- Update to 3.8.14:
  - (CVE-2020-10735, bsc#1203125). Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises a
    ValueError if the number of digits in string form is above a
    limit to avoid potential denial of service attacks due to the
    algorithmic complexity.
    This new limit can be configured or disabled by environment
    variable, command line flag, or sys APIs. See the integer
    string conversion length limitation documentation. The
    default limit is 4300 digits in string form.
  - (CVE-2021-28861, bsc#1202624) http.server: Fix an open
    redirection vulnerability in the HTTP server when an URI path
    starts with //. Vulnerability discovered, and initial fix
    proposed, by Hamza Avvan.
  - Also other bugfixes:
    - Fix contextvars HAMT implementation to handle iteration
      over deep trees. The bug was discovered and fixed by Eli
      Libman. See MagicStack/immutables#84 for more details.
    - Fix ensurepip environment isolation for subprocess running
      pip.
    - Raise ProgrammingError instead of segfaulting on recursive
      usage of cursors in sqlite3 converters. Patch by Sergey
      Fedoseev.
    - Add a new gh role to the documentation to link to GitHub
      issues.
    - Pin Jinja to a version compatible with Sphinx version
      2.4.4.
    - test_ssl is now checking for supported TLS version and
      protocols in more tests.
    - Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
      0xMNN00PP0L.
- Removed upstreamed patches:
  - CVE-2021-28861-double-slash-path.patch
- Readjusted patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - sphinx-update-removed-function.patch
- (bsc#1196784, CVE-2022-25236) Add patch
  support-expat-CVE-2022-25236-patched.patch to allow working
  with different versions of libexpat.

• Files Changed
• Browse Source