| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: python38-devel | Distribution: openSUSE Tumbleweed |
| Version: 3.8.19 | Vendor: openSUSE |
| Release: 8.1 | Build date: Wed Aug 28 18:54:34 2024 |
| Group: Unspecified | Build host: reproducible |
| Size: 894507 | Source RPM: python38-core-3.8.19-8.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://www.python.org/ | |
| Summary: Include Files and Libraries Mandatory for Building Python Modules | |
The Python programming language's interpreter can be extended with dynamically loaded extensions and can be embedded in other programs. This package contains header files, a static library, and development tools for building Python modules, extending the Python interpreter or embedding Python in applications. This also includes the Python distutils, which were in the Python package up to version 2.2.2.
Python-2.0
* Wed Aug 28 2024 Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
malformed payload to cause infinite loops in zipfile.Path
(bsc#1229704, CVE-2024-8088).
* Thu Aug 08 2024 Matej Cepl <mcepl@cepl.eu>
- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999
adding reproducibility patches from gh#python/cpython!121872
and gh#python/cpython!121883.
- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
header injection due to unquoted newlines (bsc#1228780,
CVE-2024-6923).
- Add CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch removing
support for anything but OpenSSL 1.1.1 or newer (bsc#1227233,
CVE-2024-5642).
- %{profileopt} variable is set according to the variable
%{do_profiling} (bsc#1227999)
* Mon Jul 22 2024 Matej Cepl <mcepl@cepl.eu>
- Remove %suse_update_desktop_file macro as it is not useful any
more.
* Mon Jul 15 2024 Matej Cepl <mcepl@cepl.eu>
- Stop using %%defattr, it seems to be breaking proper executable
attributes on /usr/bin/ scripts (bsc#1227378).
* Tue Jun 25 2024 Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
* Fri Jun 21 2024 Matej Cepl <mcepl@cepl.eu>
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
condition in ssl.SSLContext certificate store methods.
* Sun Mar 24 2024 Matej Cepl <mcepl@cepl.eu>
- Add old-libexpat.patch making the test suite work with
libexpat < 2.6.0 (gh#python/cpython#117187).
* Thu Mar 21 2024 Matej Cepl <mcepl@cepl.eu>
- Update to 3.8.19:
- Security
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425, bsc#1219559) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115399: Update bundled libexpat to 2.6.0
- gh-113659: Skip .pth files with names starting with a dot
or hidden file attribute.
- Core and Builtins
- gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004
codecs read out of bounds
- Library
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the system’s proxy bypass list
on macOS and Windows.
- gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
- gh-81194: Fix a crash in socket.if_indextoname() with
specific value (UINT_MAX). Fix an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms.
- gh-109858: Protect zipfile from “quoted-overlap”
zipbomb. It now raises BadZipFile when try to read an entry
that overlaps with other entry or central directory
(CVE-2024-0450, bsc#1221854).
- gh-107077: Seems that in some conditions, OpenSSL will
return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL
when a certification verification has failed, but
the error parameters will still contain ERR_LIB_SSL
and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now
detecting this situation and raising the appropiate
ssl.SSLCertVerificationError. Patch by Pablo Galindo
- gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup,
which now no longer dereferences symlinks when working
around file system permission errors (CVE-2023-6597,
bsc#1219666).
- Documentation
- gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under
“XML vulnerabilities”.
- Tests
- gh-108310: SSL tests for pre-handshake close were
previously not enabled on Python 3.8 due to an incorrect
backport. This is now fixed. Patch by Lumír Balhar.
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- libexpat260.patch
- Refreshed patches:
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- F00102-lib64.patch
- F00251-change-user-install-location.patch
- python-3.3.0b1-localpath.patch
- skip_random_failing_tests.patch
- SUSE-FEDORA-multilib.patch
* Wed Mar 06 2024 Pedro Monreal <pmonreal@suse.com>
- Use the system-wide crypto-policies [bsc#1211301]
* Use the system default cipher list instead of hardcoded values
* Add the --with-ssl-default-suites=openssl configure option
* Fri Feb 23 2024 Matej Cepl <mcepl@suse.com>
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
* Tue Feb 20 2024 Matej Cepl <mcepl@cepl.eu>
- Remove double definition of /usr/bin/idle%%{version} in
%%files.
