Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python315 for openSUSE:Factory checked in at 2026-01-30 18:22:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python315 (Old) and /work/SRC/openSUSE:Factory/.python315.new.1995 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python315" Fri Jan 30 18:22:16 2026 rev:5 rq:1329830 version:3.15.0~a3 Changes: -------- --- /work/SRC/openSUSE:Factory/python315/python315.changes 2026-01-08 15:29:06.113234855 +0100 +++ /work/SRC/openSUSE:Factory/.python315.new.1995/python315.changes 2026-01-30 18:22:31.006108200 +0100 @@ -1,0 +2,27 @@ +Tue Jan 27 16:31:12 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is + a follow-up to the previous fix of CVE-2024-6923 further + encoding EOL possibly hidden in email headers (bsc#1257181). +- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving + parens when folding comments in email headers (bsc#1257029, + CVE-2025-11468). +- Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch, which + rejects control characters in http cookies (bsc#1257031, + CVE-2026-0672). + +------------------------------------------------------------------- +Wed Jan 21 18:02:37 UTC 2026 - Matej Cepl <[email protected]> + +- Remodel python-3.3.0b1-fix_date_time_compiler.patch to be + upstreamable (make it dependent on the environment variable + $UNVERSIONED_COMPILER; gh#python/cpython#144121). + +------------------------------------------------------------------- +Fri Jan 9 10:41:47 UTC 2026 - Matej Cepl <[email protected]> + +- Rename skip-test_thread_time.patch to + longer-time-test_thread_time.patch and replace its content with + gh#python/cpython!143558 + +------------------------------------------------------------------- @@ -6681 +6708,2 @@ - Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780) + Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780, + bsc#1257181) Old: ---- skip-test_thread_time.patch New: ---- CVE-2024-6923-follow-up-EOL-email-headers.patch CVE-2025-11468-email-hdr-fold-comment.patch CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch longer-time-test_thread_time.patch ----------(Old B)---------- Old: - Rename skip-test_thread_time.patch to longer-time-test_thread_time.patch and replace its content with ----------(Old E)---------- ----------(New B)---------- New: - Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is a follow-up to the previous fix of CVE-2024-6923 further New: encoding EOL possibly hidden in email headers (bsc#1257181). - Add CVE-2025-11468-email-hdr-fold-comment.patch preserving parens when folding comments in email headers (bsc#1257029, New: CVE-2025-11468). - Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch, which rejects control characters in http cookies (bsc#1257031, New:- Rename skip-test_thread_time.patch to longer-time-test_thread_time.patch and replace its content with gh#python/cpython!143558 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python315.spec ++++++ --- /var/tmp/diff_new_pack.frJWWy/_old 2026-01-30 18:22:32.466169473 +0100 +++ /var/tmp/diff_new_pack.frJWWy/_new 2026-01-30 18:22:32.470169641 +0100 @@ -201,7 +201,8 @@ Patch02: F00251-change-user-install-location.patch # support finding packages in /usr/local, install to /usr/local by default Patch03: python-3.3.0b1-localpath.patch -# replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds +# PATCH-FIX-UPSTREAM python-3.3.0b1-fix_date_time_compiler.patch gh#python/cpython#144121 [email protected] +# replace COMPILER by fixed definitions to aid reproducible builds Patch04: python-3.3.0b1-fix_date_time_compiler.patch # Raise timeout value for test_subprocess Patch06: subprocess-raise-timeout.patch @@ -224,9 +225,19 @@ Patch41: bsc1243155-sphinx-non-determinism.