Revisions of python311

Ana Guerrero (anag+factory) accepted request 1171202 from Matej Cepl (mcepl) (revision 34)
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch
  so that it uses features sniffing, not just
  comparing version number. Include also
  support-expat-CVE-2022-25236-patched.patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
  failing tests.
- Refresh patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch
- Remove included patch:
  - support-expat-CVE-2022-25236-patched.patch
Ana Guerrero (anag+factory) accepted request 1169286 from Matej Cepl (mcepl) (revision 33)
Forwarded request #1169083 from dgarcia

- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with
    patched libexpat below 2.6.0 that doesn't update the version number,
    just in SLE.
Ana Guerrero (anag+factory) accepted request 1161081 from Matej Cepl (mcepl) (revision 32)
- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.

- Because of bsc#1189495 we have to revert use of %autopatch.

      other entry or central directory (bsc#1221854, CVE-2024-0450).
Ana Guerrero (anag+factory) accepted request 1157149 from Matej Cepl (mcepl) (revision 31)
- Rewrite %prep to use %autosetup et al. for compatibility with
  rpm 4.20.

- bsc#1221260 add bsc1221260-test_asyncio-ResourceWarning.patch
  to eliminate ResourceWarning which broke the test suite in
  test_asyncio.

- Use the system-wide crypto-policies [bsc#1211301]
  * Use the system default cipher list instead of hardcoded values
  * Add the --with-ssl-default-suites=openssl configure option
Dominique Leuenberger (dimstar_suse) accepted request 1153186 from Matej Cepl (mcepl) (revision 30)
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Remove double definition of /usr/bin/idle%%{version} in
  %%files. 
Ana Guerrero (anag+factory) accepted request 1146838 from Matej Cepl (mcepl) (revision 29)
Forwarded request #1146787 from dgarcia

- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
    with Expat 2.6.0, gh#python/cpython#115289
Ana Guerrero (anag+factory) accepted request 1136197 from Factory Maintainer (factory-maintainer) (revision 27)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1134084 from Matej Cepl (mcepl) (revision 26)
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.
Ana Guerrero (anag+factory) accepted request 1128112 from Factory Maintainer (factory-maintainer) (revision 25)
Automatic submission by obs-autosubmit
Ana Guerrero (anag+factory) accepted request 1113067 from Matej Cepl (mcepl) (revision 24)
      characters without truncating the path (bsc#1214693,
      CVE-2023-41105).
Ana Guerrero (anag+factory) accepted request 1109225 from Daniel Garcia (dgarcia) (revision 23)
- Update to 3.11.5 (bsc#1214692):
  - Security
    - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
      vulnerable to a bypass of the TLS handshake and included
      protections (like certificate verification) and treating sent
      unencrypted data as if it were post-handshake TLS encrypted data.
      Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
      Gregory P. Smith.
  - Core and Builtins
    - gh-104432: Fix potential unaligned memory access on C APIs
      involving returned sequences of char * pointers within the grp
      and socket modules. These were revealed using a
      -fsanitize=alignment build on ARM macOS. Patch by Christopher
      Chavez.
    - gh-77377: Ensure that multiprocessing synchronization objects
      created in a fork context are not sent to a different process
      created in a spawn context. This changes a segfault into an
      actionable RuntimeError in the parent process.
    - gh-106092: Fix a segmentation fault caused by a use-after-free
      bug in frame_dealloc when the trashcan delays the deallocation
      of a PyFrameObject.
    - gh-106719: No longer suppress arbitrary errors in the
      __annotations__ getter and setter in the type and module types.
    - gh-106723: Propagate frozen_modules to multiprocessing spawned
      process interpreters.
    - gh-105979: Fix crash in _imp.get_frozen_object() due to improper
      exception handling.
    - gh-105840: Fix possible crashes when specializing function calls
      with too many __defaults__.
    - gh-105588: Fix an issue that could result in crashes when
      compiling malformed ast nodes.
    - gh-105375: Fix bugs in the builtins module where exceptions
      could end up being overwritten.
    - gh-105375: Fix bug in the compiler where an exception could end
      up being overwritten.
