Hello community,

here is the log from the commit of package python310 for openSUSE:Factory 
checked in at 2022-12-12 18:59:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and      /work/SRC/openSUSE:Factory/.python310.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python310"

Mon Dec 12 18:59:10 2022 rev:26 rq:1041730 version:3.10.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes      2022-11-12 
17:39:54.361716813 +0100
+++ /work/SRC/openSUSE:Factory/.python310.new.1835/python310.changes    
2022-12-12 18:59:11.939982787 +0100
@@ -1,0 +2,175 @@
+Thu Dec  8 14:42:15 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.10.9:
+  - python -m http.server no longer allows terminal
+    control characters sent within a garbage request to be
+    printed to the stderr server lo This is done by changing
+    the http.server BaseHTTPRequestHandler .log_message method
+    to replace control characters with a \xHH hex escape before
+    printin
+  - Avoid publishing list of active per-interpreter
+    audit hooks via the gc module
+  - The IDNA codec decoder used on DNS hostnames by
+    socket or asyncio related name resolution functions no
+    longer involves a quadratic algorithm. This prevents a
+    potential CPU denial of service if an out-of-spec excessive
+    length hostname involving bidirectional characters were
+    decoded. Some protocols such as urllib http 3xx redirects
+    potentially allow for an attacker to supply such a name.
+  - Update bundled libexpat to 2.5.0
+  - Port XKCP’s fix for the buffer overflows in SHA-3
+    (CVE-2022-37454).
+  - On Linux the multiprocessing module returns
+    to using filesystem backed unix domain sockets for
+    communication with the forkserver process instead of the
+    Linux abstract socket namespace. Only code that chooses
+    to use the “forkserver” start method is affected Abstract
+    sockets have no permissions and could allow any user
+    on the system in the same network namespace (often the
+    whole system) to inject code into the multiprocessing
+    forkserver process. This was a potential privilege
+    escalation. Filesystem based socket permissions restrict
+    this to the forkserver process user as was the default in
+    Python 3.8 and earlier This prevents Linux CVE-2022-42919
+  - Fix a reference bug in _imp.create_builtin()
+    after the creation of the first sub-interpreter for modules
+    builtins and sys. Patch by Victor Stinner.
+  - Fixed a bug that was causing a buffer overflow if
+    the tokenizer copies a line missing the newline caracter
+    from a file that is as long as the available tokenizer
+    buffer. Patch by Pablo galindo
+  - Update faulthandler to emit an error message with
+    the proper unexpected signal number. Patch by Dong-hee Na.
+  - Fix subscription of types.GenericAlias instances
+    containing bare generic types: for example tuple[A, T][int],
+    where A is a generic type, and T is a type variable.
+  - Fix detection of MAC addresses for uuid on certain
+    OSs. Patch by Chaim Sanders
+  - Print exception class name instead of its string
+    representation when raising errors from ctypes calls.
+  - Allow pdb to locate source for frozen modules in
+    the standard library.
+  - Raise ValueError instead of SystemError when
+    methods of uninitialized io.IncrementalNewlineDecoder objects
+    are called. Patch by Oren Milman.
+  - Fix a possible assertion failure in io.FileIO when
+    the opener returns an invalid file descriptor.
+  - Also escape s in the http.server
+    BaseHTTPRequestHandler.log_message so that it is technically
+    possible to parse the line and reconstruct what the original
+    data was. Without this a xHH is ambiguious as to if it is a
+    hex replacement we put in or the characters r”x” came through
+    in the original request line.
+  - asyncio.get_event_loop() now only emits a
+    deprecation warning when a new event loop was created
+    implicitly. It no longer emits a deprecation warning if the
+    current event loop was set.
+  - Fix bug when calling trace.CoverageResults with
+    valid infile.
+  - Fix a bug in handling class cleanups in
+    unittest.TestCase. Now addClassCleanup() uses separate lists
+    for different TestCase subclasses, and doClassCleanups() only
+    cleans up the particular class.
+  - Release the GIL when calling termios APIs to avoid
+    blocking threads.
+  - Fix ast.increment_lineno() to also cover
+    ast.TypeIgnore when changing line numbers.
+  - Fixed bug where inspect.signature() reported
+    incorrect arguments for decorated methods.
+  - Fix SystemError in ctypes when exception was not
+    set during __initsubclass__.
+  - Fix statistics.NormalDist pickle with 0 and 1
+    protocols.
+  - Update the bundled copy of pip to version 22.3.1.
+  - Apply bugfixes from importlib_metadata 4.11.4,
+    namely: In PathDistribution._name_from_stem, avoid
+    including parts of the extension in the result. In
+    PathDistribution._normalized_name, ensure names loaded from
+    the stem of the filename are also normalized, ensuring
+    duplicate entry points by packages varying only by
+    non-normalized name are hidden.
+  - Clean up refleak on failed module initialisation in
+    _zoneinfo
+  - Clean up refleaks on failed module initialisation
+    in in _pickle
+  - Clean up refleak on failed module initialisation in
+    _io.
+  - Fix memory leak in math.dist() when both points
+    don’t have the same dimension. Patch by Kumar Aditya.
+  - Fix argument typechecks in _overlapped.WSAConnect()
+    and _overlapped.Overlapped.WSASendTo() functions.
+  - Fix internal error in the re module which in
+    very rare circumstances prevented compilation of a regular
+    expression containing a conditional expression without the
+    “else” branch.
+  - Fix asyncio.StreamWriter.drain() to call
+    protocol.connection_lost callback only once on Windows.
+  - Add a mutex to unittest.mock.NonCallableMock to
+    protect concurrent access to mock attributes.
+  - Fix hang on Windows in subprocess.wait_closed() in
+    asyncio with ProactorEventLoop. Patch by Kumar Aditya.
+  - Fix infinite loop in unittest when a
+    self-referencing chained exception is raised
+  - tkinter.Text.count() raises now an exception for
+    options starting with “-” instead of silently ignoring them.
+  - On uname_result, restored expectation that _fields
+    and _asdict would include all six properties including
+    processor.
+  - Update the bundled copies of pip and setuptools to
+    versions 22.3 and 65.5.0 respectively.
+  - Fix bug in urllib.parse.urlparse() that causes
+    certain port numbers containing whitespace, underscores,
+    plus and minus signs, or non-ASCII digits to be incorrectly
+    accepted.
+  - Allow venv to pass along PYTHON* variables to
+    ensurepip and pip when they do not impact path resolution
+  - On macOS, fix a crash in syslog.syslog() in
+    multi-threaded applications. On macOS, the libc syslog()
+    function is not thread-safe, so syslog.syslog() no longer
+    releases the GIL to call it. Patch by Victor Stinner.
+  - Allow BUILTINS to be a valid field name for frozen
+    dataclasses.
+  - Make sure patch.dict() can be applied on async
+    functions.
+  - To avoid apparent memory leaks when
+    asyncio.open_connection() raises, break reference cycles
+    generated by local exception and future instances (which has
+    exception instance as its member var). Patch by Dong Uk,
+    Kang.
+  - Prevent error when activating venv in nested fish
+    instances.
+  - Restrict use of sockets instead of pipes for stdin
+    of subprocesses created by asyncio to AIX platform only.
+  - shutil.copytree() now applies the
+    ignore_dangling_symlinks argument recursively.
+  - Fix IndexError in argparse.ArgumentParser when a
+    store_true action is given an explicit argument.
+  - Document that calling variadic functions with
+    ctypes requires special care on macOS/arm64 (and possibly
+    other platforms).
+  - Skip test_normalization() of test_unicodedata
+    if it fails to download NormalizationTest.txt file from
+    pythontest.net. Patch by Victor Stinner.
+  - Some C API tests were moved into the new
+    Lib/test/test_capi/ directory.
+  - Fix -Wimplicit-int, -Wstrict-prototypes, and
+    -Wimplicit-function-declaration compiler warnings in
+    configure checks.
+  - Fix -Wimplicit-int compiler warning in configure
+    check for PTHREAD_SCOPE_SYSTEM.
+  - Specify the full path to the source location for
+    make docclean (needed for cross-builds).
+  - Fix NO_MISALIGNED_ACCESSES being not defined
+    for the SHA3 extension when HAVE_ALIGNED_REQUIRED is
+    set. Allowing builds on hardware that unaligned memory
+    accesses are not allowed.
+  - Fix handling of module docstrings in
+    Tools/i18n/pygettext.py.
+
+- Remove upstreamed patches:
+  - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+  - CVE-2015-20107-mailcap-unsafe-filenames.patch
+  - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
+  - CVE-2022-45061-DoS-by-IDNA-decode.patch
+
+-------------------------------------------------------------------
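
Review bot: the new changes entry carries none of the bug references of the patches it drops, and several bullets were cut off or damaged when the upstream NEWS text was pasted. The "Remove upstreamed patches" list names CVE-2015-20107, CVE-2022-42919 and CVE-2022-45061, yet the IDNA bullet has no CVE id and no bullet mentions mailcap at all. The spec comments deleted in this same request hold bsc#1198511, bsc#1204886 and bsc#1205244, so those references should move into this entry. The first http.server bullet breaks off at "stderr server lo" and "printin". The later one reads "Also escape s" and "a xHH", which appears to have lost its backslashes (the first bullet writes \xHH). There are also small slips to fix: "caracter", "ambiguious", "in in _pickle".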

Old:
----
  98437-sphinx.locale._-as-gettext-in-pyspecific.patch
  CVE-2015-20107-mailcap-unsafe-filenames.patch
  CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
  CVE-2022-45061-DoS-by-IDNA-decode.patch
  Python-3.10.8.tar.xz
  Python-3.10.8.tar.xz.asc

New:
----
  Python-3.10.9.tar.xz
  Python-3.10.9.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.16o6I6/_old  2022-12-12 18:59:13.227990041 +0100
+++ /var/tmp/diff_new_pack.16o6I6/_new  2022-12-12 18:59:13.235990085 +0100
@@ -103,7 +103,7 @@
 %define dynlib() 
%{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.10.8
+Version:        3.10.9
 Release:        0
 Summary:        Python 3 Interpreter
 License:        Python-2.0
@@ -166,18 +166,6 @@
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 
mc...@suse.com
-# avoid the command injection in the mailcap module.
-Patch37:        CVE-2015-20107-mailcap-unsafe-filenames.patch
-# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch 
gh#python/cpython#98366 mc...@suse.com
-# this patch makes things totally awesome
-Patch38:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch 
bsc#1204886 mc...@suse.com
-# Avoid Linux specific local privilege escalation via the multiprocessing 
forkserver start method
-Patch39:        CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
-# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 
mc...@suse.com
-# Avoid DoS by decoding IDNA for too long domain names
-Patch40:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
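
Review bot: removing Patch37 (CVE-2015-20107-mailcap-unsafe-filenames.patch) and Patch38 (98437-sphinx.locale._-as-gettext-in-pyspecific.patch) is not backed by the changelog in this request. The 3.10.9 entry has bullets matching the forkserver socket change (Patch39) and the IDNA decoder (Patch40), but none for mailcap or the Sphinx gettext fix. Please confirm both fixes are present in the Python-3.10.9 tarball and state in the changes entry which upstream release they landed in, so that the CVE-2015-20107 fix is not silently lost.
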
@@ -446,10 +434,6 @@
 %endif
 %patch35 -p1
 %patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ Python-3.10.8.tar.xz -> Python-3.10.9.tar.xz ++++++
/work/SRC/openSUSE:Factory/python310/Python-3.10.8.tar.xz 
/work/SRC/openSUSE:Factory/.python310.new.1835/Python-3.10.9.tar.xz differ: 
char 26, line 1

++++++ bpo-31046_ensurepip_honours_prefix.patch ++++++
--- /var/tmp/diff_new_pack.16o6I6/_old  2022-12-12 18:59:13.343990694 +0100
+++ /var/tmp/diff_new_pack.16o6I6/_new  2022-12-12 18:59:13.351990739 +0100
@@ -15,7 +15,7 @@
 
 --- a/Doc/library/ensurepip.rst
 +++ b/Doc/library/ensurepip.rst
-@@ -56,8 +56,9 @@ is at least as recent as the one availab
+@@ -58,8 +58,9 @@ is at least as recent as the one availab
  By default, ``pip`` is installed into the current virtual environment
  (if one is active) or into the system site packages (if there is no
  active virtual environment). The installation location can be controlled
@@ -26,7 +26,7 @@
  * ``--root <dir>``: Installs ``pip`` relative to the given root directory
    rather than the root of the currently active virtual environment (if any)
    or the default root for the current Python installation.
-@@ -89,7 +90,7 @@ Module API
+@@ -91,7 +92,7 @@ Module API
     Returns a string specifying the available version of pip that will be
     installed when bootstrapping an environment.
  
@@ -35,7 +35,7 @@
                          altinstall=False, default_pip=False, \
                          verbosity=0)
  
-@@ -99,6 +100,8 @@ Module API
+@@ -101,6 +102,8 @@ Module API
     If *root* is ``None``, then installation uses the default install location
     for the current environment.
  
@@ -44,7 +44,7 @@
     *upgrade* indicates whether or not to upgrade an existing installation
     of an earlier version of ``pip`` to the available version.
  
-@@ -119,6 +122,8 @@ Module API
+@@ -121,6 +124,8 @@ Module API
     *verbosity* controls the level of output to :data:`sys.stdout` from the
     bootstrapping operation.
  

++++++ fix_configure_rst.patch ++++++
--- /var/tmp/diff_new_pack.16o6I6/_old  2022-12-12 18:59:13.363990806 +0100
+++ /var/tmp/diff_new_pack.16o6I6/_new  2022-12-12 18:59:13.367990829 +0100
@@ -29,7 +29,7 @@
     Create a Python.framework rather than a traditional Unix install. Optional
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
-@@ -2979,7 +2979,7 @@ C API
+@@ -3254,7 +3254,7 @@ C API
  -----
  
  - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
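
Review bot: the only change in this refresh is the Misc/NEWS hunk offset moving from 2979 to 3254, which shows that fix_configure_rst.patch has to be rebased on every upstream release because Misc/NEWS grows each time. If the Misc/NEWS part is not needed for the build, consider dropping it from the patch so that it touches only files that stay stable between point releases.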
