- Update to 3.10.12:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch

• Files Changed
• Browse Source

- Add bpo-37596-make-set-marshalling.patch making marshalling of
  `set` and `frozenset` deterministic (bsc#1211765).

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Add invalid-json.patch fixing invalid JSON in
  Doc/howto/logging-cookbook.rst (somehow similar to
  gh#python/cpython#102582).

• Files Changed
• Browse Source

- Update to 3.10.10:
  Bug fixes and regressions handling, no change of behaviour and
  no security bugs fixed.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

• Files Changed
• Browse Source

- Add provides for readline and sqlite3 to the main Python
  package.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to 3.10.9:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server lo This is done by changing
    the http.server BaseHTTPRequestHandler .log_message method
    to replace control characters with a \xHH hex escape before
    printin
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a name.
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - On Linux the multiprocessing module returns
    to using filesystem backed unix domain sockets for
    communication with the forkserver process instead of the
    Linux abstract socket namespace. Only code that chooses
    to use the “forkserver” start method is affected Abstract
    sockets have no permissions and could allow any user
    on the system in the same network namespace (often the
    whole system) to inject code into the multiprocessing
    forkserver process. This was a potential privilege
    escalation. Filesystem based socket permissions restrict
    this to the forkserver process user as was the default in

• Files Changed
• Browse Source

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

• Files Changed
• Browse Source

- Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
  CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
  privilege escalation via the multiprocessing forkserver start
  method.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to 3.10.7:
  - Fix for CVE-2020-10735 (bsc#1203125) Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises
    a ValueError if the number of digits in string form is above
    a limit to avoid potential denial of service attacks due to
    the algorithmic complexity.
  - Other bug fixes:
    - Fixed a bug that caused _PyCode_GetExtra to return garbage
      for negative indexes.
    - Fix format string in _PyPegen_raise_error_known_location
      that can lead to memory corruption on some 64bit systems.
      The function was building a tuple with i (int) instead of
      n (Py_ssize_t) for Py_ssize_t arguments.
    - Fix misleading contents of error message when converting an
      all-whitespace string to float.
    - coroutine.throw() now properly initializes the frame.f_back
      when resuming a stack of coroutines. This allows e.g.
      traceback.print_stack() to work correctly when an exception
      (such as CancelledError) is thrown into a coroutine.
    - ast.parse() will no longer parse function definitions with
      positional-only params when passed feature_version less
      than (3, 8).
    - Correct conversion of numbers.Rational’s to float.
    - Fix a performance regression in logging
      TimedRotatingFileHandler. Only check for special files when
      the rollover time has passed.
    - Fix unused localName parameter in the Attr class in
      xml.dom.minidom.
    - Update bundled pip to 22.2.2.