* Thu Feb 15 2024 Daniel Garcia <daniel.garcia@suse.com>
- Add upstream patch libexpat260.patch, Fix tests for XMLPullParser
with Expat 2.6.0, gh#python/cpython#115289
* Mon Dec 18 2023 Matej Cepl <mcepl@cepl.eu>
- Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- Thus we can remove Revert-gh105127-left-tests.patch, which is
now useless.
* Wed Sep 06 2023 Daniel Garcia <daniel.garcia@suse.com>
- Update to 3.8.18 (bsc#1214692):
- gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included
protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by
Gregory P. Smith.
- gh-107845: tarfile.data_filter() now takes the location of
symlinks into account when determining their target, so it will no
longer reject some valid tarballs with
LinkOutsideDestinationError.
- gh-107565: Update multissltests and GitHub CI workflows to use
OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
* Thu Aug 03 2023 Matej Cepl <mcepl@suse.com>
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API). (The patch is faulty,
gh#python/cpython#106669, but upstream decided not to just
revert it).
* Wed Jun 28 2023 Matej Cepl <mcepl@suse.com>
- Update to 3.8.17:
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
- CVE-2023-24329-blank-URL-bypass.patch
- CVE-2007-4559-filter-tarfile_extractall.patch
* Sat May 06 2023 Matej Cepl <mcepl@suse.com>
- Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
gh#python/cpython!99366), fixing bsc#1211158.
* Wed May 03 2023 Matej Cepl <mcepl@suse.com>
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
tarfile.extractall (PEP 706).
* Tue Apr 18 2023 Steve Kowalik <steven.kowalik@suse.com>
- Use python3 modules to build the documentation.
* Wed Mar 01 2023 Matej Cepl <mcepl@suse.com>
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
* Tue Feb 21 2023 Matej Cepl <mcepl@suse.com>
- Add provides for readline and sqlite3 to the main Python
package.
* Fri Jan 27 2023 Thorsten Kukuk <kukuk@suse.com>
- Disable NIS for new products, it's deprecated and gets removed
* Fri Jan 13 2023 Martin Liška <mliska@suse.cz>
- Suppress warnings for Sphinx 6.0+.
* Thu Dec 08 2022 Matej Cepl <mcepl@suse.com>
- Update to 3.8.16:
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server log.
This is done by changing the http.server
BaseHTTPRequestHandler .log_message method to replace control
characters with a \xHH hex escape before printing.
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a
name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Port XKCP’s fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- The deprecated mailcap module now refuses to inject
unsafe text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- Removed upstream patches:
- CVE-2022-37454-sha3-buffer-overflow.patch
- CVE-2022-45061-DoS-by-IDNA-decode.patch
* Wed Nov 09 2022 Matej Cepl <mcepl@suse.com>
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
extremely long domain names.
* Fri Oct 28 2022 Matej Cepl <mcepl@suse.com>
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
overflow in hashlib.sha3_* implementations (originally from the
XKCP library).
* Fri Oct 21 2022 Matej Cepl <mcepl@suse.com>
- Add 98437-sphinx.locale._-as-gettext-in-pyspecific.patch to
allow building of documentation with the latest Sphinx 5.3.0
(gh#python/cpython#98366).
* Thu Oct 20 2022 Daniel Garcia <daniel.garcia@suse.com>
- Add platlibdir-in-sys.patch to provide sys.platlibdir attribute. This is used
by python-setuptools in distutils.sysconfig.get_python_lib bsc#1204395
* Wed Oct 19 2022 Matej Cepl <mcepl@suse.com>
- Update to 3.8.15:
- Fix multiplying a list by an integer (list *= int): detect
the integer overflow when the new allocated length is close
to the maximum size.
- Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no
longer uses a shell to run openssl commands. (originally
filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option
with no value (invalid) when the PYTHONINTMAXSTRDIGITS
environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the
limit, mention the sys.set_int_max_str_digits() function in
the error message.
