Revisions of python310
Ana Guerrero (anag+factory) accepted request 1161074 from Matej Cepl (mcepl) (revision 42)
- Add old-libexpat.patch making the test suite work with libexpat < 2.6.0 (gh#python/cpython#117187).
- Because of bsc#1189495 we have to revert use of %autopatch.
- Update 3.10.14:
  - gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0 to address CVE-2023-52425, and control of the new reparse deferral functionality was exposed with new APIs (bsc#1219559).
  - gh-109858: zipfile is now protected from the “quoted-overlap” zipbomb to address CVE-2024-0450. It now raises BadZipFile when attempting to read an entry that overlaps with another entry or central directory. (bsc#1221854)
  - gh-91133: tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when working around file system permission errors to address CVE-2023-6597 (bsc#1219666)
  - gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows
  - gh-81194: a crash in socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms was fixed
  - gh-113659: .pth files with names starting with a dot or containing the hidden file attribute are now skipped
  - gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer read out of bounds
  - gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads
- Remove upstreamed patches:
  - CVE-2023-6597-TempDir-cleaning-symlink.patch
  - libexpat260.patch
- Readjust patches:
  - F00251-change-user-install-location.patch
  - fix_configure_rst.patch
  - python-3.3.0b1-localpath.patch
  - skip-test_pyobject_freed_is_freed.patch
- Port to %autosetup and %autopatch.
Ana Guerrero (anag+factory) accepted request 1157645 from Factory Maintainer (factory-maintainer) (revision 41)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1153061 from Matej Cepl (mcepl) (revision 40)
- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory.
Ana Guerrero (anag+factory) accepted request 1152786 from Factory Maintainer (factory-maintainer) (revision 39)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1110597 from Factory Maintainer (factory-maintainer) (revision 37)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1102193 from Matej Cepl (mcepl) (revision 35)
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669.
Ana Guerrero (anag+factory) accepted request 1099501 from Matej Cepl (mcepl) (revision 34)
- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for stabilizing FLAG_REF usage (required for reproducibility; bsc#1213463).
- (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns an empty tuple to indicate the parsing error (old API).
Dominique Leuenberger (dimstar_suse) accepted request 1095863 from Matej Cepl (mcepl) (revision 33)
- Update to 3.10.12:
  - gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329 (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
  - gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details (fixing CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch
Dominique Leuenberger (dimstar_suse) accepted request 1094243 from Matej Cepl (mcepl) (revision 32)
- Add bpo-37596-make-set-marshalling.patch making marshalling of `set` and `frozenset` deterministic (bsc#1211765).
Dominique Leuenberger (dimstar_suse) accepted request 1086101 from Factory Maintainer (factory-maintainer) (revision 31)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1071070 from Matej Cepl (mcepl) (revision 30)
- Add invalid-json.patch fixing invalid JSON in Doc/howto/logging-cookbook.rst (somehow similar to gh#python/cpython#102582).
Dominique Leuenberger (dimstar_suse) accepted request 1068979 from Matej Cepl (mcepl) (revision 29)
- Update to 3.10.10: Bug fixes and regressions handling, no change of behaviour and no security bugs fixed.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) fixing a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters.
Dominique Leuenberger (dimstar_suse) accepted request 1066987 from Matej Cepl (mcepl) (revision 28)
- Add provides for readline and sqlite3 to the main Python package.
Dominique Leuenberger (dimstar_suse) accepted request 1041730 from Matej Cepl (mcepl) (revision 26)
- Update to 3.10.9:
  - python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler.log_message method to replace control characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).
  - On Linux the multiprocessing module returns to using filesystem backed unix domain sockets for communication with the forkserver process instead of the Linux abstract socket namespace. Only code that chooses to use the “forkserver” start method is affected. Abstract sockets have no permissions and could allow any user on the system in the same network namespace (often the whole system) to inject code into the multiprocessing forkserver process. This was a potential privilege escalation. Filesystem based socket permissions restrict this to the forkserver process user as was the default in
Dominique Leuenberger (dimstar_suse) accepted request 1034962 from Matej Cepl (mcepl) (revision 25)
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.
Dominique Leuenberger (dimstar_suse) accepted request 1033570 from Matej Cepl (mcepl) (revision 24)
- Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid CVE-2022-42919 (bsc#1204886) avoiding Linux specific local privilege escalation via the multiprocessing forkserver start method.
Displaying revisions 1 - 20 of 42