commit python311 for openSUSE:Factory

Wed, 18 Sep 2024 06:26:50 -0700 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python311 for openSUSE:Factory 
checked in at 2024-09-18 15:25:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python311 (Old)
 and      /work/SRC/openSUSE:Factory/.python311.new.29891 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python311"

Wed Sep 18 15:25:57 2024 rev:40 rq:1199725 version:3.11.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/python311/python311.changes      2024-08-30 
13:25:46.293871008 +0200
+++ /work/SRC/openSUSE:Factory/.python311.new.29891/python311.changes   
2024-09-18 15:26:00.518656897 +0200
@@ -1,0 +2,91 @@
+Mon Sep  9 16:53:07 UTC 2024 - Matej Cepl <mc...@cepl.eu>
+
+- Update to 3.11.10:
+  - Security
+    - gh-123678: Upgrade libexpat to 2.6.3
+    - gh-121957: Fixed missing audit events around interactive
+      use of Python, now also properly firing for ``python -i``,
+      as well as for ``python -m asyncio``. The event in question
+      is ``cpython.run_stdin``.
+    - gh-122133: Authenticate the socket connection for the
+      ``socket.socketpair()`` fallback on platforms where
+      ``AF_UNIX`` is not available like Windows. Patch by
+      Gregory P. Smith <g...@krypto.org> and Seth Larson
+      <s...@python.org>. Reported by Ellie <e...@horse64.org>
+    - gh-121285: Remove backtracking from tarfile header parsing
+      for ``hdrcharset``, PAX, and GNU sparse headers
+      (bsc#1230227, CVE-2024-6232).
+    - gh-118486: :func:`os.mkdir` on Windows now accepts
+      *mode* of ``0o700`` to restrict the new directory to
+      the current user. This fixes CVE-2024-4030 affecting
+      :func:`tempfile.mkdtemp` in scenarios where the base
+      temporary directory is more permissive than the default.
+    - gh-116741: Update bundled libexpat to 2.6.2
+  - Library
+    - gh-123270: Applied a more surgical fix for malformed
+      payloads in :class:`zipfile.Path` causing infinite loops
+      (gh-122905) without breaking contents using legitimate
+      characters (bsc#1229704, CVE-2024-8088).
+    - gh-123067: Fix quadratic complexity in parsing ``"``-quoted
+      cookie values with backslashes by :mod:`http.cookies`
+      (bsc#1229596, CVE-2024-7592).
+    - gh-122905: :class:`zipfile.Path` objects now sanitize names
+      from the zipfile.
+    - gh-121650: :mod:`email` headers with embedded newlines are
+      now quoted on output. The :mod:`~email.generator` will now
+      refuse to serialize (write) headers that are unsafely folded
+      or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`.
+      (Contributed by Bas Bloemsaat and Petr Viktorin in
+      :gh:`121650`; CVE-2024-6923, bsc#1228780).
+    - gh-119506: Fix :meth:`!io.TextIOWrapper.write` method
+      breaks internal buffer when the method is called again
+      during flushing internal buffer.
+    - gh-118643: Fix an AttributeError in the :mod:`email` module
+      when re-fold a long address list. Also fix more cases of
+      incorrect encoding of the address separator in the address
+      list.
+    - gh-113171: Fixed various false positives and false
+      negatives in * :attr:`ipaddress.IPv4Address.is_private`
+      (see these docs for details) *
+      :attr:`ipaddress.IPv4Address.is_global` *
+      :attr:`ipaddress.IPv6Address.is_private` *
+      :attr:`ipaddress.IPv6Address.is_global` Also in the
+      corresponding :class:`ipaddress.IPv4Network` and
+      :class:`ipaddress.IPv6Network` attributes.
+      Fixes bsc#1226448 (CVE-2024-4032).
+    - gh-102988: :func:`email.utils.getaddresses` and
+      :func:`email.utils.parseaddr` now return ``('', '')``
+      2-tuples in more situations where invalid email addresses
+      are encountered instead of potentially inaccurate
+      values. Add optional *strict* parameter to these two
+      functions: use ``strict=False`` to get the old behavior,
+      accept malformed inputs. ``getattr(email.utils,
+      'supports_strict_parsing', False)`` can be use to check if
+      the *strict* paramater is available. Patch by Thomas Dwyer
+      and Victor Stinner to improve the CVE-2023-27043 fix
+      (bsc#1210638).
+    - gh-67693: Fix :func:`urllib.parse.urlunparse` and
+      :func:`urllib.parse.urlunsplit` for URIs with path starting
+      with multiple slashes and no authority. Based on patch by
+      Ashwin Ramaswami.
+  - Core and Builtins
+    - gh-112275: A deadlock involving ``pystate.c``'s
+      ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now
+      fixed. Patch by ChuBoning based on previous Python 3.12 fix
+      by Victor Stinner.
+    - gh-109120: Added handle of incorrect star expressions, e.g
+      ``f(3, *)``. Patch by Grigoryev Semyon
+- Removed upstreamed patches:
+  - CVE-2023-27043-email-parsing-errors.patch
+  - CVE-2024-4032-private-IP-addrs.patch
+  - CVE-2024-6923-email-hdr-inject.patch
+  - CVE-2024-8088-inf-loop-zipfile_Path.patch
+
+-------------------------------------------------------------------
+Mon Sep  2 09:44:26 UTC 2024 - Matej Cepl <mc...@cepl.eu>
+
+- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
+  failing test_sendfile_close_peer_in_the_middle_of_receiving
+  tests on Linux >= 6.10 (GH-120227).
+
+-------------------------------------------------------------------