- Update bundled libexpat to 2.4.9
- Fixes a potential buffer overrun in msilib.
* Sun Sep 11 2022 Matej Cepl <mcepl@suse.com>
- Update to 3.8.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
- Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
0xMNN00PP0L.
- Removed upstreamed patches:
- CVE-2021-28861-double-slash-path.patch
- Readjusted patches:
- bpo-31046_ensurepip_honours_prefix.patch
- sphinx-update-removed-function.patch
* Sat Sep 03 2022 Matej Cepl <mcepl@suse.com>
- (bsc#1196784, CVE-2022-25236) Add patch
support-expat-CVE-2022-25236-patched.patch to allow working
with different versions of libexpat.
* Thu Sep 01 2022 Steve Kowalik <steven.kowalik@suse.com>
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
* Wed Aug 31 2022 Matej Cepl <mcepl@suse.com>
- Add bpo34990-2038-problem-compileall.patch making compileall.py
compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
backport of fix to Python 3.8.
- Add conditional for requiring rpm-build-python, so we should be
compilable on SLE/Leap.
* Thu Jul 21 2022 Matej Cepl <mcepl@suse.com>
- Switch from %primary_interpreter to prjconf-defined
%primary_python (gh#openSUSE/python-rpm-macros#127).
* Thu May 05 2022 Matej Cepl <mcepl@suse.com>
- Switch primary_interpreter from python38 to python310
* Sat Mar 26 2022 Matej Cepl <mcepl@suse.com>
- Update to 3.8.13:
Core and Builtins
bpo-46794: Bump up the libexpat version into 2.4.6
bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
bpo-46932: Update bundled libexpat to 2.4.7
bpo-46811: Make test suite support Expat >=2.4.5
bpo-46784: Fix libexpat symbols collisions with user
dynamically loaded or statically linked libexpat in embedded
Python.
bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
potential REDoS by limiting ambiguity in consecutive
whitespace.
bpo-44849: Fix the os.set_inheritable() function on FreeBSD
14 for file descriptor opened with the O_PATH flag: ignore
the EBADF error on ioctl(), fallback on the fcntl()
implementation.
bpo-41028: Language and version switchers, previously
maintained in every cpython branches, are now handled by
docsbuild-script.
bpo-45195: Fix test_readline.test_nonascii(): sometimes, the
newline character is not written at the end, so don’t
expect it in the output.
bpo-44949: Fix auto history tests of test_readline:
sometimes, the newline character is not written at the end,
so don’t expect it in the output.
bpo-45405: Prevent internal configure error when running
configure with recent versions of clang.
- Remove upstreamed patches:
- support-expat-245.patch
* Tue Feb 22 2022 Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-expat-245.patch:
* Support Expat >= 2.4.5
* Mon Nov 29 2021 Matej Cepl <mcepl@suse.com>
- Remove shebangs from from python-base libraries in _libdir
(bsc#1193179).
- Readjust patches:
- bpo-31046_ensurepip_honours_prefix.patch
- decimal.patch
- python-3.3.0b1-fix_date_time_compiler.patch
* Tue Oct 12 2021 Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
* Tue Aug 31 2021 Fusion Future <qydwhotmail@gmail.com>
- Update to 3.8.12
* Complete list of changes is available at
https://docs.python.org/release/3.8.12/whatsnew/changelog.html
* Security
- bpo-42278: Replaced usage of tempfile.mktemp() with
TemporaryDirectory to avoid a potential race condition.
- bpo-44394: Update the vendored copy of libexpat to 2.4.1
(from 2.2.8) to get the fix for the CVE-2013-0340 “Billion
Laughs” vulnerability. This copy is most used on Windows and
macOS.
- bpo-43124: Made the internal putcmd function in smtplib
sanitize input for presence of \r and \n characters to avoid
(unlikely) command injection.
- bpo-36384: ipaddress module no longer accepts any leading
zeros in IPv4 address strings. Leading zeros are ambiguous
and interpreted as octal notation by some libraries. For
example the legacy function socket.inet_aton() treats leading
zeros as octal notation. glibc implementation of modern
inet_pton() does not accept any leading zeros. For a while
the ipaddress module used to accept ambiguous leading zeros.