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 [email protected] Patch42: gh139257-Support-docutils-0.22.patch -# PATCH-FIX-UPSTREAM skip-test_thread_time.patch gh#python/cpython#143528 [email protected] -# skip test.test_time.TimeTestCase.test_thread_time on s390x -Patch43: skip-test_thread_time.patch +# PATCH-FIX-UPSTREAM longer-time-test_thread_time.patch gh#python/cpython!143558 [email protected] +# tolerate 100 ms instead of 20 ms to support slow CIs. +Patch43: longer-time-test_thread_time.patch +# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 [email protected] +# Encode newlines in headers when using ByteGenerator +# patch from gh#python/cpython#144125 +Patch44: CVE-2024-6923-follow-up-EOL-email-headers.patch +# PATCH-FIX-UPSTREAM CVE-2025-11468-email-hdr-fold-comment.patch bsc#1257029 [email protected] +# Email preserve parens when folding comments +Patch45: CVE-2025-11468-email-hdr-fold-comment.patch +# PATCH-FIX-UPSTREAM CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch bsc#1257031 [email protected] +# Reject control characters in http cookies +Patch46: CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake @@ -575,6 +586,7 @@ %build export SUSE_VERSION="0%{?suse_version}" export SLE_VERSION="0%{?sle_version}" +export UNVERSIONED_COMPILER="[GCC]" %if %{with doc} TODAY_DATE=`date -r %{SOURCE0} "+%B %d, %Y"` ++++++ CVE-2024-6923-follow-up-EOL-email-headers.patch ++++++ >From 1132e45e8b588cd89bd168583afa37ba7c9f0afa Mon Sep 17 00:00:00 2001 From: Denis Ledoux <[email protected]> Date: Mon, 27 Oct 2025 17:47:59 +0100 Subject: [PATCH 1/3] gh-144125: email: verify headers are sound in BytesGenerator GH-122233 added an implementation to `Generator` to refuse to serialize (write) headers that are unsafely folded or delimited. This revision adds the same implementation to `BytesGenerator`, so it gets the same safety protections for unsafely folded or delimited headers Co-authored-by: Denis Ledoux <[email protected]> Co-authored-by: Petr Viktorin <[email protected]> Co-authored-by: Bas Bloemsaat <[email protected]> --- Lib/email/generator.py | 12 +++++++++- Lib/test/test_email/test_generator.py | 4 ++- Lib/test/test_email/test_policy.py | 6 ++++- Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst | 4 +++ 4 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst Index: Python-3.15.0a3/Lib/email/generator.py =================================================================== --- Python-3.15.0a3.orig/Lib/email/generator.py 2026-01-27 17:26:06.289940190 +0100 +++ Python-3.15.0a3/Lib/email/generator.py 2026-01-27 17:26:14.361081031 +0100 @@ -22,6 +22,7 @@ NLCRE = re.compile(r'\r\n|\r|\n') fcre = re.compile(r'^From ', re.MULTILINE) NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') +NEWLINE_WITHOUT_FWSP_BYTES = re.compile(br'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]') class Generator: @@ -429,7 +430,16 @@ # This is almost the same as the string version, except for handling # strings with 8bit bytes. for h, v in msg.raw_items(): - self._fp.write(self.policy.fold_binary(h, v)) + folded = self.policy.fold_binary(h, v) + if self.policy.verify_generated_headers: + linesep = self.policy.linesep.encode() + if not folded.endswith(linesep): + raise HeaderWriteError( + f'folded header does not end with {linesep!r}: {folded!r}') + if NEWLINE_WITHOUT_FWSP_BYTES.search(folded.removesuffix(linesep)): + raise HeaderWriteError( + f'folded header contains newline: {folded!r}') + self._fp.write(folded) # A blank line always separates headers from body self.write(self._NL) Index: Python-3.15.0a3/Lib/test/test_email/test_generator.py =================================================================== --- Python-3.15.0a3.orig/Lib/test/test_email/test_generator.py 2026-01-27 17:26:08.009520772 +0100 +++ Python-3.15.0a3/Lib/test/test_email/test_generator.py 2026-01-27 17:26:14.363103139 +0100 @@ -313,7 +313,7 @@ self.assertEqual(s.getvalue(), self.typ(expected)) def test_verify_generated_headers(self): - """gh-121650: by default the generator prevents header injection""" + # gh-121650: by default the generator prevents