Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:CoffeeDev:xr
python3-base
python3.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File python3.changes of Package python3-base
------------------------------------------------------------------- Fri Nov 1 21:32:35 UTC 2024 - Matej Cepl <mcepl@suse.com> - Add CVE-2024-9287-venv_path_unquoted.patch to properly quote path names provided when creating a virtual environment (bsc#1232241, CVE-2024-9287) ------------------------------------------------------------------- Wed Oct 2 16:18:29 UTC 2024 - Matej Cepl <mcepl@cepl.eu> - Drop .pyc files from docdir for reproducible builds (bsc#1230906). ------------------------------------------------------------------- Thu Sep 19 00:04:26 UTC 2024 - Matej Cepl <mcepl@suse.com> - Add CVE-2024-7592-quad-complex-cookies.patch (bsc#1229596, CVE-2024-7592), which fixes quadratic complexity in parsing "-quoted cookie values with backslashes by http.cookies. ------------------------------------------------------------------- Wed Sep 18 23:03:19 UTC 2024 - Matej Cepl <mcepl@suse.com> - Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch prevent ReDos via excessive backtracking while parsing header values (bsc#1230227, CVE-2024-6232). ------------------------------------------------------------------- Thu Sep 12 21:11:02 UTC 2024 - Matej Cepl <mcepl@suse.com> - Add bpo27240-rewrite_email_hdr_fold.patch rewriting the email header folding algorithm to make the codebase compatible with Python 3.6.4+, so we can continue to maintain it. - And even before that we have to add bpo24211-RFC6532-supp-email.patch. - Also bpo20098-email-mangle_from-policy.patch. - Add finally, CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, CVE-2024-6923). ------------------------------------------------------------------- Sat Jul 20 21:48:02 UTC 2024 - Matej Cepl <mcepl@suse.com> - Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448 (CVE-2024-4032) rearranging definition of private v global IP addresses. ------------------------------------------------------------------- Mon Jul 15 12:26:59 UTC 2024 - Matej Cepl <mcepl@suse.com> - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378). ------------------------------------------------------------------- Sat May 18 15:49:07 UTC 2024 - Matej Cepl <mcepl@suse.com> - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). ------------------------------------------------------------------- Fri May 10 16:00:24 UTC 2024 - Matej Cepl <mcepl@suse.com> - Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree XMLPullParser tests for Expat >=2.6.0 with reparse deferral (fixing CVE-2023-52425 or bsc#1219559). ------------------------------------------------------------------- Mon Feb 26 13:37:33 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com> - Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217) ------------------------------------------------------------------ Fri Feb 23 01:06:42 UTC 2024 - Matej Cepl <mcepl@suse.com> - (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Repurpose skip-failing-tests.patch to increase timeout for test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time, which fails on slow machines in IBS (s390x). ------------------------------------------------------------------- Mon Dec 18 16:20:58 UTC 2023 - Matej Cepl <mcepl@cepl.eu> - Refresh CVE-2023-27043-email-parsing-errors.patch from gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). ------------------------------------------------------------------- Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com> - (bsc#1214691, CVE-2022-48566) Add CVE-2022-48566-compare_digest-more-constant.patch to make compare_digest more constant-time. ------------------------------------------------------------------- Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com> - (bsc#1214685, CVE-2022-48565) Add CVE-2022-48565-plistlib-XML-vulns.patch (from gh#python/cpython#86217) reject XML entity declarations in plist files. ------------------------------------------------------------------- Sat Sep 9 16:29:01 UTC 2023 - Matej Cepl <mcepl@suse.com> - (bsc#1214677, CVE-2022-48564) Add CVE-2022-48564-DoS-read_ints-plistlib.patch fixing gh#python/cpython#86269 (backport from 3.6), which prevents DoS when processing malformed Apple Property List files in binary format. - Skip test_plistlib.test_identity test on aarch64. ------------------------------------------------------------------- Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl <mcepl@suse.com> - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). ------------------------------------------------------------------- Sat May 6 17:31:35 UTC 2023 - Matej Cepl <mcepl@suse.com> - Add 99366-patch.dict-can-decorate-async.patch fixing gh#python/cpython#98086 (backport from Python 3.10 patch in gh#python/cpython!99366), fixing bsc#1211158. - Add stack_overflow_test_endless_recursion.patch to avoid failing test. ------------------------------------------------------------------- Wed May 3 14:09:37 UTC 2023 - Matej Cepl <mcepl@suse.com> - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706). CURRENTLY SWITCHED OFF, AS IT