Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python310 for openSUSE:Factory
checked in at 2022-12-12 18:59:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
and /work/SRC/openSUSE:Factory/.python310.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310"
Mon Dec 12 18:59:10 2022 rev:26 rq:1041730 version:3.10.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes 2022-11-12
17:39:54.361716813 +0100
+++ /work/SRC/openSUSE:Factory/.python310.new.1835/python310.changes
2022-12-12 18:59:11.939982787 +0100
@@ -1,0 +2,175 @@
+Thu Dec 8 14:42:15 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Update to 3.10.9:
+ - python -m http.server no longer allows terminal
+ control characters sent within a garbage request to be
+ printed to the stderr server lo This is done by changing
+ the http.server BaseHTTPRequestHandler .log_message method
+ to replace control characters with a \xHH hex escape before
+ printin
+ - Avoid publishing list of active per-interpreter
+ audit hooks via the gc module
+ - The IDNA codec decoder used on DNS hostnames by
+ socket or asyncio related name resolution functions no
+ longer involves a quadratic algorithm. This prevents a
+ potential CPU denial of service if an out-of-spec excessive
+ length hostname involving bidirectional characters were
+ decoded. Some protocols such as urllib http 3xx redirects
+ potentially allow for an attacker to supply such a name.
+ - Update bundled libexpat to 2.5.0
+ - Port XKCPâs fix for the buffer overflows in SHA-3
+ (CVE-2022-37454).
+ - On Linux the multiprocessing module returns
+ to using filesystem backed unix domain sockets for
+ communication with the forkserver process instead of the
+ Linux abstract socket namespace. Only code that chooses
+ to use the âforkserverâ start method is affected Abstract
+ sockets have no permissions and could allow any user
+ on the system in the same network namespace (often the
+ whole system) to inject code into the multiprocessing
+ forkserver process. This was a potential privilege
+ escalation. Filesystem based socket permissions restrict
+ this to the forkserver process user as was the default in
+ Python 3.8 and earlier This prevents Linux CVE-2022-42919
+ - Fix a reference bug in _imp.create_builtin()
+ after the creation of the first sub-interpreter for modules
+ builtins and sys. Patch by Victor Stinner.
+ - Fixed a bug that was causing a buffer overflow if
+ the tokenizer copies a line missing the newline caracter
+ from a file that is as long as the available tokenizer
+ buffer. Patch by Pablo galindo
+ - Update faulthandler to emit an error message with
+ the proper unexpected signal number. Patch by Dong-hee Na.
+ - Fix subscription of types.GenericAlias instances
+ containing bare generic types: for example tuple[A, T][int],
+ where A is a generic type, and T is a type variable.
+ - Fix detection of MAC addresses for uuid on certain
+ OSs. Patch by Chaim Sanders
+ - Print exception class name instead of its string
+ representation when raising errors from ctypes calls.
+ - Allow pdb to locate source for frozen modules in
+ the standard library.
+ - Raise ValueError instead of SystemError when
+ methods of uninitialized io.IncrementalNewlineDecoder objects
+ are called. Patch by Oren Milman.
+ - Fix a possible assertion failure in io.FileIO when
+ the opener returns an invalid file descriptor.
+ - Also escape s in the http.server
+ BaseHTTPRequestHandler.log_message so that it is technically
+ possible to parse the line and reconstruct what the original
+ data was. Without this a xHH is ambiguious as to if it is a
+ hex replacement we put in or the characters râxâ came through
+ in the original request line.
+ - asyncio.get_event_loop() now only emits a
+ deprecation warning when a new event loop was created
+ implicitly. It no longer emits a deprecation warning if the
+ current event loop was set.
+ - Fix bug when calling trace.CoverageResults with
+ valid infile.
+ - Fix a bug in handling class cleanups in
+ unittest.TestCase. Now addClassCleanup() uses separate lists
+ for different TestCase subclasses, and doClassCleanups() only
+ cleans up the particular class.
+ - Release the GIL when calling termios APIs to avoid
+ blocking threads.
+ - Fix ast.increment_lineno() to also cover
+ ast.TypeIgnore when changing line numbers.
+ - Fixed bug where inspect.signature() reported
+ incorrect arguments for decorated methods.