header injection class LiteralHeader(str): name = 'Header' def fold(self, **kwargs): @@ -334,6 +334,8 @@ with self.assertRaises(email.errors.HeaderWriteError): message.as_string() + with self.assertRaises(email.errors.HeaderWriteError): + message.as_bytes() class TestBytesGenerator(TestGeneratorBase, TestEmailBase): Index: Python-3.15.0a3/Lib/test/test_email/test_policy.py =================================================================== --- Python-3.15.0a3.orig/Lib/test/test_email/test_policy.py 2026-01-27 17:26:08.021649854 +0100 +++ Python-3.15.0a3/Lib/test/test_email/test_policy.py 2026-01-27 17:26:14.363238384 +0100 @@ -296,7 +296,7 @@ policy.fold("Subject", subject) def test_verify_generated_headers(self): - """Turning protection off allows header injection""" + # Turning protection off allows header injection policy = email.policy.default.clone(verify_generated_headers=False) for text in ( 'Header: Value\r\nBad: Injection\r\n', @@ -319,6 +319,10 @@ message.as_string(), f"{text}\nBody", ) + self.assertEqual( + message.as_bytes(), + f"{text}\nBody".encode(), + ) # XXX: Need subclassing tests. # For adding subclassed objects, make sure the usual rules apply (subclass Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst 2026-01-27 17:26:14.362392400 +0100 @@ -0,0 +1,4 @@ +:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers +that are unsafely folded or delimited; see +:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas +Bloemsaat and Petr Viktorin in :gh:`121650`). ++++++ CVE-2025-11468-email-hdr-fold-comment.patch ++++++ >From 0b64fd5f8854703eb47ed89a3b0d472a13d0d651 Mon Sep 17 00:00:00 2001 From: Denis Ledoux <[email protected]> Date: Thu, 6 Nov 2025 17:42:34 +0100 Subject: [PATCH 1/5] email: correctly indent with a least one space folded comments --- Lib/email/_header_value_parser.py | 15 ++++++ Lib/test/test_email/test__header_value_parser.py | 23 ++++++++++ Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst | 6 ++ 3 files changed, 43 insertions(+), 1 deletion(-) Index: Python-3.15.0a3/Lib/email/_header_value_parser.py =================================================================== --- Python-3.15.0a3.orig/Lib/email/_header_value_parser.py 2026-01-29 13:44:51.429261309 +0100 +++ Python-3.15.0a3/Lib/email/_header_value_parser.py 2026-01-29 13:45:04.109091639 +0100 @@ -101,6 +101,12 @@ return str(value).replace('\\', '\\\\').replace('"', '\\"') +def make_parenthesis_pairs(value): + """Escape parenthesis and backslash for use within a comment.""" + return str(value).replace('\\', '\\\\') \ + .replace('(', '\\(').replace(')', '\\)') + + def quote_string(value): escaped = make_quoted_pairs(value) return f'"{escaped}"' @@ -943,7 +949,7 @@ return ' ' def startswith_fws(self): - return True + return self and self[0] in WSP class ValueTerminal(Terminal): @@ -2963,6 +2969,13 @@ [ValueTerminal(make_quoted_pairs(p), 'ptext') for p in newparts] + [ValueTerminal('"', 'ptext')]) + if part.token_type == 'comment': + newparts = ( + [ValueTerminal('(', 'ptext')] + + [ValueTerminal(make_parenthesis_pairs(p), 'ptext') + if p.token_type == 'ptext' else p + for p in newparts] + + [ValueTerminal(')', 'ptext')]) if not part.as_ew_allowed: wrap_as_ew_blocked += 1 newparts.append(end_ew_not_allowed) Index: Python-3.15.0a3/Lib/test/test_email/test__header_value_parser.py =================================================================== --- Python-3.15.0a3.orig/Lib/test/test_email/test__header_value_parser.py 2026-01-29 13:44:53.065308861 +0100 +++ Python-3.15.0a3/Lib/test/test_email/test__header_value_parser.py 2026-01-29 13:45:04.109478618 +0100 @@ -3294,6 +3294,29 @@ with self.subTest(to=to): self._test(parser.get_address_list(to)[0], folded, policy=policy) + def test_address_list_with_long_unwrapable_comment(self): + policy = self.policy.clone(max_line_length=40) + cases = [ + # (to, folded) + ('(loremipsumdolorsitametconsecteturadipi)<[email