    - gh-105375: Improve error handling in
      PyUnicode_BuildEncodingMap() where an exception could end up
      being overwritten.
    - gh-105235: Prevent out-of-bounds memory access during
      mmap.find() calls.
    - gh-101006: Improve error handling when reading marshal data.
  - Library
    - gh-105736: Harmonized the pure Python version of OrderedDict
      with the C version. Now, both versions set up their internal
      state in __new__. Formerly, the pure Python version did the set
      up in __init__.
    - gh-107963: Fix multiprocessing.set_forkserver_preload() to check
      the given list of modules names. Patch by Dong-hee Na.
    - gh-106242: Fixes os.path.normpath() to handle embedded null
      characters without truncating the path.
    - gh-107845: tarfile.data_filter() now takes the location of
      symlinks into account when determining their target, so it will
      no longer reject some valid tarballs with
      LinkOutsideDestinationError.
    - gh-107715: Fix doctest.DocTestFinder.find() in presence of class
      names with special characters. Patch by Gertjan van Zwieten.
    - gh-100814: Passing a callable object as an option value to a
      Tkinter image now raises the expected TclError instead of an
      AttributeError.
    - gh-106684: Close asyncio.StreamWriter when it is not closed by
      application leading to memory leaks. Patch by Kumar Aditya.
    - gh-107077: Seems that in some conditions, OpenSSL will return
      SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification
      verification has failed, but the error parameters will still
      contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are
      now detecting this situation and raising the appropriate
      ssl.SSLCertVerificationError. Patch by Pablo Galindo.
    - gh-107396: tarfiles; Fixed use before assignment of
      self.exception for gzip decompression
    - gh-62519: Make gettext.pgettext() search plural definitions when
      translation is not found.
    - gh-83006: Document behavior of shutil.disk_usage() for
      non-mounted filesystems on Unix.
    - gh-106186: Do not report MultipartInvariantViolationDefect
      defect when the email.parser.Parser class is used to parse
      emails with headersonly=True.
    - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION
      result in _ssl.c.
    - gh-106774: Update the bundled copy of pip to version 23.2.1.
    - gh-106752: Fixed several bugs in zipfile.Path in
      name/suffix/suffixes/stem operations when no filename is present
      and the Path is not at the root of the zipfile.
    - gh-106602: Add __copy__ and __deepcopy__ in enum
    - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused
      division by zero for certain almost-white inputs. Patch by Terry
      Jan Reedy.
    - gh-106052: re module: fix the matching of possessive quantifiers
      in the case of a subpattern containing backtracking.
    - gh-106510: Improve debug output for atomic groups in regular
      expressions.
    - gh-105497: Fix flag mask inversion when unnamed flags exist.
    - gh-90876: Prevent multiprocessing.spawn from failing to import
      in environments where sys.executable is None. This regressed in
      3.11 with the addition of support for path-like objects in
      multiprocessing.
    - gh-106350: Detect possible memory allocation failure in the
      libtommath function mp_init() used by the _tkinter module.
    - gh-102541: Make pydoc.doc catch bad module ImportError when
      output stream is not None.
    - gh-106263: Fix crash when calling repr with a manually
      constructed SignalDict object. Patch by Charlie Zhao.
    - gh-105375: Fix a bug in _Unpickler_SetInputStream() where an
      exception could end up being overwritten in case of failure.
    - gh-105375: Fix bugs in sys where exceptions could end up being
      overwritten because of deferred error handling.
    - gh-105605: Harden pyexpat error handling during module
      initialisation to prevent exceptions from possibly being
      overwritten, and objects from being dereferenced twice.
    - gh-105375: Fix bug in decimal where an exception could end up
      being overwritten.
    - gh-105375: Fix bugs in _datetime where exceptions could be
      overwritten in case of module initialisation failure.
    - gh-105375: Fix bugs in _ssl initialisation which could lead to
      leaked references and overwritten exceptions.
    - gh-105375: Fix a bug in array.array where an exception could end
      up being overwritten.
    - gh-105375: Fix bugs in _ctypes where exceptions could end up
      being overwritten.
    - gh-105375: Fix a bug in the posix module where an exception
      could be overwritten.