- Refreshed patch:
* decimal-3.8.patch
* Fri Aug 27 2021 Matej Cepl <mcepl@suse.com>
- Add decimal-3.8.patch to add building with --with-system-libmpdec
option (bsc#1189356).
* Thu Aug 26 2021 Andreas Schwab <schwab@suse.de>
- test_faulthandler is still problematic under qemu linux-user emulation,
disable it there
- Reenable profileopt with qemu emulation, test_faulthandler is no longer
run during profiling
* Tue Aug 10 2021 Fusion Future <qydwhotmail@gmail.com>
- Update to 3.8.11
* Security
- bpo-44022 (boo#1189241): mod:http.client now avoids
infinitely reading potential HTTP headers after a 100
Continue status response from the server.
- bpo-43882: The presence of newline or tab characters in parts
of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by
WHATWG urllib.parse() now removes ASCII newlines and tabs
from URLs, preventing such attacks.
- bpo-42800: Audit hooks are now fired for frame.f_code,
traceback.tb_frame, and generator code/frame attribute
access.
* Core and Builtins
- bpo-44070: No longer eagerly makes import filenames absolute,
except for extension modules, which was introduced in 3.8.10.
* Library
- bpo-44061: Fix regression in previous release when calling
pkgutil.iter_modules() with a list of pathlib.Path objects
* Mon Aug 02 2021 Matej Cepl <mcepl@suse.com>
- Use versioned python-Sphinx to avoid dependency on other
version of Python (bsc#1183858).
* Fri Jun 18 2021 Matej Cepl <mcepl@suse.com>
- Add bpo44426-complex-keyword-sphinx.patch allowing generating
documentation with Sphinx 4 (bpo#44426).
* Tue Jun 08 2021 Dirk Müller <dmueller@suse.com>
- allow building against sphinx 3.x+
* Fri May 21 2021 Matej Cepl <mcepl@suse.com>
- Stop providing "python" symbol (bsc#1185588), which means
python2 currently.
* Wed May 05 2021 Matej Cepl <mcepl@suse.com>
- Update to 3.8.10:
- Security
- bpo-43434: Creating a sqlite3.Connection object now also
produces a sqlite3.connect auditing event. Previously this
event was only produced by sqlite3.connect() calls. Patch
by Erlend E. Aasland.
- bpo-43472: Ensures interpreter-level audit hooks receive
the cpython.PyInterpreterState_New event when called
through the _xxsubinterpreters module.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS)
vulnerability in urllib.request.AbstractBasicAuthHandler.
The ReDoS-vulnerable regex has quadratic worst-case
complexity and it allows cause a denial of service when
identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the
HTTP server.
- Core and Builtins
- bpo-43105: Importlib now resolves relative paths when
creating module spec objects from file locations.
- bpo-42924: Fix bytearray repetition incorrectly copying
data from the start of the buffer, even if the data is
offset within the buffer (e.g. after reassigning a slice at
the start of the bytearray to a shorter byte string).
- Library
- bpo-43993: Update bundled pip to 21.1.1.
- bpo-43937: Fixed the turtle module working with non-default
root window.
- bpo-43930: Update bundled pip to 21.1 and setuptools to
56.0.0
- bpo-43920: OpenSSL 3.0.0: load_verify_locations() now
returns a consistent error message when cadata contains no
valid certificate.
- bpo-43607: urllib can now convert Windows paths with \\?\
prefixes into URL paths.
- bpo-43284: platform.win32_ver derives the windows version
from sys.getwindowsversion().platform_version which in turn
derives the version from kernel32.dll (which can be of
a different version than Windows itself). Therefore change
the platform.win32_ver to determine the version using the
platform module’s _syscmd_ver private function to return an
accurate version.
- bpo-42248: [Enum] ensure exceptions raised in _missing__
are released
- bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1
to suppress deprecation warnings. Python requires OpenSSL
1.1.1 APIs.
- bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants
(OpenSSL 3.0.0)
- bpo-43789: OpenSSL 3.0.0: Don’t call the password callback
function a second time when first call has signaled an
error condition.
