|
|
|
|
Changelog for python3-tools-3.6.15-1.134.x86_64.rpm :
* Sun Nov 28 2021 Johannes Engel - Remove CVE-2021-3426-inf-disclosure-pydoc-getfile.patch- Remove faulthandler_stack_overflow_on_GCC10.patch- Update to 3.6.15 * Security + bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server. + bpo-43882 Remove ASCII newlines and tabs from URLs + bpo-43285 ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. + bpo-43075 Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. + bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. + bpo-43124 Made the internal putcmd function in smtplib sanitize input for presence of \\r and \ characters to avoid (unlikely) command injection. + bpo-45001: Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. * Sun May 02 2021 Ben Greiner - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. * Tue Apr 27 2021 Matej Cepl - Add CVE-2021-3426-inf-disclosure-pydoc-getfile.patch to remove getfile feature from pydoc, which is a security nightmare (among other things, CVE-2021-3426, allows disclosure of any file on the system; bsc#1183374, bpo#42988). * Fri Feb 19 2021 Matej Cepl Update to 3.6.13, final release of 3.6 branch: * Security - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. - bpo#42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. - bpo#42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files. - bpo#40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely. * Core and Builtins - bpo#35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan. * Library - bpo#42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases). * Tests - bpo#42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na. - bpo#41944: Tests for CJK codecs no longer call eval() on content received via HTTP.- Patches removed, because they were included in the upstream tarball: - CVE-2020-27619-no-eval-http-content.patch - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch * Mon Feb 08 2021 Matej Cepl - Resync with python36 Factory package.- Make this %primary_interpreter * Fri Jan 29 2021 Matej Cepl - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution. * Wed Jan 27 2021 Matej Cepl - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). * Mon Dec 28 2020 Marcus Meissner - readd --with-fpectl (bsc#1180377) * Mon Dec 07 2020 Matej Cepl - Adjust sphinx-update-removed-function.patch * Sat Dec 05 2020 Matej Cepl - (bsc#1179630) Update sphinx-update-removed-function.patch to work with all versions of Sphinx (not binding the Python documentation build to the latest verison of Sphinx). Updated version mentioned on gh#python/cpython#13236. * Tue Dec 01 2020 Matej Cepl - Add CVE-2020-27619-no-eval-http-content.patch fixing CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. * Tue Dec 01 2020 Steve Kowalik - Add patch sphinx-update-removed-function.patch to no longer call a now removed function (gh#python/cpython#13236). As a consequence, no longer pin Sphinx version. * Fri Nov 27 2020 Markéta Machová - Pin Sphinx version to fix doc subpackage * Wed Nov 25 2020 Matej Cepl - Change setuptools and pip version numbers according to new wheels (bsc#1179756).- Add ignore_pip_deprec_warn.patch to switch of persistently failing test. * Tue Nov 24 2020 Matej Cepl - Replace bundled wheels for pip and setuptools with the updated ones (bsc#1176262 CVE-2019-20916). * Tue Oct 13 2020 Marketa Calabkova - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)- Rebase bpo23395-PyErr_SetInterrupt-signal.patch * Fri Oct 09 2020 Dominique Leuenberger - Fix build with RPM 4.16: error: bare words are no longer supported, please use \"...\": x86 == ppc. * Fri Oct 09 2020 Matej Cepl - Fix installing .desktop file * Fri Sep 25 2020 Dominique Leuenberger - Buildrequire timezone only for general flavor. It\'s used in this flavor for the test suite. * Wed Sep 02 2020 Matej Cepl - Add faulthandler_stack_overflow_on_GCC10.patch to make build working even with GCC10 (bpo#38965). * Tue Sep 01 2020 Matej Cepl - Just cleanup and reordering items to synchronize with python38 * Mon Aug 31 2020 Tomáš Chvátal - Format with spec-cleaner * Fri Aug 21 2020 Andreas Schwab - riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv (#6655)- riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK (GH-11694)- Update list of tests to exclude under qemu linux-user * Thu Aug 20 2020 Marketa Calabkova - Update the python keyring- Correct libpython name * Thu Aug 20 2020 Marketa Calabkova - Drop patches which are not mentioned in spec: * CVE-2019-5010-null-defer-x509-cert-DOS.patch * F00102-lib64.patch * F00251-change-user-install-location.patch * OBS_dev-shm.patch * SUSE-FEDORA-multilib.patch * bpo-31046_ensurepip_honours_prefix.patch * bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch * bpo36302-sort-module-sources.patch * bpo40784-Fix-sqlite3-deterministic-test.patch * bsc1167501-invalid-alignment.patch * python3-imp-returntype.patch- Working around missing python-packaging dependency in python-Sphinx (bsc#1174571) is not necessary anymore. * Wed Aug 19 2020 Marketa Calabkova - Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module- Drop merged fixtures: * CVE-2020-14422-ipaddress-hash-collision.patch * CVE-2019-20907_tarfile-inf-loop.patch * recursion.tar- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). * Mon Jul 20 2020 Matej Cepl - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch. * Fri Jul 17 2020 Marketa Calabkova - Make library names internally consistent * Fri Jul 17 2020 Tomáš Chvátal - Disable profile optimalizations as they deadlock in test_faulthandler * Fri Jul 17 2020 Tomáš Chvátal - Disable lto as it causes mess and works with 3.7 onwards only * Fri Jul 17 2020 Tomáš Chvátal - Sync the test disablements from the python3 in sle15 * Fri Jul 17 2020 Tomáš Chvátal - Update to 3.6.11: - bpo-39073: Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - bpo-38576 (bsc#1155094): Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. - bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. - bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch * Wed Jul 15 2020 Tomáš Chvátal - Fix minor issues found in the staging. * Wed Jul 15 2020 Tomáš Chvátal - Do not set ourselves as a primary interpreter * Thu Jun 25 2020 Matej Cepl - Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and IPv6Interface could lead to DOS. * Tue Mar 10 2020 Matej Cepl - Change name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). * Sat Feb 08 2020 Matej Cepl - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674)- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug \"Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)\" (bsc#1162367) * Sat Feb 08 2020 Matej Cepl - Add Requires: libpython%{so_version} == %{version}-%{release} to python3-base to keep both packages always synchronized (bsc#1162224). * Mon Feb 03 2020 Tomáš Chvátal - Reame idle icons to idle3 in order to not conflict with python2 variant of the package bsc#1165894 * renamed the icons * renamed icon load in desktop file * Tue Jan 28 2020 Matej Cepl - Add pep538_coerce_legacy_c_locale.patch to coerce locale to C.UTF-8 always (bsc#1162423). * Thu Dec 19 2019 Matej Cepl - Update to 3.6.10 (still in line with jsc#SLE-9426, jsc#SLE-9427, bsc#1159035): - Security: - bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. - bpo-37228: Due to significant security concerns, the reuse_address parameter of asyncio.loop.create_datagram_endpoint() is no longer supported. This is because of the behavior of SO_REUSEADDR in UDP. For more details, see the documentation for loop.create_datagram_endpoint(). (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.) - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller. - bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (Contributed by Dong-hee Na in bpo-38243.) - bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903. - bpo-37461: Fix an infinite loop when parsing specially crafted email headers. Patch by Abhilash Raj. - bpo-34155: Fix parsing of invalid email addresses with more than one AATT (e.g. aAATTbAATTc.com.) to not return the part before 2nd AATT as valid email address. Patch by maxking & jpic. - Library: - bpo-38216: Allow the rare code that wants to send invalid http requests from the http.client library a way to do so. The fixes for bpo-30458 led to breakage for some projects that were relying on this ability to test their own behavior in the face of bad requests. - bpo-36564: Fix infinite loop in email header folding logic that would be triggered when an email policy’s max_line_length is not long enough to include the required markup and any values in the message. Patch by Paul Ganssle- Remove patches included in the upstream tarball: - CVE-2019-16935-xmlrpc-doc-server_title.patch (and also bpo37614-race_test_docxmlrpc_srv_setup.patch, which was resolving bsc#1174701). - CVE-2019-16056-email-parse-addr.patch- Move idle subpackage build from python3-base to python3 (bsc#1159622). appstream-glib required for packaging introduces considerable extra dependencies and a build loop via rust/librsvg.- Correct installation of idle IDE icons: + idle.png is not the target directory + non-GNOME-specific icons belong into icons/hicolor- Add required Name key to idle3 desktop file * Thu Dec 12 2019 Matej Cepl - Unify all Python 3.6 * SLE packages into one (jsc#SLE-9426, jsc#SLE-9427, bsc#1159035) - Patches which were already included upstream: - CVE-2018-1061-DOS-via-regexp-difflib.patch - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch * Tue Oct 22 2019 Matej Cepl - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py * Thu Sep 19 2019 Matej Cepl - Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes bsc#1149792- Add bpo36263-Fix_hashlib_scrypt.patch which works around bsc#1151490 * Mon Sep 16 2019 Matej Cepl - Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parses email addresses [bsc#1149955, bnc#1149955, CVE-2019-16056] * Mon Sep 09 2019 Matej Cepl - jsc#PM-1350 bsc#1149121 Update python3 to the last version of the 3.6 line. This is just a bugfix release with no changes in functionality.- The following patches were included in the upstream release as so they can be removed in the package: - CVE-2018-20852-cookie-domain-check.patch - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2019-10160-netloc-port-regression.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - CVE-2019-9947-no-ctrl-char-http.patch- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been reapplied on the upstream base without changing any functionality.- Add patch aarch64-prolong-timeout.patch to fix failing test_utime_current_old test. * Wed Jul 24 2019 Matej Cepl - FAKE RECORD FROM SLE-12 CHANNEL Apply \"CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch\" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] * Wed Jul 24 2019 Matej Cepl - FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623. * Fri Jul 19 2019 Matej Cepl - boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server. * Wed Jul 03 2019 Matej Cepl - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes regression introduced by the previous patch. (CVE-2019-10160) Upstream gh#python/cpython#13812 * Wed Jun 12 2019 Matej Cepl - FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate files with python3 * packages (https://fate.suse.com/327309) * Tue Jun 11 2019 Matej Cepl - bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to handle situation when the SIGINT signal is ignored or not handled * Tue Apr 30 2019 Matej Cepl - Update to 3.6.8: - bugfixes only - removed patches (subsumed in the upstream tarball): - CVE-2018-20406-pickle_LONG_BINPUT.patch - refreshed patches: - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - Python-3.0b1-record-rpm.patch - python-3.3.0b1-fix_date_time_compiler.patch - python-3.3.0b1-test-posix_fadvise.patch - python-3.3.3-skip-distutils-test_sysconfig_module.patch - python-3.6.0-multilib-new.patch - python3-sorted_tar.patch - subprocess-raise-timeout.patch - switch off LTO and PGO optimization (bsc#1133452)- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised. * Tue Apr 09 2019 Matej Cepl - bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``AATT``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. (CVE-2019-9636) Upstream gh#python/cpython#12224 * Mon Jan 21 2019 Matěj Cepl - bsc#1120644 add CVE-2018-20406-pickle_LONG_BINPUT.patch fixing bpo#34656 Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. * Sat Jan 19 2019 mceplAATTsuse.com- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch fixing bpo-35746. An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
|
|
|