|
|
|
|
Changelog for python3-devel-3.6.10-lp151.6.24.1.x86_64.rpm :
* Mon Jul 20 2020 Matej Cepl - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch. * Thu Jun 25 2020 Matej Cepl - Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and IPv6Interface could lead to DOS. * Tue Mar 10 2020 Matej Cepl - Change name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). * Sat Feb 08 2020 Matej Cepl - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674)- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug \"Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)\" (bsc#1162367) * Sat Feb 08 2020 Matej Cepl - Add Requires: libpython%{so_version} == %{version}-%{release} to python3-base to keep both packages always synchronized (bsc#1162224). * Mon Feb 03 2020 Tomáš Chvátal - Reame idle icons to idle3 in order to not conflict with python2 variant of the package bsc#1165894 * renamed the icons * renamed icon load in desktop file * Tue Jan 28 2020 Matej Cepl - Add pep538_coerce_legacy_c_locale.patch to coerce locale to C.UTF-8 always (bsc#1162423). * Thu Dec 19 2019 Matej Cepl - Update to 3.6.10 (still in line with jsc#SLE-9426, jsc#SLE-9427, bsc#1159035): - Security: - bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. - bpo-37228: Due to significant security concerns, the reuse_address parameter of asyncio.loop.create_datagram_endpoint() is no longer supported. This is because of the behavior of SO_REUSEADDR in UDP. For more details, see the documentation for loop.create_datagram_endpoint(). (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.) - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller. - bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (Contributed by Dong-hee Na in bpo-38243.) - bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903. - bpo-37461: Fix an infinite loop when parsing specially crafted email headers. Patch by Abhilash Raj. - bpo-34155: Fix parsing of invalid email addresses with more than one AATT (e.g. aAATTbAATTc.com.) to not return the part before 2nd AATT as valid email address. Patch by maxking & jpic. - Library: - bpo-38216: Allow the rare code that wants to send invalid http requests from the http.client library a way to do so. The fixes for bpo-30458 led to breakage for some projects that were relying on this ability to test their own behavior in the face of bad requests. - bpo-36564: Fix infinite loop in email header folding logic that would be triggered when an email policy’s max_line_length is not long enough to include the required markup and any values in the message. Patch by Paul Ganssle- Remove patches included in the upstream tarball: - CVE-2019-16935-xmlrpc-doc-server_title.patch - CVE-2019-16056-email-parse-addr.patch- Move idle subpackage build from python3-base to python3 (bsc#1159622). appstream-glib required for packaging introduces considerable extra dependencies and a build loop via rust/librsvg.- Correct installation of idle IDE icons: + idle.png is not the target directory + non-GNOME-specific icons belong into icons/hicolor- Add required Name key to idle3 desktop file * Thu Dec 12 2019 Matej Cepl - Unify all Python 3.6 * SLE packages into one (jsc#SLE-9426, jsc#SLE-9427, bsc#1159035) - Patches which were already included upstream: - CVE-2018-1061-DOS-via-regexp-difflib.patch - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch * Tue Oct 22 2019 Matej Cepl - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py * Thu Sep 19 2019 Matej Cepl - Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes bsc#1149792- Add bpo36263-Fix_hashlib_scrypt.patch which works around bsc#1151490 * Mon Sep 16 2019 Matej Cepl - Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parses email addresses [bsc#1149955, bnc#1149955, CVE-2019-16056] * Mon Sep 09 2019 Matej Cepl - jsc#PM-1350 bsc#1149121 Update python3 to the last version of the 3.6 line. This is just a bugfix release with no changes in functionality.