Revisions of python39
Ana Guerrero (anag+factory) accepted request 1224263 from Matej Cepl (mcepl) (revision 69)
- Remove -IVendor/ from python-config boo#1231795
- Add CVE-2024-11168-validation-IPv6-addrs.patch fixing bsc#1233307 (CVE-2024-11168, gh#python/cpython#103848): Improper validation of IPv6 and IPvFuture addresses.
Dominique Leuenberger (dimstar_suse) accepted request 1220114 from Matej Cepl (mcepl) (revision 68)
- Update CVE-2024-9287-venv_path_unquoted.patch according to the upstream PR gh#python/cpython!126301.
Ana Guerrero (anag+factory) accepted request 1218097 from Matej Cepl (mcepl) (revision 67)
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287)
- Drop .pyc files from docdir for reproducible builds (bsc#1230906).
Ana Guerrero (anag+factory) accepted request 1204230 from Matej Cepl (mcepl) (revision 66)
- Add sphinx-802.patch to overcome working both with the most recent and older Sphinx versions.
Ana Guerrero (anag+factory) accepted request 1202002 from Matej Cepl (mcepl) (revision 65)
with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592). complexity in parsing tarfile headers (bsc#1230227, CVE-2024-6232).
Ana Guerrero (anag+factory) accepted request 1199746 from Matej Cepl (mcepl) (revision 64)
- Update to 3.9.20:
  - Tests
    - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``.
    - gh-117187: Fix XML tests for vanilla Expat <2.6.0.
  - Security
    - gh-123678: Upgrade libexpat to 2.6.3
    - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``.
    - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org>
    - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232).
    - gh-118486: :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default.
    - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397).
    - gh-116741: Update bundled libexpat to 2.6.2
  - Library
    - gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088).
    - gh-123067: Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
    - gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780).
    - gh-113171: Fixed various false positives and false negatives in
      * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details)
      * :attr:`ipaddress.IPv4Address.is_global`
      * :attr:`ipaddress.IPv6Address.is_private`
      * :attr:`ipaddress.IPv6Address.is_global`
      Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032).
    - gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return ``('', '')`` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use ``strict=False`` to get the old behavior, accept malformed inputs. ``getattr(email.utils, 'supports_strict_parsing', False)`` can be used to check if the *strict* parameter is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638).
    - gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami.
  - Core and Builtins
    - gh-112275: A deadlock involving ``pystate.c``'s ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner.
- Remove upstreamed patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - CVE-2024-6232-cookies-quad-complex.patch
  - CVE-2024-4032-private-IP-addrs.patch
  - CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  - CVE-2024-8088-inf-loop-zipfile_Path.patch
  - CVE-2024-6923-email-hdr-inject.patch
Ana Guerrero (anag+factory) accepted request 1199546 from Matej Cepl (mcepl) (revision 63)
- Add CVE-2024-6232-cookies-quad-complex.patch to avoid quadratic complexity in parsing "-quoted cookie values with backslashes (bsc#1229596, CVE-2024-6232).
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with patched libexpat below 2.6.0 that doesn't update the version number, just in SLE.
- Remove old-libexpat.patch, of course.
- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid failing test_sendfile_close_peer_in_the_middle_of_receiving tests on Linux >= 6.10 (GH-120227).
Dominique Leuenberger (dimstar_suse) accepted request 1197416 from Matej Cepl (mcepl) (revision 62)
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, CVE-2024-8088).
Dominique Leuenberger (dimstar_suse) accepted request 1192673 from Matej Cepl (mcepl) (revision 61)
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923).
- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 and gh#python/cpython!121883.
- Add CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch removing support for anything but OpenSSL 1.1.1 or newer (bsc#1227233, CVE-2024-5642).
- %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999)
Dominique Leuenberger (dimstar_suse) accepted request 1190346 from Factory Maintainer (factory-maintainer) (revision 60)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1189045 from Factory Maintainer (factory-maintainer) (revision 59)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1183504 from Matej Cepl (mcepl) (revision 58)
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448 (CVE-2024-4032) rearranging definition of private v global IP addresses.
Ana Guerrero (anag+factory) accepted request 1182485 from Matej Cepl (mcepl) (revision 57)
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch fixing bsc#1226447 (CVE-2024-0397) by removing memory race condition in ssl.SSLContext certificate store methods.
Ana Guerrero (anag+factory) accepted request 1161042 from Matej Cepl (mcepl) (revision 56)
- Add old-libexpat.patch making the test suite work with libexpat < 2.6.0 (gh#python/cpython#117187).
- Update to 3.9.19:
  - Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425, bsc#1219559) by adding five new methods:
      - xml.etree.ElementTree.XMLParser.flush()
      - xml.etree.ElementTree.XMLPullParser.flush()
      - xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
      - xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
      - xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname before checking it against the system's proxy bypass list on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from "quoted-overlap" zipbomb. It now raises BadZipFile when trying to read an entry that overlaps with another entry or the central directory (CVE-2024-0450, bsc#1221854).
    - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropriate ssl.SSLCertVerificationError. Patch by Pablo Galindo
    - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, which now no longer dereferences symlinks when working around file system permission errors (CVE-2023-6597, bsc#1219666).
  - Documentation
    - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under "XML vulnerabilities".
  - Tools/Demos
    - gh-109991: Update GitHub CI workflows to use OpenSSL 3.0.11 and multissltests to use 1.1.1w and 3.0.11.
- Remove upstreamed patches:
  - CVE-2023-6597-TempDir-cleaning-symlink.patch
  - libexpat260.patch
- Refreshed patches:
  - F00251-change-user-install-location.patch
  - python-3.3.0b1-localpath.patch
Ana Guerrero (anag+factory) accepted request 1157648 from Factory Maintainer (factory-maintainer) (revision 55)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1153059 from Matej Cepl (mcepl) (revision 54)
- Update SPEC file to build on SLE-15-SP5 (jsc#PED-7886).
- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time, which fails on slow machines in IBS (s390x).
- (bsc#1215454, gh-108310) Fixed an issue where instances
- Refresh all patches:
  - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
  - 99366-patch.dict-can-decorate-async.patch
  - Revert-gh105127-left-tests.patch
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - distutils-reproducible-compile.patch
  - gh-78214-marshal_stabilize_FLAG_REF.patch
  - python-3.3.0b1-localpath.patch
  - python-3.3.0b1-test-posix_fadvise.patch
  - python3-imp-returntype.patch
  - subprocess-raise-timeout.patch
  - support-expat-CVE-2022-25236-patched.patch
  - downport-Sphinx-features.patch
Ana Guerrero (anag+factory) accepted request 1152789 from Factory Maintainer (factory-maintainer) (revision 53)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1119266 from Factory Maintainer (factory-maintainer) (revision 51)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1109203 from Daniel Garcia (dgarcia) (revision 50)
- Update to 3.9.18 (bsc#1214692):
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
Displaying revisions 1 - 20 of 69