protected]>', + '(loremipsumdolorsitametconsecteturadipi)<[email protected]>\n'), + ('<[email protected]>(loremipsumdolorsitametconsecteturadipi)', + '<[email protected]>(loremipsumdolorsitametconsecteturadipi)\n'), + ('(loremipsum dolorsitametconsecteturadipi)<[email protected]>', + '(loremipsum dolorsitametconsecteturadipi)<[email protected]>\n'), + ('<[email protected]>(loremipsum dolorsitametconsecteturadipi)', + '<[email protected]>(loremipsum\n dolorsitametconsecteturadipi)\n'), + ('(Escaped \\( \\) chars \\\\ in comments stay escaped)<[email protected]>', + '(Escaped \\( \\) chars \\\\ in comments stay\n escaped)<[email protected]>\n'), + ('((loremipsum)(loremipsum)(loremipsum)(loremipsum))<[email protected]>', + '((loremipsum)(loremipsum)(loremipsum)(loremipsum))<[email protected]>\n'), + ('((loremipsum)(loremipsum)(loremipsum) (loremipsum))<[email protected]>', + '((loremipsum)(loremipsum)(loremipsum)\n (loremipsum))<[email protected]>\n'), + ] + for (to, folded) in cases: + with self.subTest(to=to): + self._test(parser.get_address_list(to)[0], folded, policy=policy) + # XXX Need tests with comments on various sides of a unicode token, # and with unicode tokens in the comments. Spaces inside the quotes # currently don't do the right thing. Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-14-40-31.gh-issue-143935.U2YtKl.rst 2026-01-29 13:45:04.109846601 +0100 @@ -0,0 +1,6 @@ +Fixed a bug in the folding of comments when flattening an email message +using a modern email policy. Comments consisting of a very long sequence of +non-foldable characters could trigger a forced line wrap that omitted the +required leading space on the continuation line, causing the remainder of +the comment to be interpreted as a new header field. This enabled header +injection with carefully crafted inputs. ++++++ CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch ++++++ >From ef01008e47a7741808ab223087a458f33e4dd922 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <[email protected]> Date: Fri, 16 Jan 2026 10:54:09 -0600 Subject: [PATCH 1/5] Add 'test.support' fixture for C0 control characters --- Doc/library/http.cookies.rst | 4 Lib/http/cookies.py | 25 ++++ Lib/test/support/__init__.py | 7 + Lib/test/test_http_cookies.py | 52 +++++++++- Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst | 1 5 files changed, 80 insertions(+), 9 deletions(-) Index: Python-3.15.0a3/Doc/library/http.cookies.rst =================================================================== --- Python-3.15.0a3.orig/Doc/library/http.cookies.rst 2025-12-16 13:26:12.000000000 +0100 +++ Python-3.15.0a3/Doc/library/http.cookies.rst 2026-01-29 14:05:16.590570536 +0100 @@ -294,9 +294,9 @@ Set-Cookie: chips=ahoy Set-Cookie: vienna=finger >>> C = cookies.SimpleCookie() - >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";') + >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";') >>> print(C) - Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;" + Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;" >>> C = cookies.SimpleCookie() >>> C["oreo"] = "doublestuff" >>> C["oreo"]["path"] = "/" Index: Python-3.15.0a3/Lib/http/cookies.py =================================================================== --- Python-3.15.0a3.orig/Lib/http/cookies.py 2026-01-29 14:04:58.842924007 +0100 +++ Python-3.15.0a3/Lib/http/cookies.py 2026-01-29 14:05:16.590357855 +0100 @@ -87,9 +87,9 @@ such trickeries do not confuse it. >>> C = cookies.SimpleCookie() - >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";') + >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";') >>> print(C) - Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;" + Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;" Each element of the Cookie also supports all of the RFC 2109 Cookie attributes. Here's an example which sets the Path @@ -170,6 +170,15 @@ }) _is_legal_key = re.compile('[%s]+' % re.escape(_LegalChars)).fullmatch +_control_character_re = re.compile(r'[\x00-\x1F\x7F]') + + +def _has_control_character(*val): + """Detects control characters within a value. + Supports any type, as header values can be any type. + """ + return any(_control_character_re.search(str(v)) for v in val) + def _quote(str): r"""Quote a string for use in a cookie header. @@ -294,12 +303,16 @@ K = K.lower() if not K in self._reserved: raise CookieError("Invalid attribute %r" % (K,)) + if _has_control_character(K, V): + raise CookieError(f"Control characters are not allowed in cookies {K!r} {V!r}") dict.