Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python311 for openSUSE:Factory checked in at 2024-04-21 20:24:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python311 (Old) and /work/SRC/openSUSE:Factory/.python311.new.26366 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python311" Sun Apr 21 20:24:16 2024 rev:33 rq:1169286 version:3.11.9 Changes: -------- --- /work/SRC/openSUSE:Factory/python311/python311.changes 2024-03-25 21:06:08.532650919 +0100 +++ /work/SRC/openSUSE:Factory/.python311.new.26366/python311.changes 2024-04-21 20:24:30.923832555 +0200 @@ -1,0 +2,265 @@ +Mon Apr 15 10:31:32 UTC 2024 - Daniel Garcia <daniel.gar...@suse.com> + +- Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with + patched libexpat below 2.6.0 that doesn't update the version number, + just in SLE. + +------------------------------------------------------------------- +Mon Apr 8 05:44:04 UTC 2024 - Daniel Garcia <daniel.gar...@suse.com> + +- Remove not needed upstream patches: + * libexpat260.patch + * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666 + +- Update to 3.11.9: + * Security + - gh-115398: Allow controlling Expat >=2.6.0 reparse deferral + (CVE-2023-52425, bsc#1219559) by adding five new methods: + xml.etree.ElementTree.XMLParser.flush() + xml.etree.ElementTree.XMLPullParser.flush() + xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() + xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() + xml.sax.expatreader.ExpatParser.flush() + - gh-115399: Update bundled libexpat to 2.6.0 + - gh-115243: Fix possible crashes in collections.deque.index() + when the deque is concurrently modified. + - gh-114572: ssl.SSLContext.cert_store_stats() and + ssl.SSLContext.get_ca_certs() now correctly lock access to the + certificate store, when the ssl.SSLContext is shared across + multiple threads. + * Core and Builtins + - gh-116296: Fix possible refleak in object.__reduce__() internal + error handling. + - gh-116034: Fix location of the error on a failed assertion. + - gh-115823: Properly calculate error ranges in the parser when + raising SyntaxError exceptions caused by invalid byte sequences. + Patch by Pablo Galindo + - gh-112087: For an empty reverse iterator for list will be + reduced to reversed(). Patch by Donghee Na. + - gh-115011: Setters for members with an unsigned integer type now + support the same range of valid values for objects that has a + __index__() method as for int. + - gh-96497: Fix incorrect resolution of mangled class variables + used in assignment expressions in comprehensions. + * Library + - gh-117310: Fixed an unlikely early & extra Py_DECREF triggered + crash in ssl when creating a new _ssl._SSLContext if CPython was + built implausibly such that the default cipher list is empty or + the SSL library it was linked against reports a failure from its + C SSL_CTX_set_cipher_list() API. + - gh-117178: Fix regression in lazy loading of self-referential + modules, introduced in gh-114781. + - gh-117084: Fix zipfile extraction for directory entries with the + name containing backslashes on Windows. + - gh-117110: Fix a bug that prevents subclasses of typing.Any to + be instantiated with arguments. Patch by Chris Fu. + - gh-90872: On Windows, subprocess.Popen.wait() no longer calls + WaitForSingleObject() with a negative timeout: pass 0 ms if the + timeout is negative. Patch by Victor Stinner. + - gh-116957: configparser: Donât leave ConfigParser values in an + invalid state (stored as a list instead of a str) after an + earlier read raised DuplicateSectionError or + DuplicateOptionError. + - gh-90095: Ignore empty lines and comments in .pdbrc + - gh-116764: Restore support of None and other false values in + urllib.parse functions parse_qs() and parse_qsl(). Also, they + now raise a TypeError for non-zero integers and non-empty + sequences. + - gh-116811: In PathFinder.invalidate_caches, delegate to + MetadataPathFinder.invalidate_caches. + - gh-116600: Fix repr() for global Flag members. + - gh-116484: Change automatically generated tkinter.Checkbutton + widget names to avoid collisions with automatically generated + tkinter.ttk.Checkbutton widget names within the same parent + widget. + - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on + opening named pipe. + - gh-116143: Fix a race in pydoc _start_server, eliminating a + window in which _start_server can return a thread that is + âservingâ but without a docserver set. + - gh-116325: typing: raise SyntaxError instead of AttributeError + on forward references as empty strings. + - gh-90535: Fix support of interval values > 1 in + logging.TimedRotatingFileHandler for when='MIDNIGHT' and + when='Wx'. + - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on + WASI. + - Under wasmtime for WASI 0.2, these functions donât pass + test_posix + (https://github.com/bytecodealliance/wasmtime/issues/7830). + - gh-88352: Fix the computation of the next rollover time in the + logging.TimedRotatingFileHandler handler. computeRollover() now + always returns a timestamp larger than the specified time and + works correctly during the DST change. doRollover() no longer + overwrite the already rolled over file, saving from data loss + when run at midnight or during repeated time at the DST change. + - gh-87115: Set __main__.__spec__ to None when running a script + with pdb + - gh-76511: Fix UnicodeEncodeError in email.Message.as_string() + that results when a message that claims to be in the ascii + character set actually has non-ascii characters. Non-ascii + characters are now replaced with the U+FFFD replacement + character, like in the replace error handler. + - gh-75988: Fixed unittest.mock.create_autospec() to pass the call + through to the wrapped object to return the real result. + - gh-115881: Fix issue where ast.parse() would incorrectly flag + conditional context managers (such as with (x() if y else z()): + ...) as invalid syntax if feature_version=(3, 8) was passed. + This reverts changes to the grammar made as part of gh-94949. + - gh-115886: Fix silent truncation of the name with an embedded + null character in multiprocessing.shared_memory.SharedMemory. + - gh-115809: Improve algorithm for computing which rolled-over log + files to delete in logging.TimedRotatingFileHandler. It is now + reliable for handlers without namer and with arbitrary + deterministic namer that leaves the datetime part in the file + name unmodified. + - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now + support bytes arguments containing raw and percent-encoded + non-ASCII data. + - gh-67044: csv.writer() now always quotes or escapes '\r' and + '\n', regardless of lineterminator value. + - gh-115712: csv.writer() now quotes empty fields if delimiter is + a space and skipinitialspace is true and raises exception if + quoting is not possible. + - gh-115618: Fix improper decreasing the reference count for None + argument in property methods getter(), setter() and deleter(). + - gh-115570: A DeprecationWarning is no longer omitted on access + to the __doc__ attributes of the deprecated typing.io and + typing.re pseudo-modules. + - gh-112006: Fix inspect.unwrap() for types with the __wrapper__ + data descriptor. + - gh-101293: Support callables with the __call__() method and + types with __new__() and __init__() methods set to class + methods, static methods, bound methods, partial functions, and + other types of methods and descriptors in + inspect.Signature.from_callable(). + - gh-115392: Fix a bug in doctest where incorrect line numbers + would be reported for decorated functions. + - gh-114563: Fix several format() bugs when using the C + implementation of Decimal: * memory leak in some rare cases when + using the z format option (coerce negative 0) * incorrect output + when applying the z format option to type F (fixed-point with + capital NAN / INF) * incorrect output when applying the # format + option (alternate form) + - gh-115197: urllib.request no longer resolves the hostname before + checking it against the systemâs proxy bypass list on macOS and + Windows. + - gh-115198: Fix support of Docutils >= 0.19 in distutils. + - gh-115165: Most exceptions are now ignored when attempting to + set the __orig_class__ attribute on objects returned when + calling typing generic aliases (including generic aliases + created using typing.Annotated). Previously only AttributeError + was ignored. Patch by Dave Shawley. + - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0. + - gh-115059: io.BufferedRandom.read1() now flushes the underlying + write buffer. + - gh-79382: Trailing ** no longer allows to match files and + non-existing paths in recursive glob(). + - gh-114763: Protect modules loaded with importlib.util.LazyLoader + from race conditions when multiple threads try to access + attributes before the loading is complete. + - gh-97959: Fix rendering class methods, bound methods, method and + function aliases in pydoc. Class methods no longer have âmethod + of builtins.type instanceâ note. Corresponding notes are now + added for class and unbound methods. Method and function aliases + now have references to the module or the class where the origin + was defined if it differs from the current. Bound methods are + now listed in the static methods section. Methods of builtin + classes are now supported as well as methods of Python classes. + - gh-112281: Allow creating union of types for typing.Annotated + with unhashable metadata. + - gh-111775: Fix importlib.resources.simple.ResourceHandle.open() + for text mode, added missed stream argument. + - gh-90095: Make .pdbrc and -c work with any valid pdb commands. + - gh-107155: Fix incorrect output of help(x) where x is a lambda + function, which has an __annotations__ dictionary attribute with + a "return" key. + - gh-105866: Fixed _get_slots bug which caused error when defining + dataclasses with slots and a weakref_slot. + - gh-60346: Fix ArgumentParser inconsistent with parse_known_args. + - gh-100985: Update HTTPSConnection to consistently wrap IPv6 + Addresses when using a proxy. + - gh-100884: email: fix misfolding of comma in address-lists over + multiple lines in combination with unicode encoding. + - gh-95782: Fix io.BufferedReader.tell(), + io.BufferedReader.seek(), _pyio.BufferedReader.tell(), + io.BufferedRandom.tell(), io.BufferedRandom.seek() and + _pyio.BufferedRandom.tell() being able to return negative + offsets. + - gh-96310: Fix a traceback in argparse when all options in a + mutually exclusive group are suppressed. + - gh-93205: Fixed a bug in + logging.handlers.TimedRotatingFileHandler where multiple + rotating handler instances pointing to files with the same name + but different extensions would conflict and not delete the + correct files. + - bpo-44865: Add missing call to localization function in + argparse. + - bpo-43952: Fix multiprocessing.connection.Listener.accept() to + accept empty bytes as authkey. Not accepting empty bytes as key + causes it to hang indefinitely. + - bpo-42125: linecache: get module name from __spec__ if + available. This allows getting source code for the __main__ + module when a custom loader is used. + - gh-66543: Make mimetypes.guess_type() properly parsing of URLs + with only a host name, URLs containing fragment or query, and + filenames with only a UNC sharepoint on Windows. Based on patch + by Dong-hee Na. + - bpo-33775: Add âdefaultâ and âversionâ help text for + localization in argparse. + * Documentation + - gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under âXML + vulnerabilitiesâ. + - gh-115233: Fix an example for LoggerAdapter in the Logging + Cookbook. + * Tests + - gh-83434: Disable JUnit XML output (--junit-xml=FILE command + line option) in regrtest when hunting for reference leaks (-R + option). Patch by Victor Stinner. + - gh-117187: Fix XML tests for vanilla Expat <2.6.0. + - gh-115979: Update test_importlib so that it passes under WASI + SDK 21. + - gh-116307: Added import helper isolated_modules as CleanImport + does not remove modules imported during the context. + - gh-115720: Leak tests (-R, --huntrleaks) now show a summary of + the number of leaks found in each iteration. + - gh-115122: Add --bisect option to regrtest test runner: run + failed tests with test.bisect_cmd to identify failing tests. + Patch by Victor Stinner. + - gh-115596: Fix ProgramPriorityTests in test_os permanently + changing the process priority. + - gh-115198: Fix test_check_metadata_deprecate in distutils tests + with a newer Docutils. + * Build + - gh-116313: Get WASI builds to work under wasmtime 18 w/ WASI + 0.2/preview2 primitives. + - gh-115167: Avoid vendoring vcruntime140_threads.dll when + building with Visual Studio 2022 version 17.8. + * Windows + - gh-116773: Fix instances of <_overlapped.Overlapped object at + 0xXXX> still has pending operation at deallocation, the process + may crash. + - gh-91227: Fix the asyncio ProactorEventLoop implementation so + that sending a datagram to an address that is not listening does + not prevent receiving any more datagrams. + - gh-115554: The installer now has more strict rules about + updating the Python Launcher for Windows. In general, most users + only have a single launcher installed and will see no + difference. When multiple launchers have been installed, the + option to install the launcher is disabled until all but one + have been removed. Downgrading the launcher (which was never + allowed) is now more obviously blocked. + - gh-115543: Python Launcher for Windows can now detect Python + 3.13 when installed from the Microsoft Store, and will install + Python 3.12 by default when PYLAUNCHER_ALLOW_INSTALL is set. + - gh-115009: Update Windows installer to use SQLite 3.45.1. + * IDLE + - gh-88516: On macOS show a proxy icon in the title bar of editor + windows to match platform behaviour. + * Tools/Demos + - gh-113516: Donât set LDSHARED when building for WASI. + * C API + - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows + 64-bit platforms. + +------------------------------------------------------------------- Old: ---- CVE-2023-6597-TempDir-cleaning-symlink.patch Python-3.11.8.tar.xz Python-3.11.8.tar.xz.asc libexpat260.patch New: ---- CVE-2023-52425-libexpat-2.6.0-backport.patch Python-3.11.9.tar.xz Python-3.11.9.tar.xz.asc BETA DEBUG BEGIN: Old: * libexpat260.patch * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666 Old:- Remove not needed upstream patches: * libexpat260.patch * CVE-2023-6597-TempDir-cleaning-symlink.patch, bsc#1219666 BETA DEBUG END: BETA DEBUG BEGIN: New: - Add CVE-2023-52425-libexpat-2.6.0-backport.patch to fix tests with patched libexpat below 2.6.0 that doesn't update the version number, BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python311.spec ++++++ --- /var/tmp/diff_new_pack.o01nzb/_old 2024-04-21 20:24:34.963980799 +0200 +++ /var/tmp/diff_new_pack.o01nzb/_new 2024-04-21 20:24:34.971981093 +0200 @@ -94,7 +94,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.11.8 +Version: 3.11.9 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -165,15 +165,14 @@ # Detect email address parsing errors and return empty tuple to # indicate the parsing error (old API) Patch14: CVE-2023-27043-email-parsing-errors.patch -# PATCH-FIX-UPSTREAM libexpat260.patch gh#python/cpython#115289 -# Fix tests for XMLPullParser with Expat 2.6.0 -Patch15: libexpat260.patch -# PATCH-FIX-UPSTREAM CVE-2023-6597-TempDir-cleaning-symlink.patch bsc#1219666 mc...@suse.com -# tempfile.TemporaryDirectory: fix symlink bug in cleanup (from gh#python/cpython!99930) -Patch16: CVE-2023-6597-TempDir-cleaning-symlink.patch # PATCH-FIX-UPSTREAM bsc1221260-test_asyncio-ResourceWarning.patch bsc#1221260 mc...@suse.com # prevent ResourceWarning in test_asyncio tests -Patch17: bsc1221260-test_asyncio-ResourceWarning.patch +Patch15: bsc1221260-test_asyncio-ResourceWarning.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-backport.patch +# This problem on libexpat is patched on SLE without version +# update, this patch changes the tests to match the libexpat provided +# by SUSE +Patch16: CVE-2023-52425-libexpat-2.6.0-backport.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -435,7 +434,6 @@ %patch -p1 -P 14 %patch -p1 -P 15 %patch -p1 -P 16 -%patch -p1 -P 17 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2023-52425-libexpat-2.6.0-backport.patch ++++++ Index: Python-3.11.9/Lib/test/test_xml_etree.py =================================================================== --- Python-3.11.9.orig/Lib/test/test_xml_etree.py +++ Python-3.11.9/Lib/test/test_xml_etree.py @@ -1424,9 +1424,13 @@ class XMLPullParserTest(unittest.TestCas self.assert_event_tags(parser, [('end', 'root')]) self.assertIsNone(parser.close()) + @unittest.skipIf(pyexpat.version_info < (2, 6, 0), + f'Fail with patched version of Expat {pyexpat.version_info}') def test_simple_xml_chunk_1(self): self.test_simple_xml(chunk_size=1, flush=True) + @unittest.skipIf(pyexpat.version_info < (2, 6, 0), + f'Fail with patched version of Expat {pyexpat.version_info}') def test_simple_xml_chunk_5(self): self.test_simple_xml(chunk_size=5, flush=True) @@ -1651,6 +1655,9 @@ class XMLPullParserTest(unittest.TestCas self.assert_event_tags(parser, [('end', 'doc')]) + @unittest.skipIf(pyexpat.version_info < (2, 6, 0), + f'Expat {pyexpat.version_info} does not ' + 'support reparse deferral') def test_flush_reparse_deferral_disabled(self): parser = ET.XMLPullParser(events=('start', 'end')) Index: Python-3.11.9/Lib/test/test_sax.py =================================================================== --- Python-3.11.9.orig/Lib/test/test_sax.py +++ Python-3.11.9/Lib/test/test_sax.py @@ -1240,6 +1240,9 @@ class ExpatReaderTest(XmlTestBase): self.assertEqual(result.getvalue(), start + b"<doc></doc>") + @unittest.skipIf(pyexpat.version_info < (2, 6, 0), + f'Expat {pyexpat.version_info} does not ' + 'support reparse deferral') def test_flush_reparse_deferral_disabled(self): result = BytesIO() xmlgen = XMLGenerator(result) Index: Python-3.11.9/Lib/test/test_pyexpat.py =================================================================== --- Python-3.11.9.orig/Lib/test/test_pyexpat.py +++ Python-3.11.9/Lib/test/test_pyexpat.py @@ -794,6 +794,10 @@ class ReparseDeferralTest(unittest.TestC self.assertEqual(started, ['doc']) def test_reparse_deferral_disabled(self): + if expat.version_info < (2, 6, 0): + self.skipTest(f'Expat {expat.version_info} does not ' + 'support reparse deferral') + started = [] def start_element(name, _): ++++++ Python-3.11.8.tar.xz -> Python-3.11.9.tar.xz ++++++ /work/SRC/openSUSE:Factory/python311/Python-3.11.8.tar.xz /work/SRC/openSUSE:Factory/.python311.new.26366/Python-3.11.9.tar.xz differ: char 13, line 1
