Overview Repositories Revisions Requests Users Attributes Meta

Revisions of python38

Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1161073 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 47) 
- Add old-libexpat.patch making the test suite work with
  libexpat < 2.6.0 (gh#python/cpython#117187).
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1160582 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 46) 
- Update to 3.8.19:
  - Security
    - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
      (CVE-2023-52425, bsc#1219559) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-113659: Skip .pth files with names starting with a dot
      or hidden file attribute.
  - Core and Builtins
    - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
      codecs read out of bounds
  - Library
    - gh-115197: urllib.request no longer resolves the hostname
      before checking it against the system’s proxy bypass list
      on macOS and Windows.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-81194: Fix a crash in socket.if_indextoname() with
      specific value (UINT_MAX). Fix an integer overflow in
      socket.if_indextoname() on 64-bit non-Windows platforms.
    - gh-109858: Protect zipfile from “quoted-overlap”
      zipbomb. It now raises BadZipFile when try to read an entry
      that overlaps with other entry or central directory
      (CVE-2024-0450, bsc#1221854).
    - gh-107077: Seems that in some conditions, OpenSSL will
      return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
      when a certification verification has failed, but
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1157647 from Factory Maintainer's avatar Factory Maintainer (factory-maintainer) (revision 45) 
Automatic submission by obs-autosubmit
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1153058 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 44) 
- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1152788 from Factory Maintainer's avatar Factory Maintainer (factory-maintainer) (revision 43) 
Automatic submission by obs-autosubmit
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1143660 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 41) 
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
  now useless.
Ana Guerrero's avatar Ana Guerrero (anag+factory) accepted request 1109196 from Daniel Garcia's avatar Daniel Garcia (dgarcia) (revision 40) 
- Update to 3.8.18 (bsc#1214692):
  - gh-108310: Fixed an issue where instances of ssl.SSLSocket were
    vulnerable to a bypass of the TLS handshake and included
    protections (like certificate verification) and treating sent
    unencrypted data as if it were post-handshake TLS encrypted data.
    Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
    Gregory P. Smith.
  - gh-107845: tarfile.data_filter() now takes the location of
    symlinks into account when determining their target, so it will no
    longer reject some valid tarballs with
    LinkOutsideDestinationError.
  - gh-107565: Update multissltests and GitHub CI workflows to use
    OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1102235 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 39) 
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
  partially reverting CVE-2023-27043-email-parsing-errors.patch,
  because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
  CVE-2023-27043-email-parsing-errors.patch, which detects email
  address parsing errors and returns empty tuple to indicate the
  parsing error (old API). (The patch is faulty,
  gh#python/cpython#106669, but upstream decided not to just
  revert it).
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1095964 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 38) 
- Update to 3.8.17:
  - gh-103142: The version of OpenSSL used in Windows and
    Mac installers has been upgraded to 1.1.1u to address
    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
    fixed previously in 1.1.1t (gh-101727).
  - gh-102153: urllib.parse.urlsplit() now strips leading C0
    control and space characters following the specification for
    URLs defined by WHATWG in response to CVE-2023-24329
    (bsc#1208471).
  - gh-99889: Fixed a security in flaw in uu.decode() that could
    allow for directory traversal based on the input if no
    out_file was specified.
  - gh-104049: Do not expose the local on-disk
    location in directory indexes produced by
    http.client.SimpleHTTPRequestHandler.
  - gh-103935: trace.__main__ now uses io.open_code() for files
    to be executed instead of raw open().
  - gh-102953: The extraction methods in tarfile, and
    shutil.unpack_archive(), have a new filter argument that
    allows limiting tar features than may be surprising or
    dangerous, such as creating files outside the destination
    directory. See Extraction filters for details (fixing
    CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
  - CVE-2023-24329-blank-URL-bypass.patch
  - CVE-2007-4559-filter-tarfile_extractall.patch
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1090625 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 37) 
- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1080040 from Steve Kowalik's avatar Steve Kowalik (StevenK) (revision 36) 
- Use python3 modules to build the documentation.
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1068563 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 35) 
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1067029 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 34) 
- Add provides for readline and sqlite3 to the main Python
  package.
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1041645 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 31) 
- Update to 3.8.16:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a
    name (CVE-2022-45061).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - The deprecated mailcap module now refuses to inject
    unsafe text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
- Removed upstream patches:
  - CVE-2022-37454-sha3-buffer-overflow.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1034964 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 30) 
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 1032060 from Matej Cepl's avatar Matej Cepl (mcepl) (revision 29) 
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
  bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
  overflow in hashlib.sha3_* implementations (originally from the
  XKCP library).
Displaying revisions 1 - 20 of 47
openSUSE Build Service is sponsored by
Places