__setitem__(self, K, V) def setdefault(self, key, val=None): key = key.lower() if key not in self._reserved: raise CookieError("Invalid attribute %r" % (key,)) + if _has_control_character(key, val): + raise CookieError("Control characters are not allowed in cookies %r %r" % (key, val,)) return dict.setdefault(self, key, val) def __eq__(self, morsel): @@ -335,6 +348,9 @@ raise CookieError('Attempt to set a reserved key %r' % (key,)) if not _is_legal_key(key): raise CookieError('Illegal key %r' % (key,)) + if _has_control_character(key, val, coded_val): + raise CookieError( + "Control characters are not allowed in cookies %r %r %r" % (key, val, coded_val,)) # It's a good key, so save it. self._key = key @@ -488,7 +504,10 @@ result = [] items = sorted(self.items()) for key, value in items: - result.append(value.output(attrs, header)) + value_output = value.output(attrs, header) + if _has_control_character(value_output): + raise CookieError("Control characters are not allowed in cookies") + result.append(value_output) return sep.join(result) __str__ = output Index: Python-3.15.0a3/Lib/test/support/__init__.py =================================================================== --- Python-3.15.0a3.orig/Lib/test/support/__init__.py 2026-01-29 14:04:59.594499984 +0100 +++ Python-3.15.0a3/Lib/test/support/__init__.py 2026-01-29 14:05:16.588221721 +0100 @@ -3272,3 +3272,10 @@ return _linked_to_musl _linked_to_musl = tuple(map(int, version.split('.'))) return _linked_to_musl + + +def control_characters_c0() -> list[str]: + """Returns a list of C0 control characters as strings. + C0 control characters defined as the byte range 0x00-0x1F, and 0x7F. + """ + return [chr(c) for c in range(0x00, 0x20)] + ["\x7F"] Index: Python-3.15.0a3/Lib/test/test_http_cookies.py =================================================================== --- Python-3.15.0a3.orig/Lib/test/test_http_cookies.py 2026-01-29 14:05:00.455994675 +0100 +++ Python-3.15.0a3/Lib/test/test_http_cookies.py 2026-01-29 14:05:16.590146527 +0100 @@ -17,10 +17,10 @@ 'repr': "<SimpleCookie: chips='ahoy' vienna='finger'>", 'output': 'Set-Cookie: chips=ahoy\nSet-Cookie: vienna=finger'}, - {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"', - 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=\012;'}, - 'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=\\n;'>''', - 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'}, + {'data': 'keebler="E=mc2; L=\\"Loves\\"; fudge=;"', + 'dict': {'keebler' : 'E=mc2; L="Loves"; fudge=;'}, + 'repr': '''<SimpleCookie: keebler='E=mc2; L="Loves"; fudge=;'>''', + 'output': 'Set-Cookie: keebler="E=mc2; L=\\"Loves\\"; fudge=;"'}, # Check illegal cookies that have an '=' char in an unquoted value {'data': 'keebler=E=mc2', @@ -594,6 +594,50 @@ r'Set-Cookie: key=coded_val; ' r'expires=\w+, \d+ \w+ \d+ \d+:\d+:\d+ \w+') + def test_control_characters(self): + for c0 in support.control_characters_c0(): + morsel = cookies.Morsel() + + # .