• Files Changed
• Browse Source

Add references to bsc#1202624, CVE-2021-28861

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to 3.10.6:
  - gh-87389: http.server: Fix an open redirection vulnerability
    in the HTTP server when an URI path starts with //.
    Vulnerability discovered, and initial fix proposed, by Hamza
    Avvan.
  - gh-92888: Fix memoryview use after free when accessing the
    backing buffer in certain cases.
  - gh-95355: _PyPegen_Parser_New now properly detects token
    memory allocation errors. Patch by Honglin Zhu.
  - gh-94938: Fix error detection in some builtin functions when
    keyword argument name is an instance of a str subclass with
    overloaded __eq__ and __hash__. Previously it could cause
    SystemError or other undesired behavior.
  - gh-94949: ast.parse() will no longer parse parenthesized
    context managers when passed feature_version less than
    (3, 9). Patch by Shantanu Jain.
  - gh-94947: ast.parse() will no longer parse assignment
    expressions when passed feature_version less than
    (3, 8). Patch by Shantanu Jain.
  - gh-94869: Fix the column offsets for some expressions in
    multi-line f-strings ast nodes. Patch by Pablo Galindo.
  - gh-91153: Fix an issue where a bytearray item assignment
    could crash if it’s resized by the new value’s __index__()
    method.
  - gh-94329: Compile and run code with unpacking of extremely
    large sequences (1000s of elements). Such code failed to
    compile. It now compiles and runs correctly.
  - gh-94360: Fixed a tokenizer crash when reading encoded
    files with syntax errors from stdin with non utf-8 encoded
    text. Patch by Pablo Galindo
  - gh-94192: Fix error for dictionary literals with invalid
    expression as value.
  - gh-93964: Strengthened compiler overflow checks to prevent
    crashes when compiling very large source files.
  - gh-93671: Fix some exponential backtrace case happening with
    deeply nested sequence patterns in match statements. Patch by
    Pablo Galindo
  - gh-93021: Fix the __text_signature__ for __get__() methods
    implemented in C. Patch by Jelle Zijlstra.
  - gh-92930: Fixed a crash in _pickle.c from mutating
    collections during __reduce__ or persistent_id.
  - gh-92914: Always round the allocated size for lists up to the
    nearest even number.
  - gh-92858: Improve error message for some suites with syntax
    error before ‘:’
  - gh-95339: Update bundled pip to 22.2.1.
  - gh-95045: Fix GC crash when deallocating _lsprof.Profiler by
    untracking it before calling any callbacks. Patch by Kumar
    Aditya.
  - gh-95087: Fix IndexError in parsing invalid date in the email
    module.
  - gh-95199: Upgrade bundled setuptools to 63.2.0.
  - gh-95194: Upgrade bundled pip to 22.2.
  - gh-93899: Fix check for existence of os.EFD_CLOEXEC,
    os.EFD_NONBLOCK and os.EFD_SEMAPHORE flags on older kernel
    versions where these flags are not present. Patch by Kumar
    Aditya.
  - gh-95166: Fix concurrent.futures.Executor.map() to cancel the
    currently waiting on future on an error - e.g. TimeoutError
    or KeyboardInterrupt.
  - gh-93157: Fix fileinput module didn’t support errors option
    when inplace is true.
  - gh-94821: Fix binding of unix socket to empty address
    on Linux to use an available address from the abstract
    namespace, instead of “0”.
  - gh-94736: Fix crash when deallocating an instance of a
    subclass of _multiprocessing.SemLock. Patch by Kumar Aditya.
  - gh-94637: SSLContext.set_default_verify_paths() now releases
    the GIL around SSL_CTX_set_default_verify_paths call. The
    function call performs I/O and CPU intensive work.
  - gh-94510: Re-entrant calls to sys.setprofile() and
    sys.settrace() now raise RuntimeError. Patch by Pablo
    Galindo.
  - gh-92336: Fix bug where linecache.getline() fails on bad
    files with UnicodeDecodeError or SyntaxError. It now returns
    an empty string as per the documentation.
  - gh-89988: Fix memory leak in pickle.Pickler when looking up
    dispatch_table. Patch by Kumar Aditya.
  - gh-94254: Fixed types of struct module to be immutable. Patch
    by Kumar Aditya.
  - gh-94245: Fix pickling and copying of typing.Tuple[()].
  - gh-94207: Made _struct.Struct GC-tracked in order to fix a
    reference leak in the _struct module.
  - gh-94101: Manual instantiation of ssl.SSLSession objects is
    no longer allowed as it lead to misconfigured instances that
    crashed the interpreter when attributes where accessed on
    them.
  - gh-84753: inspect.iscoroutinefunction(),
    inspect.isgeneratorfunction(), and
    inspect.isasyncgenfunction() now properly return True
    for duck-typed function-like objects like instances of
    unittest.mock.AsyncMock.
  - This makes inspect.iscoroutinefunction() consistent with the
    behavior of asyncio.iscoroutinefunction(). Patch by Mehdi
    ABAAKOUK.
  - gh-83499: Fix double closing of file description in tempfile.
  - gh-79512: Fixed names and __module__ value of weakref classes
    ReferenceType, ProxyType, CallableProxyType. It makes them
    pickleable.
  - gh-90494: copy.copy() and copy.deepcopy() now always raise
    a TypeError if __reduce__() returns a tuple with length 6
    instead of silently ignore the 6th item or produce incorrect
    result.
  - gh-90549: Fix a multiprocessing bug where a global named
    resource (such as a semaphore) could leak when a child
    process is spawned (as opposed to forked).
  - gh-79579: sqlite3 now correctly detects DML queries with
    leading comments. Patch by Erlend E. Aasland.
  - gh-93421: Update sqlite3.Cursor.rowcount when a DML
    statement has run to completion. This fixes the row count
    for SQL queries like UPDATE ... RETURNING. Patch by Erlend
    E. Aasland.
  - gh-91810: Suppress writing an XML declaration in open
    files in ElementTree.write() with encoding='unicode' and
    xml_declaration=None.
  - gh-93353: Fix the importlib.resources.as_file() context
    manager to remove the temporary file if destroyed late
    during Python finalization: keep a local reference to the
    os.remove() function. Patch by Victor Stinner.
  - gh-83658: Make multiprocessing.Pool raise an exception if
    maxtasksperchild is not None or a positive int.
  - gh-74696: shutil.make_archive() no longer temporarily changes
    the current working directory during creation of standard
    .zip or tar archives.
  - gh-91577: Move imports in SharedMemory methods to module
    level so that they can be executed late in python
    finalization.
  - bpo-47231: Fixed an issue with inconsistent trailing slashes
    in tarfile longname directories.
  - bpo-46755: In QueueHandler, clear stack_info from LogRecord
    to prevent stack trace from being written twice.
  - bpo-46053: Fix OSS audio support on NetBSD.
  - bpo-46197: Fix ensurepip environment isolation for subprocess
    running pip.
  - bpo-45924: Fix asyncio incorrect traceback when future’s
    exception is raised multiple times. Patch by Kumar Aditya.
  - bpo-34828: sqlite3.Connection.iterdump() now handles
    databases that use AUTOINCREMENT in one or more tables.
  - gh-94321: Document the PEP 246 style protocol type
    sqlite3.PrepareProtocol.
  - gh-86128: Document a limitation in ThreadPoolExecutor where
    its exit handler is executed before any handlers in atexit.
  - gh-61162: Clarify sqlite3 behavior when Using the connection
    as a context manager.
  - gh-87260: Align sqlite3 argument specs with the actual
    implementation.
  - gh-86986: The minimum Sphinx version required to build the
    documentation is now 3.2.
  - gh-88831: Augmented documentation of
    asyncio.create_task(). Clarified the need to keep strong
    references to tasks and added a code snippet detailing how to
    to this.
  - bpo-47161: Document that pathlib.PurePath does not collapse
    initial double slashes because they denote UNC paths.
  - gh-95280: Fix problem with test_ssl test_get_ciphers on
    systems that require perfect forward secrecy (PFS) ciphers.
  - gh-95212: Make multiprocessing test case
    test_shared_memory_recreate parallel-safe.
  - gh-91330: Added more tests for dataclasses to cover behavior
    with data descriptor-based fields.
  - gh-94208: test_ssl is now checking for supported TLS version
    and protocols in more tests.
  - gh-93951: In test_bdb.StateTestCase.test_skip, avoid
    including auxiliary importers.
  - gh-93957: Provide nicer error reporting from subprocesses in
    test_venv.EnsurePipTest.test_with_pip.
  - gh-57539: Increase calendar test coverage for
    calendar.LocaleTextCalendar.formatweekday().
  - gh-92886: Fixing tests that fail when running with
    optimizations (-O) in test_zipimport.py
  - bpo-47016: Create a GitHub Actions workflow for verifying
    bundled pip and setuptools. Patch by Illia Volochii and Adam
    Turner.
  - gh-94841: Fix the possible performance regression of
    PyObject_Free() compiled with MSVC version 1932.
  - gh-95511: Fix the Shell context menu copy-with-prompts bug of
    copying an extra line when one selects whole lines.
  - gh-95471: In the Edit menu, move Select All and add a new
    separator.
  - gh-95411: Enable using IDLE’s module browser with .pyw files.
  - gh-89610: Add .pyi as a recognized extension for IDLE on
    macOS. This allows opening stub files by double clicking on
    them in the Finder.
  - gh-94538: Fix Argument Clinic output to custom file
    destinations. Patch by Erlend E. Aasland.
  - gh-94430: Allow parameters named module and self with custom
    C names in Argument Clinic. Patch by Erlend E. Aasland
  - gh-94930: Fix SystemError raised when
    PyArg_ParseTupleAndKeywords() is used with # in (...) but
    without PY_SSIZE_T_CLEAN defined.
  - gh-94864: Fix PyArg_Parse* with deprecated format units “u”
    and “Z”. It returned 1 (success) when warnings are turned
    into exceptions.
- Reapply patches
  -  bpo-31046_ensurepip_honours_prefix.patch
  -  fix_configure_rst.patch
  -  no-skipif-doctests.patch
  -  skip-test_pyobject_freed_is_freed.patch