- bpo-43788: The header files for ssl error codes are now
OpenSSL version-specific. Exceptions will now show correct
reason and library codes. The make_ssl_data.py script has
been rewritten to use OpenSSL’s text file with error codes.
- bpo-43655: tkinter dialog windows are now recognized as
dialogs by window managers on macOS and X Window.
- bpo-43534: turtle.textinput() and turtle.numinput() create
now a transient window working on behalf of the canvas
window.
- bpo-43522: Fix problem with hostname_checks_common_name.
OpenSSL does not copy hostflags from struct SSL_CTX to
struct SSL.
- bpo-42967: Allow bytes separator argument in
urllib.parse.parse_qs and urllib.parse.parse_qsl when
parsing str query strings. Previously, this raised
a TypeError.
- bpo-43176: Fixed processing of a dataclass that inherits
from a frozen dataclass with no fields. It is now correctly
detected as an error.
- bpo-34463: Fixed discrepancy between traceback and the
interpreter in formatting of SyntaxError with lineno not
set (traceback was changed to match interpreter).
- bpo-41735: Fix thread locks in zlib module may go wrong in
rare case. Patch by Ma Lin.
- bpo-26053: Fixed bug where the pdb interactive run command
echoed the args from the shell command line, even if those
have been overridden at the pdb prompt.
- bpo-36470: Fix dataclasses with InitVars and replace().
Patch by Claudiu Popa.
- bpo-28577: The hosts method on 32-bit prefix length
IPv4Networks and 128-bit prefix IPv6Networks now returns
a list containing the single Address instead of an empty
list.
- bpo-32745: Fix a regression in the handling of ctypes’
ctypes.c_wchar_p type: embedded null characters would cause
a ValueError to be raised. Patch by Zackery Spytz.
- Documentation
- bpo-43959: The documentation on the PyContextVar C-API was
clarified.
- bpo-43938: Update dataclasses documentation to express that
FrozenInstanceError is derived from AttributeError.
- bpo-43739: Fixing the example code in
Doc/extending/extending.rst to declare and initialize the
pmodule variable to be of the right type.
- Tests
- bpo-43842: Fix a race condition in the SMTP test of
test_logging. Don’t close a file descriptor (socket) from
a different thread while asyncore.loop() is polling the
file descriptor. Patch by Victor Stinner.
- bpo-43811: Tests multiple OpenSSL versions on GitHub
Actions. Use ccache to speed up testing.
- bpo-43791: OpenSSL 3.0.0: Disable testing of legacy
protocols TLS 1.0 and 1.1. Tests are failing with
TLSV1_ALERT_INTERNAL_ERROR.
- IDLE
- bpo-43655: IDLE dialog windows are now recognized as
dialogs by window managers on macOS and X Window.
- C API
- bpo-43962: _PyInterpreterState_IDIncref() now calls
_PyInterpreterState_IDInitref() and always increments
id_refcount. Previously, calling
_xxsubinterpreters.get_current() could create an
id_refcount inconsistency when
a _xxsubinterpreters.InterpreterID object was deallocated.
Patch by Victor Stinner.
- Reapplied patches:
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- F00102-lib64.patch
- SUSE-FEDORA-multilib.patch
- bpo-31046_ensurepip_honours_prefix.patch
- python-3.3.0b1-fix_date_time_compiler.patch
* Sun May 02 2021 Ben Greiner <code@bnavigator.de>
- Make sure to close the import_failed.map file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block.
* Wed Apr 28 2021 Matej Cepl <mcepl@suse.com>
- Update to 3.8.9:
- bpo#42988 (bsc#1183374) CVE-2021-3426: Remove the getfile
feature of the pydoc module which could be abused to read
arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
- bpo-43285: ftplib no longer trusts the IP address value
returned from the server in response to the PASV command by
default. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the
client network.
- Code that requires the former vulnerable behavior may set
a trust_server_pasv_ipv4_address attribute on their
ftplib.FTP instances to True to re-enable it.
