Changelog for python36-base-3.6.15-56.1.x86_64.rpm :
* Tue May 07 2024 Matej Cepl
- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109, gh#python/cpython!16557) fixes syslog making default "ident" from sys.argv[0].
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses feature sniffing, not just comparing version number (bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075).
- Remove support-expat-CVE-2022-25236-patched.patch, which was the previous name of this patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping failing tests.
- Refresh patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch
* Thu Apr 25 2024 Matej Cepl
- bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016).
- Add bh42369-thread-safety-zipfile-SharedFile.patch (from gh#python/cpython!26974) required by the previous patch.
- Add expat-260-test_xml_etree-reparse-deferral.patch to make the interpreter work with patched libexpat in our distros.
- Move all patches from locally sourced to the opensuse-3.6 branch at the GitHub repo, and move all metadata to the commits themselves (readable in the headers of each patch).
- Add bpo-41675-modernize-siginterrupt.patch to make Python build cleanly even on more recent SPs of SLE-15 (gh#python/cpython#85841).
- Remove patches:
  - bpo36263-Fix_hashlib_scrypt.patch - fix against bug in OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this patch is redundant on all SUSE-supported distros
  - python-3.3.0b1-test-posix_fadvise.patch - protection against the kernel issues which have been fixed in gh#torvalds/linux@3d3727cdb07f, which has been included in all our kernels more recent than SLE-11.
  - python-3.3.3-skip-distutils-test_sysconfig_module.patch - skips a test, which should be relevant only for testing on Mac OS X systems with universal builds. I have no valid record that this test would ever be problematic on Linux.
  - bpo-36576-skip_tests_for_OpenSSL-111.patch, which was included already in Python 3.5.
* Fri Feb 23 2024 Matej Cepl
- (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into skip_SSL_tests.patch, and make them include all conditionals.
* Mon Dec 18 2023 Matej Cepl
- Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
* Mon Sep 11 2023 Daniel Garcia
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217)
* Sat May 06 2023 Matej Cepl
- Add 99366-patch.dict-can-decorate-async.patch fixing gh#python/cpython#98086 (backport from Python 3.10 patch in gh#python/cpython!99366), fixing bsc#1211158.
* Wed May 03 2023 Matej Cepl
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706).
* Tue Apr 18 2023 Steve Kowalik
- Use python3 modules to build the documentation.
* Wed Mar 15 2023 Matej Cepl
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch which eliminates unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355).
* Wed Mar 01 2023 Matej Cepl
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471): blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters.
* Wed Feb 22 2023 Matej Cepl
- Add bpo27321-email-no-replace-header.patch to stop email.generator.py from replacing a non-existent header (bsc#1208443, gh#python/cpython#71508).
* Thu Nov 17 2022 Matej Cepl
- Add bsc1188607-pythreadstate_clear-decref.patch to fix crash in the garbage collection (bsc#1188607).
* Wed Nov 09 2022 Matej Cepl
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names.
* Fri Oct 28 2022 Matej Cepl
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517), buffer overflow in hashlib.sha3_* implementations (originally from the XKCP library).
* Fri Sep 16 2022 Matej Cepl
- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix CVE-2020-10735 (bsc#1203125) to limit amount of digits converting text to int and vice versa (potential for DoS). Originally by Victor Stinner of Red Hat.
* Thu Sep 01 2022 Steve Kowalik
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
* Thu Jun 09 2022 Matej Cepl
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command injection in the mailcap module.
- Rename support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch to unify the patch with other packages.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests on s390x.
* Sat Feb 26 2022 Matej Cepl
- Update bundled pip wheel to the latest SLE version patched against bsc#1186819 (CVE-2021-3572).
* Tue Feb 22 2022 Steve Kowalik
- Add patch support-expat-245.patch:
  * Support Expat >= 2.4.5
* Fri Feb 04 2022 Matej Cepl
- Rename 22198.patch into more descriptive remove-sphinx40-warning.patch.
* Thu Dec 16 2021 Matej Cepl
- Don't use appstream-glib on SLE-12.
- Use Python 2-based Sphinx on SLE-12.
- No documentation on SLE-12.
- Add skip_SSL_tests.patch skipping tests because of patched OpenSSL (bpo#9425).
* Thu Dec 09 2021 Matej Cepl
- Don't use OpenSSL 1.1 on platforms which don't have it.
* Mon Nov 29 2021 Matej Cepl
- Remove shebangs from python-base libraries in _libdir (bsc#1193179, bsc#1192249).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch
* Sat Nov 27 2021 Dirk Müller
- build against openssl 1.1 as it is incompatible with openssl 3.0+ (bsc#1190566)
* Wed Nov 03 2021 Andreas Schwab
- 0001-allow-for-reproducible-builds-of-python-packages.patch: ignore permission error when changing the mtime of the source file in presence of SOURCE_DATE_EPOCH
* Wed Oct 27 2021 Matej Cepl
- The previous construct works only on the current Factory, not in SLE.
* Wed Oct 13 2021 Dominique Leuenberger
- BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python in automatically when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation.
* Wed Oct 06 2021 Matej Cepl
- Due to conflicting demands of bsc#1183858 and platforms where Python 3.6 is only in the interpreter+pip set, we have to make a complicated ugly construct about the Sphinx BR.
* Thu Sep 23 2021 Matej Cepl
- Make python36 primary interpreter on SLE-15
* Thu Sep 23 2021 Matej Cepl
- Make build working even on older SLEs.
* Wed Sep 15 2021 Matej Cepl
- Update to 3.6.15:
  - bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.
  * Library
  - bpo-45001: Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. Patch by Wouter Bolsterlee.
  * Tests
  - bpo-38965: Fix test_faulthandler on GCC 10. Use the "volatile" keyword in faulthandler._stack_overflow() to prevent tail call optimization on any compiler, rather than relying on compiler specific pragma.
  - bpo-40791: Make compare_digest more constant-time (bsc#1214691, CVE-2022-48566).
- Remove upstreamed patches:
  - faulthandler_stack_overflow_on_GCC10.patch
* Thu Aug 26 2021 Andreas Schwab
- test_faulthandler is still problematic under qemu linux-user emulation, disable it there
* Tue Aug 10 2021 Fusion Future
- Update to 3.6.14:
  * Security
  - bpo-44022 (bsc#1189241, CVE-2021-3737): http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
  - bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
  - bpo-42988 (CVE-2021-3426, bsc#1183374): Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  - bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  - bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
- Upstreamed patches were removed:
  - CVE-2021-3426-inf-disclosure-pydoc-getfile.patch
  - CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch
- Refreshed patches:
  - python3-sorted_tar.patch
  - riscv64-ctypes.patch
* Mon Jul 26 2021 Matej Cepl
- Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).
* Tue Jul 20 2021 Matej Cepl
- Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).
* Fri Jul 16 2021 Matej Cepl
- Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).
* Tue Jun 08 2021 Dirk Müller
- add 22198.patch to build with Sphinx 4
* Fri May 21 2021 Matej Cepl
- Stop providing "python" symbol (bsc#1185588), which means python2 currently.
* Sun May 02 2021 Ben Greiner
- Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block.
* Tue Apr 27 2021 Matej Cepl
- Add CVE-2021-3426-inf-disclosure-pydoc-getfile.patch to remove getfile feature from pydoc, which is a security nightmare (among other things, CVE-2021-3426, allows disclosure of any file on the system; bsc#1183374, bpo#42988).
* Fri Feb 19 2021 Matej Cepl
- Update to 3.6.13, final release of 3.6 branch:
  * Security
  - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
  - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
  - bpo#42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
  - bpo#42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
  - bpo#40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
  * Core and Builtins
  - bpo#35560: Fix an assertion error in format() in debug build for floating point formatting with "n" format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.
  * Library
  - bpo#42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
  * Tests
  - bpo#42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
  - bpo#41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
- Patches removed, because they were included in the upstream tarball:
  - CVE-2020-27619-no-eval-http-content.patch
  - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
* Fri Jan 29 2021 Matej Cepl
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution.
* Wed Jan 27 2021 Matej Cepl
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
* Tue Jan 05 2021 Matej Cepl
- (bsc#1180125) We really don't Require python-rpm-macros package. Unnecessary dependency.
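Two of the urllib.parse hardenings listed in the 3.6.14 and 3.6.13 entries above (bpo-43882, removal of ASCII newlines and tabs from URLs, and bpo#42967 / CVE-2021-23336, the query-argument separator defaulting to "&") are worth seeing on concrete input. The following is an added example written for this page, not code from the python36 package or from CPython; it uses only the standard library, runs on a current CPython that carries both fixes, and the URLs and query strings are constructed samples. The has_ambiguous_separator() helper is a hypothetical defender-side check that emulates the pre-fix ";"-splitting behaviour to flag queries a "&"-only cache and a ";"-aware application would parse differently.

```python
"""Added example (not from the package or upstream changelog): exercise the
urllib.parse fixes referenced in the changelog, bpo-43882 (ASCII newline/tab
removal in URLs, 3.6.14) and bpo#42967 / CVE-2021-23336 (query-string
separator defaults to '&', 3.6.13), on constructed inputs."""
from urllib.parse import parse_qs, urlsplit


def split_url(url):
    """Return (netloc, path) as a patched urllib.parse sees the URL.

    Since bpo-43882 urlsplit() removes ASCII TAB, CR and LF before parsing,
    so an embedded control character can no longer make the host and path
    come out differently from what a WHATWG-conformant consumer sees."""
    parts = urlsplit(url)
    return parts.netloc, parts.path


def parse_query(qs, separator="&"):
    """Return the dict parse_qs() produces after bpo#42967.

    Only '&' separates pairs by default; a ';' stays inside the value, so the
    application no longer sees keys that a '&'-only web cache did not see.
    Callers that really need ';' must opt in with separator=';'."""
    return parse_qs(qs, separator=separator)


def has_ambiguous_separator(qs):
    """Hypothetical defensive check (not part of urllib.parse).

    True when the query would be parsed differently by a '&'-only parser
    (how caching proxies commonly key their cache) and by the legacy
    parse_qs() behaviour that split on both '&' and ';'. The legacy result is
    emulated by rewriting ';' to '&' before a strict '&' parse."""
    strict = parse_qs(qs, separator="&", keep_blank_values=True)
    legacy = parse_qs(qs.replace(";", "&"), separator="&", keep_blank_values=True)
    return strict != legacy


if __name__ == "__main__":
    # Constructed sample URL with an embedded LF in the host and TAB in the path
    print(split_url("http://exam\nple.com/pa\tth?q=1"))   # ('example.com', '/path')
    print(parse_query("a=1;b=2"))                           # {'a': ['1;b=2']}
    print(parse_query("a=1;b=2", separator=";"))            # {'a': ['1'], 'b': ['2']}
    print(has_ambiguous_separator("a=1&b=2"))               # False
    print(has_ambiguous_separator("a=1;b=2"))               # True
```

The check is the useful part for operators of a cache in front of a Python application: any request whose query string makes has_ambiguous_separator() return True is one where the cache key and the application's view of the parameters could diverge, which is exactly the condition the default change closes.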