    - gh-105375: Fix bugs in _elementtree where exceptions could be
      overwritten.
    - gh-105375: Fix bugs in zoneinfo where exceptions could be
      overwritten.
    - gh-105375: Fix bugs in pickle where exceptions could be
      overwritten.
    - gh-105497: Fix flag inversion when alias/mask members exist.
    - gh-105375: Fix bugs in pickle where exceptions could be
      overwritten.
    - gh-103171: Revert undocumented behaviour change with
      runtime-checkable protocols decorated with typing.final() in
      Python 3.11. The behaviour change had meant that objects would
      not be considered instances of these protocols at runtime unless
      they had a __final__ attribute. Patch by Alex Waygood.
    - gh-105375: Fix a bug in sqlite3 where an exception could be
      overwritten in the collation callback.
    - gh-105332: Revert pickling method from by-name back to by-value.
    - gh-104554: Add RTSPS scheme support in urllib.parse
    - gh-100061: Fix a bug that causes wrong matches for regular
      expressions with possessive qualifier.
    - gh-102541: Hide traceback in help() prompt, when import failed.
    - gh-99203: Restore following CPython <= 3.10.5 behavior of
      shutil.make_archive(): do not create an empty archive if
      root_dir is not a directory, and, in that case, raise
      FileNotFoundError or NotADirectoryError regardless of format
      choice. Beyond the brought-back behavior, the function may now
      also raise these exceptions in dry_run mode.
    - gh-94777: Fix hanging multiprocessing ProcessPoolExecutor when a
      child process crashes while data is being written in the call
      queue.
    - bpo-18319: Ensure gettext(msg) retrieves translations even if a
      plural form exists. In other words: gettext(msg) ==
      ngettext(msg, '', 1).
  - Documentation
    - gh-107008: Document the curses module variables LINES and COLS.
    - gh-106948: Add a number of standard external names to
      nitpick_ignore.
    - gh-54738: Add documentation on how to localize the argparse
      module.
  - Tests
    - gh-105776: Fix test_cppext when the C compiler command has the -std=c11
      option: remove -std= options from the compiler command. Patch by
      Victor Stinner.
    - gh-107237: test_logging: Fix test_udp_reconnection() by
      increasing the timeout from 100 ms to 5 minutes (LONG_TIMEOUT).
      Patch by Victor Stinner.
    - gh-101634: When running the Python test suite with -jN option,
      if a worker stdout cannot be decoded from the locale encoding
      report a failed test so the exitcode is non-zero. Patch by
      Victor Stinner.
  - Build
    - gh-107814: When calling find_python.bat with -q it did not
      properly silence the output of nuget. That is now fixed.
    - gh-106881: Check for linux/limits.h before including it in
      Modules/posixmodule.c.
    - gh-104692: Include commoninstall as a prerequisite for
      bininstall
    - This ensures that commoninstall is completed before bininstall
      is started when parallel builds are used (make -j install), and
      so the python3 symlink is only installed after all standard
      library modules are installed.
    - gh-100340: Allows -Wno-int-conversion for wasm-sdk 17 and
      onwards, thus enables building WASI builds once against the
      latest sdk.
  - Windows
    - gh-106242: Fixes realpath() to behave consistently when passed a
      path containing an embedded null character on Windows. In strict
      mode, it now raises OSError instead of the unexpected
      ValueError, and in non-strict mode will make the path absolute.
    - gh-106844: Fix integer overflow in _winapi.LCMapStringEx() which
      affects ntpath.normcase().
    - gh-99079: Update Windows build to use OpenSSL 3.0.9
    - gh-105436: Ensure that an empty environment block is terminated
      by two null characters, as is required by Windows.
  - macOS
    - gh-107565: Update macOS installer to use OpenSSL 3.0.10.
    - gh-99079: Update macOS installer to use OpenSSL 3.0.9.
  - Tools/Demos
    - gh-107565: Update multissltests and GitHub CI workflows to use
      OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
    - gh-95065: Argument Clinic now supports overriding automatically
      generated signature by using directive @text_signature. See How
      to override the generated signature.
