Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python38 for openSUSE:Factory checked in at 2022-09-17 20:08:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python38 (Old) and /work/SRC/openSUSE:Factory/.python38.new.2083 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python38" Sat Sep 17 20:08:05 2022 rev:26 rq:1002501 version:3.8.14 Changes: -------- --- /work/SRC/openSUSE:Factory/python38/python38.changes 2022-09-03 23:18:37.531744428 +0200 +++ /work/SRC/openSUSE:Factory/.python38.new.2083/python38.changes 2022-09-17 20:08:06.912771798 +0200 
@@ -1,0 +2,48 @@ +Sun Sep 11 09:07:38 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Update to 3.8.14: + - (CVE-2020-10735, bsc#1203125). Converting between int + and str in bases other than 2 (binary), 4, 8 (octal), 16 + (hexadecimal), or 32 such as base 10 (decimal) now raises a + ValueError if the number of digits in string form is above a + limit to avoid potential denial of service attacks due to the + algorithmic complexity. + This new limit can be configured or disabled by environment + variable, command line flag, or sys APIs. See the integer + string conversion length limitation documentation. The + default limit is 4300 digits in string form. + - (CVE-2021-28861, bsc#1202624) http.server: Fix an open + redirection vulnerability in the HTTP server when an URI path + starts with //. Vulnerability discovered, and initial fix + proposed, by Hamza Avvan. + - Also other bugfixes: + - Fix contextvars HAMT implementation to handle iteration + over deep trees. The bug was discovered and fixed by Eli + Libman. See MagicStack/immutables#84 for more details. + - Fix ensurepip environment isolation for subprocess running + pip. + - Raise ProgrammingError instead of segfaulting on recursive + usage of cursors in sqlite3 converters. Patch by Sergey + Fedoseev. + - Add a new gh role to the documentation to link to GitHub + issues. + - Pin Jinja to a version compatible with Sphinx version + 2.4.4. + - test_ssl is now checking for supported TLS version and + protocols in more tests. + - Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses + 0xMNN00PP0L. 
+- Removed upstreamed patches: + - CVE-2021-28861-double-slash-path.patch +- Readjusted patches: + - bpo-31046_ensurepip_honours_prefix.patch + - sphinx-update-removed-function.patch + +------------------------------------------------------------------- +Sat Sep 3 02:20:54 UTC 2022 - Matej Cepl <mc...@suse.com> + +- (bsc#1196784, CVE-2022-25236) Add patch + support-expat-CVE-2022-25236-patched.patch to allow working + with different versions of libexpat. + +------------------------------------------------------------------- Old: ---- CVE-2021-28861-double-slash-path.patch Python-3.8.13.tar.xz Python-3.8.13.tar.xz.asc New: ---- Python-3.8.14.tar.xz Python-3.8.14.tar.xz.asc support-expat-CVE-2022-25236-patched.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python38.spec ++++++ --- /var/tmp/diff_new_pack.luQtb2/_old 2022-09-17 20:08:08.372776010 +0200 +++ /var/tmp/diff_new_pack.luQtb2/_new 2022-09-17 20:08:08.376776022 +0200 @@ -92,7 +92,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.8.13 +Version: 3.8.14 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -108,7 +108,8 @@ Source11: skipped_tests.py Source19: idle3.desktop Source20: idle3.appdata.xml -Source99: https://www.python.org/static/files/pubkeys.txt#/python.keyring +# Used to be https://www.python.org/static/files/pubkeys.txt#/python.keyring +Source99: python.keyring # The following files are not used in the build. # They are listed here to work around missing functionality in rpmbuild, # which would otherwise exclude them from distributed src.rpm files. 
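Review bot: The new `Source99: python.keyring` line replaces the python.org pubkeys URL with a file checked into the package, so the trust anchor for verifying `Python-3.8.14.tar.xz.asc` is now whatever that local file happens to contain, and the matching keyring change appears in this request only as "12207 lines (skipped)", which no reviewer can audit from here. The comment above it records where the file used to come from but not what it must hold or how to refresh it; I would replace `# Used to be https://www.python.org/static/files/pubkeys.txt#/python.keyring` with `# Keyring used to verify the Source .asc signature. Refresh from https://www.python.org/static/files/pubkeys.txt and record the release manager's key fingerprint in the changelog whenever it changes.` The %prep/gpg step that presumably consumes Source99 is outside this hunk, so I cannot tell whether signature verification is enforced or only advisory.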
@@ -167,9 +168,9 @@ # PATCH-FIX-UPSTREAM bpo34990-2038-problem-compileall.patch gh#python/cpython#79171 mc...@suse.com # Make compileall.py compatible with year 2038 Patch34: bpo34990-2038-problem-compileall.patch -# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94094 -# Coerce // to / in Lib/http/server.py -Patch35: CVE-2021-28861-double-slash-path.patch +# PATCH-FIX-UPSTREAM gh#python/cpython#90967 gh#python/cpython#93900 mc...@suse.com +# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236 +Patch36: support-expat-CVE-2022-25236-patched.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -435,7 +436,7 @@ %patch32 -p1 %patch33 -p1 %patch34 -p1 -%patch35 -p1 +%patch36 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ Python-3.8.13.tar.xz -> Python-3.8.14.tar.xz ++++++ /work/SRC/openSUSE:Factory/python38/Python-3.8.13.tar.xz /work/SRC/openSUSE:Factory/.python38.new.2083/Python-3.8.14.tar.xz differ: char 25, line 1 ++++++ bpo-31046_ensurepip_honours_prefix.patch ++++++ --- /var/tmp/diff_new_pack.luQtb2/_old 2022-09-17 20:08:08.576776599 +0200 +++ /var/tmp/diff_new_pack.luQtb2/_new 2022-09-17 20:08:08.580776610 +0200 @@ -55,7 +55,7 @@ .. note:: --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py -@@ -50,27 +50,27 @@ def _disable_pip_configuration_settings( +@@ -55,27 +55,27 @@ def _disable_pip_configuration_settings( os.environ['PIP_CONFIG_FILE'] = os.devnull @@ -88,7 +88,7 @@ Note that calling this function will alter both sys.path and os.environ. """ -@@ -113,6 +113,8 @@ def _bootstrap(*, root=None, upgrade=Fal +@@ -118,6 +118,8 @@ def _bootstrap(*, root=None, upgrade=Fal args = ["install", "--no-cache-dir", "--no-index", "--find-links", tmpdir] if root: args += ["--root", root] 
@@ -97,7 +97,7 @@ if upgrade: args += ["--upgrade"] if user: -@@ -185,6 +187,11 @@ def _main(argv=None): +@@ -190,6 +192,11 @@ def _main(argv=None): help="Install everything relative to this alternate root directory.", ) parser.add_argument( @@ -109,7 +109,7 @@ "--altinstall", action="store_true", default=False, -@@ -203,6 +210,7 @@ def _main(argv=None): +@@ -208,6 +215,7 @@ def _main(argv=None): return _bootstrap( root=args.root, ++++++ python.keyring ++++++ ++++ 12207 lines (skipped) ++++ between python.keyring ++++ and /work/SRC/openSUSE:Factory/.python38.new.2083/python.keyring ++++++ sphinx-update-removed-function.patch ++++++ --- /var/tmp/diff_new_pack.luQtb2/_old 2022-09-17 20:08:08.716777003 +0200 +++ /var/tmp/diff_new_pack.luQtb2/_new 2022-09-17 20:08:08.720777014 +0200 @@ -5,12 +5,12 @@ (GH-13236) --- - Doc/tools/extensions/pyspecific.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + Doc/tools/extensions/pyspecific.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) --- a/Doc/tools/extensions/pyspecific.py +++ b/Doc/tools/extensions/pyspecific.py -@@ -361,7 +361,12 @@ class DeprecatedRemoved(Directive): +@@ -384,7 +384,12 @@ class DeprecatedRemoved(Directive): translatable=False) node.append(para) env = self.state.document.settings.env ++++++ support-expat-CVE-2022-25236-patched.patch ++++++ >From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001 
From: "Miss Islington (bot)" <31488909+miss-isling...@users.noreply.github.com> Date: Mon, 21 Feb 2022 08:16:09 -0800 Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31472) Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them as invalid URIs. libexpat >=2.4.5 has become stricter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython. References: - https://datatracker.ietf.org/doc/html/rfc3986 - https://www.w3.org/TR/xml-names/ Also, test_minidom.py: Support Expat >=2.4.5 (cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) Co-authored-by: Sebastian Pipping <sebast...@pipping.org> --- Lib/test/test_minidom.py | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst --- a/Lib/test/test_minidom.py +++ b/Lib/test/test_minidom.py @@ -1149,14 +1149,12 @@ class MinidomTest(unittest.TestCase): # Verify that character decoding errors raise exceptions instead # of crashing - if pyexpat.version_info >= (2, 4, 5): - self.assertRaises(ExpatError, parseString, - b'<fran\xe7ais></fran\xe7ais>') - self.assertRaises(ExpatError, parseString, - b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>') - else: - self.assertRaises(UnicodeDecodeError, parseString, - b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>') + # It doesn???t make any sense to insist on the exact text of the + # error message, or even the exact Exception ??? it is enough that + # the error has been discovered. + with self.assertRaises((UnicodeDecodeError, ExpatError)): + parseString( + b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>') doc.unlink()
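Review bot: The rewritten assertion drops one of the inputs the removed `>= (2, 4, 5)` branch exercised: `b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>'`, where the undecodable bytes sit only in character data and the tag name is plain ASCII, is no longer parsed at all, so a regression that crashes on bad bytes in text but not in element names would go unnoticed. Keep it as a second block, `with self.assertRaises((UnicodeDecodeError, ExpatError)):` / `parseString(b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')`, since a second call placed inside the first `with` would never run once the first one raises. The `???` in the three added comment lines looks like a display artefact of the curly quote and dash in the upstream commit; it is worth confirming that the checked-in patch file is clean UTF-8 and applies as intended. The test method containing this hunk starts before the hunk.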
@@ -1601,13 +1599,12 @@ class MinidomTest(unittest.TestCase): self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) def testExceptionOnSpacesInXMLNSValue(self): - if pyexpat.version_info >= (2, 4, 5): - context = self.assertRaisesRegex(ExpatError, 'syntax error') - else: - context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') + # It doesn???t make any sense to insist on the exact text of the + # error message, or even the exact Exception ??? it is enough that + # the error has been discovered. + with self.assertRaises((ExpatError, ValueError)): + parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>') - with context: - parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>') def testDocRemoveChild(self): doc = parse(tstfile)
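Review bot: With this hunk and the earlier one, both references to `pyexpat.version_info` in the file are gone; if those were its only uses, the module-level import of `pyexpat` (outside this hunk) is now dead and should be dropped in the same patch so the file stays lint-clean. Accepting either `ExpatError` or `ValueError` is reasonable for the purpose the new comment states, but the removed branch encoded which libexpat generation raises which exception and that knowledge is now lost; a one-line comment above the `with`, `# libexpat < 2.4.5: ValueError('Unsupported syntax'); >= 2.4.5: ExpatError('syntax error')`, would keep the intent visible. `testDocRemoveChild` continues past the end of the hunk.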