Old:
----
  CVE-2023-27043-email-parsing-errors.patch
  CVE-2024-4032-private-IP-addrs.patch
  CVE-2024-6923-email-hdr-inject.patch
  CVE-2024-8088-inf-loop-zipfile_Path.patch
  Python-3.11.9.tar.xz
  Python-3.11.9.tar.xz.asc

New:
----
  Python-3.11.10.tar.xz
  Python-3.11.10.tar.xz.asc
  gh120226-fix-sendfile-test-kernel-610.patch

BETA DEBUG BEGIN:
  Old:- Removed upstreamed patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - CVE-2024-4032-private-IP-addrs.patch
  Old:  - CVE-2023-27043-email-parsing-errors.patch
  - CVE-2024-4032-private-IP-addrs.patch
  - CVE-2024-6923-email-hdr-inject.patch
  Old:  - CVE-2024-4032-private-IP-addrs.patch
  - CVE-2024-6923-email-hdr-inject.patch
  - CVE-2024-8088-inf-loop-zipfile_Path.patch
  Old:  - CVE-2024-6923-email-hdr-inject.patch
  - CVE-2024-8088-inf-loop-zipfile_Path.patch
BETA DEBUG END:

BETA DEBUG BEGIN:
  New:
- Add gh120226-fix-sendfile-test-kernel-610.patch to avoid
  failing test_sendfile_close_peer_in_the_middle_of_receiving
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python311.spec ++++++
--- /var/tmp/diff_new_pack.oHZlgG/_old  2024-09-18 15:26:03.974800789 +0200
+++ /var/tmp/diff_new_pack.oHZlgG/_new  2024-09-18 15:26:03.974800789 +0200
@@ -100,7 +100,7 @@
 %define dynlib() 
%{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.11.9
+Version:        3.11.10
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -164,10 +164,6 @@
 # PATCH-FIX-UPSTREAM skip_if_buildbot-extend.patch gh#python/cpython#103053 
mc...@suse.com
 # Skip test_freeze_simple_script
 Patch13:        skip_if_buildbot-extend.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 
mc...@suse.com
-# Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
-Patch14:        CVE-2023-27043-email-parsing-errors.patch
 # PATCH-FIX-UPSTREAM bsc1221260-test_asyncio-ResourceWarning.patch bsc#1221260 
mc...@suse.com
 # prevent ResourceWarning in test_asyncio tests
 Patch15:        bsc1221260-test_asyncio-ResourceWarning.patch
@@ -177,18 +173,12 @@
 # by SUSE
 Patch16:        CVE-2023-52425-libexpat-2.6.0-backport.patch
 Patch17:        CVE-2023-52425-remove-reparse_deferral-tests.patch
-# PATCH-FIX-UPSTREAM CVE-2024-4032-private-IP-addrs.patch bsc#1226448 
mc...@suse.com
-# rearrange definition of private v global IP addresses
-Patch18:        CVE-2024-4032-private-IP-addrs.patch
 # PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 
mc...@suse.com
 # reproducibility patches
 Patch19:        bso1227999-reproducible-builds.patch
-# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 
mc...@suse.com
-# prevent email header injection, patch from gh#python/cpython!122608
-Patch20:        CVE-2024-6923-email-hdr-inject.patch
-# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704 
mc...@suse.com
-# avoid denial of service in zipfile
-Patch21:        CVE-2024-8088-inf-loop-zipfile_Path.patch