    - gh-106970: Fix bugs in the Argument Clinic destination <name>
      clear command; the destination buffers would never be cleared,
      and the destination directive parser would simply continue to
      the fault handler after processing the command. Patch by Erlend
      E. Aasland.
  - C API
    - gh-107916: C API functions PyErr_SetFromErrnoWithFilename(),
      PyErr_SetExcFromWindowsErrWithFilename() and
      PyErr_SetFromWindowsErrWithFilename() now save the error code
      before calling PyUnicode_DecodeFSDefault().
    - gh-107915: Such C API functions as PyErr_SetString(),
      PyErr_Format(), PyErr_SetFromErrnoWithFilename() and many others
      no longer crash or ignore errors if it failed to format the
      error message or decode the filename. Instead, they keep a
      corresponding error.
    - gh-107226: PyModule_AddObjectRef() is now only available in the
      limited API version 3.10 or later.
    - gh-105375: Fix a bug in PyErr_WarnExplicit() where an exception
      could end up being overwritten if the API failed internally.
    - gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only
      data: *consumed was not set.
Dominique Leuenberger (dimstar_suse) accepted request 1102237 from Matej Cepl (mcepl) (revision 21)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).
Fabian Vogt (favogt_factory) accepted request 1096536 from Matej Cepl (mcepl) (revision 20)
- Update to Python 3.11.4:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features that may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2007-4559-filter-tarfile_extractall.patch
Dominique Leuenberger (dimstar_suse) accepted request 1095626 from Matej Cepl (mcepl) (revision 19)
- Remove obsolete_python_versioned macro again. This mechanism
  has no business to be in Python 3.11, because we have abolished
  with it whole interpreter+setuptools+pip product. Python 3.11
  should not be replaced by later versions anymore.
Dominique Leuenberger (dimstar_suse) accepted request 1092590 from Factory Maintainer (factory-maintainer) (revision 18)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1084262 from Matej Cepl (mcepl) (revision 17)
- Why in the world we download from HTTP?
- Add 103213-fetch-CONFIG_ARGS.patch (gh#python/cpython#103053).
- Add skip_if_buildbot-extend.patch to avoid the bug altogether
  (extending what skip_if_buildbot covers).
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  bsc#1203750 (CVE-2007-4559) and implementing "PEP 706 – Filter
  for tarfile.extractall".
- Update to 3.11.3:
  - Security
    - gh-101727: Updated the OpenSSL version used in Windows
      and macOS binary release builds to 1.1.1t to address
      CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the
      OpenSSL 2023-02-07 security advisory.
  - Core and Builtins
    - gh-101975: Fixed stacktop value on tracing entries to avoid
      corruption on garbage collection.
    - gh-102701: Fix overflow when creating very large dict.
    - gh-102416: Do not memoize incorrectly automatically
      generated loop rules in the parser. Patch by Pablo Galindo.
    - gh-102356: Fix a bug that caused a crash when deallocating
      deeply nested filter objects. Patch by Marta Gómez Macías.
    - gh-102397: Fix segfault from race condition in signal
      handling during garbage collection. Patch by Kumar Aditya.
    - gh-102281: Fix potential nullptr dereference and use of
      uninitialized memory in fileutils. Patch by Max Bachmann.
    - gh-102126: Fix deadlock at shutdown when clearing thread
      states if any finalizer tries to acquire the runtime head
      lock. Patch by Kumar Aditya.
    - gh-102027: Fix SSE2 and SSE3 detection in _blake2 internal
      module. Patch by Max Bachmann.
    - gh-101967: Fix possible segfault in
      positional_only_passed_as_keyword function, when new list
      created.
    - gh-101765: Fix SystemError / segmentation fault in iter
      __reduce__ when internal access of builtins.__dict__ keys
      mutates the iter object.
    - gh-101696: Invalidate type version tag in
      _PyStaticType_Dealloc for static types, avoiding bug where
      a false cache hit could crash the interpreter. Patch by
      Kumar Aditya.
  - Library
    - gh-102549: Don’t ignore exceptions in member type creation.
    - gh-102947: Improve traceback when dataclasses.fields() is
      called on a non-dataclass. Patch by Alex Waygood
    - gh-102780: The asyncio.Timeout context manager now
      works reliably even when performing cleanup due to task
      cancellation. Previously it could raise a CancelledError
      instead of a TimeoutError in such cases.
