Revisions of python38
Ana Guerrero (anag+factory)
accepted
request 1161073
from
Matej Cepl (mcepl)
(revision 47)
- Add old-libexpat.patch making the test suite work with libexpat < 2.6.0 (gh#python/cpython#117187).
Ana Guerrero (anag+factory)
accepted
request 1160582
from
Matej Cepl (mcepl)
(revision 46)
- Update to 3.8.19: - Security - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425, bsc#1219559) by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush() - gh-115399: Update bundled libexpat to 2.6.0 - gh-113659: Skip .pth files with names starting with a dot or hidden file attribute. - Core and Builtins - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs read out of bounds - Library - gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows. - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. - gh-81194: Fix a crash in socket.if_indextoname() with specific value (UINT_MAX). Fix an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms. - gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when try to read an entry that overlaps with other entry or central directory (CVE-2024-0450, bsc#1221854). - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but
Ana Guerrero (anag+factory)
accepted
request 1157647
from
Factory Maintainer (factory-maintainer)
(revision 45)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1153058
from
Matej Cepl (mcepl)
(revision 44)
- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory.
Ana Guerrero (anag+factory)
accepted
request 1152788
from
Factory Maintainer (factory-maintainer)
(revision 43)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory)
accepted
request 1143660
from
Matej Cepl (mcepl)
(revision 41)
- Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). - Thus we can remove Revert-gh105127-left-tests.patch, which is now useless.
Ana Guerrero (anag+factory)
accepted
request 1109196
from
Daniel Garcia (dgarcia)
(revision 40)
- Update to 3.8.18 (bsc#1214692): - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. - gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
Dominique Leuenberger (dimstar_suse)
accepted
request 1102235
from
Matej Cepl (mcepl)
(revision 39)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED! - Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). (The patch is faulty, gh#python/cpython#106669, but upstream decided not to just revert it).
Dominique Leuenberger (dimstar_suse)
accepted
request 1095964
from
Matej Cepl (mcepl)
(revision 38)
- Update to 3.8.17: - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471). - gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750). - Remove upstreamed patches: - CVE-2023-24329-blank-URL-bypass.patch - CVE-2007-4559-filter-tarfile_extractall.patch
Dominique Leuenberger (dimstar_suse)
accepted
request 1090625
from
Matej Cepl (mcepl)
(revision 37)
- Add 99366-patch.dict-can-decorate-async.patch fixing gh#python/cpython#98086 (backport from Python 3.10 patch in gh#python/cpython!99366), fixing bsc#1211158. - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706).
Dominique Leuenberger (dimstar_suse)
accepted
request 1080040
from
Steve Kowalik (StevenK)
(revision 36)
- Use python3 modules to build the documentation.
Dominique Leuenberger (dimstar_suse)
accepted
request 1068563
from
Matej Cepl (mcepl)
(revision 35)
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters
Dominique Leuenberger (dimstar_suse)
accepted
request 1067029
from
Matej Cepl (mcepl)
(revision 34)
- Add provides for readline and sqlite3 to the main Python package.
Dominique Leuenberger (dimstar_suse)
accepted
request 1041645
from
Matej Cepl (mcepl)
(revision 31)
- Update to 3.8.16: - python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. - Avoid publishing list of active per-interpreter audit hooks via the gc module - The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name (CVE-2022-45061). - Update bundled libexpat to 2.5.0 - Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). - The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). - Removed upstream patches: - CVE-2022-37454-sha3-buffer-overflow.patch - CVE-2022-45061-DoS-by-IDNA-decode.patch
Dominique Leuenberger (dimstar_suse)
accepted
request 1034964
from
Matej Cepl (mcepl)
(revision 30)
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.
Dominique Leuenberger (dimstar_suse)
accepted
request 1032060
from
Matej Cepl (mcepl)
(revision 29)
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer overflow in hashlib.sha3_* implementations (originally from the XKCP library).
Displaying revisions 1 - 20 of 47