Revisions of python311

Dominique Leuenberger (dimstar_suse) accepted request 1220125 from Matej Cepl (mcepl) (revision 42)
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
  path names provided when creating a virtual environment
  (bsc#1232241, CVE-2024-9287)
Ana Guerrero (anag+factory) accepted request 1199725 from Matej Cepl (mcepl) (revision 40)
- Update to 3.11.10:
  - Security
    - gh-123678: Upgrade libexpat to 2.6.3
    - gh-121957: Fixed missing audit events around interactive
      use of Python, now also properly firing for ``python -i``,
      as well as for ``python -m asyncio``. The event in question
      is ``cpython.run_stdin``.
    - gh-122133: Authenticate the socket connection for the
      ``socket.socketpair()`` fallback on platforms where
      ``AF_UNIX`` is not available like Windows. Patch by
      Gregory P. Smith <greg@krypto.org> and Seth Larson
      <seth@python.org>. Reported by Ellie <el@horse64.org>
    - gh-121285: Remove backtracking from tarfile header parsing
      for ``hdrcharset``, PAX, and GNU sparse headers
      (bsc#1230227, CVE-2024-6232).
    - gh-118486: :func:`os.mkdir` on Windows now accepts
      *mode* of ``0o700`` to restrict the new directory to
      the current user. This fixes CVE-2024-4030 affecting
      :func:`tempfile.mkdtemp` in scenarios where the base
      temporary directory is more permissive than the default.
    - gh-116741: Update bundled libexpat to 2.6.2
  - Library
    - gh-123270: Applied a more surgical fix for malformed
      payloads in :class:`zipfile.Path` causing infinite loops
      (gh-122905) without breaking contents using legitimate
      characters (bsc#1229704, CVE-2024-8088).
    - gh-123067: Fix quadratic complexity in parsing ``"``-quoted
      cookie values with backslashes by :mod:`http.cookies`
      (bsc#1229596, CVE-2024-7592).
    - gh-122905: :class:`zipfile.Path` objects now sanitize names
      from the zipfile.
    - gh-121650: :mod:`email` headers with embedded newlines are
      now quoted on output. The :mod:`~email.generator` will now
      refuse to serialize (write) headers that are unsafely folded
      or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`.
      (Contributed by Bas Bloemsaat and Petr Viktorin in
      :gh:`121650`; CVE-2024-6923, bsc#1228780).
    - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method
      breaks internal buffer when the method is called again
      during flushing internal buffer.
    - gh-118643: Fix an AttributeError in the :mod:`email` module
      when re-folding a long address list. Also fix more cases of
      incorrect encoding of the address separator in the address
      list.
    - gh-113171: Fixed various false positives and false
      negatives in:
      * :attr:`ipaddress.IPv4Address.is_private`
        (see these docs for details)
      * :attr:`ipaddress.IPv4Address.is_global`
      * :attr:`ipaddress.IPv6Address.is_private`
      * :attr:`ipaddress.IPv6Address.is_global`
      Also in the corresponding :class:`ipaddress.IPv4Network`
      and :class:`ipaddress.IPv6Network` attributes.
      Fixes bsc#1226448 (CVE-2024-4032).
    - gh-102988: :func:`email.utils.getaddresses` and
      :func:`email.utils.parseaddr` now return ``('', '')``
      2-tuples in more situations where invalid email addresses
      are encountered instead of potentially inaccurate
      values. Add optional *strict* parameter to these two
      functions: use ``strict=False`` to get the old behavior,
      accept malformed inputs. ``getattr(email.utils,
      'supports_strict_parsing', False)`` can be used to check if
      the *strict* parameter is available. Patch by Thomas Dwyer
      and Victor Stinner to improve the CVE-2023-27043 fix
      (bsc#1210638).
    - gh-67693: Fix :func:`urllib.parse.urlunparse` and
      :func:`urllib.parse.urlunsplit` for URIs with path starting
      with multiple slashes and no authority. Based on patch by
      Ashwin Ramaswami.
  - Core and Builtins
    - gh-112275: A deadlock involving ``pystate.c``'s
      ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now
      fixed. Patch by ChuBoning based on previous Python 3.12 fix
      by Victor Stinner.
    - gh-109120: Added handle of incorrect star expressions, e.g.
      ``f(3, *)``. Patch by Grigoryev Semyon.
- Removed upstreamed patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - CVE-2024-4032-private-IP-addrs.patch
  - CVE-2024-6923-email-hdr-inject.patch
  - CVE-2024-8088-inf-loop-zipfile_Path.patch
- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
  failing test_sendfile_close_peer_in_the_middle_of_receiving
  tests on Linux >= 6.10 (GH-120227).
Dominique Leuenberger (dimstar_suse) accepted request 1197475 from Matej Cepl (mcepl) (revision 39)
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
  malformed payloads from causing infinite loops in zipfile.Path
  (bsc#1229704, CVE-2024-8088).
Dominique Leuenberger (dimstar_suse) accepted request 1192372 from Matej Cepl (mcepl) (revision 38)
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
  header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).
- %{profileopt} variable is set according to the variable
  %{do_profiling} (bsc#1227999)
Dominique Leuenberger (dimstar_suse) accepted request 1190344 from Factory Maintainer (factory-maintainer) (revision 37)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1183510 from Matej Cepl (mcepl) (revision 35)
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

