python39

rpm/python39

SHA256

Fork 0

forked from pool/python39

a9055a2611 Accepting request 1199746 from devel:languages:python:Factory factory Ana Guerrero 2024-09-10 19:13:31 +0000
ad933f5c9f - Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For example zlib-ng defines the version as `1.3.0.zlib-ng. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for python -i, as well as for python -m asyncio. The event in question is cpython.run_stdin. - gh-122133: Authenticate the socket connection for the socket.socketpair() fallback on platforms where AF_UNIX is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for hdrcharset, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:os.mkdir on Windows now accepts *mode* of 0o700 to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:tempfile.mkdtemp in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:ssl.SSLContext.cert_store_stats and :meth:ssl.SSLContext.get_ca_certs now correctly lock access to the certificate store, when the :class:ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in devel Matej Cepl 2024-09-09 20:10:25 +0000
f39c6ce1fe Accepting request 1199546 from devel:languages:python:Factory Ana Guerrero 2024-09-09 12:44:59 +0000
1955425d20 - Add CVE-2024-6232-cookies-quad-complex.patch to avoid quadratic complexity in parsing "-quoted cookie values with backslashes (bsc#1229596, CVE-2024-6232). Matej Cepl 2024-09-05 13:45:40 +0000
52ba2746e2 Update patch Matej Cepl 2024-09-05 11:13:45 +0000
9196daa838 - Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with patched libexpat below 2.6.0 that doesn't update the version number, just in SLE. - Remove old-libexpat.patch, of course. Matej Cepl 2024-09-05 08:12:03 +0000
ee4c161ee9 - Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227). Matej Cepl 2024-09-02 12:36:06 +0000
51d667b29b Accepting request 1197416 from devel:languages:python:Factory Dominique Leuenberger 2024-08-29 13:44:17 +0000
e7e6aae574 - Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, CVE-2024-8088). Matej Cepl 2024-08-28 20:33:16 +0000
e4bde5df1c Accepting request 1192673 from devel:languages:python:Factory Dominique Leuenberger 2024-08-09 14:15:52 +0000
477d837ffc Fix the patch Matej Cepl 2024-08-08 17:05:11 +0000
0abadf881e Fix the patch Matej Cepl 2024-08-08 13:56:09 +0000
5c5b1d5bd8 - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883. - Add CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch removing support for anything but OpenSSL 1.1.1 or newer (bsc#1227233, CVE-2024-5642). - %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999) Matej Cepl 2024-08-07 20:58:51 +0000
402bcdd59b Accepting request 1190346 from devel:languages:python:Factory Dominique Leuenberger 2024-07-30 09:55:04 +0000
5e7bedbe7b - Remove %suse_update_desktop_file macro as it is not useful any more. Matej Cepl 2024-07-22 21:25:21 +0000
a6bb102623 Accepting request 1189045 from devel:languages:python:Factory Ana Guerrero 2024-07-22 15:19:13 +0000
9ed46c99a2 - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). Matej Cepl 2024-07-15 12:17:08 +0000
af01200932 Accepting request 1183504 from devel:languages:python:Factory Ana Guerrero 2024-06-27 14:04:00 +0000
b08f4f5b35 - Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448 (CVE-2024-4032) rearranging definition of private v global IP addresses. Matej Cepl 2024-06-26 22:23:08 +0000
9dfd78f56c Accepting request 1182485 from devel:languages:python:Factory Ana Guerrero 2024-06-22 11:23:24 +0000
b66ea2b702 - Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch fixing bsc#1226447 (CVE-2024-0397) by removing memory race condition in ssl.SSLContext certificate store methods. Matej Cepl 2024-06-21 09:45:51 +0000
f364a35c85 Accepting request 1166527 from devel:languages:python:Factory Matej Cepl 2024-04-09 23:57:11 +0000
db43d93a80 - (bsc#1222509) Remove *.exe and *.dll files from bundled wheels. Matej Cepl 2024-04-09 19:38:17 +0000
