Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python310 for openSUSE:Factory checked in at 2023-06-30 19:58:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and /work/SRC/openSUSE:Factory/.python310.new.13546 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310" Fri Jun 30 19:58:24 2023 rev:33 rq:1095863 version:3.10.12 Changes: -------- --- /work/SRC/openSUSE:Factory/python310/python310.changes 2023-06-22 23:24:56.369668004 +0200 +++ /work/SRC/openSUSE:Factory/.python310.new.13546/python310.changes 2023-06-30 19:58:40.461572851 +0200 
@@ -1,0 +2,31 @@ +Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <mc...@suse.com> + +- Update to 3.10.12: + - gh-103142: The version of OpenSSL used in Windows and + Mac installers has been upgraded to 1.1.1u to address + CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, + as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 + fixed previously in 1.1.1t (gh-101727). + - gh-102153: urllib.parse.urlsplit() now strips leading C0 + control and space characters following the specification for + URLs defined by WHATWG in response to CVE-2023-24329 + (bsc#1208471). + - gh-99889: Fixed a security in flaw in uu.decode() that could + allow for directory traversal based on the input if no + out_file was specified. + - gh-104049: Do not expose the local on-disk + location in directory indexes produced by + http.client.SimpleHTTPRequestHandler. + - gh-103935: trace.__main__ now uses io.open_code() for files + to be executed instead of raw open(). + - gh-102953: The extraction methods in tarfile, and + shutil.unpack_archive(), have a new filter argument that + allows limiting tar features than may be surprising or + dangerous, such as creating files outside the destination + directory. See Extraction filters for details (fixing + CVE-2007-4559, bsc#1203750). +- Remove upstreamed patches: + - CVE-2023-24329-blank-URL-bypass.patch + - CVE-2007-4559-filter-tarfile_extractall.patch + +------------------------------------------------------------------- Old: ---- CVE-2007-4559-filter-tarfile_extractall.patch CVE-2023-24329-blank-URL-bypass.patch Python-3.10.11.tar.xz Python-3.10.11.tar.xz.asc New: ---- Python-3.10.12.tar.xz Python-3.10.12.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++ --- /var/tmp/diff_new_pack.L8cSWb/_old 2023-06-30 19:58:41.625579774 +0200 +++ /var/tmp/diff_new_pack.L8cSWb/_new 2023-06-30 19:58:41.629579798 +0200 
@@ -103,7 +103,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.10.11 +Version: 3.10.12 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -166,13 +166,6 @@ # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236 Patch36: support-expat-CVE-2022-25236-patched.patch -# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mc...@suse.com -# blocklist bypass via the urllib.parse component when supplying -# a URL that starts with blank characters -Patch37: CVE-2023-24329-blank-URL-bypass.patch -# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mc...@suse.com -# PEP 706 â Filter for tarfile.extractall -Patch38: CVE-2007-4559-filter-tarfile_extractall.patch # PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mc...@suse.com # Make `set` and `frozenset` marshalling deterministic Patch39: bpo-37596-make-set-marshalling.patch @@ -447,8 +440,6 @@ %endif %patch35 -p1 %patch36 -p1 -%patch37 -p1 -%patch38 -p1 %patch39 -p1 # drop Autoconf version requirement ++++++ Python-3.10.11.tar.xz -> Python-3.10.12.tar.xz ++++++ /work/SRC/openSUSE:Factory/python310/Python-3.10.11.tar.xz /work/SRC/openSUSE:Factory/.python310.new.13546/Python-3.10.12.tar.xz differ: char 27, line 1
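Review bot: The gh-103142 item in the python310.changes hunk lists the same identifier twice ("CVE-2022-4303, and CVE-2022-4303"), so one of the two is either redundant or mistyped and should be checked before this lands in the package history. The same item is scoped to the "Windows and Mac installers", yet it sits in this package's changes file with a row of CVE numbers; anyone scanning the changelog for fixed CVEs will read those as addressed by this build, so consider dropping the item or marking it as not applicable here. The gh-104049 item names http.client.SimpleHTTPRequestHandler, but that class lives in http.server. Two wording slips in the same entry: "a security in flaw" and "tar features than may be surprising".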
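Review bot: Dropping Patch38 (CVE-2007-4559-filter-tarfile_extractall.patch) in the python310.spec hunk at -166,13 leaves open whether default extraction behaviour is the same before and after this update. The changes entry describes the upstream fix as "a new filter argument that allows limiting" tar features, which reads as opt-in, and nothing in the visible lines says whether the removed SUSE patch applied the same default. Suggest adding one line to the changes entry stating whether tarfile.extractall() and shutil.unpack_archive() behave identically without an explicit filter, so that callers who relied on the patched package know whether they now need to pass one. The Patch37/Patch38 declarations and the %patch37/%patch38 lines in the -447,8 hunk are removed together, which is consistent.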