Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20251229

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  neon (0.35.0 -> 0.36.0)
  openSUSE-release (20251228 -> 20251229)
  python-Twisted
  python311
  python311-core
  python313 (3.13.9 -> 3.13.11)
  python313-core (3.13.9 -> 3.13.11)

=== Details ===

==== neon ====
Version update (0.35.0 -> 0.36.0)

- update to 0.36.0:
  * Interface changes:
  - API and ABI backwards-compatible with 0.27.x and later
  * New interfaces and features:
  - ne_xml.h: add ne_xml_set_encoding()
  - ne_xmlreq.h: add ne_xml_dispatchif_request(); this and
    ne_xml_dispatch_request() both invoke ne_xml_set_encoding()
    with the charset= from the Content-Type, if present
  - ne_request.h: add ne_read_response_to_buffer()
  - ne_basic.h: add ne_getbuf()
  * Bug fixes:
  - fix ne_simple_request() failures on non-207 XML responses
  - invoke the notifier callback again at the end of a chunked
    response
  - fix a failure case where a proxy connection could get
    reused after SSL proxy tunnel setup failed at the proxy
  - fix ne_sock_* OpenSSL 3.4 error handling on Windows (#213)
  - ne_get_content_type() updated for RFC 7303: default
    charset for text/ media types is removed
  * Various documentation updates.

==== openSUSE-release ====
Version update (20251228 -> 20251229)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== python-Twisted ====
Subpackages: python311-Twisted python311-Twisted-tls

- Add createElement.patch to fix tests with fixed python interpreters

==== python311 ====
Subpackages: python311-curses python311-dbm

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, using
  Content-Length by default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch to prevent
  quadratic behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch to protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

==== python311-core ====
Subpackages: libpython3_11-1_0 python311-base

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, using
  Content-Length by default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch to prevent
  quadratic behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch to protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

==== python313 ====
Version update (3.13.9 -> 3.13.11)
Subpackages: python313-curses python313-dbm python313-tk

- Update to 3.13.11:
  - gh-142145: Remove quadratic behavior in xml.minidom node ID
    cache clearing (CVE-2025-12084, bsc#1254997).
  - gh-119451: Fix a potential memory denial of service in the
    http.client module. When connecting to a malicious server,
    it could cause an arbitrary amount of memory to be
    allocated. This could have led to symptoms including
    a MemoryError, swapping, out of memory (OOM) killed
    processes or containers, or even system crashes
    (bsc#1254400, CVE-2025-13836).
  - gh-119452: Fix a potential memory denial of service in the
    http.server module. When a malicious user is connected to
    the CGI server on Windows, it could cause an arbitrary
    amount of memory to be allocated. This could have led to
    symptoms including a MemoryError, swapping, out of memory
    (OOM) killed processes or containers, or even system
    crashes.
- Library
  - gh-140797: Revert changes to the undocumented re.Scanner
    class. Capturing groups are still allowed for backward
    compatibility, although using them can lead to incorrect
    results. They will be forbidden in future Python versions.
  - gh-142206: The resource tracker in the multiprocessing
    module now uses the original communication protocol, as in
    Python 3.14.0 and below, by default. This avoids issues
    with upgrading Python while it is running. (Note that such
    ‘in-place’ upgrades are not tested.) The tracker remains
    compatible with subprocesses that use the new protocol (that
    is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
  - gh-142218: Fix crash when inserting into a split table
    dictionary with a non-str key that matches an existing key.
- Update to 3.13.10:
- Tools/Demos
  - gh-141442: The iOS testbed now correctly handles test
    arguments that contain spaces.
- Tests
  - gh-140482: Preserve and restore the state of stty echo as
    part of the test environment.
  - gh-140082: Update python -m test to set FORCE_COLOR=1 when
    being run with color enabled so that unittest which is run
    by it with redirected output will output in color.
  - gh-136442: Use exitcode 1 instead of 5 if
    unittest.TestCase.setUpClass() raises an exception
- Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible
    data” if there are no bytes prepended to the ZIP file.
    (CVE-2025-8291, bsc#1251305)
  - gh-137836: Add support of the “plaintext” element, RAWTEXT
    elements “xmp”, “iframe”, “noembed” and “noframes”, and
    optionally RAWTEXT element “noscript” in
    html.parser.HTMLParser.
  - gh-136063: email.message: ensure linear complexity for
    legacy HTTP parameters parsing. Patch by Bénédikt Tran.
  - gh-136065: Fix quadratic complexity in
    os.path.expandvars() (CVE-2025-6075, bsc#1252974).
  - gh-119342: Fix a potential memory denial of service in the
    plistlib module. When reading a Plist file received from an
    untrusted source, it could cause an arbitrary amount of
    memory to be allocated. This could have led to symptoms
    including a MemoryError, swapping, out of memory (OOM)
    killed processes or containers, or even system crashes
    (CVE-2025-13837, bsc#1254401).
- Library
  - gh-74389: When the stdin being used by a subprocess.Popen
    instance is closed, this is now ignored in
    subprocess.Popen.communicate() instead of leaving the class
    in an inconsistent state.
  - gh-87512: Fix subprocess.Popen.communicate() timeout
    handling on Windows when writing large input. Previously,
    the timeout was ignored during stdin writing, causing the
    method to block indefinitely if the child process did not
    consume input quickly. The stdin write is now performed in
    a background thread, allowing the timeout to be properly
    enforced.
  - gh-141473: When subprocess.Popen.communicate() was called
    with input and a timeout and is called for a second time
    after a TimeoutExpired exception before the process has
    died, it should no longer hang.
  - gh-59000: Fix pdb breakpoint resolution for class methods
    when the module defining the class is not imported.
  - gh-141570: Support file-like object raising OSError from
    fileno() in color detection (_colorize.can_colorize()).
    This can occur when sys.stdout is redirected.
  - gh-141659: Fix bad file descriptor errors from
    _posixsubprocess on AIX.
  - gh-141497: ipaddress: ensure that the methods
    IPv4Network.hosts() and IPv6Network.hosts() always return
    an iterator.
  - gh-140938: The statistics.stdev() and statistics.pstdev()
    functions now raise a ValueError when the input contains an
    infinity or a NaN.
  - gh-124111: Updated Tcl threading configuration in _tkinter
    to assume that threads are always available in Tcl 9 and
    later.
  - gh-137109: The os.fork and related forking APIs will no
    longer warn in the common case where Linux or macOS
    platform APIs return the number of threads in a process and
    ... changelog too long, skipping 192 lines ...
  - CVE-2025-6075-expandvars-perf-degrad.patch