+# PATCH-FIX-UPSTREAM gh120226-fix-sendfile-test-kernel-610.patch 
gh#python/cpython#120226 mc...@suse.com
+# Fix test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10 
(GH-120227)
+Patch22:        gh120226-fix-sendfile-test-kernel-610.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -446,14 +436,11 @@
 %patch -p1 -P 10
 %patch -p1 -P 11
 %patch -p1 -P 13
-%patch -p1 -P 14
 %patch -p1 -P 15
 %patch -p1 -P 16
 %patch -p1 -P 17
-%patch -p1 -P 18
 %patch -p1 -P 19
-%patch -p1 -P 20
-%patch -p1 -P 21
+%patch -p1 -P 22
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ Python-3.11.9.tar.xz -> Python-3.11.10.tar.xz ++++++
/work/SRC/openSUSE:Factory/python311/Python-3.11.9.tar.xz 
/work/SRC/openSUSE:Factory/.python311.new.29891/Python-3.11.10.tar.xz differ: 
char 13, line 1

++++++ fix_configure_rst.patch ++++++
--- /var/tmp/diff_new_pack.oHZlgG/_old  2024-09-18 15:26:04.210810615 +0200
+++ /var/tmp/diff_new_pack.oHZlgG/_new  2024-09-18 15:26:04.214810781 +0200
@@ -29,7 +29,7 @@
     Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -9768,7 +9768,7 @@ C API
+@@ -9774,7 +9774,7 @@ C API
  - bpo-40939: Removed documentation for the removed ``PyParser_*`` C API.
  
  - bpo-43795: The list in :ref:`limited-api-list` now shows the public name

++++++ gh120226-fix-sendfile-test-kernel-610.patch ++++++
>From 1b3f6523a5c83323cdc44031b33a1c062e5dc698 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry...@xry111.site>
Date: Fri, 7 Jun 2024 23:51:32 +0800
Subject: [PATCH] gh-120226: Fix
 test_sendfile_close_peer_in_the_middle_of_receiving on Linux >= 6.10
 (GH-120227)

The worst case is that the kernel buffers 17 pages with a page size of 64k.
(cherry picked from commit a7584245661102a5768c643fbd7db8395fd3c90e)

Co-authored-by: Xi Ruoyao <xry...@xry111.site>
---
 Lib/test/test_asyncio/test_sendfile.py |   11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

--- a/Lib/test/test_asyncio/test_sendfile.py
+++ b/Lib/test/test_asyncio/test_sendfile.py
@@ -93,13 +93,10 @@ class MyProto(asyncio.Protocol):
 
 class SendfileBase:
 
-    # 256 KiB plus small unaligned to buffer chunk
-    # Newer versions of Windows seems to have increased its internal
-    # buffer and tries to send as much of the data as it can as it
-    # has some form of buffering for this which is less than 256KiB
-    # on newer server versions and Windows 11.
-    # So DATA should be larger than 256 KiB to make this test reliable.
-    DATA = b"x" * (1024 * 256 + 1)
+    # Linux >= 6.10 seems buffering up to 17 pages of data.
+    # So DATA should be large enough to make this test reliable even with a
+    # 64 KiB page configuration.
+    DATA = b"x" * (1024 * 17 * 64 + 1)
     # Reduce socket buffer size to test on relative small data sets.
     BUF_SIZE = 4 * 1024   # 4 KiB

Reply via email to