Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python39 for openSUSE:Factory 
checked in at 2022-12-09 13:16:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python39 (Old)
 and      /work/SRC/openSUSE:Factory/.python39.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python39"

Fri Dec  9 13:16:49 2022 rev:38 rq:1041648 version:3.9.16

Changes:
--------
--- /work/SRC/openSUSE:Factory/python39/python39.changes        2022-11-12 
17:39:59.473747246 +0100
+++ /work/SRC/openSUSE:Factory/.python39.new.1835/python39.changes      
2022-12-09 13:16:56.866736110 +0100
@@ -1,0 +2,45 @@
+Thu Dec  8 10:43:43 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.9.16:
+  - python -m http.server no longer allows terminal control
+    characters sent within a garbage request to be printed to the
+    stderr server log.
+    This is done by changing the http.server
+    BaseHTTPRequestHandler .log_message method to replace control
+    characters with a \xHH hex escape before printing.
+  - Avoid publishing list of active per-interpreter audit hooks
+    via the gc module
+  - The IDNA codec decoder used on DNS hostnames by socket or
+    asyncio related name resolution functions no longer involves
+    a quadratic algorithm. This prevents a potential CPU denial
+    of service if an out-of-spec excessive length hostname
+    involving bidirectional characters were decoded. Some
+    protocols such as urllib http 3xx redirects potentially allow
+    for an attacker to supply such a name (CVE-2015-20107).
+  - Update bundled libexpat to 2.5.0
+  - Port XKCP’s fix for the buffer overflows in SHA-3
+    (CVE-2022-37454).
+  - On Linux the multiprocessing module returns to using
+    filesystem backed unix domain sockets for communication with
+    the forkserver process instead of the Linux abstract socket
+    namespace. Only code that chooses to use the “forkserver”
+    start method is affected.
+    Abstract sockets have no permissions and could allow any
+    user on the system in the same network namespace (often
+    the whole system) to inject code into the multiprocessing
+    forkserver process. This was a potential privilege
+    escalation. Filesystem based socket permissions restrict this
+    to the forkserver process user as was the default in Python
+    3.8 and earlier.
+    This prevents Linux CVE-2022-42919.
+  - The deprecated mailcap module now refuses to inject unsafe
+    text (filenames, MIME types, parameters) into shell
+    commands. Instead of using such text, it will warn and act
+    as if a match was not found (or for test commands, as if the
+    test failed).
+- Removed upstreamed patches:
+  - CVE-2015-20107-mailcap-unsafe-filenames.patch
+  - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
+  - CVE-2022-45061-DoS-by-IDNA-decode.patch
+
+-------------------------------------------------------------------
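Review bot: the CVE reference on the IDNA bullet looks swapped: it cites CVE-2015-20107, but per the "Removed upstreamed patches" list in this same entry, CVE-2015-20107 is the mailcap issue (CVE-2015-20107-mailcap-unsafe-filenames.patch) and the IDNA denial-of-service is CVE-2022-45061 (CVE-2022-45061-DoS-by-IDNA-decode.patch). Suggest ending the IDNA bullet with "(CVE-2022-45061)" and adding "(CVE-2015-20107)" to the mailcap bullet so the entry matches the patches it drops. It would also help to carry the bsc# references from the removed Patch36/38/39 spec lines (bsc#1198511, bsc#1204886, bsc#1205244) into the "Removed upstreamed patches" items so the bug tracker links the update to the fixes.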

Old:
----
  CVE-2015-20107-mailcap-unsafe-filenames.patch
  CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
  CVE-2022-45061-DoS-by-IDNA-decode.patch
  Python-3.9.15.tar.xz
  Python-3.9.15.tar.xz.asc

New:
----
  Python-3.9.16.tar.xz
  Python-3.9.16.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python39.spec ++++++
--- /var/tmp/diff_new_pack.PG3Sa3/_old  2022-12-09 13:16:58.186743122 +0100
+++ /var/tmp/diff_new_pack.PG3Sa3/_new  2022-12-09 13:16:58.186743122 +0100
@@ -93,7 +93,7 @@
 %define dynlib() 
%{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.15
+Version:        3.9.16
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -158,18 +158,9 @@
 # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 
mc...@suse.com
 # Makes Python resilient to changes of API of libexpat
 Patch35:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 
mc...@suse.com
-# avoid the command injection in the mailcap module.
-Patch36:        CVE-2015-20107-mailcap-unsafe-filenames.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch 
gh#python/cpython#98366 mc...@suse.com
 # this patch makes things totally awesome
 Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch 
bsc#1204886 mc...@suse.com
-# Avoid Linux specific local privilege escalation via the multiprocessing 
forkserver start method
-Patch38:        CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
-# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 
mc...@suse.com
-# Avoid DoS by decoding IDNA for too long domain names
-Patch39:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
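Review bot: the retained context line "# this patch makes things totally awesome" above Patch37 is not a description; since this hunk already touches the patch header block, replace it with a one-line statement of what 98437-sphinx.locale._-as-gettext-in-pyspecific.patch changes (the filename indicates it substitutes sphinx.locale._ for gettext in pyspecific.py), in the same PATCH-FIX-UPSTREAM comment style used for Patch35. Dropping Patch36/38/39 here is consistent with the matching %patch36/%patch38/%patch39 removals in the %prep hunk below, so no dangling references remain.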
@@ -428,10 +419,7 @@
 %patch05 -p1
 %endif
 %patch35 -p1
-%patch36 -p1
 %patch37 -p1
-%patch38 -p1
-%patch39 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ 98437-sphinx.locale._-as-gettext-in-pyspecific.patch ++++++
--- /var/tmp/diff_new_pack.PG3Sa3/_old  2022-12-09 13:16:58.218743291 +0100
+++ /var/tmp/diff_new_pack.PG3Sa3/_new  2022-12-09 13:16:58.222743313 +0100
@@ -30,7 +30,7 @@
          content = self.content
          add_text = nodes.strong(label, label)
          if self.arguments:
-@@ -266,7 +266,7 @@ class AuditEvent(Directive):
+@@ -179,7 +179,7 @@ class AuditEvent(Directive):
          else:
              args = []
  
@@ -39,7 +39,7 @@
          text = label.format(name="``{}``".format(name),
                              args=", ".join("``{}``".format(a) for a in args 
if a))
  
-@@ -445,7 +445,7 @@ class DeprecatedRemoved(Directive):
+@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive):
          else:
              label = self._removed_label
  

++++++ Python-3.9.15.tar.xz -> Python-3.9.16.tar.xz ++++++
/work/SRC/openSUSE:Factory/python39/Python-3.9.15.tar.xz 
/work/SRC/openSUSE:Factory/.python39.new.1835/Python-3.9.16.tar.xz differ: char 
26, line 1