IS STILL WIP AND UNDEBUGGED ------------------------------------------------------------------- Tue Apr 18 05:00:11 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com> - Use python3 modules to build the documentation. ------------------------------------------------------------------- Wed Mar 15 18:14:36 UTC 2023 - Matej Cepl <mcepl@suse.com> - Add bpo-44434-libgcc_s-for-pthread_cancel.patch which eliminates unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355). ------------------------------------------------------------------- Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com> - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters ------------------------------------------------------------------- Mon Jan 9 09:04:08 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com> - Add CVE-2022-40899-ReDos-cookiejar.patch to Fix REDoS in http.cookiejar (gh#python/cpython#17157, bsc#1206673, CVE-2022-40899) ------------------------------------------------------------------- Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com> - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names. ------------------------------------------------------------------- Fri Sep 16 16:46:07 UTC 2022 - Matej Cepl <mcepl@suse.com> - Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix CVE-2020-10735 (bsc#1203125) to limit amount of digits converting text to int and vice vera (potential for DoS). Originally by Victor Stinner of Red Hat. ------------------------------------------------------------------- Fri Sep 2 06:53:55 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com> - Add patch CVE-2021-28861-double-slash-path.patch: * http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. (bsc#1202624, CVE-2021-28861) ------------------------------------------------------------------- Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com> - Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command injection in the mailcap module. - Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests on s390x. ------------------------------------------------------------------- Wed May 25 04:39:56 UTC 2022 - Matej Cepl <mcepl@suse.com> - drop PYTHONSTARTUP hooks that cause spurious startup errors (bsc#1070738, bsc#1199441), as the relevant feature (REPL history) is now built into Python itself. ------------------------------------------------------------------- Sat Feb 26 15:14:57 UTC 2022 - Matej Cepl <mcepl@suse.com> - Update bundled pip wheel to the latest SLE version patched against bsc#1186819 (CVE-2021-3572). ------------------------------------------------------------------- Tue Feb 15 22:38:32 UTC 2022 - Matej Cepl <mcepl@suse.com> - Add CVE-2022-0391-urllib_parse-newline-parsing.patch (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs containing ASCII newline and tabs in urlparse. ------------------------------------------------------------------- Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl <mcepl@suse.com> - Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib not trust the PASV response. ------------------------------------------------------------------- Sat Sep 25 15:35:06 UTC 2021 - Matej Cepl <mcepl@suse.com> - Add CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch fixing ReDoS in urllib AbstractBasicAuthHandler (bsc#1189287, CVE-2021-3733, bpo#43075) ------------------------------------------------------------------- Wed Sep 15 15:49:00 UTC 2021 - Matej Cepl <mcepl@suse.com> - Add CVE-2021-3737-infinite-loop-on-100-Continue.patch fixing bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server. ------------------------------------------------------------------- Thu Aug 12 19:35:28 UTC 2021 - Matej Cepl <mcepl@suse.com> - Reorder and better documented patches related to bpo#30458 (also, for rechecking solution for bsc#1129071). - Refresh patches: - CVE-2019-10160-netloc-port-regression.patch - CVE-2019-18348-CRLF_injection_via_host_part.patch - CVE-2019-9947-no-ctrl-char-http.patch - CVE-2020-8492-urllib-ReDoS.patch - Python-3.3.0b2-multilib.patch - python-3.6-CVE-2017-18207.patch - python3-urllib-prefer-lowercase-proxies.patch - subprocess-raise-timeout.patch ------------------------------------------------------------------- Fri Jul 16 14:25:20 UTC 2021 - Matej Cepl <mcepl@suse.com> - Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668). ------------------------------------------------------------------- Wed May 12 15:33:37 UTC 2021 - Matej Cepl <mcepl@suse.com> - Add CVE-2020-27619-no-eval-http-content.patch fixing CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. ------------------------------------------------------------------- Sun May 2 09:20:06 UTC 2021 - Ben Greiner <code@bnavigator.de> - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ------------------------------------------------------------------- Wed Mar 10 22:41:18 CET 2021 - Matej Cepl <mcepl@suse.com> - Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of semicolon as a query string separator (bpo#42967, bsc#1182379, CVE-2021-23336). ------------------------------------------------------------------- Fri Jan 29 17:22:48 UTC 2021 - Matej Cepl <mcepl@suse.com> - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution. ------------------------------------------------------------------- Sat Jan 23 23:37:31 UTC 2021 - Matej Cepl <mcepl@suse.com> - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ------------------------------------------------------------------- Tue Nov 24 17:38:21 UTC 2020 - Matej Cepl <mcepl@suse.com> - Replace bundled wheels for pip and setuptools with the updated ones (bsc#1176262 CVE-2019-20916). ------------------------------------------------------------------- Mon Oct 19 01:49:43 UTC 2020 - Steve Kowalik <steven.kowalik@suse.com> - Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 (CVE-2020-26116, bpo#39603) no longer allowing special characters in the method parameter of HTTPConnection.putrequest in httplib, stopping injection of headers. Such characters now raise ValueError. - Add update-ssl-certs.patch, which updates the SSL certificates shipped with the upstream tarball which have since expired. ------------------------------------------------------------------- Fri Sep 11 00:16:38 UTC 2020 - Matej Cepl <mcepl@suse.com> - Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and IPv6Interface could lead to DOS. ------------------------------------------------------------------- Fri Sep 11 00:03:14 UTC 2020 - Matej Cepl <mcepl@suse.com> - bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised. (bnc#1130840) ------------------------------------------------------------------- Thu Sep 10 13:24:57 UTC 2020 - Matej Cepl <mcepl@suse.com> - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py (bnc#1153238) This patch requires also bpo37614-race_test_docxmlrpc_srv_setup.patch (from bpo#37614), which avoids the race in the tested procedure (bsc#1174701). ------------------------------------------------------------------- Mon Jul 20 12:06:41 UTC 2020 - Matej Cepl <mcepl@suse.com> - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch. ------------------------------------------------------------------- Wed Mar 18 11:26:23 UTC 2020 - Matej Cepl <mcepl@suse.com> - Add CVE-2019-18348-CRLF_injection_via_host_part.patch to disallow control characters in hostnames in httplib, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094) ------------------------------------------------------------------- Wed Mar 11 22:33:06 UTC 2020 - Matej Cepl <mcepl@suse.com> - Change name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). - Add skip-failing-tests.patch to skip test_write_filtered_python_package test ------------------------------------------------------------------- Sat Feb 8 23:29:28 CET 2020 - Matej Cepl <mcepl@suse.com> - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674) - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug "Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)" (bsc#1162367) ------------------------------------------------------------------- Sat Feb 8 22:21:10 CET 2020 - Matej Cepl <mcepl@suse.com> - Add Requires: libpython%{so_version} == %{version}-%{release} to python3-base to keep both packages always synchronized (bsc#1162224). ------------------------------------------------------------------- Fri Dec 20 15:34:09 CET 2019 - Matej Cepl <mcepl@suse.com> - Move idle subpackage build from python3-base to python3 (bsc#1159623). python3-idle introduces considerable extra dependencies and a build loop via rust/librsvg. - Correct installation of idle IDE icons: + idle.png is not the target directory + non-GNOME-specific icons belong into icons/hicolor - Add required Name key to idle3 desktop file - Unify *.changes ------------------------------------------------------------------- Fri Dec 13 16:40:30 CET 2019 - Matej Cepl <mcepl@suse.com> - Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6: - Security: - bpo-36216: Changes urlsplit() to raise ValueError when the URL contains characters that decompose under IDNA encoding (NFKC-normalization) into characters that affect how the URL is parsed. - bpo-35121: Don’t send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with http.cookiejar.DefaultCookiePolicy policy. Patch by Karthikeyan Singaravelan. - bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco. - bpo-34791: The xml.sax and xml.dom.domreg no longer use environment variables to override parser implementations when sys.flags.ignore_environment is set by -E or -I arguments. - bpo-34623: CVE-2018-14647: The C accelerated _elementtree module now initializes hash randomization salt from _Py_HashSecret instead of libexpat’s default CSPRNG. - bpo-33001: Minimal fix to prevent buffer overrun in os.symlink on Windows - bpo-32981: Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential DOS vectors (REDOS). They have been refactored. This resolves CVE-2018-1060 and CVE-2018-1061. Patch by Jamie Davis. - bpo-30657: Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158. Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok. - bpo-30947: Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security fixes. - bpo-29169: Update zlib from 1.2.8 to 1.2.11 to get security fixes. - bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more information. - bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- specific entropy sources like getrandom) doesn’t impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt(). - bpo-26657: Fix directory traversal vulnerability with http.server on Windows. This fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on patch by Philipp Hagemeister. - bpo-30500: Fix urllib.parse.splithost() to correctly parse fragments. For example, splithost('//127.0.0.1#@evil.com/') now correctly returns the 127.0.0.1 host, instead of treating @evil.com as the host in an authentification (login@host). - bpo-30730: Prevent environment variables injection in subprocess on Windows. Prevent passing other invalid environment variables and command arguments. - Library: - bpo-35121: Don’t set cookie for a request when the request path is a prefix match of the cookie’s path attribute but doesn’t end with “/”. Patch by Karthikeyan Singaravelan. - bpo-33329: Fix multiprocessing regression on newer glibcs - bpo-32072: Fixed issues with binary plists: Fixed saving bytearrays. Identical objects will be saved only once. Equal references will be load as identical objects. Added support for saving and loading recursive data structures. - bpo-31170: expat: Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial characters for UTF-8 input (libexpat bug 115): https://github.com/libexpat/libexpat/issues/115 - bpo-30119: ftplib.FTP.putline() now throws ValueError on commands that contains CR or LF. Patch by Dong-hee Na. - bpo-27850: Remove 3DES from ssl module’s default cipher list to counter measure sweet32 attack (CVE-2016-2183). - Core and Builtins - bpo-26617: Fix crash when GC runs during weakref callbacks. - bpo-27945: Fixed various segfaults with dict when input collections are mutated during searching, inserting or comparing. Based on patches by Duane Griffin and Tim Mitchell. - Documentation - bpo-25008: Document smtpd.py as effectively deprecated and add a pointer to aiosmtpd, a third-party asyncio-based replacement. - Patches replaced by the upstream tarball: - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2018-1061-DOS-via-regexp-difflib.patch - CVE-2018-20406-pickle_LONG_BINPUT.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch - CVE-2018-20852-cookie-domain-check.patch ------------------------------------------------------------------- Thu Sep 26 15:42:34 CEST 2019 - Matej Cepl <mcepl@suse.com> - Add CVE-2018-20852-cookie-domain-check.patch prefix dot in domain for proper subdomain [bsc#1141853, CVE-2018-20852] ------------------------------------------------------------------- Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl <mcepl@suse.com> - Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parses email addresses [bsc#1149955, CVE-2019-16056] - Remove obsolete patch python-2.6b1-canonicalize2.patch ------------------------------------------------------------------- Wed Jul 24 17:19:58 CEST 2019 - Matej Cepl <mcepl@suse.com> - Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] ------------------------------------------------------------------- Wed Jul 24 15:27:24 CEST 2019 - Matej Cepl <mcepl@suse.com> - bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623. ------------------------------------------------------------------- Wed Jul 3 21:02:00 CEST 2019 - Matej Cepl <mcepl@suse.com> - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes regression introduced by the previous patch. (CVE-2019-10160) Upstream gh#python/cpython#13812 ------------------------------------------------------------------- Tue Apr 9 15:15:44 CEST 2019 - Matej Cepl <mcepl@suse.com> - bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. (CVE-2019-9636) Upstream gh#python/cpython#12224 ------------------------------------------------------------------- Mon Jan 21 17:51:37 UTC 2019 - Matěj Cepl <mcepl@suse.com> - bsc#1120644 add CVE-2018-20406-pickle_LONG_BINPUT.patch fixing bpo#34656 Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. ------------------------------------------------------------------- Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch fixing bpo-35746. An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. ------------------------------------------------------------------- Mon Sep 3 16:38:15 UTC 2018 - Matěj Cepl <mcepl@suse.com> - Add -fwrapv to OPTS, which is default for python3 anyway See for example https://github.com/zopefoundation/persistent/issues/86 for bugs which are caused by avoiding it. (bsc#1107030) ------------------------------------------------------------------- Fri Jun 29 10:24:27 UTC 2018 - mcepl@suse.com - Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS (CVE-2018-1061). Prior to this patch mail server's timestamp was susceptible to catastrophic backtracking on long evil response from the server. Also, it was susceptible to catastrophic backtracking, which was a potential DOS vector. [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060] ------------------------------------------------------------------- Fri Jun 29 09:05:03 UTC 2018 - mcepl@suse.com - Apply "python-sorted_tar.patch" (bsc#1086001) sort tarfile output directory listing ------------------------------------------------------------------- Tue Mar 13 18:49:34 UTC 2018 - psimons@suse.com - Apply "python-3.6-CVE-2017-18207.patch" to add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this check, attackers could cause a denial of service (divide-by-zero error and application crash) via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ------------------------------------------------------------------- Wed Mar 1 16:50:48 UTC 2017 - jmatejek@suse.com - update to 3.4.6 (bsc#1027282): * fixed potential crash in PyUnicode_AsDecodedObject() in debug build * fixed possible DoS and arbitrary execution in gettext plurals * fix possible use of uninitialized memory in operator.methodcaller * fix possible Py_DECREF on unowned object in _sre * fix possible integer overflow in _csv module * prevent HTTPoxy attack (CVE-2016-1000110) * fix selectors incorrectly retaining invalid fds - move _elementtree to python3.rpm to match its pyexpat dependency (bsc#1029377) - drop upstreamed python-3.4-CVE-2016-1000110-fix.patch ------------------------------------------------------------------- Mon Aug 8 14:28:04 UTC 2016 - jmatejek@suse.com - rename rpmlintrc to python3-rpmlintrc (applied change from 13.2) - drop python-fix-short-dh.patch and dh2048.pem, this is now fixed upstream - drop disabled libffi-ppc64le.diff completely - reverse order of lowercase-proxies and HTTPoxy patches in order to fix documented behavior - drop upstreamed werror-declaration-after-statement.patch ------------------------------------------------------------------- Sun Aug 7 11:25:39 UTC 2016 - hpj@urpla.net - fix python3-urllib-prefer-lowercase-proxies.patch ------------------------------------------------------------------- Sat Aug 6 21:11:02 UTC 2016 - hpj@urpla.net - apply fix for CVE-2016-1000110 - CGIHandler: sets environmental variable based on user supplied Proxy request header: python-3.4-CVE-2016-1000110-fix.patch (fixes bsc#989523, CVE-2016-1000110) - refresh python3-urllib-prefer-lowercase-proxies.patch ------------------------------------------------------------------- Sun Jul 3 12:41:08 UTC 2016 - hpj@urpla.net - update to 3.4.5 check: https://docs.python.org/3.4/whatsnew/changelog.html (fixes bsc#984751, CVE-2016-0772) (fixes bsc#985177, CVE-2016-5636) (fixes bsc#985348, CVE-2016-5699) ------------------------------------------------------------------- Wed Jun 15 12:57:55 UTC 2016 - hpj@urpla.net - apply upstream patch python3-urllib-prefer-lowercase-proxies.patch in order to make urllib proxy var handling behave as usual on POSIX ------------------------------------------------------------------- Tue Jun 14 08:49:18 UTC 2016 - hpj@urpla.net - Due to being fixed upstream (differently), removed outdated patch CVE-2014-4650-CGIHTTPServer-traversal.patch (bsc#983582) ------------------------------------------------------------------- Sat May 7 09:02:50 UTC 2016 - hpj@urpla.net - update to 3.4.4 check: https://docs.python.org/3.4/whatsnew/changelog.html - all necessary patches refreshed - adjusted Python-3.3.0b2-multilib.patch - disabled libffi-ppc64le.diff: horribly deviated - fix a new multilib issue in configure.ac with $LIBPL (target of python3 config) - disabled more tests, that require ssl ------------------------------------------------------------------- Fri Oct 23 13:59:56 UTC 2015 - jmatejek@suse.com - Issue #21121: Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement. (werror-declaration-after-statement.patch, bsc#951166) ------------------------------------------------------------------- Tue Sep 22 12:54:10 UTC 2015 - dmueller@suse.com - add python-2.7-libffi-aarch64.patch to fix incorrect FFI on aarch64 ------------------------------------------------------------------- Thu Sep 17 09:37:23 UTC 2015 - meissner@suse.com - python-fix-short-dh.patch,dh2048.pem: Bump DH parameters to 2048 bit to fix logjam security issue. bsc#935856 ------------------------------------------------------------------- Wed Jul 23 16:31:02 UTC 2014 - jmatejek@suse.com - CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file disclosure and directory traversal through URL-encoded characters (CVE-2014-4650, bnc#885882) ------------------------------------------------------------------- Tue Jul 22 13:55:57 UTC 2014 - jmatejek@suse.com - drop python-3.4.1-SUSE-ensurepip.patch for compatibility reasons, reinstate bundled copies of pip and setuptools (fixes bnc#885662) - add more files as sources to silence the validator ------------------------------------------------------------------- Wed May 21 11:01:56 UTC 2014 - jmatejek@suse.com - update to 3.4.1 * bugfix-only release, over 300 bugs fixed - drop upstreamed python-3.4.0rc2-sqlite-3.8.4-tests.patch - drop upstreamed CVE-2014-2667-mkdir.patch - include Python release manager keyring and signature file for the source archive (thus renumbering of source files) (see https://www.python.org/download/#openpgp-public-keys ) - move ensurepip to python3, because it transitively requires ssl ------------------------------------------------------------------- Fri Apr 4 16:21:40 UTC 2014 - jmatejek@suse.com - CVE-2014-2667-mkdir.patch: race condition with reseting umask