2ee23ed438 Accepting request 1161042 from devel:languages:python:Factory Ana Guerrero 2024-03-26 18:24:40 +0000
f0704e96b5 - Add old-libexpat.patch making the test suite work with libexpat < 2.6.0 (gh#python/cpython#117187). Matej Cepl 2024-03-24 00:46:11 +0000
731de38310 Fix *.changes Matej Cepl 2024-03-22 09:05:09 +0000
e6aa51477e - Update to 3.9.19: - Security - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() - gh-115399: Update bundled libexpat to 2.6.0 - gh-113659: Skip .pth files with names starting with a dot or hidden file attribute. - Core and Builtins - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds - Library - gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows. - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. - gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms. - gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when try to read an entry that overlaps with other entry or central directory. - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL Matej Cepl 2024-03-21 20:28:22 +0000
103e541cc6 Accepting request 1157648 from devel:languages:python:Factory Ana Guerrero 2024-03-14 16:42:40 +0000
22ffaaf624 Accepting request 1155683 from home:pmonrealgonzalez:branches:devel:languages:python:Factory Matej Cepl 2024-03-06 21:50:52 +0000
289cc66e3c Accepting request 1153059 from devel:languages:python:Factory Dominique Leuenberger 2024-03-01 22:34:05 +0000
7ff141432c - Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886). Matej Cepl 2024-02-28 22:56:56 +0000
15c8751a4b Accepting request 1152789 from devel:languages:python:Factory Ana Guerrero 2024-02-28 18:44:34 +0000
7c8ca681d6 - Remove double definition of /usr/bin/idle%%{version} in %%files. Matej Cepl 2024-02-20 22:17:10 +0000
6d21418eaf Accepting request 1146870 from devel:languages:python:Factory Ana Guerrero 2024-02-15 19:59:22 +0000
2c60467072 Accepting request 1146816 from home:dgarcia:branches:devel:languages:python:Factory Matej Cepl 2024-02-15 14:36:41 +0000
068535b602 - Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). - Thus we can remove Revert-gh105127-left-tests.patch, which is now useless. Matej Cepl 2024-02-12 13:14:48 +0000
c154c39fde Accepting request 1119266 from devel:languages:python:Factory Ana Guerrero 2023-10-22 19:01:04 +0000
311f19ba89 - (bsc#1215454, gh-108310)Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. - Update to 3.9.17 (bsc#1212015): * Support Expat >= 2.4.4 (jsc#SLE-21253, CVE-2022-25236) Matej Cepl 2023-10-13 16:13:04 +0000
9b86048150 Accepting request 1109203 from devel:languages:python:Factory Ana Guerrero 2023-09-10 11:09:09 +0000
b8f8306bca - Update to 3.9.18 (bsc#1214692): - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. - gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. Daniel Garcia 2023-09-06 06:39:22 +0000
89466274a0 Accepting request 1102236 from devel:languages:python:Factory Dominique Leuenberger 2023-08-06 14:29:14 +0000
96f7ae7576 - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it). Matej Cepl 2023-08-03 15:29:05 +0000
fb0cb0d77e Accepting request 1101338 from devel:languages:python:Factory Yuchen Lin 2023-08-01 12:15:34 +0000
dbd04e1e44 Fix patches Matej Cepl 2023-07-29 20:30:07 +0000
c13a3979ae - Add bpo-37596-make-set-marshalling.patch making marshalling of set and frozenset deterministic (bsc#1211765). Matej Cepl 2023-07-29 20:19:21 +0000
0999da949b Accepting request 1100886 from devel:languages:python:Factory Ana Guerrero 2023-07-27 14:49:51 +0000
b5917212a3 - Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for stabilizing FLAG_REF usage (required for reproduceability; bsc#1213463). Matej Cepl 2023-07-26 14:05:15 +0000
9d7c3614b4 - Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669) Matej Cepl 2023-07-14 10:26:09 +0000
4182a08672 Accepting request 1098657 from devel:languages:python:Factory Matej Cepl 2023-07-14 10:24:55 +0000