• Files Changed
• Browse Source

- Switch from %primary_interpreter to prjconf-defined
  %primary_python (gh#openSUSE/python-rpm-macros#127).

• Files Changed
• Browse Source

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Fix building of documentation and the universal configuration of the
  %primary_interpreter.

- Switch primary_interpreter from python38 to python310 for
  Factory (only)

- (bsc#1196784, CVE-2022-25236) Rename patch:
  support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
  and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
  as it was fully patched against CVE-2022-25236.

• Files Changed
• Browse Source

Synchronize the changelog with SLE, so that we can update from Factory.

• Files Changed
• Browse Source

- Update to 3.10.4:
  - bpo-46968: Check for the existence of the “sys/auxv.h” header
    in faulthandler to avoid compilation problems in systems
    where this header doesn’t exist. Patch by Pablo Galindo
  - bpo-23691: Protect the re.finditer() iterator from
    re-entering.
  - bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
    avoid a “zipfile.BadZipFile: Bad CRC-32 for file” exception
    when reading a ZipFile from multiple threads.
  - bpo-38256: Fix binascii.crc32() when it is compiled to use
    zlib’c crc32 to work properly on inputs 4+GiB in length
    instead of returning the wrong result. The workaround prior
    to this was to always feed the function data in increments
    smaller than 4GiB or to just call the zlib module function.
  - bpo-39394: A warning about inline flags not at the start of
    the regular expression now contains the position of the flag.
  - bpo-47061: Deprecate the various modules listed by PEP 594:
  - aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
    imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
    sndhdr, spwd, sunau, telnetlib, uu, xdrlib
  - bpo-2604: Fix bug where doctests using globals would fail
    when run multiple times.
  - bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
  - bpo-47022: The asynchat, asyncore and smtpd modules have been
    deprecated since at least Python 3.6. Their documentation and
    deprecation warnings and have now been updated to note they
    will removed in Python 3.12 (PEP 594).
  - bpo-46421: Fix a unittest issue where if the command was
    invoked as python -m unittest and the filename(s) began with
    a dot (.), a ValueError is returned.

• Files Changed
• Browse Source