__setitem__() + with self.assertRaises(cookies.CookieError): + morsel[c0] = "val" + with self.assertRaises(cookies.CookieError): + morsel["path"] = c0 + + # .setdefault() + with self.assertRaises(cookies.CookieError): + morsel.setdefault("path", c0) + with self.assertRaises(cookies.CookieError): + morsel.setdefault(c0, "val") + + # .set() + with self.assertRaises(cookies.CookieError): + morsel.set(c0, "val", "coded-value") + with self.assertRaises(cookies.CookieError): + morsel.set("path", c0, "coded-value") + with self.assertRaises(cookies.CookieError): + morsel.set("path", "val", c0) + + def test_control_characters_output(self): + # Tests that even if the internals of Morsel are modified + # that a call to .output() has control character safeguards. + for c0 in support.control_characters_c0(): + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel._key = c0 # Override private variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.output() + + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel._coded_value = c0 # Override private variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.output() + def load_tests(loader, tests, pattern): tests.addTest(doctest.DocTestSuite(cookies)) Index: Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.15.0a3/Misc/NEWS.d/next/Security/2026-01-16-11-13-15.gh-issue-143919.kchwZV.rst 2026-01-29 14:05:16.589009315 +0100 @@ -0,0 +1 @@ +Reject control characters in :class:`http.cookies.Morsel` fields and values. ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.frJWWy/_old 2026-01-30 18:22:32.790183070 +0100 +++ /var/tmp/diff_new_pack.frJWWy/_new 2026-01-30 18:22:32.798183406 +0100 @@ -1,6 +1,6 @@ -mtime: 1767806143 -commit: 844aa522400f651cf6e09a385f8c5e7daf7ff689e0dd0c811501d1f8abd65e5c +mtime: 1769691931 +commit: 699574482616cd14535b890206a88920be7ee5f0f66abeece2826d05df83d092 url: https://src.opensuse.org/python-interpreters/python315.git -revision: 844aa522400f651cf6e09a385f8c5e7daf7ff689e0dd0c811501d1f8abd65e5c +revision: 699574482616cd14535b890206a88920be7ee5f0f66abeece2826d05df83d092 projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ bpo-31046_ensurepip_honours_prefix.patch ++++++ --- /var/tmp/diff_new_pack.frJWWy/_old 2026-01-30 18:22:32.842185253 +0100 +++ /var/tmp/diff_new_pack.frJWWy/_new 2026-01-30 18:22:32.846185421 +0100 @@ -16,7 +16,7 @@ Index: Python-3.15.0a3/Doc/library/ensurepip.rst =================================================================== --- Python-3.15.0a3.orig/Doc/library/ensurepip.rst 2025-12-16 13:26:12.000000000 +0100 -+++ Python-3.15.0a3/Doc/library/ensurepip.rst 2025-12-19 02:25:25.531895542 +0100 ++++ Python-3.15.0a3/Doc/library/ensurepip.rst 2026-01-21 18:16:58.317178174 +0100 @@ -65,7 +65,11 @@ By default, ``pip`` is installed into the current virtual environment (if one is active) or into the system site packages (if there is no @@ -59,8 +59,8 @@ .. note:: Index: Python-3.15.0a3/Lib/ensurepip/__init__.py =================================================================== ---- Python-3.15.0a3.orig/Lib/ensurepip/__init__.py 2025-12-19 02:25:10.205902876 +0100 -+++ Python-3.15.0a3/Lib/ensurepip/__init__.py 2025-12-19 02:25:25.532348886 +0100 +--- Python-3.15.0a3.orig/Lib/ensurepip/__init__.py 2026-01-21 18:16:36.646076159 +0100 ++++ Python-3.15.0a3/Lib/ensurepip/__init__.py 2026-01-21 18:16:58.317562933 +0100 @@ -106,27 +106,27 @@ os.environ['PIP_CONFIG_FILE'] = os.devnull @@ -125,8 +125,8 @@ verbosity=args.verbosity, Index: Python-3.15.0a3/Lib/test/test_ensurepip.py =================================================================== ---- Python-3.15.0a3.orig/Lib/test/test_ensurepip.py 2025-12-19 02:25:11.631602338 +0100 -+++ Python-3.15.0a3/Lib/test/test_ensurepip.py 2025-12-19 02:25:25.532817735 +0100 +--- Python-3.15.0a3.orig/Lib/test/test_ensurepip.py 2026-01-21 18:16:38.055385060 +0100 ++++ Python-3.15.0a3/Lib/test/test_ensurepip.py 2026-01-21 18:16:58.317858155 +0100 @@ -105,6 +105,17 @@ unittest.mock.ANY, ) @@ -147,9 +147,9 @@ Index: Python-3.15.0a3/Makefile.pre.in =================================================================== ---- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-19 02:25:24.201299566 +0100 -+++ Python-3.15.0a3/Makefile.pre.in 2025-12-19 02:25:25.533184405 +0100 -@@ -2389,7 +2389,7 @@ +--- Python-3.15.0a3.orig/Makefile.pre.in 2026-01-21 18:16:49.104742043 +0100 ++++ Python-3.15.0a3/Makefile.pre.in 2026-01-21 18:16:58.318353823 +0100 +@@ -2391,7 +2391,7 @@ install|*) ensurepip="" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -158,7 +158,7 @@ fi .PHONY: altinstall -@@ -2400,7 +2400,7 @@ +@@ -2402,7 +2402,7 @@ install|*) ensurepip="--altinstall" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -170,7 +170,7 @@ Index: Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-12-19 02:25:25.534506792 +0100 ++++ Python-3.15.0a3/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2026-01-21 18:16:58.318910394 +0100 @@ -0,0 +1 @@ +A directory prefix can now be specified when using :mod:`ensurepip`. ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-01-29 14:06:45.000000000 +0100 @@ -0,0 +1,5 @@ +*.obscpio +*.osc +_build.* +.pbuild +python315-*-build/ ++++++ longer-time-test_thread_time.patch ++++++ >From 6c6636477245f87b200f2f2c5a9043ee1d69842e Mon Sep 17 00:00:00 2001 From: Victor Stinner <[email protected]> Date: Thu, 8 Jan 2026 13:18:50 +0100 Subject: [PATCH] gh-143528: Fix test_time.test_thread_time() Tolerate 100 ms instead of 20 ms to support slow CIs. --- Lib/test/test_time.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) Index: Python-3.15.0a3/Lib/test/test_time.py =================================================================== --- Python-3.15.0a3.orig/Lib/test/test_time.py 2026-01-09 11:44:20.543009433 +0100 +++ Python-3.15.0a3/Lib/test/test_time.py 2026-01-09 11:44:27.380993477 +0100 @@ -580,11 +580,10 @@ # thread_time() should not include time spend during a sleep start = time.thread_time() - time.sleep(0.100) + time.sleep(0.200) stop = time.thread_time() - # use 20 ms because thread_time() has usually a resolution of 15 ms - # on Windows - self.assertLess(stop - start, 0.020) + # gh-143528: use 100 ms to support slow CI + self.assertLess(stop - start, 0.100) info = time.get_clock_info('thread_time') self.assertTrue(info.monotonic) ++++++ python-3.3.0b1-fix_date_time_compiler.patch ++++++ --- /var/tmp/diff_new_pack.frJWWy/_old 2026-01-30 18:22:33.122197004 +0100 +++ /var/tmp/diff_new_pack.frJWWy/_new 2026-01-30 18:22:33.126197172 +0100 @@ -1,19 +1,35 @@ +From 8323be9cee608439cd1a7c1e026d744bbbc83805 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <[email protected]> +Date: Wed, 21 Jan 2026 17:10:46 +0100 +Subject: [PATCH] Allow overriding COMPILER with UNVERSIONED_COMPILER + +Introduce UNVERSIONED_COMPILER variable in Makefile.pre.in to allow +overriding the COMPILER macro definition during the build of +Python/getcompiler.o. + +This enables reproducible builds by providing a way to set a generic +compiler identification string (e.g., "[GCC]") instead of the default +versioned one. + +The rule is made conditional on UNVERSIONED_COMPILER being defined. --- - Makefile.pre.in | 5 +++++ - 1 file changed, 5 insertions(+) + Makefile.pre.in | 7 +++++++ + 1 file changed, 7 insertions(+) Index: Python-3.15.0a3/Makefile.pre.in =================================================================== ---- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-19 02:26:23.594002103 +0100 -+++ Python-3.15.0a3/Makefile.pre.in 2025-12-19 02:26:28.185444105 +0100 -@@ -1926,6 +1926,11 @@ +--- Python-3.15.0a3.orig/Makefile.pre.in 2025-12-16 13:26:12.000000000 +0100 ++++ Python-3.15.0a3/Makefile.pre.in 2026-01-21 18:16:49.104742043 +0100 +@@ -1926,6 +1926,13 @@ -DGITBRANCH="\"`LC_ALL=C $(GITBRANCH)`\"" \ -o $@ $(srcdir)/Modules/getbuildinfo.c ++ifdef UNVERSIONED_COMPILER +Python/getcompiler.o: $(srcdir)/Python/getcompiler.c Makefile + $(CC) -c $(PY_CORE_CFLAGS) \ -+ -DCOMPILER='"[GCC]"' \ ++ -DCOMPILER='"$(UNVERSIONED_COMPILER)"' \ + -o $@ $(srcdir)/Python/getcompiler.c ++endif + Modules/getpath.o: $(srcdir)/Modules/getpath.c Python/frozen_modules/getpath.h Makefile $(PYTHON_HEADERS) $(CC) -c $(PY_CORE_CFLAGS) -DPYTHONPATH='"$(PYTHONPATH)"' \