- The following patches were included in the upstream release as so they can be removed in the package: - CVE-2018-20852-cookie-domain-check.patch - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2019-10160-netloc-port-regression.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - CVE-2019-9947-no-ctrl-char-http.patch- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been reapplied on the upstream base without changing any functionality.- Add patch aarch64-prolong-timeout.patch to fix failing test_utime_current_old test. * Wed Jul 24 2019 Matej Cepl - FAKE RECORD FROM SLE-12 CHANNEL Apply \"CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch\" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] * Wed Jul 24 2019 Matej Cepl - FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623. * Fri Jul 19 2019 Matej Cepl - boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server. * Wed Jul 03 2019 Matej Cepl - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes regression introduced by the previous patch. (CVE-2019-10160) Upstream gh#python/cpython#13812 * Wed Jun 12 2019 Matej Cepl - FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate files with python3 * packages (https://fate.suse.com/327309) * Tue Jun 11 2019 Matej Cepl - bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to handle situation when the SIGINT signal is ignored or not handled * Tue Apr 30 2019 Matej Cepl - Update to 3.6.8: - bugfixes only - removed patches (subsumed in the upstream tarball): - CVE-2018-20406-pickle_LONG_BINPUT.patch - refreshed patches: - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - Python-3.0b1-record-rpm.patch - python-3.3.0b1-fix_date_time_compiler.patch - python-3.3.0b1-test-posix_fadvise.patch - python-3.3.3-skip-distutils-test_sysconfig_module.patch - python-3.6.0-multilib-new.patch - python3-sorted_tar.patch - subprocess-raise-timeout.patch - switch off LTO and PGO optimization (bsc#1133452)- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised. * Tue Apr 09 2019 Matej Cepl - bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``AATT``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. (CVE-2019-9636) Upstream gh#python/cpython#12224 * Mon Jan 21 2019 Matěj Cepl - bsc#1120644 add CVE-2018-20406-pickle_LONG_BINPUT.patch fixing bpo#34656 Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. * Sat Jan 19 2019 mceplAATTsuse.com- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch fixing bpo-35746. An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. * Mon Sep 03 2018 Matěj Cepl - Add -fwrapv to OPTS, which is default for python3 anyway See for example https://github.com/zopefoundation/persistent/issues/86 for bugs which are caused by avoiding it. (bsc#1107030) * Fri Jun 29 2018 mceplAATTsuse.com- Apply \"CVE-2018-1061-DOS-via-regexp-difflib.patch\" to prevent low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS (CVE-2018-1061). Prior to this patch mail server\'s timestamp was susceptible to catastrophic backtracking on long evil response from the server. Also, it was susceptible to catastrophic backtracking, which was a potential DOS vector. [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060] * Tue Apr 17 2018 tchvatalAATTsuse.com- As we run in main python package do not generate the pre_checkin from both now * Mon Apr 16 2018 tchvatalAATTsuse.com- Move the tests from base to generic package wrt bsc#1088573 * We still fail the whole distro if python3 is not build * The other archs than x86_64 took couple of hours to unblock build of other software, this way we work around the issue- Some tests are still run in -base for the LTO tweaking, but at least it is not run twice * Sat Mar 31 2018 mimi.vxAATTgmail.com- update to 3.6.5 * bugfix release * see Misc/NEWS for details- drop ctypes-pass-by-value.patch- drop