==== python313-core ====
Version update (3.13.9 -> 3.13.11)
Subpackages: libpython3_13-1_0 python313-base python313-devel

- Update to 3.13.11:
  - gh-142145: Remove quadratic behavior in xml.minidom node ID
    cache clearing (CVE-2025-12084, bsc#1254997).
  - gh-119451: Fix a potential memory denial of service in the
    http.client module. When connecting to a malicious server,
    it could cause an arbitrary amount of memory to be
    allocated. This could have led to symptoms including
    a MemoryError, swapping, out of memory (OOM) killed
    processes or containers, or even system crashes
    (bsc#1254400, CVE-2025-13836).
  - gh-119452: Fix a potential memory denial of service in the
    http.server module. When a malicious user is connected to
    the CGI server on Windows, it could cause an arbitrary
    amount of memory to be allocated. This could have led to
    symptoms including a MemoryError, swapping, out of memory
    (OOM) killed processes or containers, or even system
    crashes.
- Library
  - gh-140797: Revert changes to the undocumented re.Scanner
    class. Capturing groups are still allowed for backward
    compatibility, although using them can lead to incorrect
    results. They will be forbidden in future Python versions.
  - gh-142206: The resource tracker in the multiprocessing
    module now uses the original communication protocol, as in
    Python 3.14.0 and below, by default. This avoids issues
    with upgrading Python while it is running. (Note that such
    ‘in-place’ upgrades are not tested.) The tracker remains
    compatible with subprocesses that use the new protocol (that
    is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
  - gh-142218: Fix crash when inserting into a split table
    dictionary with a non-str key that matches an existing key.
- Update to 3.13.10:
- Tools/Demos
  - gh-141442: The iOS testbed now correctly handles test
    arguments that contain spaces.
- Tests
  - gh-140482: Preserve and restore the state of stty echo as
    part of the test environment.
  - gh-140082: Update python -m test to set FORCE_COLOR=1 when
    being run with color enabled so that unittest which is run
    by it with redirected output will output in color.
  - gh-136442: Use exitcode 1 instead of 5 if
    unittest.TestCase.setUpClass() raises an exception
- Security
  - gh-139700: Check consistency of the zip64 end of central
    directory record. Support records with “zip64 extensible
    data” if there are no bytes prepended to the ZIP file.
    (CVE-2025-8291, bsc#1251305)
  - gh-137836: Add support of the “plaintext” element, RAWTEXT
    elements “xmp”, “iframe”, “noembed” and “noframes”, and
    optionally RAWTEXT element “noscript” in
    html.parser.HTMLParser.
  - gh-136063: email.message: ensure linear complexity for
    legacy HTTP parameters parsing. Patch by Bénédikt Tran.
  - gh-136065: Fix quadratic complexity in
    os.path.expandvars() (CVE-2025-6075, bsc#1252974).
  - gh-119342: Fix a potential memory denial of service in the
    plistlib module. When reading a Plist file received from an
    untrusted source, it could cause an arbitrary amount of
    memory to be allocated. This could have led to symptoms
    including a MemoryError, swapping, out of memory (OOM)
    killed processes or containers, or even system crashes
    (CVE-2025-13837, bsc#1254401).
- Library
  - gh-74389: When the stdin being used by a subprocess.Popen
    instance is closed, this is now ignored in
    subprocess.Popen.communicate() instead of leaving the class
    in an inconsistent state.
  - gh-87512: Fix subprocess.Popen.communicate() timeout
    handling on Windows when writing large input. Previously,
    the timeout was ignored during stdin writing, causing the
    method to block indefinitely if the child process did not
    consume input quickly. The stdin write is now performed in
    a background thread, allowing the timeout to be properly
    enforced.
  - gh-141473: When subprocess.Popen.communicate() was called
    with input and a timeout and is called for a second time
    after a TimeoutExpired exception before the process has
    died, it should no longer hang.
  - gh-59000: Fix pdb breakpoint resolution for class methods
    when the module defining the class is not imported.
  - gh-141570: Support file-like object raising OSError from
    fileno() in color detection (_colorize.can_colorize()).
    This can occur when sys.stdout is redirected.
  - gh-141659: Fix bad file descriptor errors from
    _posixsubprocess on AIX.
  - gh-141497: ipaddress: ensure that the methods
    IPv4Network.hosts() and IPv6Network.hosts() always return
    an iterator.
  - gh-140938: The statistics.stdev() and statistics.pstdev()
    functions now raise a ValueError when the input contains an
    infinity or a NaN.
  - gh-124111: Updated Tcl threading configuration in _tkinter
    to assume that threads are always available in Tcl 9 and
    later.
  - gh-137109: The os.fork and related forking APIs will no
    longer warn in the common case where Linux or macOS
    platform APIs return the number of threads in a process and
    ... changelog too long, skipping 192 lines ...
  - CVE-2025-6075-expandvars-perf-degrad.patch