745f5ba19c - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). Matej Cepl 2023-07-11 07:36:50 +0000
22c0faa015 Accepting request 1096213 from devel:languages:python:Factory Dominique Leuenberger 2023-07-01 21:18:01 +0000
27cb2961b5 - Add downport-Sphinx-features.patch to make documentation buildable even on SLE-15. Matej Cepl 2023-06-30 21:00:48 +0000
69c4eef74b Accepting request 1096147 from devel:languages:python:Factory Matej Cepl 2023-06-30 13:47:16 +0000
0ed644a292 - Patch skip-test_pyobject_freed_is_freed.patch should be used for SLE-15-SP4 as well. Matej Cepl 2023-06-30 08:18:36 +0000
97bb975b72 Fix changes Matej Cepl 2023-06-28 20:06:49 +0000
6c43cd2475 - Update to 3.9.17: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471). - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750). - gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock. - gh-100892: Fixed a crash due to a race while iterating over Matej Cepl 2023-06-28 19:17:56 +0000
5fc7c9de92 Do not use :type: option of :attribute: rST element. Matej Cepl 2023-06-05 15:08:18 +0000
ac33b94579 Accepting request 1085861 from devel:languages:python:Factory Dominique Leuenberger 2023-06-03 22:12:18 +0000
5caf918e2d Updating link to change in openSUSE:Factory/python39 revision 45 OBS User buildservice-autocommit 2023-06-03 22:12:18 +0000
83790a812b Accepting request 1087859 from devel:languages:python:Factory Dominique Leuenberger 2023-05-21 17:07:58 +0000
afb0081ba8 Better skip Matej Cepl 2023-05-11 22:19:52 +0000
6438e76544 Skip test_pyobject_is_freed_free on SLE-15 Matej Cepl 2023-05-11 21:39:02 +0000
1079252656 Accepting request 1085253 from home:mcepl:branches:devel:languages:python Matej Cepl 2023-05-09 22:34:01 +0000
7ce77a1280 - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706). Matej Cepl 2023-05-03 14:35:47 +0000
cbc1e5d930 - Why in the world we download from HTTP? Matej Cepl 2023-04-30 18:16:50 +0000
4864dd15f6 Accepting request 1080041 from devel:languages:python:Factory Dominique Leuenberger 2023-04-20 13:13:29 +0000
d3d22d08c2 - Use python3 modules to build the documentation. Steve Kowalik 2023-04-18 05:01:12 +0000
fa669904c0 Accepting request 1068564 from devel:languages:python:Factory Dominique Leuenberger 2023-03-03 21:24:11 +0000
5247938501 - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters Matej Cepl 2023-03-01 21:31:34 +0000
c65f198c5f Accepting request 1067030 from devel:languages:python:Factory Dominique Leuenberger 2023-02-22 14:21:12 +0000
2163aded52 - Add provides for readline and sqlite3 to the main Python package. Matej Cepl 2023-02-21 13:46:40 +0000
1adf96a982 Accepting request 1061593 from devel:languages:python:Factory Dominique Leuenberger 2023-01-29 13:10:09 +0000
c4677b0c0c Accepting request 1061586 from home:kukuk:branches:devel:languages:python:Factory Matej Cepl 2023-01-27 16:15:01 +0000
ca3d1579b7 Accepting request 1058286 from devel:languages:python:Factory Dominique Leuenberger 2023-01-15 16:57:54 +0000
99c7e0b52b Accepting request 1058220 from home:marxin:branches:devel:languages:python:Factory Matej Cepl 2023-01-13 17:34:48 +0000
cac9860ceb Accepting request 1041648 from devel:languages:python:Factory Dominique Leuenberger 2022-12-09 12:16:49 +0000
80936f6706 Actually remove the patch. Matej Cepl 2022-12-08 10:50:57 +0000
59150a7e9a - CVE-2022-45061-DoS-by-IDNA-decode.patch Matej Cepl 2022-12-08 10:47:50 +0000
2c04be55bd - Update to 3.9.16: - python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. - Avoid publishing list of active per-interpreter audit hooks via the gc module - The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name (CVE-2015-20107). - Update bundled libexpat to 2.5.0 - Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). - On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the “forkserver” start method is affected. Abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. This was a potential privilege escalation. Filesystem based socket permissions restrict this to the forkserver process user as was the default in Python Matej Cepl 2022-12-08 10:47:18 +0000