fix-localeconv-encoding-for-LC_NUMERIC.patch- refresh python-3.6.0-multilib-new.patch * Tue Mar 13 2018 psimonsAATTsuse.com- Apply \"python-3.6-CVE-2017-18207.patch\" to add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this check, attackers could cause a denial of service (divide-by-zero error and application crash) via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] * Wed Mar 07 2018 adamAATTmizerski.pl- Created %so_major and %so_minor macros- Put Tools/gdb/libpython.py script into proper place and ship it with devel subpackage. * Tue Feb 20 2018 schwabAATTsuse.de- ctypes-pass-by-value.patch: Fix pass by value for structs on aarch64 * Tue Feb 20 2018 bwiedemannAATTsuse.com- Add python3-sorted_tar.patch (boo#1081750, bsc#1086001) * Wed Feb 07 2018 tchvatalAATTsuse.com- Add patch to fix glibc 2.27 fail bsc#1079761: * fix-localeconv-encoding-for-LC_NUMERIC.patch * Wed Jan 24 2018 jmatejekAATTsuse.com- move XML modules and python3-xml provide to python3-base (fixes bsc#1077230)- move ensurepip to base * Thu Jan 18 2018 normandAATTlinux.vnet.ibm.com- Add skip_random_failing_tests.patch only for PowerPC * Wed Jan 03 2018 jmatejekAATTsuse.com- update to 3.6.4 * bugfix release, over a hundred bugs fixed * see Misc/NEWS for details- drop upstreamed python3-ncurses-6.0-accessors.patch- drop PYTHONSTARTUP hooks that cause spurious startup errors * fixes bsc#1070738 * the relevant feature (REPL history) is now built into Python itself * Sat Dec 02 2017 dimstarAATTopensuse.org- Install 2to3-%{python_version} executable (override defattr of the -tools package). 2to3 (unversioned) is a symlink and does not carry permissions (bsc#1070853). * Thu Nov 16 2017 mimi.vxAATTgmail.com- move 2to3 to python3-tools package * Wed Oct 11 2017 jmatejekAATTsuse.com- update to 3.6.3 * bugfix release, over a hundred bugs fixed * see Misc/NEWS for details- drop upstreamed 0001-3.6-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3093.patch * Wed Sep 20 2017 dmuellerAATTsuse.com- drop python-2.7-libffi-aarch64.patch: this patches the intree copy of libffi which is unused/deleted in the line afterwards- fix build against system libffi: include flags weren\'t set so it actually used the in-tree libffi headers. * Thu Sep 14 2017 vcizekAATTsuse.com- Fix test broken with OpenSSL 1.1 (bsc#1042670) * add 0001-3.6-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3093.patch * Thu Aug 31 2017 schwabAATTsuse.de- fix missing %{?armsuffix} * Wed Aug 30 2017 jmatejekAATTsuse.com- distutils-reproducible-compile.patch: ensure distutils order files before compiling, which works around bsc#1049186 * Thu Aug 17 2017 kukukAATTsuse.de- Add libnsl-devel build requires for glibc obsoleting libnsl * Thu Aug 03 2017 jmatejekAATTsuse.com- update to 3.6.2 * bugfix release, over a hundred bugs fixed * see Misc/NEWS for details- drop upstreamed test-socket-aead-kernel49.patch- add Provides: python3-typing (fixes bsc#1050653)- drop duplicate Provides: python3 * Tue Jun 20 2017 asnAATTcryptomilk.org- Add missing link to python library in config dir (bsc#1040164) * Thu Mar 23 2017 jmatejekAATTsuse.com- update to 3.6.1 * bugfix release, over a hundred bugs fixed * never add import location\'s parent directory to sys.path * switch to git for version control, build changes related to that * fix \"failed to get random numbers\" on old kernels (bsc#1029902) * several crashes and memory leaks corrected * f-string are no longer accepted as docstrings * Mon Mar 13 2017 jmatejekAATTsuse.com- prevent regenerating AST at build-time more robustly- add \"--without profileopt\" and \"--without testsuite\" options to python3-base to allow short circuiting when working on the package * Wed Mar 01 2017 jmatejekAATTsuse.com- FAKE RECORD FROM SLE-12 CHANNEL update to 3.4.6 (bsc#1027282): * fixed potential crash in PyUnicode_AsDecodedObject() in debug build * fixed possible DoS