Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python38 for openSUSE:Factory 
checked in at 2022-09-17 20:08:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python38 (Old)
 and      /work/SRC/openSUSE:Factory/.python38.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python38"

Sat Sep 17 20:08:05 2022 rev:26 rq:1002501 version:3.8.14

Changes:
--------
--- /work/SRC/openSUSE:Factory/python38/python38.changes        2022-09-03 
23:18:37.531744428 +0200
+++ /work/SRC/openSUSE:Factory/.python38.new.2083/python38.changes      
2022-09-17 20:08:06.912771798 +0200
@@ -1,0 +2,48 @@
+Sun Sep 11 09:07:38 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.8.14:
+  - (CVE-2020-10735, bsc#1203125). Converting between int
+    and str in bases other than 2 (binary), 4, 8 (octal), 16
+    (hexadecimal), or 32 such as base 10 (decimal) now raises a
+    ValueError if the number of digits in string form is above a
+    limit to avoid potential denial of service attacks due to the
+    algorithmic complexity.
+    This new limit can be configured or disabled by environment
+    variable, command line flag, or sys APIs. See the integer
+    string conversion length limitation documentation. The
+    default limit is 4300 digits in string form.
+  - (CVE-2021-28861, bsc#1202624) http.server: Fix an open
+    redirection vulnerability in the HTTP server when an URI path
+    starts with //. Vulnerability discovered, and initial fix
+    proposed, by Hamza Avvan.
+  - Also other bugfixes:
+    - Fix contextvars HAMT implementation to handle iteration
+      over deep trees. The bug was discovered and fixed by Eli
+      Libman. See MagicStack/immutables#84 for more details.
+    - Fix ensurepip environment isolation for subprocess running
+      pip.
+    - Raise ProgrammingError instead of segfaulting on recursive
+      usage of cursors in sqlite3 converters. Patch by Sergey
+      Fedoseev.
+    - Add a new gh role to the documentation to link to GitHub
+      issues.
+    - Pin Jinja to a version compatible with Sphinx version
+      2.4.4.
+    - test_ssl is now checking for supported TLS version and
+      protocols in more tests.
+    - Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
+      0xMNN00PP0L.
+- Removed upstreamed patches:
+  - CVE-2021-28861-double-slash-path.patch
+- Readjusted patches:
+  - bpo-31046_ensurepip_honours_prefix.patch
+  - sphinx-update-removed-function.patch
+
+-------------------------------------------------------------------
+Sat Sep  3 02:20:54 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- (bsc#1196784, CVE-2022-25236) Add patch
+  support-expat-CVE-2022-25236-patched.patch to allow working
+  with different versions of libexpat.
+
+-------------------------------------------------------------------

Old:
----
  CVE-2021-28861-double-slash-path.patch
  Python-3.8.13.tar.xz
  Python-3.8.13.tar.xz.asc

New:
----
  Python-3.8.14.tar.xz
  Python-3.8.14.tar.xz.asc
  support-expat-CVE-2022-25236-patched.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python38.spec ++++++
--- /var/tmp/diff_new_pack.luQtb2/_old  2022-09-17 20:08:08.372776010 +0200
+++ /var/tmp/diff_new_pack.luQtb2/_new  2022-09-17 20:08:08.376776022 +0200
@@ -92,7 +92,7 @@
 %define dynlib() 
%{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.8.13
+Version:        3.8.14
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -108,7 +108,8 @@
 Source11:       skipped_tests.py
 Source19:       idle3.desktop
 Source20:       idle3.appdata.xml
-Source99:       https://www.python.org/static/files/pubkeys.txt#/python.keyring
+# Used to be https://www.python.org/static/files/pubkeys.txt#/python.keyring
+Source99:       python.keyring
 # The following files are not used in the build.
 # They are listed here to work around missing functionality in rpmbuild,
 # which would otherwise exclude them from distributed src.rpm files.
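Review bot: The comment added above `Source99` records the old URL but not why it was dropped, nor how the local `python.keyring` should be refreshed and checked. This is presumably the keyring that `Python-3.8.14.tar.xz.asc` is verified against, and its 12207-line diff is skipped in this mail, so the change to the trust anchor cannot be reviewed from here. I would extend the comment to something like `# Local copy of https://www.python.org/static/files/pubkeys.txt; must contain the 3.8 release manager key, fingerprint <FINGERPRINT_PLACEHOLDER>`. That tells the next updater what to verify before replacing the file.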
@@ -167,9 +168,9 @@
 # PATCH-FIX-UPSTREAM bpo34990-2038-problem-compileall.patch 
gh#python/cpython#79171 mc...@suse.com
 # Make compileall.py compatible with year 2038
 Patch34:        bpo34990-2038-problem-compileall.patch
-# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94094
-# Coerce // to / in Lib/http/server.py
-Patch35:        CVE-2021-28861-double-slash-path.patch
+# PATCH-FIX-UPSTREAM gh#python/cpython#90967 gh#python/cpython#93900  
mc...@suse.com
+# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
+Patch36:        support-expat-CVE-2022-25236-patched.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
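Review bot: The header for `Patch36` carries two cpython issue numbers but neither of the ids the changelog entry uses (bsc#1196784, CVE-2022-25236), so a search of the spec for the bug number finds nothing and the CVE appears only in the NOTE line. The patch body also differs from the upstream commit it quotes: it drops the `pyexpat.version_info` switch and accepts either exception type, which makes it a distribution adaptation rather than a straight backport. If the project's tag conventions allow it, I would write the first line as `# PATCH-FIX-OPENSUSE support-expat-CVE-2022-25236-patched.patch bsc#1196784 CVE-2022-25236 gh#python/cpython#90967 gh#python/cpython#93900`. The NOTE could then read `# NOTE: SUSE's expat 2.4.4 already carries the CVE-2022-25236 fix`.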
@@ -435,7 +436,7 @@
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
-%patch35 -p1
+%patch36 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ Python-3.8.13.tar.xz -> Python-3.8.14.tar.xz ++++++
/work/SRC/openSUSE:Factory/python38/Python-3.8.13.tar.xz 
/work/SRC/openSUSE:Factory/.python38.new.2083/Python-3.8.14.tar.xz differ: char 
25, line 1

++++++ bpo-31046_ensurepip_honours_prefix.patch ++++++
--- /var/tmp/diff_new_pack.luQtb2/_old  2022-09-17 20:08:08.576776599 +0200
+++ /var/tmp/diff_new_pack.luQtb2/_new  2022-09-17 20:08:08.580776610 +0200
@@ -55,7 +55,7 @@
     .. note::
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
-@@ -50,27 +50,27 @@ def _disable_pip_configuration_settings(
+@@ -55,27 +55,27 @@ def _disable_pip_configuration_settings(
      os.environ['PIP_CONFIG_FILE'] = os.devnull
  
  
@@ -88,7 +88,7 @@
  
      Note that calling this function will alter both sys.path and os.environ.
      """
-@@ -113,6 +113,8 @@ def _bootstrap(*, root=None, upgrade=Fal
+@@ -118,6 +118,8 @@ def _bootstrap(*, root=None, upgrade=Fal
          args = ["install", "--no-cache-dir", "--no-index", "--find-links", 
tmpdir]
          if root:
              args += ["--root", root]
@@ -97,7 +97,7 @@
          if upgrade:
              args += ["--upgrade"]
          if user:
-@@ -185,6 +187,11 @@ def _main(argv=None):
+@@ -190,6 +192,11 @@ def _main(argv=None):
          help="Install everything relative to this alternate root directory.",
      )
      parser.add_argument(
@@ -109,7 +109,7 @@
          "--altinstall",
          action="store_true",
          default=False,
-@@ -203,6 +210,7 @@ def _main(argv=None):
+@@ -208,6 +215,7 @@ def _main(argv=None):
  
      return _bootstrap(
          root=args.root,

++++++ python.keyring ++++++
++++ 12207 lines (skipped)
++++ between python.keyring
++++ and /work/SRC/openSUSE:Factory/.python38.new.2083/python.keyring

++++++ sphinx-update-removed-function.patch ++++++
--- /var/tmp/diff_new_pack.luQtb2/_old  2022-09-17 20:08:08.716777003 +0200
+++ /var/tmp/diff_new_pack.luQtb2/_new  2022-09-17 20:08:08.720777014 +0200
@@ -5,12 +5,12 @@
  (GH-13236)
 
 ---
- Doc/tools/extensions/pyspecific.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ Doc/tools/extensions/pyspecific.py |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
 
 --- a/Doc/tools/extensions/pyspecific.py
 +++ b/Doc/tools/extensions/pyspecific.py
-@@ -361,7 +361,12 @@ class DeprecatedRemoved(Directive):
+@@ -384,7 +384,12 @@ class DeprecatedRemoved(Directive):
                                     translatable=False)
              node.append(para)
          env = self.state.document.settings.env

++++++ support-expat-CVE-2022-25236-patched.patch ++++++
>From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-isling...@users.noreply.github.com>
Date: Mon, 21 Feb 2022 08:16:09 -0800
Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
 (GH-31472)

Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them as invalid URIs.

libexpat >=2.4.5 has become stricter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.

References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/

Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)

Co-authored-by: Sebastian Pipping <sebast...@pipping.org>
---
 Lib/test/test_minidom.py |   25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)
 create mode 100644 
Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst

--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -1149,14 +1149,12 @@ class MinidomTest(unittest.TestCase):
 
         # Verify that character decoding errors raise exceptions instead
         # of crashing
-        if pyexpat.version_info >= (2, 4, 5):
-            self.assertRaises(ExpatError, parseString,
-                    b'<fran\xe7ais></fran\xe7ais>')
-            self.assertRaises(ExpatError, parseString,
-                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
-        else:
-            self.assertRaises(UnicodeDecodeError, parseString,
-                b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien 
?</fran\xe7ais>')
+        # It doesn???t make any sense to insist on the exact text of the
+        # error message, or even the exact Exception ??? it is enough that
+        # the error has been discovered.
+        with self.assertRaises((UnicodeDecodeError, ExpatError)):
+            parseString(
+                 b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien 
?</fran\xe7ais>')
 
         doc.unlink()
 
@@ -1601,13 +1599,12 @@ class MinidomTest(unittest.TestCase):
         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
 
     def testExceptionOnSpacesInXMLNSValue(self):
-        if pyexpat.version_info >= (2, 4, 5):
-            context = self.assertRaisesRegex(ExpatError, 'syntax error')
-        else:
-            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
+        # It doesn???t make any sense to insist on the exact text of the
+        # error message, or even the exact Exception ??? it is enough that
+        # the error has been discovered.
+        with self.assertRaises((ExpatError, ValueError)):
+             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j 
k"><abc:foo /></element>')
 
-        with context:
-            parseString('<element xmlns:abc="http:abc.com/de f g/hi/j 
k"><abc:foo /></element>')
 
     def testDocRemoveChild(self):
         doc = parse(tstfile)
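Review bot: `assertRaises((ExpatError, ValueError))` in testExceptionOnSpacesInXMLNSValue passes on any ValueError, including subclasses such as UnicodeDecodeError, so a failure unrelated to the namespace URI would still satisfy the test. The removed code pinned the message for each case, and both can be kept without a version check: `with self.assertRaisesRegex((ExpatError, ValueError), 'syntax error|Unsupported syntax'):`. The `parseString` line under the `with` is indented 13 spaces rather than 12, and the hunk leaves two blank lines before `testDocRemoveChild`. The body of testDocRemoveChild continues outside the hunk.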
