Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python36 for openSUSE:Factory checked in at 2021-08-18 08:55:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python36 (Old) and /work/SRC/openSUSE:Factory/.python36.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python36" Wed Aug 18 08:55:19 2021 rev:18 rq:911137 version:3.6.14 Changes: -------- --- /work/SRC/openSUSE:Factory/python36/python36.changes 2021-08-02 12:05:06.461655550 +0200 +++ /work/SRC/openSUSE:Factory/.python36.new.1899/python36.changes 2021-08-18 08:55:34.922996706 +0200 
@@ -1,0 +2,38 @@ +Tue Aug 10 00:09:41 UTC 2021 - Fusion Future <[email protected]> + +- Update to 3.6.14: + * Security + - bpo-44022 (boo#1189241): mod:http.client now avoids + infinitely reading potential HTTP headers after a 100 + Continue status response from the server. + - bpo-43882: The presence of newline or tab characters in parts + of a URL could allow some forms of attacks. + Following the controlling specification for URLs defined by + WHATWG urllib.parse() now removes ASCII newlines and tabs + from URLs, preventing such attacks. + - bpo-42988: CVE-2021-3426: Remove the getfile feature of the + pydoc module which could be abused to read arbitrary files on + the disk (directory traversal vulnerability). Moreover, even + source code of Python modules can contain sensitive data like + passwords. Vulnerability reported by David Schwörer. + - bpo-43285: ftplib no longer trusts the IP address value + returned from the server in response to the PASV command by + default. This prevents a malicious FTP server from using the + response to probe IPv4 address and port combinations on the + client network. + Code that requires the former vulnerable behavior may set a + trust_server_pasv_ipv4_address attribute on their ftplib.FTP + instances to True to re-enable it. + - bpo-43075: Fix Regular Expression Denial of Service (ReDoS) + vulnerability in urllib.request.AbstractBasicAuthHandler. The + ReDoS-vulnerable regex has quadratic worst-case complexity + and it allows cause a denial of service when identifying + crafted invalid RFCs. This ReDoS issue is on the client side + and needs remote attackers to control the HTTP server. 
+- Upstreamed patches were removed: + - CVE-2021-3426-inf-disclosure-pydoc-getfile.patch +- Refreshed patches: + - python3-sorted_tar.patch + - riscv64-ctypes.patch + +------------------------------------------------------------------- Old: ---- CVE-2021-3426-inf-disclosure-pydoc-getfile.patch Python-3.6.13.tar.xz Python-3.6.13.tar.xz.asc New: ---- Python-3.6.14.tar.xz Python-3.6.14.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python36.spec ++++++ --- /var/tmp/diff_new_pack.NSvubM/_old 2021-08-18 08:55:35.986995512 +0200 +++ /var/tmp/diff_new_pack.NSvubM/_new 2021-08-18 08:55:35.990995508 +0200 @@ -87,7 +87,7 @@ %bcond_with profileopt %endif Name: %{python_pkg_name}%{psuffix} -Version: 3.6.13 +Version: 3.6.14 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -168,11 +168,8 @@ Patch39: ignore_pip_deprec_warn.patch # PATCH-FIX-UPSTREAM stop calling removed Sphinx function gh#python/cpython#13236 Patch40: sphinx-update-removed-function.patch -# PATCH-FIX-UPSTREAM CVE-2021-3426-inf-disclosure-pydoc-getfile.patch bsc#1183374 [email protected] -# Remove the pydoc getfile feature -Patch41: CVE-2021-3426-inf-disclosure-pydoc-getfile.patch # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/22198 - adopted for 3.6 [email protected] -Patch42: 22198.patch +Patch41: 22198.patch BuildRequires: automake BuildRequires: fdupes BuildRequires: gmp-devel 
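Review bot: the Version hunk (3.6.13 -> 3.6.14) also switches the sources to Python-3.6.14.tar.xz and Python-3.6.14.tar.xz.asc, but no keyring or signature-verification hunk appears in this spec excerpt; confirm the new .asc is actually checked against the release manager's key during the build, since the tarball comparison shown ("differ: char 27, line 1") says nothing about the authenticity of the new archive.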
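Review bot: in the Patch list hunk, renumbering `Patch42: 22198.patch` to `Patch41: 22198.patch` is not needed to drop the CVE-2021-3426 patch and forces the matching `%patch42 -p1` edit in %prep; keeping the number and leaving a gap would confine the change to the two `-` lines for the upstreamed patch. Independently, the surviving comment `# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/22198 - adopted for 3.6` gives no bpo or target release, so it is worth recording in the changelog that 22198.patch was checked to still apply to, and still be needed for, 3.6.14 (the changelog only lists the CVE patch as upstreamed).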
@@ -437,7 +434,6 @@ %patch39 -p1 %patch40 -p1 %patch41 -p1 -%patch42 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ Python-3.6.13.tar.xz -> Python-3.6.14.tar.xz ++++++ /work/SRC/openSUSE:Factory/python36/Python-3.6.13.tar.xz /work/SRC/openSUSE:Factory/.python36.new.1899/Python-3.6.14.tar.xz differ: char 27, line 1 ++++++ python3-sorted_tar.patch ++++++ --- /var/tmp/diff_new_pack.NSvubM/_old 2021-08-18 08:55:36.266995198 +0200 +++ /var/tmp/diff_new_pack.NSvubM/_new 2021-08-18 08:55:36.266995198 +0200 @@ -44,7 +44,7 @@ --- a/Lib/tarfile.py +++ b/Lib/tarfile.py -@@ -1954,7 +1954,7 @@ class TarFile(object): +@@ -1956,7 +1956,7 @@ class TarFile(object): elif tarinfo.isdir(): self.addfile(tarinfo) if recursive: @@ -55,7 +55,7 @@ --- a/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py -@@ -1129,6 +1129,30 @@ class WriteTest(WriteTestBase, unittest. +@@ -1136,6 +1136,30 @@ class WriteTest(WriteTestBase, unittest. finally: support.rmdir(path) ++++++ riscv64-ctypes.patch ++++++ --- /var/tmp/diff_new_pack.NSvubM/_old 2021-08-18 08:55:36.278995184 +0200 +++ /var/tmp/diff_new_pack.NSvubM/_new 2021-08-18 08:55:36.278995184 +0200 @@ -19,7 +19,7 @@ +RISC-V needed the CTYPES_PASS_BY_REF_HACK. Fixes ctypes Structure test_pass_by_value. --- a/Modules/_ctypes/callproc.c +++ b/Modules/_ctypes/callproc.c -@@ -1063,7 +1063,7 @@ GetComError(HRESULT errcode, GUID *riid, +@@ -1050,7 +1050,7 @@ GetComError(HRESULT errcode, GUID *riid, #endif #if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \
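Review bot: the `-%patch42 -p1` removal in %prep is consistent with the renumbered Patch list (22198.patch is now applied by the unchanged `%patch41 -p1` line), but nothing in this hunk shows the rest of %prep, so grep the full spec for any other `%patch42` or `Patch42` reference (for instance inside a %bcond-guarded block) before accepting the renumbering.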
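Review bot: the python3-sorted_tar.patch refresh changes only hunk offsets (`@@ -1954,7 +1954,7 @@` -> `@@ -1956,7 +1956,7 @@` in Lib/tarfile.py, `@@ -1129,6 +1129,30 @@` -> `@@ -1136,6 +1136,30 @@` in Lib/test/test_tarfile.py) with no content change, so the refresh itself is fine; the remaining check is that the `if recursive:` block under `elif tarinfo.isdir():` is still the only place the sort is meant to land in 3.6.14's TarFile.add, i.e. that the patch applied at the new offsets without fuzz rather than into a similar-looking context.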
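Review bot: in the riscv64-ctypes.patch refresh the anchor moves backwards, `@@ -1063,7 +1063,7 @@` -> `@@ -1050,7 +1050,7 @@` in Modules/_ctypes/callproc.c, so 13 lines above the hunk were removed between 3.6.13 and 3.6.14. Because the hunk's context is a preprocessor chain (`#endif` followed by `#if (defined(__x86_64__) && (defined(__MINGW64__) || defined(__CYGWIN__))) || \`) that could match more than one `#if` in the file, confirm the RISC-V addition still lands in the CTYPES_PASS_BY_REF_HACK condition the patch header describes, and re-run the ctypes Structure test_pass_by_value it cites on a riscv64 build.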
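Because the changelog above names the behavioural fixes in 3.6.14 but a package version string alone does not prove they are present in the interpreter you ship, here is an offline probe for four of them. This is an added example, not code from the openSUSE package or from CPython: it drives the real stdlib code paths with constructed input (a crafted URL, a canned FTP 227 reply, a canned HTTP 100 Continue stream, the old pydoc getfile URL) and returns what the interpreter did, so a CI job can assert the fixed behaviour. The socket stand-ins and the use of pydoc's private `_url_handler` are assumptions of this example; the bpo-43075 regex fix is not probed because its only observable is timing.

```python
"""Offline probes for the security fixes the 3.6.14 changelog lists.

Added example, not code from the openSUSE package or from CPython.  Each probe
runs the real stdlib code path on constructed input and returns what happened.
"""
import ftplib
import http.client
import io
import pydoc
import socket
import urllib.parse


def parsed_after_whatwg_strip(url):
    """bpo-43882: urlsplit() removes ASCII tab, CR and LF before parsing."""
    parts = urllib.parse.urlsplit(url)
    return parts.netloc, parts.path, parts.query


class _CannedControlSock:
    """Stand-in for the FTP control socket; makepasv() only calls getpeername()."""

    def __init__(self, peer_ip):
        self._peer = (peer_ip, 21)

    def getpeername(self):
        return self._peer


class _OfflineFTP(ftplib.FTP):
    """FTP client whose PASV exchange is replaced by a canned server reply."""

    def __init__(self, peer_ip, pasv_reply):
        super().__init__()          # no host argument, so the constructor does not connect
        self.af = socket.AF_INET    # normally set by connect(); makepasv() branches on it
        self.sock = _CannedControlSock(peer_ip)
        self._pasv_reply = pasv_reply

    def sendcmd(self, cmd):
        if cmd != "PASV":
            raise AssertionError("only PASV is simulated here")
        return self._pasv_reply


def pasv_data_target(peer_ip, pasv_reply, trust_server=False):
    """bpo-43285: (host, port) the client would dial for the data connection.

    A fixed interpreter ignores the IPv4 address inside the 227 reply and reuses
    the control connection's peer unless trust_server_pasv_ipv4_address is True.
    """
    ftp = _OfflineFTP(peer_ip, pasv_reply)
    ftp.trust_server_pasv_ipv4_address = trust_server
    return ftp.makepasv()


class _CannedHTTPSock:
    """Stand-in for a connected socket: HTTPResponse only calls makefile()."""

    def __init__(self, raw):
        self._fp = io.BytesIO(raw)

    def makefile(self, mode, *args, **kwargs):
        return self._fp


def continue_header_handling(n_headers):
    """bpo-44022: what HTTPResponse.begin() does with a 100 Continue whose
    header block never ends (constructed: no blank line, no final status line)."""
    raw = b"HTTP/1.1 100 Continue\r\n" + b"X-Pad: a\r\n" * n_headers
    resp = http.client.HTTPResponse(_CannedHTTPSock(raw), method="GET")
    try:
        resp.begin()
    except http.client.RemoteDisconnected:
        return "read to EOF"   # pre-fix: every line consumed, then out of input
    except http.client.HTTPException as exc:
        if str(exc).startswith("got more than"):
            return "bounded"   # fixed: the _MAXHEADERS cap applies to the 100 block too
        raise
    return "completed"


def pydoc_getfile_removed(path):
    """bpo-42988 / CVE-2021-3426: the pydoc HTTP server no longer serves files.

    Uses pydoc's private _url_handler (an assumption of this example, not a
    public API): a fixed interpreter answers the old getfile URL with its
    generic 'bad pydoc url' error page instead of the file's contents.
    """
    page = pydoc._url_handler("getfile?key=" + path)
    return "bad pydoc url" in page


def summary():
    """One dict a CI job can compare with the values a 3.6.14-or-later build gives."""
    return {
        "bpo-43882": parsed_after_whatwg_strip("http://good.example\n.evil.example/pa\tth?q=1\r"),
        "bpo-43285": pasv_data_target("203.0.113.5", "227 Entering Passive Mode (10,0,0,1,4,210)"),
        "bpo-44022": continue_header_handling(500),
        "bpo-42988": pydoc_getfile_removed("/etc/hostname"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
```

On a fixed interpreter the crafted URL parses with netloc `good.example.evil.example` (the embedded newline is gone rather than kept inside the host), the PASV probe dials the control peer `203.0.113.5` on port 1234 instead of the server-supplied `10.0.0.1` unless the opt-in attribute is set, the endless 100 Continue block is cut off by the header cap, and the getfile URL yields the generic error page. On a pre-3.6.14 build the same calls return the newline-bearing netloc, the server-chosen address, `"read to EOF"`, and `False` respectively, which is why each probe returns a value rather than asserting internally.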