- bpo-43439: Add audit hooks for gc.get_objects(),
gc.get_referrers() and gc.get_referents(). Patch by Pablo
Galindo.
- bpo-43660: Fix crash that happens when replacing sys.stderr
with a callable that can remove the object while an exception
is being printed. Patch by Pablo Galindo.
- bpo-35883: Python no longer fails at startup with a fatal
error if a command line argument contains an invalid Unicode
character. The Py_DecodeLocale() function now escapes byte
sequences which would be decoded as Unicode characters
outside the [U+0000; U+10ffff] range.
- bpo-43406: Fix a possible race condition where
PyErr_CheckSignals tries to execute a non-Python signal
handler.
- bpo-35930: Raising an exception raised in a “future” instance
will create reference cycles.
- bpo-43577: Fix deadlock when using ssl.SSLContext debug
callback with ssl.SSLContext.sni_callback().
- bpo-43423: subprocess.communicate() no longer raises an
IndexError when there is an empty stdout or stderr IO buffer
during a timeout on Windows.
- bpo-27820: Fixed long-standing bug of smtplib.SMTP where
doing AUTH LOGIN with initial_response_ok=False will fail.
The cause is that SMTP.auth_login _always_ returns a password
if provided with a challenge string, thus non-compliant with
the standard for AUTH LOGIN. Also fixes bug with the test for
smtpd.
- bpo-43399: Fix ElementTree.extend not working on iterators
when using the Python implementation
- bpo-43316: The python -m gzip command line application now
properly fails when detecting an unsupported extension. It
exits with a non-zero exit code and prints an error message
to stderr.
- bpo-43260: Fix TextIOWrapper can not flush internal buffer
forever after very large text is written.
- bpo-42782: Fail fast in shutil.move() to avoid creating
destination directories on failure.
- bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn
introduced in Python 3.7.
- bpo-43199: Answer “Why is there no goto?” in the Design and
History FAQ.
- bpo-43407: Clarified that a result from time.monotonic(),
time.perf_counter(), time.process_time(), or
time.thread_time() can be compared with the result from any
following call to the same function - not just the next
immediate call.
- bpo-27646: Clarify that ‘yield from <expr>’ works with any
iterable, not just iterators.
- bpo-36346: Update some deprecated unicode APIs which are
documented as “will be removed in 4.0” to “3.12”. See PEP 623
for detail.
- bpo-37945: Fix test_getsetlocale_issue1813() of test_locale:
skip the test if setlocale() fails. Patch by Victor Stinner.
- bpo-41561: Add workaround for Ubuntu’s custom OpenSSL
security level policy.
- bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.
- bpo-43617: Improve configure.ac: Check for presence of
autoconf-archive package and remove our copies of M4 macros.
- bpo-41837: Update macOS installer build to use OpenSSL
1.1.1j.
- bpo-42225: Document that IDLE can fail on Unix either from
misconfigured IP masquerage rules or failure displaying
complex colored (non-ascii) characters.
- bpo-43283: Document why printing to IDLE’s Shell is often
slower than printing to a system terminal and that it can be
made faster by pre-formatting a single string before
printing.
* Fri Feb 19 2021 Matej Cepl <mcepl@suse.com>
- Update to 3.8.8:
- bpo#42938 (bsc#1181126): Avoid static buffers when computing
the repr of ctypes.c_double and ctypes.c_longdouble
values. This issue was assigned CVE-2021-3177.
- bpo#42967 (bsc#1182379): Fix web cache poisoning
vulnerability by defaulting the query args separator to &,
and allowing the user to choose a custom separator. This
issue was assigned CVE-2021-23336.
- Remove bsc1167501-invalid-alignment.patch and
CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch, which were included
into the upstream tarball.
* Tue Feb 09 2021 Steve Kowalik <steven.kowalik@suse.com>
- Add Obsoletes for python3-base when primary interpreter is set to
properly replace it during upgrades. (bsc#1181324)
* Fri Feb 05 2021 Ben Greiner <code@bnavigator.de>
- Provide %have_<flavor> for all python flavors
gh#openSUSE/python-rpm-macros#96
- Add %python3_default and %default_python3 for the primary python3
flavor
* Fri Jan 29 2021 Matej Cepl <mcepl@suse.com>
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
* Tue Jan 05 2021 Matej Cepl <mcepl@suse.com>
- (bsc#1180125) We really don't Require python-rpm-macros package.