+ - Fix SystemError in ctypes when exception was not
+ set during __initsubclass__.
+ - Fix statistics.NormalDist pickle with 0 and 1
+ protocols.
+ - Update the bundled copy of pip to version 22.3.1.
+ - Apply bugfixes from importlib_metadata 4.11.4,
+ namely: In PathDistribution._name_from_stem, avoid
+ including parts of the extension in the result. In
+ PathDistribution._normalized_name, ensure names loaded from
+ the stem of the filename are also normalized, ensuring
+ duplicate entry points by packages varying only by
+ non-normalized name are hidden.
+ - Clean up refleak on failed module initialisation in
+ _zoneinfo
+ - Clean up refleaks on failed module initialisation
+ in in _pickle
+ - Clean up refleak on failed module initialisation in
+ _io.
+ - Fix memory leak in math.dist() when both points
+ donât have the same dimension. Patch by Kumar Aditya.
+ - Fix argument typechecks in _overlapped.WSAConnect()
+ and _overlapped.Overlapped.WSASendTo() functions.
+ - Fix internal error in the re module which in
+ very rare circumstances prevented compilation of a regular
+ expression containing a conditional expression without the
+ âelseâ branch.
+ - Fix asyncio.StreamWriter.drain() to call
+ protocol.connection_lost callback only once on Windows.
+ - Add a mutex to unittest.mock.NonCallableMock to
+ protect concurrent access to mock attributes.
+ - Fix hang on Windows in subprocess.wait_closed() in
+ asyncio with ProactorEventLoop. Patch by Kumar Aditya.
+ - Fix infinite loop in unittest when a
+ self-referencing chained exception is raised
+ - tkinter.Text.count() raises now an exception for
+ options starting with â-â instead of silently ignoring them.
+ - On uname_result, restored expectation that _fields
+ and _asdict would include all six properties including
+ processor.
+ - Update the bundled copies of pip and setuptools to
+ versions 22.3 and 65.5.0 respectively.
+ - Fix bug in urllib.parse.urlparse() that causes
+ certain port numbers containing whitespace, underscores,
+ plus and minus signs, or non-ASCII digits to be incorrectly
+ accepted.
+ - Allow venv to pass along PYTHON* variables to
+ ensurepip and pip when they do not impact path resolution
+ - On macOS, fix a crash in syslog.syslog() in
+ multi-threaded applications. On macOS, the libc syslog()
+ function is not thread-safe, so syslog.syslog() no longer
+ releases the GIL to call it. Patch by Victor Stinner.
+ - Allow BUILTINS to be a valid field name for frozen
+ dataclasses.
+ - Make sure patch.dict() can be applied on async
+ functions.
+ - To avoid apparent memory leaks when
+ asyncio.open_connection() raises, break reference cycles
+ generated by local exception and future instances (which has
+ exception instance as its member var). Patch by Dong Uk,
+ Kang.
+ - Prevent error when activating venv in nested fish
+ instances.
+ - Restrict use of sockets instead of pipes for stdin
+ of subprocesses created by asyncio to AIX platform only.
+ - shutil.copytree() now applies the
+ ignore_dangling_symlinks argument recursively.
+ - Fix IndexError in argparse.ArgumentParser when a
+ store_true action is given an explicit argument.
+ - Document that calling variadic functions with
+ ctypes requires special care on macOS/arm64 (and possibly
+ other platforms).
+ - Skip test_normalization() of test_unicodedata
+ if it fails to download NormalizationTest.txt file from
+ pythontest.net. Patch by Victor Stinner.
+ - Some C API tests were moved into the new
+ Lib/test/test_capi/ directory.
+ - Fix -Wimplicit-int, -Wstrict-prototypes, and
+ -Wimplicit-function-declaration compiler warnings in
+ configure checks.
+ - Fix -Wimplicit-int compiler warning in configure
+ check for PTHREAD_SCOPE_SYSTEM.
+ - Specify the full path to the source location for
+ make docclean (needed for cross-builds).
+ - Fix NO_MISALIGNED_ACCESSES being not defined
+ for the SHA3 extension when HAVE_ALIGNED_REQUIRED is
+ set. Allowing builds on hardware that unaligned memory
+ accesses are not allowed.
+ - Fix handling of module docstrings in
+ Tools/i18n/pygettext.py.