a0ade6e31d Accepting request 1034968 from devel:languages:python:Factory Dominique Leuenberger 2022-11-12 16:39:58 +0000
80ef87d611 - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names. Matej Cepl 2022-11-09 18:43:25 +0000
a697b381bc Accepting request 1033552 from devel:languages:python:Factory Dominique Leuenberger 2022-11-05 13:46:31 +0000
ea87139f16 - Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid CVE-2022-42919 (bsc#1204886) avoiding Linux specific local privilege escalation via the multiprocessing forkserver start method. Matej Cepl 2022-11-03 21:36:18 +0000
d28bf8ebe9 Accepting request 1031408 from devel:languages:python:Factory Dominique Leuenberger 2022-10-28 17:28:34 +0000
d6d31d7ca3 Accepting request 1031398 from home:mcepl:branches:devel:languages:python:Factory Matej Cepl 2022-10-26 21:25:00 +0000
6c0c30d16d Fix version number in changelog Matej Cepl 2022-10-19 07:32:56 +0000
0f6aeb04bb - Update to 3.8.15: - Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. - Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. (originally filed as CVE-2022-37460, later withdrawn) - Fix command line parsing: reject -X int_max_str_digits option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. - When ValueError is raised if an integer is larger than the limit, mention the sys.set_int_max_str_digits() function in the error message. - Update bundled libexpat to 2.4.9 Matej Cepl 2022-10-19 07:31:04 +0000
a25e716d37 Accepting request 1003029 from devel:languages:python:Factory Dominique Leuenberger 2022-09-17 18:08:13 +0000
6fa3cda544 - Update to 3.9.14: - (CVE-2020-10735, bsc#1203125). Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form. - Also other bug fixes: - http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan. - Fix contextvars HAMT implementation to handle iteration over deep trees. The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details. - Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of “0”. - Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None. - Fix the formatting for await x and not x in the operator precedence table when using the help() system. - Fix ensurepip environment isolation for subprocess running pip. - Fix problem with test_ssl test_get_ciphers on systems that require perfect forward secrecy (PFS) ciphers. Matej Cepl 2022-09-11 08:54:55 +0000
a851d71273 Accepting request 1000771 from devel:languages:python:Factory Dominique Leuenberger 2022-09-03 21:18:32 +0000
19674afc6d Correct changelog entry Steve Kowalik 2022-09-02 05:07:50 +0000
a2b82842e5 - http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. (bsc#1202624, CVE-2021-28861) Steve Kowalik 2022-09-01 03:50:33 +0000
0535f25347 Accepting request 990683 from devel:languages:python:Factory Richard Brown 2022-07-29 14:46:57 +0000
f343483635 Restore %primary_interpreter Matej Cepl 2022-07-21 15:15:38 +0000
d57ee42f22 - Switch from %primary_interpreter to prjconf-defined %primary_python (gh#openSUSE/python-rpm-macros#127). Matej Cepl 2022-07-21 14:23:09 +0000
8ac9461637 Accepting request 985337 from devel:languages:python:Factory Dominique Leuenberger 2022-06-29 14:00:52 +0000
6f0c4c85a1 Add missing Bugzilla reference. Matej Cepl 2022-06-20 13:41:37 +0000
35d1711e18 Accepting request 983632 from devel:languages:python:Factory Dominique Leuenberger 2022-06-19 19:10:34 +0000
56c63c9ae2 Fix changelog Matej Cepl 2022-06-16 11:52:38 +0000
04678e52ad Adjust support-expat-CVE-2022-25236-patched.patch Matej Cepl 2022-06-15 04:53:24 +0000

Commit Graph Select branches Hide Pull Requests devel factory Mono Color

Commit Graph

Select branches

Hide Pull Requests

devel

factory