Hello community,

here is the log from the commit of package python39 for openSUSE:Factory 
checked in at 2023-07-01 23:18:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python39 (Old)
 and      /work/SRC/openSUSE:Factory/.python39.new.13546 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python39"

Sat Jul  1 23:18:01 2023 rev:46 rq:1096213 version:3.9.17

Changes:
--------
--- /work/SRC/openSUSE:Factory/python39/python39.changes        2023-05-21 
19:08:02.662207665 +0200
+++ /work/SRC/openSUSE:Factory/.python39.new.13546/python39.changes     
2023-07-01 23:18:09.838300845 +0200
@@ -1,0 +2,42 @@
+Fri Jun 30 20:23:43 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add downport-Sphinx-features.patch to make documentation
+  buildable even on SLE-15.
+
+-------------------------------------------------------------------
+Wed Jun 28 19:12:12 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.9.17:
+  - gh-103142: The version of OpenSSL used in Windows and
+    Mac installers has been upgraded to 1.1.1u to address
+    CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
+    as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
+    fixed previously in 1.1.1t (gh-101727).
+  - gh-102153: urllib.parse.urlsplit() now strips leading C0
+    control and space characters following the specification for
+    URLs defined by WHATWG in response to CVE-2023-24329
+    (bsc#1208471).
+  - gh-99889: Fixed a security in flaw in uu.decode() that could
+    allow for directory traversal based on the input if no
+    out_file was specified.
+  - gh-104049: Do not expose the local on-disk
+    location in directory indexes produced by
+    http.client.SimpleHTTPRequestHandler.
+  - gh-103935: trace.__main__ now uses io.open_code() for files
+    to be executed instead of raw open().
+  - gh-102953: The extraction methods in tarfile, and
+    shutil.unpack_archive(), have a new filter argument that
+    allows limiting tar features than may be surprising or
+    dangerous, such as creating files outside the destination
+    directory. See Extraction filters for details (fixing
+    CVE-2007-4559, bsc#1203750).
+  - gh-102126: Fixed a deadlock at shutdown when clearing thread
+    states if any finalizer tries to acquire the runtime head
+    lock.
+  - gh-100892: Fixed a crash due to a race while iterating over
+    thread states in clearing threading.local.
+- Remove upstreamed patches:
+  - CVE-2023-24329-blank-URL-bypass.patch
+  - CVE-2007-4559-filter-tarfile_extractall.patch
+
+-------------------------------------------------------------------
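Review bot: The OpenSSL item in the 3.9.17 entry lists CVE-2022-4303 twice ("CVE-2022-4303, and CVE-2022-4303"), so one of the identifiers fixed in 1.1.1t is probably mistyped or missing; check the list against gh-101727 and correct it. In the same entry, the gh-99889 item reads "Fixed a security in flaw" (should be "a security flaw") and the gh-102953 item has "than may be surprising" where "that" is meant.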
@@ -14,5 +55,0 @@
-
--------------------------------------------------------------------
-Sun Apr 30 18:16:37 UTC 2023 - Matej Cepl <mc...@suse.com>
-
-- Why in the world we download from HTTP?
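Review bot: Deleting the Sun Apr 30 entry changes changelog history that was already checked in, and neither the Jun 28 nor the Jun 30 entry mentions the removal. If that entry recorded a real change to where the sources are fetched from, keep it and reword it as a description of the change; if it recorded nothing, say in the new entry that it was dropped.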

Old:
----
  CVE-2007-4559-filter-tarfile_extractall.patch
  CVE-2023-24329-blank-URL-bypass.patch
  Python-3.9.16.tar.xz
  Python-3.9.16.tar.xz.asc

New:
----
  Python-3.9.17.tar.xz
  Python-3.9.17.tar.xz.asc
  downport-Sphinx-features.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python39.spec ++++++
--- /var/tmp/diff_new_pack.eUowwe/_old  2023-07-01 23:18:11.370310029 +0200
+++ /var/tmp/diff_new_pack.eUowwe/_new  2023-07-01 23:18:11.374310053 +0200
@@ -93,7 +93,7 @@
 %define dynlib() 
%{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.9.16
+Version:        3.9.17
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -161,16 +161,12 @@
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch 
gh#python/cpython#98366 mc...@suse.com
 # this patch makes things totally awesome
 Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 
mc...@suse.com
-# blocklist bypass via the urllib.parse component when supplying
-# a URL that starts with blank characters
-Patch38:        CVE-2023-24329-blank-URL-bypass.patch
-# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 
mc...@suse.com
-# Implement PEP-706 to filter outcome of the tarball extracing
-Patch39:        CVE-2007-4559-filter-tarfile_extractall.patch
 # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ 
mc...@suse.com
 # Patch for gh#python/cpython#98086
 Patch40:        99366-patch.dict-can-decorate-async.patch
+# PATCH-FIX-OPENSUSE downport-Sphinx-features.patch mc...@suse.com
+# Make documentation build with older Sphinx
+Patch41:        downport-Sphinx-features.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
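Review bot: The comment above Patch41 says only "Make documentation build with older Sphinx" and does not name what is being removed. The patch body strips the ":type:" option from the attribute directives in Doc/library/tarfile.rst; state that in the comment so it is clear when the patch can be dropped.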
@@ -429,9 +425,10 @@
 %endif
 %patch35 -p1
 %patch37 -p1
-%patch38 -p1
-%patch39 -p1
 %patch40 -p1
+%if 0%{?sle_version} && 0%{?sle_version} <= 150500
+%patch41 -p1
+%endif
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
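Review bot: The guard "0%{?sle_version} <= 150500" around %patch41 keys the workaround to a product version instead of to the Sphinx version that lacks the feature, so a later SLE release that still ships the older Sphinx would skip the patch and fail the documentation build again. Add a comment explaining why 150500 is the cutoff, or apply the patch unconditionally, since it only deletes ":type:" lines from tarfile.rst.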

++++++ Python-3.9.16.tar.xz -> Python-3.9.17.tar.xz ++++++
/work/SRC/openSUSE:Factory/python39/Python-3.9.16.tar.xz 
/work/SRC/openSUSE:Factory/.python39.new.13546/Python-3.9.17.tar.xz differ: 
char 27, line 1

++++++ downport-Sphinx-features.patch ++++++
---
 Doc/library/tarfile.rst |   11 -----------
 1 file changed, 11 deletions(-)

--- a/Doc/library/tarfile.rst
+++ b/Doc/library/tarfile.rst
@@ -504,7 +504,6 @@ be finalized; only the internally used f
       Return an :class:`io.BufferedReader` object.
 
 .. attribute:: TarFile.errorlevel
-   :type: int
 
    If *errorlevel* is ``0``, errors are ignored when using 
:meth:`TarFile.extract`
    and :meth:`TarFile.extractall`.
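Review bot: downport-Sphinx-features.patch begins at a bare "---" with no description, author or reference above the diffstat. Add a short header saying that the ":type:" option is removed from the attribute directives because the older Sphinx on SLE-15 does not build the documentation with it, so the purpose is readable from the patch file itself.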
@@ -683,19 +682,16 @@ A ``TarInfo`` object has the following p
 
 
 .. attribute:: TarInfo.name
-   :type: str
 
    Name of the archive member.
 
 
 .. attribute:: TarInfo.size
-   :type: int
 
    Size in bytes.
 
 
 .. attribute:: TarInfo.mtime
-   :type: int | float
 
    Time of last modification in seconds since the :ref:`epoch <epoch>`,
    as in :attr:`os.stat_result.st_mtime`.
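Review bot: Dropping ":type: int | float" from TarInfo.mtime removes the only statement of that attribute's type, because the remaining description says just "Time of last modification in seconds since the epoch". The same applies to the other attributes in this patch; consider moving the type into the descriptive sentence instead of deleting it, so the documentation built on SLE-15 keeps the information.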
@@ -707,7 +703,6 @@ A ``TarInfo`` object has the following p
       attribute.
 
 .. attribute:: TarInfo.mode
-   :type: int
 
    Permission bits, as for :func:`os.chmod`.
 
@@ -727,14 +722,12 @@ A ``TarInfo`` object has the following p
 
 
 .. attribute:: TarInfo.linkname
-   :type: str
 
    Name of the target file name, which is only present in :class:`TarInfo` 
objects
    of type :const:`LNKTYPE` and :const:`SYMTYPE`.
 
 
 .. attribute:: TarInfo.uid
-   :type: int
 
    User ID of the user who originally stored this member.
 
@@ -745,7 +738,6 @@ A ``TarInfo`` object has the following p
       attribute.
 
 .. attribute:: TarInfo.gid
-   :type: int
 
    Group ID of the user who originally stored this member.
 
@@ -756,7 +748,6 @@ A ``TarInfo`` object has the following p
       attribute.
 
 .. attribute:: TarInfo.uname
-   :type: str
 
    User name.
 
@@ -767,7 +758,6 @@ A ``TarInfo`` object has the following p
       attribute.
 
 .. attribute:: TarInfo.gname
-   :type: str
 
    Group name.
 
@@ -778,7 +768,6 @@ A ``TarInfo`` object has the following p
       attribute.
 
 .. attribute:: TarInfo.pax_headers
-   :type: dict
 
    A dictionary containing key-value pairs of an associated pax extended 
header.
 