and arbitrary execution in gettext plurals * fix possible use of uninitialized memory in operator.methodcaller * fix possible Py_DECREF on unowned object in _sre * fix possible integer overflow in _csv module * prevent HTTPoxy attack (CVE-2016-1000110) * fix selectors incorrectly retaining invalid fds- drop upstreamed python-3.4-CVE-2016-1000110-fix.patch- move _elementtree to python3.rpm to match its pyexpat dependency (bsc#1029377) * Sat Feb 25 2017 bwiedemannAATTsuse.com- Add 0001-allow-for-reproducible-builds-of-python-packages.patch upstream https://github.com/python/cpython/pull/296 * Wed Feb 08 2017 jmatejekAATTsuse.com- reenable test_socket with AEAD patch (test-socket-aead-kernel49.patch)- reintroduce %py3_soflags macro (and better named %cpython3_soabi equivalent) * Wed Jan 11 2017 jmatejekAATTsuse.com- update to 3.6.0 * PEP 498 Formated string literals * PEP 515 Underscores in numeric literals * PEP 526 Syntax for variable annotations * PEP 525 Asynchronous generators * PEP 530 Asynchronous comprehensions * PEP 506 New \"secrets\" module for safe key generation * less memory consumed by dicts * dtrace and systemtap support * improved asyncio module * better defaults for ssl * new hashing algorithms in hashlib * bytecode format changed to allow more optimizations * \"async\" and \"await\" are on track to be reserved words * StopIteration from generators is deprecated * support for openssl < 1.0.2 is deprecated * os.urandom now blocks when getrandom() blocks * huge number of new features, bugfixes and optimizations * see https://docs.python.org/3.6/whatsnew/3.6.html for details- rework multilib patch: drop Python-3.5.0-multilib.patch, implement upstreamable python-3.6.0-multilib-new.patch- refresh python-3.3.0b1-localpath.patch, subprocess-raise-timeout.patch- drop upstreamed Python-3.5.1-fix_lru_cache_copying.patch- finally drop python-2.6b1-canonicalize2.patch that was not applied in source and only kept around in case we needed it in the future. (which we don\'t, as it seems)- update import_failed map and baselibs- build ctypes against system libffi (buildrequire libffi-devel in python3-base)- add new key to keyring (signed by keys already in keyring)- introduced common configure section between python3 and python3-base- moved pyconfig.h and Makefile to devel subpackage as distutils no longer need it at runtime- added python-rpm-macros dependency, regenerated macros file, drop macros.python3.py because it is not used now- improve summaries and descriptions (fixes bsc#917607)- enabled Link-Time Optimization, see what happens- including skipped_tests.py in pre_checkin.sh run- run specs through spec-cleaner, rearrange sections * Sat Aug 06 2016 hpjAATTurpla.net- FAKE RECORD FROM SLE-12 CHANNEL apply fix for CVE-2016-1000110 - CGIHandler: sets environmental variable based on user supplied Proxy request header: python-3.4-CVE-2016-1000110-fix.patch (fixes bsc#989523, CVE-2016-1000110)- refresh python3-urllib-prefer-lowercase-proxies.patch * Sun Jul 03 2016 hpjAATTurpla.net- FAKE RECORD FROM SLE-12 CHANNEL update to 3.4.5 check: https://docs.python.org/3.4/whatsnew/changelog.html (fixes bsc#984751, CVE-2016-0772) (fixes bsc#985177, CVE-2016-5636) (fixes bsc#985348, CVE-2016-5699)- drop upstreamed werror-declaration-after-statement.patch * Tue Jun 14 2016 hpjAATTurpla.net- FAKE RECORD FROM SLE-12 CHANNEL Due to being fixed upstream (differently), removed outdated patch CVE-2014-4650-CGIHTTPServer-traversal.patch (bsc#983582) * Fri Apr 22 2016 jmatejekAATTsuse.com- move _hashlib and _ssl modules and tests to python3-base- recommend python3 * Mon Mar 07 2016 toddrme2178AATTgmail.com- Add Python-3.5.1-fix_lru_cache_copying.patch Fix copying the lru_cache() wrapper object. Fixes deep-copying lru_cache regression, which worked on previous versions of python but fails on python 3.5. This fixes a bunch of packages in