+
+- Remove upstreamed patches:
+ - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+ - CVE-2015-20107-mailcap-unsafe-filenames.patch
+ - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
+ - CVE-2022-45061-DoS-by-IDNA-decode.patch
+
+-------------------------------------------------------------------
Old:
----
98437-sphinx.locale._-as-gettext-in-pyspecific.patch
CVE-2015-20107-mailcap-unsafe-filenames.patch
CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
CVE-2022-45061-DoS-by-IDNA-decode.patch
Python-3.10.8.tar.xz
Python-3.10.8.tar.xz.asc
New:
----
Python-3.10.9.tar.xz
Python-3.10.9.tar.xz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.16o6I6/_old 2022-12-12 18:59:13.227990041 +0100
+++ /var/tmp/diff_new_pack.16o6I6/_new 2022-12-12 18:59:13.235990085 +0100
@@ -103,7 +103,7 @@
%define dynlib()
%{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
-Version: 3.10.8
+Version: 3.10.9
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@@ -166,18 +166,6 @@
# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com
# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
Patch36: support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511
mc...@suse.com
-# avoid the command injection in the mailcap module.
-Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch
-# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
gh#python/cpython#98366 mc...@suse.com
-# this patch makes things totally awesome
-Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
bsc#1204886 mc...@suse.com
-# Avoid Linux specific local privilege escalation via the multiprocessing
forkserver start method
-Patch39: CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
-# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244
mc...@suse.com
-# Avoid DoS by decoding IDNA for too long domain names
-Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@@ -446,10 +434,6 @@
%endif
%patch35 -p1
%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
++++++ Python-3.10.8.tar.xz -> Python-3.10.9.tar.xz ++++++
/work/SRC/openSUSE:Factory/python310/Python-3.10.8.tar.xz
/work/SRC/openSUSE:Factory/.python310.new.1835/Python-3.10.9.tar.xz differ:
char 26, line 1
++++++ bpo-31046_ensurepip_honours_prefix.patch ++++++
--- /var/tmp/diff_new_pack.16o6I6/_old 2022-12-12 18:59:13.343990694 +0100
+++ /var/tmp/diff_new_pack.16o6I6/_new 2022-12-12 18:59:13.351990739 +0100
@@ -15,7 +15,7 @@
--- a/Doc/library/ensurepip.rst
+++ b/Doc/library/ensurepip.rst
-@@ -56,8 +56,9 @@ is at least as recent as the one availab
+@@ -58,8 +58,9 @@ is at least as recent as the one availab
By default, ``pip`` is installed into the current virtual environment
(if one is active) or into the system site packages (if there is no
active virtual environment). The installation location can be controlled
@@ -26,7 +26,7 @@
* ``--root <dir>``: Installs ``pip`` relative to the given root directory
rather than the root of the currently active virtual environment (if any)
or the default root for the current Python installation.
-@@ -89,7 +90,7 @@ Module API
+@@ -91,7 +92,7 @@ Module API
Returns a string specifying the available version of pip that will be
installed when bootstrapping an environment.
@@ -35,7 +35,7 @@
altinstall=False, default_pip=False, \
verbosity=0)
-@@ -99,6 +100,8 @@ Module API
+@@ -101,6 +102,8 @@ Module API
If *root* is ``None``, then installation uses the default install location
for the current environment.
@@ -44,7 +44,7 @@
*upgrade* indicates whether or not to upgrade an existing installation
of an earlier version of ``pip`` to the available version.
-@@ -119,6 +122,8 @@ Module API
+@@ -121,6 +124,8 @@ Module API
*verbosity* controls the level of output to :data:`sys.stdout` from the
bootstrapping operation.
++++++ fix_configure_rst.patch ++++++
--- /var/tmp/diff_new_pack.16o6I6/_old 2022-12-12 18:59:13.363990806 +0100
+++ /var/tmp/diff_new_pack.16o6I6/_new 2022-12-12 18:59:13.367990829 +0100
@@ -29,7 +29,7 @@
Create a Python.framework rather than a traditional Unix install. Optional
--- a/Misc/NEWS
+++ b/Misc/NEWS
-@@ -2979,7 +2979,7 @@ C API
+@@ -3254,7 +3254,7 @@ C API
-----
- bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