in os.makedirs (CVE-2014-2667, bnc#871152) - updated multilib patch to include ~/.local/lib64 (bnc#637176) ------------------------------------------------------------------- Wed Mar 26 15:24:46 UTC 2014 - jmatejek@suse.com - raise timeout value for test_subprocess to 10s (might fix intermittent build failures in OBS) ------------------------------------------------------------------- Mon Mar 24 17:29:31 UTC 2014 - dmueller@suse.com - remove blacklisting of test_posix on aarch64: qemu bug is fixed ------------------------------------------------------------------- Mon Mar 17 18:26:58 UTC 2014 - jmatejek@suse.com - update to 3.4.0 final - drop upstreamed python-3.4rc2-importlib.patch ------------------------------------------------------------------- Sun Mar 16 16:33:25 UTC 2014 - schwab@suse.de - Only build with profile-opt if profiling is enabled - Update test exclusion lists: * test_ctypes no longer fails on arm * test_io no longer fails on ppc* * test_multiprocessing has been split in multiple tests * test_posix and test_signal fail due to qemu bugs ------------------------------------------------------------------- Fri Mar 14 20:26:03 UTC 2014 - andreas.stieger@gmx.de - Fix build with SQLite 3.8.4 [bnc#867887], fixing SQLite tests, adding python-2.7.6-sqlite-3.8.4-tests.patch ------------------------------------------------------------------- Thu Feb 27 14:08:40 UTC 2014 - jmatejek@suse.com - update to 3.4.0 rc2 * pre-release bugfixes * improvements to asyncio library - drop upstreamed tracemalloc_gcov.patch - python-3.4rc2-importlib.patch fixes backwards-incompatibility in the reworked importlib module that blocks build of vim ------------------------------------------------------------------- Fri Jan 17 18:45:27 UTC 2014 - jmatejek@suse.com - initial commit of 3.4.0 beta 3 * new stdlib modules: pathlib, enum, statistics, tracemalloc * asynchronous IO with new asyncio module * introspection data for builtins * subprocesses no longer inherit open file descriptors * standardized metadata for packages * internal hashing changed to SipHash * new pickle protocol * improved handling of codecs * TLS 1.2 support * major speed improvements for internal unicode handling * many bugfixes and optimizations - see porting guide at: http://docs.python.org/3.4/whatsnew/3.4.html#porting-to-python-3-4 - moved several modules to -testsuite subpackage - updated list of binary extensions, refreshed patches - tracemalloc_gcov.patch fixes profile-based optimization build - updated packages and pre_checkin.sh to use ~-version notation for prereleases - fix-shebangs part of build process moved to common %prep - drop python-3.3.2-no-REUSEPORT.patch (upstreamed) - update baselibs for new soname - TODOs: * require python-pip, make ensurepip work with zypper ------------------------------------------------------------------- Wed Dec 4 13:21:26 UTC 2013 - matz@suse.de - add ppc64le (ELFv2) support for libffi copy for ctypes module - Adjust Python-3.3.0b2-multilib.patch for ppc64le (make sys.lib be "lib64"). - added patches: * libffi-ppc64le.diff ------------------------------------------------------------------- Tue Dec 3 09:51:43 UTC 2013 - adrian@suse.de - add ppc64le rules ------------------------------------------------------------------- Fri Nov 22 13:17:23 UTC 2013 - speilicke@suse.com - Add python-3.3.3-skip-distutils-test_sysconfig_module.patch: + Disable global and distutils sysconfig comparison test, we deviate from the default depending on optflags ------------------------------------------------------------------- Tue Nov 19 14:28:41 UTC 2013 - jmatejek@suse.com - update to 3.3.3 * bugfix-only release * many SSL-related fixes * upstream fix for CVE-2013-4238 * upstream fixes for CVE-2013-1752 - move example module xxlimited to python3-testsuite - remove --with-wide-unicode config option, it is now the default (and only) choice - don't touch anything between make and makeinstall - drop python-3.2b2-buildtime-generate.patch - the issue was caused by touching things between make and makeinstall - link pycache entries for import_failed hooks properly ------------------------------------------------------------------- Fri Aug 16 11:35:15 UTC 2013 - jmatejek@suse.com - handle NULL bytes in certain fields of SSL certificates (CVE-2013-4238, bnc#834601) ------------------------------------------------------------------- Thu Aug 8 14:54:49 UTC 2013 - dvaleev@suse.com - Exclue test_faulthandler from tests on powerpc due to bnc#831629 ------------------------------------------------------------------- Thu Jun 13 15:05:34 UTC 2013 - jmatejek@suse.com - update to 3.3.2 (bnc#709442) * bugfix-only release * fixes several regressions introduced in 3.3.1 - switch to xz compression - move _lzma module to python3-base - python-3.3.2-no-REUSEPORT.patch to fix build on kernels without SO_REUSEPORT ------------------------------------------------------------------- Mon Apr 29 22:32:43 UTC 2013 - schwab@suse.de - Readd missing bits from ctypes-libffi-aarch64.patch ------------------------------------------------------------------- Sat Apr 13 07:56:51 UTC 2013 - idonmez@suse.com - Update to version 3.3.1 * Fix the –enable-profiling configure switch. * In IDLE, close the replace dialog after it is used. - Too many bugfixes to list here, see See http://hg.python.org/cpython/file/v3.3.0/Misc/NEWS - Refresh Python-3.3.0b2-multilib.patch - Refresh python-3.2b2-buildtime-generate.patch - Drop upstream patches: ctypes-libffi-aarch64.patch, python-3.2.3rc2-pypirc-secure.patch, python-3.3.0-getdents64.patch ------------------------------------------------------------------- Fri Apr 5 12:59:20 UTC 2013 - idonmez@suse.com - Add Source URL, see https://en.opensuse.org/title=SourceUrls ------------------------------------------------------------------- Wed Apr 3 15:36:04 UTC 2013 - jmatejek@suse.com - remove spurious modification of python-3.3.0b1-localpath.patch that would force installation into /usr/local. this fixes bnc#809831 ------------------------------------------------------------------- Thu Mar 28 18:38:51 UTC 2013 - jmatejek@suse.com - replace broken movetogetdents64.diff patch with a correct one from upstream repo (python-3.3.0-getdents64.patch) ------------------------------------------------------------------- Fri Mar 1 07:42:21 UTC 2013 - dmueller@suse.com - add ctypes-libffi-aarch64.patch: * import aarch64 support for libffi in _ctypes module - add aarch64 to the list of lib64 based archs - add movetogetdents64.diff: * port to getdents64, as SYS_getdents is not implemented everywhere ------------------------------------------------------------------- Tue Feb 26 08:57:55 UTC 2013 - saschpe@suse.de - /etc/rpm/macros.python3 is no %config, it is not meant to be changed by users. - Add rpmlintrc with some obvious filters ------------------------------------------------------------------- Mon Jan 28 18:14:39 UTC 2013 - jmatejek@suse.com - update baselibs for new version of libpython3 ------------------------------------------------------------------- Thu Nov 29 17:02:37 UTC 2012 - jmatejek@suse.com - fix include path in macros (bnc#787526) - implement failed import handlers for modules that live in subpackages - e.g. "import ssl" will now throw a sensible error message telling you to install "python3" ------------------------------------------------------------------- Wed Nov 28 17:02:07 UTC 2012 - jmatejek@suse.com - merge python3-xml into python3 - merge python3-2to3 library into python3-base and the 2to3 binary into python3-devel (python3-devel is now in conflict with python-2to3, which will be dropped) - enable --with-system-expat for python3, making the xml modules (and thus python3) depend on expat - reconfigure tests to disable network and GUI resources, which the upstream apparently thought is a good idea to enable by default. this fixes build failures in Factory - add lzma-devel to build the _lzma module - moved %dynlib macro definition to common section ------------------------------------------------------------------- Mon Nov 5 20:01:46 UTC 2012 - coolo@suse.com - buildrequire timezone for the test suite ------------------------------------------------------------------- Mon Oct 29 18:21:45 UTC 2012 - dmueller@suse.com - disable more checks for qemu builds as they use syscalls not implemented yet ------------------------------------------------------------------- Thu Oct 25 08:14:36 UTC 2012 - Rene.vanPaassen@gmail.com - exclude test_math for SLE 11; math library fails on negative gamma function values close to integers and 0, probably due to imprecision in -lm on SLE_11_SP2. ------------------------------------------------------------------- Tue Oct 16 12:15:34 UTC 2012 - coolo@suse.com - buildrequire libbz2-devel explicitly ------------------------------------------------------------------- Mon Oct 8 14:33:08 UTC 2012 - jmatejek@suse.com - remove distutils.cfg (bnc#658604) * this changes default prefix for distutils to /usr * see ML for details: http://lists.opensuse.org/opensuse-packaging/2012-09/msg00254.html ------------------------------------------------------------------- Mon Oct 1 08:53:03 UTC 2012 - idonmez@suse.com - Update to final 3.3.0 release * See http://hg.python.org/cpython/file/v3.3.0/Misc/NEWS ------------------------------------------------------------------- Thu Sep 27 12:35:01 UTC 2012 - idonmez@suse.com - Correct dependency for python3-testsuite, python3-tkinter -> python3-tk ------------------------------------------------------------------- Thu Aug 23 13:08:11 UTC 2012 - jmatejek@suse.com - update to 3.3.0 RC1 ------------------------------------------------------------------- Fri Aug 3 12:09:34 UTC 2012 - jmatejek@suse.com - update to 3.3.0 beta 1 * flexible string representation, no longer distinguishing between wide and narrow Unicode builds * importlib-based import system * virtualenv support in core * namespace packages * explicit Unicode literals for easier porting * key-sharing dict implementation reduces memory footprint of OO code * hash randomization on by default * many other new bugfixes and features, check NEWS for details - pre_checkin.sh now autofills various version strings in specs - ship hashlib's fallback modules - those uselessly take up space when real _hashlib.so from python3 is present, but the space wasted is