devel:languages:python3. See: https://bugs.python.org/issue25447 * Wed Dec 09 2015 toddrme2178AATTgmail.com- update to 3.5.1 * bugfix-only release, dozens of bugs fixed- Drop upstreamed Python-3.5.0-_Py_atomic_xxx-symbols.patch- \"Python3\" to \"Python 3\" in summary * This seems cleaner and fixes and rpmlint warning * Fri Oct 23 2015 jmatejekAATTsuse.com- FAKE RECORD FROM SLE-12 CHANNEL Issue #21121: Don\'t force 3rd party C extensions to be built with -Werror=declaration-after-statement. (werror-declaration-after-statement.patch, bsc#951166) * Wed Oct 14 2015 toddrme2178AATTgmail.com- Add Python-3.5.0-_Py_atomic_xxx-symbols.patch This fixes a build error for many packages that use the Python, C-API. This patch is already accepted upstream and is slated to appear in python 3.5.1. * Tue Sep 29 2015 jmatejekAATTsuse.com- update to 3.5.0 * coroutines with async/await syntax * matrix multiplication operator `AATT` * unpacking generalizations * new modules `typing` and `zipapp` * type annotations * .pyo files replaced by custom suffixes for optimization levels in __pycache__ * support for memory BIO in ssl module * performance improvements in several modules * and many more- removals and behavior changes * deprecated `__version__` is removed * support for .pyo files was removed * system calls are auto-retried on EINTR * bare generator expressions in function calls now cause SyntaxError (change \"f(x for x in i)\" to \"f((x for x in i))\" to fix) * removed undocumented `format` member of private `PyMemoryViewObject` struct * renamed `PyMemAllocator` to `PyMemAllocatorEx`- redefine %dynlib macro to reflect that modules now have arch+os as part of name- module `time` is now built-in- dropped upstreamed patches: python-3.4.1-fix-faulthandler.patch python-3.4.3-test-conditional-ssl.patch python-fix-short-dh.patch (also dropped dh2048.pem required for this patch)- updated patch Python-3.3.0b2-multilib.patch to Python-3.5.0-multilib.patch- python-ncurses-6.0-accessors.patch taken from python 2 to fix build failure with new gcc + ncurses * Wed Sep 09 2015 dimstarAATTopensuse.org- Add python3-ncurses-6.0-accessors.patch: Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1. * Mon Aug 24 2015 jmatejekAATTsuse.com- improve import_failed hook to do the right thing when invoking missing modules with \"python3 -m modulename\" (boo#942751) * Thu Jul 23 2015 fisiuAATTopensuse.org- Build with --enable-loadable-sqlite-extensions to make it works as geospatial database. * Wed Jun 24 2015 meissnerAATTsuse.com- dh2048.pem: added generated 2048 dh parameter set to fix ssl test (bsc#935856)- python-fix-short-dh.patch: replace the 512 bits dh parameter set by 2048 bits to fix build with new openssl 1.0.2c (bsc#935856) * Tue May 19 2015 schwabAATTsuse.de- ctypes-libffi-aarch64.patch: remove upstreamed patch- python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for aarch64 * Thu May 14 2015 jmatejekAATTsuse.com- python-3.4.3-test-conditional-ssl.patch - restore tests failing because test_urllib was unconditionally importing ssl (without really needing it)- restore functionality of multilib patch- drop libffi-ppc64le.diff because upstream completely changed everything yet again (sorry ppc64 folks :| ) * Fri May 01 2015 mailaenderAATTopensuse.org- Update to version 3.4.3- Drop upstreamed CVE-2014-4650-CGIHTTPServer-traversal.patch (bpo#21766) * Wed Mar 25 2015 rguentherAATTsuse.com- Add python-3.4.1-fix-faulthandler.patch, upstream patch for bogus faulthandler which fails with GCC 5. * Sun Jan 11 2015 p.drouandAATTgmail.com- asyncio has been merged in python3 main package; provide and obsolete it- Remove obsolete AUTHORS section- Remove redundant %clean section * Mon Oct 13 2014 jmatejekAATTsuse.com- add %python3_version rpm macro for Fedora compatibility- add missing argument in import_failed, rename Novell Bugzilla to SUSE Bugzilla
|
|
|