    - gh-88965: typing: Fix a bug relating to substitution in
      custom classes generic over a ParamSpec. Previously, if
      the ParamSpec was substituted with a parameters list that
      itself contained a TypeVar, the TypeVar in the parameters
      list could not be subsequently substituted. This is now
      fixed. Patch by Nikita Sobolev.
    - gh-101979: Fix a bug where parentheses in the metavar
      argument to argparse.ArgumentParser.add_argument() were
      dropped. Patch by Yeojin Kim.
    - gh-102179: Fix os.dup2() error message for negative fds.
    - gh-101961: For the binary mode, fileinput.hookcompressed()
      doesn’t set the encoding value even if the value is
      None. Patch by Gihwan Kim.
    - gh-101936: The default value of fp becomes io.BytesIO
      if HTTPError is initialized without a designated fp
      parameter. Patch by Long Vo.
    - gh-102069: Fix __weakref__ descriptor generation for custom
      dataclasses.
    - gh-101566: In zipfile, apply fix for extractall on the
      underlying zipfile after being wrapped in Path.
    - gh-101892: Callable iterators no longer raise SystemError
      when the callable object exhausts the iterator but forgets
      to either return a sentinel value or raise StopIteration.
    - gh-97786: Fix potential undefined behaviour in corner cases
      of floating-point-to-time conversions.
    - gh-101517: Fixed bug where bdb looks up the source line
      with linecache with a lineno=None, which causes it to fail
      with an unhandled exception.
    - gh-101673: Fix a pdb bug where ll clears the changes to
      local variables.
    - gh-96931: Fix incorrect results from
      ssl.SSLSocket.shared_ciphers()
    - gh-88233: Correctly preserve “extra” fields in zipfile
      regardless of their ordering relative to a zip64 “extra.”
    - gh-96127: inspect.signature was raising TypeError on
      call with mock objects. Now it correctly returns (*args,
      **kwargs) as inferred signature.
    - gh-95495: When built against OpenSSL 3.0, the ssl module
      had a bug where it reported unauthenticated EOFs (i.e.
      without close_notify) as a clean TLS-level EOF. It now
      raises SSLEOFError, matching the behavior in previous
      versions of OpenSSL. The options attribute on SSLContext
      also no longer includes OP_IGNORE_UNEXPECTED_EOF by
      default. This option may be set to specify the previous
      OpenSSL 3.0 behavior.
    - gh-94440: Fix a concurrent.futures.process bug where
      ProcessPoolExecutor shutdown could hang after a future has
      been quickly submitted and canceled.
  - Documentation
    - gh-103112: Add docstring to http.client.HTTPResponse.read()
      to fix pydoc output.
    - gh-85417: Update cmath documentation to clarify behaviour
      on branch cuts.
    - gh-97725: Fix asyncio.Task.print_stack() description for
      file=None. Patch by Oleg Iarygin.
  - Tests
    - gh-102980: Improve test coverage on pdb.
    - gh-102537: Adjust the error handling strategy in
      test_zoneinfo.TzPathTest.python_tzpath_context. Patch by
      Paul Ganssle.
    - gh-89792: test_tools now copies up to 10x less source data
      to a temporary directory during the freeze test by ignoring
      git metadata and other artifacts. It also limits its python
      build parallelism based on os.cpu_count instead of hard
      coding it as 8 cores.
    - gh-101377: Improved test_locale_calendar_formatweekday of
      calendar.
  - Build
    - gh-102711: Fix -Wstrict-prototypes compiler warnings.
Dominique Leuenberger (dimstar_suse) accepted request 1069317 from Matej Cepl (mcepl) (revision 16)
- Update to 3.11.2:
  Bug fixes, no changes in API and no security bugs.
- Add python310 Obsoletes line to obsolete_python_versioned macro.
Dominique Leuenberger (dimstar_suse) accepted request 1067032 from Matej Cepl (mcepl) (revision 15)
- Add provides for readline and sqlite3 to the main Python
  package.
Displaying revisions 1 - 20 of 34