Unnecessary dependency.
/usr/bin/python3.8-config /usr/include/python3.8 /usr/include/python3.8/Python-ast.h /usr/include/python3.8/Python.h /usr/include/python3.8/abstract.h /usr/include/python3.8/asdl.h /usr/include/python3.8/ast.h /usr/include/python3.8/bitset.h /usr/include/python3.8/bltinmodule.h /usr/include/python3.8/boolobject.h /usr/include/python3.8/bytearrayobject.h /usr/include/python3.8/bytes_methods.h /usr/include/python3.8/bytesobject.h /usr/include/python3.8/cellobject.h /usr/include/python3.8/ceval.h /usr/include/python3.8/classobject.h /usr/include/python3.8/code.h /usr/include/python3.8/codecs.h /usr/include/python3.8/compile.h /usr/include/python3.8/complexobject.h /usr/include/python3.8/context.h /usr/include/python3.8/cpython /usr/include/python3.8/cpython/abstract.h /usr/include/python3.8/cpython/dictobject.h /usr/include/python3.8/cpython/fileobject.h /usr/include/python3.8/cpython/initconfig.h /usr/include/python3.8/cpython/interpreteridobject.h /usr/include/python3.8/cpython/object.h /usr/include/python3.8/cpython/objimpl.h /usr/include/python3.8/cpython/pyerrors.h /usr/include/python3.8/cpython/pylifecycle.h /usr/include/python3.8/cpython/pymem.h /usr/include/python3.8/cpython/pystate.h /usr/include/python3.8/cpython/sysmodule.h /usr/include/python3.8/cpython/traceback.h /usr/include/python3.8/cpython/tupleobject.h /usr/include/python3.8/cpython/unicodeobject.h /usr/include/python3.8/datetime.h /usr/include/python3.8/descrobject.h /usr/include/python3.8/dictobject.h /usr/include/python3.8/dtoa.h /usr/include/python3.8/dynamic_annotations.h /usr/include/python3.8/enumobject.h /usr/include/python3.8/errcode.h /usr/include/python3.8/eval.h /usr/include/python3.8/fileobject.h /usr/include/python3.8/fileutils.h /usr/include/python3.8/floatobject.h /usr/include/python3.8/frameobject.h /usr/include/python3.8/funcobject.h /usr/include/python3.8/genobject.h /usr/include/python3.8/graminit.h /usr/include/python3.8/grammar.h /usr/include/python3.8/import.h /usr/include/python3.8/internal /usr/include/python3.8/internal/pycore_accu.h /usr/include/python3.8/internal/pycore_atomic.h /usr/include/python3.8/internal/pycore_ceval.h /usr/include/python3.8/internal/pycore_code.h /usr/include/python3.8/internal/pycore_condvar.h /usr/include/python3.8/internal/pycore_context.h /usr/include/python3.8/internal/pycore_fileutils.h /usr/include/python3.8/internal/pycore_getopt.h /usr/include/python3.8/internal/pycore_gil.h /usr/include/python3.8/internal/pycore_hamt.h /usr/include/python3.8/internal/pycore_initconfig.h /usr/include/python3.8/internal/pycore_long.h /usr/include/python3.8/internal/pycore_object.h /usr/include/python3.8/internal/pycore_pathconfig.h /usr/include/python3.8/internal/pycore_pyerrors.h /usr/include/python3.8/internal/pycore_pyhash.h /usr/include/python3.8/internal/pycore_pylifecycle.h /usr/include/python3.8/internal/pycore_pymem.h /usr/include/python3.8/internal/pycore_pystate.h /usr/include/python3.8/internal/pycore_traceback.h /usr/include/python3.8/internal/pycore_tupleobject.h /usr/include/python3.8/internal/pycore_warnings.h /usr/include/python3.8/interpreteridobject.h /usr/include/python3.8/intrcheck.h /usr/include/python3.8/iterobject.h /usr/include/python3.8/listobject.h /usr/include/python3.8/longintrepr.h /usr/include/python3.8/longobject.h /usr/include/python3.8/marshal.h /usr/include/python3.8/memoryobject.h /usr/include/python3.8/methodobject.h /usr/include/python3.8/modsupport.h /usr/include/python3.8/moduleobject.h /usr/include/python3.8/namespaceobject.h /usr/include/python3.8/node.h /usr/include/python3.8/object.h /usr/include/python3.8/objimpl.h /usr/include/python3.8/odictobject.h /usr/include/python3.8/opcode.h /usr/include/python3.8/osdefs.h /usr/include/python3.8/osmodule.h /usr/include/python3.8/parsetok.h /usr/include/python3.8/patchlevel.h /usr/include/python3.8/picklebufobject.h /usr/include/python3.8/py_curses.h /usr/include/python3.8/pyarena.h /usr/include/python3.8/pycapsule.h /usr/include/python3.8/pyconfig.h /usr/include/python3.8/pyctype.h /usr/include/python3.8/pydebug.h /usr/include/python3.8/pydtrace.h /usr/include/python3.8/pyerrors.h /usr/include/python3.8/pyexpat.h /usr/include/python3.8/pyfpe.h /usr/include/python3.8/pyhash.h /usr/include/python3.8/pylifecycle.h /usr/include/python3.8/pymacconfig.h /usr/include/python3.8/pymacro.h /usr/include/python3.8/pymath.h /usr/include/python3.8/pymem.h /usr/include/python3.8/pyport.h /usr/include/python3.8/pystate.h /usr/include/python3.8/pystrcmp.h /usr/include/python3.8/pystrhex.h /usr/include/python3.8/pystrtod.h /usr/include/python3.8/pythonrun.h /usr/include/python3.8/pythread.h /usr/include/python3.8/pytime.h /usr/include/python3.8/rangeobject.h /usr/include/python3.8/setobject.h /usr/include/python3.8/sliceobject.h /usr/include/python3.8/structmember.h /usr/include/python3.8/structseq.h /usr/include/python3.8/symtable.h /usr/include/python3.8/sysmodule.h /usr/include/python3.8/token.h /usr/include/python3.8/traceback.h /usr/include/python3.8/tracemalloc.h /usr/include/python3.8/tupleobject.h /usr/include/python3.8/typeslots.h /usr/include/python3.8/ucnhash.h /usr/include/python3.8/unicodeobject.h /usr/include/python3.8/warnings.h /usr/include/python3.8/weakrefobject.h /usr/lib/libpython3.8.so /usr/lib/pkgconfig/python-3.8-embed.pc /usr/lib/pkgconfig/python-3.8.pc /usr/lib/python3.8/config-3.8-i386-linux-gnu /usr/lib/python3.8/config-3.8-i386-linux-gnu/Makefile /usr/lib/python3.8/config-3.8-i386-linux-gnu/Setup /usr/lib/python3.8/config-3.8-i386-linux-gnu/Setup.local /usr/lib/python3.8/config-3.8-i386-linux-gnu/config.c /usr/lib/python3.8/config-3.8-i386-linux-gnu/config.c.in /usr/lib/python3.8/config-3.8-i386-linux-gnu/install-sh /usr/lib/python3.8/config-3.8-i386-linux-gnu/libpython3.8.so /usr/lib/python3.8/config-3.8-i386-linux-gnu/makesetup /usr/lib/python3.8/config-3.8-i386-linux-gnu/python-config.py /usr/lib/python3.8/config-3.8-i386-linux-gnu/python.o /usr/share/gdb /usr/share/gdb/auto-load /usr/share/gdb/auto-load/usr /usr/share/gdb/auto-load/usr/lib /usr/share/gdb/auto-load/usr/lib/libpython3.8.so.1.0-gdb.py
Generated by rpm2html 1.8.1
Fabrice Bellet, Mon Sep 16 00:42:55 2024