      multiple threads (bsc#1226447, CVE-2024-0397).
Ana Guerrero (anag+factory) accepted request 1171202 from Matej Cepl (mcepl) (revision 34)
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch
  so that it uses features sniffing, not just
  comparing version number. Include also
  support-expat-CVE-2022-25236-patched.patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
  failing tests.
- Refresh patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch
- Remove included patch:
  - support-expat-CVE-2022-25236-patched.patch
Ana Guerrero (anag+factory) accepted request 1169286 from Matej Cepl (mcepl) (revision 33)
Forwarded request #1169083 from dgarcia

- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
    patched libexpat below 2.6.0 that doesn't update the version number,
    just in SLE.
Ana Guerrero (anag+factory) accepted request 1161081 from Matej Cepl (mcepl) (revision 32)
- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.

- Because of bsc#1189495 we have to revert use of %autopatch.

      other entry or central directory (bsc#1221854, CVE-2024-0450).
Ana Guerrero (anag+factory) accepted request 1157149 from Matej Cepl (mcepl) (revision 31)
- Rewrite %prep to use %autosetup et al. for compatibility with
  rpm 4.20.

- bsc#1221260 add bsc1221260-test_asyncio-ResourceWarning.patch
  to eliminate ResourceWarning which broke the test suite in
  test_asyncio.

- Use the system-wide crypto-policies [bsc#1211301]
  * Use the system default cipher list instead of hardcoded values
  * Add the --with-ssl-default-suites=openssl configure option
Dominique Leuenberger (dimstar_suse) accepted request 1153186 from Matej Cepl (mcepl) (revision 30)
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Remove double definition of /usr/bin/idle%%{version} in
  %%files. 
Ana Guerrero (anag+factory) accepted request 1146838 from Matej Cepl (mcepl) (revision 29)
Forwarded request #1146787 from dgarcia

- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
    with Expat 2.6.0, gh#python/cpython#115289
Ana Guerrero (anag+factory) accepted request 1136197 from Factory Maintainer (factory-maintainer) (revision 27)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1134084 from Matej Cepl (mcepl) (revision 26)
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.
Ana Guerrero (anag+factory) accepted request 1128112 from Factory Maintainer (factory-maintainer) (revision 25)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1113067 from Matej Cepl (mcepl) (revision 24)
      characters without truncating the path (bsc#1214693,
      CVE-2023-41105).
Displaying revisions 1 - 20 of 43