Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python39 for openSUSE:Factory checked in at 2022-12-09 13:16:49

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python39 (Old)
 and      /work/SRC/openSUSE:Factory/.python39.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python39"

Fri Dec 9 13:16:49 2022 rev:38 rq:1041648 version:3.9.16

Changes:
--------
--- /work/SRC/openSUSE:Factory/python39/python39.changes 2022-11-12 17:39:59.473747246 +0100
+++ /work/SRC/openSUSE:Factory/.python39.new.1835/python39.changes 2022-12-09 13:16:56.866736110 +0100
@@ -1,0 +2,45 @@ +Thu Dec 8 10:43:43 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Update to 3.9.16: + - python -m http.server no longer allows terminal control + characters sent within a garbage request to be printed to the + stderr server log. + This is done by changing the http.server + BaseHTTPRequestHandler .log_message method to replace control + characters with a \xHH hex escape before printing. + - Avoid publishing list of active per-interpreter audit hooks + via the gc module + - The IDNA codec decoder used on DNS hostnames by socket or + asyncio related name resolution functions no longer involves + a quadratic algorithm. This prevents a potential CPU denial + of service if an out-of-spec excessive length hostname + involving bidirectional characters were decoded. Some + protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name (CVE-2015-20107). + - Update bundled libexpat to 2.5.0 + - Port XKCPâs fix for the buffer overflows in SHA-3 + (CVE-2022-37454). + - On Linux the multiprocessing module returns to using + filesystem backed unix domain sockets for communication with + the forkserver process instead of the Linux abstract socket + namespace. Only code that chooses to use the âforkserverâ + start method is affected. + Abstract sockets have no permissions and could allow any + user on the system in the same network namespace (often + the whole system) to inject code into the multiprocessing + forkserver process. This was a potential privilege + escalation. Filesystem based socket permissions restrict this + to the forkserver process user as was the default in Python + 3.8 and earlier. + This prevents Linux CVE-2022-42919. + - The deprecated mailcap module now refuses to inject unsafe + text (filenames, MIME types, parameters) into shell + commands. Instead of using such text, it will warn and act + as if a match was not found (or for test commands, as if the + test failed). 
+- Removed upstreamed patches: + - CVE-2015-20107-mailcap-unsafe-filenames.patch + - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch + - CVE-2022-45061-DoS-by-IDNA-decode.patch + +------------------------------------------------------------------- Old: ---- CVE-2015-20107-mailcap-unsafe-filenames.patch CVE-2022-42919-loc-priv-mulitproc-forksrv.patch CVE-2022-45061-DoS-by-IDNA-decode.patch Python-3.9.15.tar.xz Python-3.9.15.tar.xz.asc New: ---- Python-3.9.16.tar.xz Python-3.9.16.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python39.spec ++++++ --- /var/tmp/diff_new_pack.PG3Sa3/_old 2022-12-09 13:16:58.186743122 +0100 +++ /var/tmp/diff_new_pack.PG3Sa3/_new 2022-12-09 13:16:58.186743122 +0100 @@ -93,7 +93,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.9.15 +Version: 3.9.16 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 
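Review bot: the CVE identifier in the IDNA bullet of the python39.changes hunk looks mis-attributed: the bullet about the quadratic IDNA decoder ends with "(CVE-2015-20107)", while the spec's own patch comments tie CVE-2015-20107 to the mailcap command-injection fix (CVE-2015-20107-mailcap-unsafe-filenames.patch) and the IDNA denial of service to CVE-2022-45061-DoS-by-IDNA-decode.patch, both of which this commit drops as upstreamed. Suggest citing CVE-2022-45061 on the IDNA bullet and moving CVE-2015-20107 to the mailcap bullet, so the entry matches the three patches listed under "Removed upstreamed patches". Separately, "XKCPâs" and "âforkserverâ" in the same entry carry mis-encoded quotes; plain ASCII quotes would be better in a .changes file, since this text ends up in the package's %changelog.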
@@ -158,18 +158,9 @@ # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mc...@suse.com # Makes Python resilient to changes of API of libexpat Patch35: support-expat-CVE-2022-25236-patched.patch -# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mc...@suse.com -# avoid the command injection in the mailcap module. -Patch36: CVE-2015-20107-mailcap-unsafe-filenames.patch # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mc...@suse.com # this patch makes things totally awesome Patch37: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch -# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mc...@suse.com -# Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method -Patch38: CVE-2022-42919-loc-priv-mulitproc-forksrv.patch -# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mc...@suse.com -# Avoid DoS by decoding IDNA for too long domain names -Patch39: CVE-2022-45061-DoS-by-IDNA-decode.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -428,10 +419,7 @@ %patch05 -p1 %endif %patch35 -p1 -%patch36 -p1 %patch37 -p1 -%patch38 -p1 -%patch39 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ 98437-sphinx.locale._-as-gettext-in-pyspecific.patch ++++++ --- /var/tmp/diff_new_pack.PG3Sa3/_old 2022-12-09 13:16:58.218743291 +0100 +++ /var/tmp/diff_new_pack.PG3Sa3/_new 2022-12-09 13:16:58.222743313 +0100 @@ -30,7 +30,7 @@ content = self.content add_text = nodes.strong(label, label) if self.arguments: -@@ -266,7 +266,7 @@ class AuditEvent(Directive): +@@ -179,7 +179,7 @@ class AuditEvent(Directive): else: args = [] 
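Review bot: the removals in the @@ -158,18 +158,9 @@ and @@ -428,10 +419,7 @@ hunks are consistent (the Patch36, Patch38 and Patch39 definitions with their PATCH-FIX-UPSTREAM comment pairs, and the matching %patch36/%patch38/%patch39 -p1 applications), so nothing is left dangling and the numbering gaps are harmless. One style point while this block is being edited: the surviving context comment for Patch37, "# this patch makes things totally awesome", says nothing about the patch, whereas the neighbouring PATCH-FIX-UPSTREAM lines each carry a one-line purpose; a comment such as "# use sphinx.locale._ as gettext in the pyspecific Sphinx extension" would keep the convention.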
@@ -39,7 +39,7 @@ text = label.format(name="``{}``".format(name), args=", ".join("``{}``".format(a) for a in args if a)) -@@ -445,7 +445,7 @@ class DeprecatedRemoved(Directive): +@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive): else: label = self._removed_label ++++++ Python-3.9.15.tar.xz -> Python-3.9.16.tar.xz ++++++ /work/SRC/openSUSE:Factory/python39/Python-3.9.15.tar.xz /work/SRC/openSUSE:Factory/.python39.new.1835/Python-3.9.16.tar.xz differ: char 26, line 1
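Review bot: the two hunks in 98437-sphinx.locale._-as-gettext-in-pyspecific.patch only move the embedded patch's own @@ headers (266 to 179 and 445 to 358, the same 87-line offset in both), i.e. a refresh of the patch against the 3.9.16 source with no change to the patch body. That refresh is not recorded in python39.changes, which lists only the removed patches; suggest adding a line such as "- Refresh 98437-sphinx.locale._-as-gettext-in-pyspecific.patch" to the same changelog entry.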