Sphinx-features.patch mcepl@suse.com
# Make documentation build with older Sphinx
Patch41: downport-Sphinx-features.patch
Patch46: downport-Sphinx-features.patch
# PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com
# reproducibility patches
Patch46: bso1227999-reproducible-builds.patch
Patch47: bso1227999-reproducible-builds.patch
# PATCH-FIX-UPSTREAM CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch bsc#1227233 mcepl@suse.com
# Remove for support for anything but OpenSSL 1.1.1 or newer
Patch48: CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch
# PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch gh#python/cpython#120226 mcepl@suse.com
# Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 (GH-120227)
Patch50: gh120226-fix-sendfile-test-kernel-610.patch
# PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com
# status_iterator method moved between the Sphinx versions
Patch51: sphinx-802.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch52: gh139257-Support-docutils-0.22.patch
# PATCH-FIX-UPSTREAM CVE-2025-13836-http-resp-cont-len.patch bsc#1254400 mcepl@suse.com
# Avoid loading possibly compromised length of HTTP response
Patch53: CVE-2025-13836-http-resp-cont-len.patch
# PATCH-FIX-UPSTREAM CVE-2025-12084-minidom-quad-search.patch bsc#1254997 mcepl@suse.com
# prevent quadratic behavior in node ID cache clearing
Patch54: CVE-2025-12084-minidom-quad-search.patch
# PATCH-FIX-UPSTREAM CVE-2025-13837-plistlib-mailicious-length.patch bsc#1254401 mcepl@suse.com
# protect against OOM when loading malicious content
Patch55: CVE-2025-13837-plistlib-mailicious-length.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@@ -430,34 +441,43 @@ other applications.
%prep
%setup -q -n %{tarname}
%patch -P 02 -p1
%patch -P 06 -p1
%patch -P 07 -p1
%patch -P 08 -p1
%patch -P 09 -p1
%patch -P 15 -p1
%patch -P 25 -p1
%patch -P 29 -p1
%patch -P 32 -p1
%patch -p1 -P 02
%patch -p1 -P 06
%patch -p1 -P 07
%patch -p1 -P 08
%patch -p1 -P 15
%patch -p1 -P 25
%patch -p1 -P 29
%patch -p1 -P 32
%if 0%{?sle_version}
%patch -P 33 -p1
%patch -P 34 -p1
%patch -p1 -P 33
%patch -p1 -P 34
%endif
%if %{with mpdecimal}
%patch -P 05 -p1
%patch -p1 -P 35
%endif
%patch -P 35 -p1
%patch -P 36 -p1
%patch -P 37 -p1
%patch -P 38 -p1
%patch -P 39 -p1
%patch -P 40 -p1
%if 0%{?sle_version} && 0%{?sle_version} <= 150500
%patch -p1 -P 40
%patch -p1 -P 41
%endif
%patch -p1 -P 42
%patch -p1 -P 43
%patch -p1 -P 44
%patch -p1 -P 45
%if 0%{?sle_version} && 0%{?sle_version} <= 150500
%patch -p1 -P 46
%endif
%patch -p1 -P 47
%patch -p1 -P 48
%patch -p1 -P 50
%patch -p1 -P 51
%patch -p1 -P 52
%patch -p1 -P 53
%patch -p1 -P 54
%patch -p1 -P 55
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -764,6 +784,9 @@ install -m 755 -D Tools/gdb/libpython.py %{buildroot}%{_datadir}/gdb/auto-load/%
# install devel files to /config
#cp Makefile Makefile.pre.in Makefile.pre $RPM_BUILD_ROOT%{sitedir}/config-%{python_abi}/
# Remove -IVendor/ from python-config boo#1231795
sed -i 's/-IVendor\///' %{buildroot}%{_bindir}/python%{python_abi}-config
# RPM macros
%if %{primary_interpreter}
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d/
@@ -792,6 +815,11 @@ LD_LIBRARY_PATH=. ./python -O -c "from py_compile import compile; compile('$FAIL
echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-import-failed-hooks.pth
%endif
# For the purposes of reproducibility, it is necessary to eliminate any *.pyc files inside documentation dirs
if [ -d %{buildroot}%{_defaultdocdir} ] ; then
find %{buildroot}%{_defaultdocdir} -type f -name \*.pyc -ls -exec rm -vf '{}' \;
fi
%if %{with general}
%files -n %{python_pkg_name}-tk
%{sitedir}/tkinter

30
sphinx-802.patch Normal file
View File

@@ -0,0 +1,30 @@
---
Doc/tools/extensions/pyspecific.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/Doc/tools/extensions/pyspecific.py
+++ b/Doc/tools/extensions/pyspecific.py
@@ -28,7 +28,13 @@ try:
except ImportError:
from sphinx.environment import NoUri
from sphinx.locale import _ as sphinx_gettext
-from sphinx.util import status_iterator, logging
+try:
+ from sphinx.util.display import status_iterator
+except ImportError:
+ # This method was moved into sphinx.util.display in Sphinx 6.1.0. Before
+ # that it resided in sphinx.util.
+ from sphinx.util import status_iterator
+from sphinx.util import logging
from sphinx.util.nodes import split_explicit_title
from sphinx.writers.text import TextWriter, TextTranslator
from sphinx.writers.latex import LaTeXTranslator
@@ -338,7 +344,7 @@ class PyAbstractMethod(PyMethod):
def expand_version_arg(argument, release):
"""Expand "next" to the current version"""
if argument == 'next':
- return translators['sphinx'].gettext('{} (unreleased)').format(release)
+ return sphinx_gettext('{} (unreleased)').format(release)
return argument

8
sphinx-update-removed-function.patch
View File

@@ -2,9 +2,11 @@
Doc/tools/extensions/pyspecific.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/Doc/tools/extensions/pyspecific.py
+++ b/Doc/tools/extensions/pyspecific.py
@@ -385,7 +385,12 @@ class DeprecatedRemoved(Directive):
Index: Python-3.9.22/Doc/tools/extensions/pyspecific.py
===================================================================
--- Python-3.9.22.orig/Doc/tools/extensions/pyspecific.py 2025-04-08 17:21:55.000000000 +0200
+++ Python-3.9.22/Doc/tools/extensions/pyspecific.py 2025-04-11 09:49:58.417019238 +0200
@@ -407,7 +407,12 @@
translatable=False)
node.append(para)
env = self.state.document.settings.env