Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python38 for openSUSE:Factory checked in at 2022-12-09 13:16:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python38 (Old) and /work/SRC/openSUSE:Factory/.python38.new.1835 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python38" Fri Dec 9 13:16:47 2022 rev:31 rq:1041645 version:3.8.16 Changes: --------
--- /work/SRC/openSUSE:Factory/python38/python38.changes 2022-11-12 17:39:57.925738030 +0100
+++ /work/SRC/openSUSE:Factory/.python38.new.1835/python38.changes 2022-12-09 13:16:55.074726590 +0100
@@ -1,0 +2,32 @@
+Thu Dec 8 10:32:15 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.8.16:
+ - python -m http.server no longer allows terminal
+ control characters sent within a garbage request to be
+ printed to the stderr server log.
+ This is done by changing the http.server
+ BaseHTTPRequestHandler .log_message method to replace control
+ characters with a \xHH hex escape before printing.
+ - Avoid publishing list of active per-interpreter
+ audit hooks via the gc module
+ - The IDNA codec decoder used on DNS hostnames by
+ socket or asyncio related name resolution functions no
+ longer involves a quadratic algorithm. This prevents a
+ potential CPU denial of service if an out-of-spec excessive
+ length hostname involving bidirectional characters were
+ decoded. Some protocols such as urllib http 3xx redirects
+ potentially allow for an attacker to supply such a
+ name (CVE-2022-45061).
+ - Update bundled libexpat to 2.5.0
+ - Port XKCPâs fix for the buffer overflows in SHA-3
+ (CVE-2022-37454).
+ - The deprecated mailcap module now refuses to inject
+ unsafe text (filenames, MIME types, parameters) into shell
+ commands. Instead of using such text, it will warn and act
+ as if a match was not found (or for test commands, as if the
+ test failed).
+- Removed upstream patches:
+ - CVE-2022-37454-sha3-buffer-overflow.patch
+ - CVE-2022-45061-DoS-by-IDNA-decode.patch
+
+-------------------------------------------------------------------
Old: ---- CVE-2022-37454-sha3-buffer-overflow.patch CVE-2022-45061-DoS-by-IDNA-decode.patch Python-3.8.15.tar.xz Python-3.8.15.tar.xz.asc New: ---- Python-3.8.16.tar.xz Python-3.8.16.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python38.spec ++++++
--- /var/tmp/diff_new_pack.Gl7hqC/_old 2022-12-09 13:16:56.166732391 +0100
+++ /var/tmp/diff_new_pack.Gl7hqC/_new 2022-12-09 13:16:56.170732412 +0100
@@ -92,7 +92,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.8.15 +Version: 3.8.16 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -176,13 +176,6 @@ # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mc...@suse.com # this patch makes things totally awesome Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch -# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 mc...@suse.com -# Fix original buffer overflow -# Originally from gh#python/cpython#98528 -Patch39: CVE-2022-37454-sha3-buffer-overflow.patch -# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mc...@suse.com -# Avoid DoS by decoding IDNA for too long domain names -Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -451,8 +444,6 @@ %patch36 -p1 %patch37 -p1 %patch38 -p1 -%patch39 -p1 -%patch40 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ Python-3.8.15.tar.xz -> Python-3.8.16.tar.xz ++++++ /work/SRC/openSUSE:Factory/python38/Python-3.8.15.tar.xz /work/SRC/openSUSE:Factory/.python38.new.1835/Python-3.8.16.tar.xz differ: char 27, line 1 ++++++ platlibdir-in-sys.patch ++++++ --- /var/tmp/diff_new_pack.Gl7hqC/_old 2022-12-09 13:16:56.354733390 +0100 +++ /var/tmp/diff_new_pack.Gl7hqC/_new 2022-12-09 13:16:56.354733390 +0100 
@@ -1,19 +1,13 @@ -Index: Python-3.8.15/Python/sysmodule.c -=================================================================== ---- Python-3.8.15.orig/Python/sysmodule.c -+++ Python-3.8.15/Python/sysmodule.c -@@ -2979,6 +2979,7 @@ _PySys_InitMain(_PyRuntimeState *runtime - SET_SYS_FROM_WSTR("base_prefix", config->base_prefix); - SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix); - SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix); -+ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir); - - if (config->pycache_prefix != NULL) { - SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix); -Index: Python-3.8.15/Include/cpython/initconfig.h -=================================================================== ---- Python-3.8.15.orig/Include/cpython/initconfig.h -+++ Python-3.8.15/Include/cpython/initconfig.h +--- + Include/cpython/initconfig.h | 1 + + Lib/test/test_embed.py | 1 + + Makefile.pre.in | 5 +++++ + Python/initconfig.c | 21 +++++++++++++++++++++ + Python/sysmodule.c | 1 + + 5 files changed, 29 insertions(+) + +--- a/Include/cpython/initconfig.h ++++ b/Include/cpython/initconfig.h @@ -381,6 +381,7 @@ typedef struct { wchar_t *base_prefix; /* sys.base_prefix */ wchar_t *exec_prefix; /* sys.exec_prefix */ 
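Review bot: The refreshed platlibdir-in-sys.patch now opens directly with `---` and a diffstat, so the patch file itself carries no subject, description or origin. It touches interpreter start-up code (it sets `sys.platlibdir` from `config->platlibdir` and adds a build-time `-DPLATLIBDIR` define, apparently with a matching field in the config struct), which is the kind of downstream change a later reviewer will want to trace. A short header above the diffstat would cover it, for example `Subject: expose platlibdir in sys and PyConfig` followed by `Upstream: <upstream issue or PR reference>`. Whether the spec file already documents this next to the patch's Patch tag is not visible in this diff.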
@@ -22,10 +16,32 @@ /* --- Parameter only used by Py_Main() ---------- */ -Index: Python-3.8.15/Python/initconfig.c -=================================================================== ---- Python-3.8.15.orig/Python/initconfig.c -+++ Python-3.8.15/Python/initconfig.c +--- a/Lib/test/test_embed.py ++++ b/Lib/test/test_embed.py +@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi + 'exec_prefix': GET_DEFAULT_CONFIG, + 'base_exec_prefix': GET_DEFAULT_CONFIG, + 'module_search_paths': GET_DEFAULT_CONFIG, ++ 'platlibdir': sys.platlibdir, + + 'site_import': 1, + 'bytes_warning': 0, +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys + $(MULTIARCH_CPPFLAGS) \ + -o $@ $(srcdir)/Python/sysmodule.c + ++Python/initconfig.o: $(srcdir)/Python/initconfig.c ++ $(CC) -c $(PY_CORE_CFLAGS) \ ++ -DPLATLIBDIR='"$(platsubdir)"' \ ++ -o $@ $(srcdir)/Python/initconfig.c ++ + $(IO_OBJS): $(IO_H) + + .PHONY: regen-grammar +--- a/Python/initconfig.c ++++ b/Python/initconfig.c @@ -596,6 +596,7 @@ PyConfig_Clear(PyConfig *config) CLEAR(config->base_prefix); CLEAR(config->exec_prefix); 
@@ -96,32 +112,14 @@ DUMP_SYS(executable); DUMP_SYS(prefix); DUMP_SYS(exec_prefix); -Index: Python-3.8.15/Makefile.pre.in -=================================================================== ---- Python-3.8.15.orig/Makefile.pre.in -+++ Python-3.8.15/Makefile.pre.in -@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys - $(MULTIARCH_CPPFLAGS) \ - -o $@ $(srcdir)/Python/sysmodule.c - -+Python/initconfig.o: $(srcdir)/Python/initconfig.c -+ $(CC) -c $(PY_CORE_CFLAGS) \ -+ -DPLATLIBDIR='"$(platsubdir)"' \ -+ -o $@ $(srcdir)/Python/initconfig.c -+ - $(IO_OBJS): $(IO_H) - - .PHONY: regen-grammar -Index: Python-3.8.15/Lib/test/test_embed.py -=================================================================== ---- Python-3.8.15.orig/Lib/test/test_embed.py -+++ Python-3.8.15/Lib/test/test_embed.py -@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi - 'exec_prefix': GET_DEFAULT_CONFIG, - 'base_exec_prefix': GET_DEFAULT_CONFIG, - 'module_search_paths': GET_DEFAULT_CONFIG, -+ 'platlibdir': sys.platlibdir, +--- a/Python/sysmodule.c ++++ b/Python/sysmodule.c +@@ -2981,6 +2981,7 @@ _PySys_InitMain(_PyRuntimeState *runtime + SET_SYS_FROM_WSTR("base_prefix", config->base_prefix); + SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix); + SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix); ++ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir); - 'site_import': 1, - 'bytes_warning': 0, + if (config->pycache_prefix != NULL) { + SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);