only 114kB and it provides python3-base with a working hashlib module. (also, this fixes bnc#743787) ------------------------------------------------------------------- Fri Jul 27 09:02:41 UTC 2012 - dvaleev@suse.com - skip test_io on ppc - drop test_io ppc patch ------------------------------------------------------------------- Thu Jun 28 07:57:58 UTC 2012 - saschpe@suse.de - Satisfy source_validator by uncommenting an otherwise unused "Patch" line ------------------------------------------------------------------- Fri May 18 11:50:27 UTC 2012 - idonmez@suse.com - update to 3.2.3 * No changes since rc2 ------------------------------------------------------------------- Thu Mar 29 15:44:33 UTC 2012 - jmatejek@suse.com - update to 3.2.3rc2 * fixes several security issues: * CVE-2012-0845, bnc#747125 * CVE-2012-1150, bnc#751718 * CVE-2011-4944, bnc#754447 * CVE-2011-3389, bnc#754677 - fix for insecure .pypirc (CVE-2011-4944, bnc#754447) - disable test_gdb because it is broken by our gdb ------------------------------------------------------------------- Thu Feb 16 12:33:12 UTC 2012 - dvaleev@suse.com - skip broken test_io test on ppc ------------------------------------------------------------------- Wed Jan 18 15:49:47 UTC 2012 - jmatejek@suse.com - update to 3.2.2 * bugfix-only release * reports "linux2" as sys.platform regardless of Linux kernel - added pre_checkin.sh to copy common spec sections to python3.spec - added PACKAGING-NOTES with some helpful info for packagers ------------------------------------------------------------------- Sun Dec 25 13:25:01 UTC 2011 - idonmez@suse.com - Use system ffi, included one is broken see http://bugs.python.org/issue11729 and http://bugs.python.org/issue12081 ------------------------------------------------------------------- Fri Dec 9 17:19:55 UTC 2011 - jmatejek@suse.com - license.opensuse.org-compatible license headers ------------------------------------------------------------------- Fri Dec 2 16:46:44 UTC 2011 - coolo@suse.com - add automake as buildrequire to avoid implicit dependency ------------------------------------------------------------------- Thu Nov 24 12:42:25 UTC 2011 - agraf@suse.com - fix ARM build (exclude some test cases which break for us) ------------------------------------------------------------------- Tue Aug 16 17:02:22 UTC 2011 - termim@gmail.com - use sysconfig module to get py3_incdir, py3_abiflags, py3_soflags, python3_sitelib and python3_sitearch ------------------------------------------------------------------- Mon Jul 18 16:22:31 UTC 2011 - jmatejek@novell.com - update to 3.2.1 * bugfix-only release, no major changes - fix build on linux3 platform - remove upstreamed pybench patch - install /usr/lib directories in all cases to prevent spurious "directory not owned" in dependent packages ------------------------------------------------------------------- Wed Jun 15 14:16:38 UTC 2011 - jmatejek@novell.com - replaced dynamic so version with manual so version, because autobuild does not support autogeneration ------------------------------------------------------------------- Tue May 24 13:39:06 UTC 2011 - jmatejek@novell.com - generate macros.python3 at compile-time with fixed values - don't include bogus values in pyconfig.h, as they can break third-party packages (bnc#673071) ------------------------------------------------------------------- Tue May 17 12:52:51 UTC 2011 - jmatejek@novell.com - added Obsoletes: python3 < 3.1 so that the transition from non-split to split packages goes smoothly ------------------------------------------------------------------- Fri May 13 12:38:19 UTC 2011 - jmatejek@novell.com - fixed RPM macros to use python3 instead of python - updated to build --with-wide-unicode (for compatibility with fedora and our own python 2.x series) ------------------------------------------------------------------- Thu Apr 21 03:39:25 UTC 2011 - termim@gmail.com - fix python3-base build failure due to pybench.py crash by python-3.2-pybench.patch - move pyconfig.h from python3-devel to python3-base package to make python3-base functional again ------------------------------------------------------------------- Wed Mar 23 04:26:28 UTC 2011 - termim@gmail.com - update to python 3.2 * stable ABI, ABI-tagged .so files * concurrent.futures and many other new or upgraded modules * PYC repository directories ( __pycache__ ) * python WSGI 1.0.1 * Unicode 6.0.0 support * a great number of bugfixes and assorted improvements ------------------------------------------------------------------- Tue Feb 8 19:42:17 CET 2011 - matejcik@suse.cz - update to python 3.2 RC2 - renamed python3-demo to python3-tools, because the demo part became much smaller than the tools part - added rpm macros ------------------------------------------------------------------- Tue Jan 18 14:13:04 UTC 2011 - jmatejek@novell.com - update to python 3.2 beta 2, see NEWS for details - split off -base package with less dependencies, and a shlib-policy compliant libpython3 package - mostly rewritten the spec file with more detailed comments - cleaned up lists of patches
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor