Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python310 for openSUSE:Factory checked in at 2022-12-12 18:59:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and      /work/SRC/openSUSE:Factory/.python310.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python310"

Mon Dec 12 18:59:10 2022 rev:26 rq:1041730 version:3.10.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes 2022-11-12 17:39:54.361716813 +0100
+++ /work/SRC/openSUSE:Factory/.python310.new.1835/python310.changes 2022-12-12 18:59:11.939982787 +0100
@@ -1,0 +2,175 @@ +Thu Dec 8 14:42:15 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Update to 3.10.9: + - python -m http.server no longer allows terminal + control characters sent within a garbage request to be + printed to the stderr server lo This is done by changing + the http.server BaseHTTPRequestHandler .log_message method + to replace control characters with a \xHH hex escape before + printin + - Avoid publishing list of active per-interpreter + audit hooks via the gc module + - The IDNA codec decoder used on DNS hostnames by + socket or asyncio related name resolution functions no + longer involves a quadratic algorithm. This prevents a + potential CPU denial of service if an out-of-spec excessive + length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects + potentially allow for an attacker to supply such a name. + - Update bundled libexpat to 2.5.0 + - Port XKCPâs fix for the buffer overflows in SHA-3 + (CVE-2022-37454). + - On Linux the multiprocessing module returns + to using filesystem backed unix domain sockets for + communication with the forkserver process instead of the + Linux abstract socket namespace. Only code that chooses + to use the âforkserverâ start method is affected Abstract + sockets have no permissions and could allow any user + on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing + forkserver process. This was a potential privilege + escalation. Filesystem based socket permissions restrict + this to the forkserver process user as was the default in + Python 3.8 and earlier This prevents Linux CVE-2022-42919 + - Fix a reference bug in _imp.create_builtin() + after the creation of the first sub-interpreter for modules + builtins and sys. Patch by Victor Stinner. 
+ - Fixed a bug that was causing a buffer overflow if + the tokenizer copies a line missing the newline caracter + from a file that is as long as the available tokenizer + buffer. Patch by Pablo galindo + - Update faulthandler to emit an error message with + the proper unexpected signal number. Patch by Dong-hee Na. + - Fix subscription of types.GenericAlias instances + containing bare generic types: for example tuple[A, T][int], + where A is a generic type, and T is a type variable. + - Fix detection of MAC addresses for uuid on certain + OSs. Patch by Chaim Sanders + - Print exception class name instead of its string + representation when raising errors from ctypes calls. + - Allow pdb to locate source for frozen modules in + the standard library. + - Raise ValueError instead of SystemError when + methods of uninitialized io.IncrementalNewlineDecoder objects + are called. Patch by Oren Milman. + - Fix a possible assertion failure in io.FileIO when + the opener returns an invalid file descriptor. + - Also escape s in the http.server + BaseHTTPRequestHandler.log_message so that it is technically + possible to parse the line and reconstruct what the original + data was. Without this a xHH is ambiguious as to if it is a + hex replacement we put in or the characters râxâ came through + in the original request line. + - asyncio.get_event_loop() now only emits a + deprecation warning when a new event loop was created + implicitly. It no longer emits a deprecation warning if the + current event loop was set. + - Fix bug when calling trace.CoverageResults with + valid infile. + - Fix a bug in handling class cleanups in + unittest.TestCase. Now addClassCleanup() uses separate lists + for different TestCase subclasses, and doClassCleanups() only + cleans up the particular class. + - Release the GIL when calling termios APIs to avoid + blocking threads. + - Fix ast.increment_lineno() to also cover + ast.TypeIgnore when changing line numbers. 
+ - Fixed bug where inspect.signature() reported + incorrect arguments for decorated methods. + - Fix SystemError in ctypes when exception was not + set during __initsubclass__. + - Fix statistics.NormalDist pickle with 0 and 1 + protocols. + - Update the bundled copy of pip to version 22.3.1. + - Apply bugfixes from importlib_metadata 4.11.4, + namely: In PathDistribution._name_from_stem, avoid + including parts of the extension in the result. In + PathDistribution._normalized_name, ensure names loaded from + the stem of the filename are also normalized, ensuring + duplicate entry points by packages varying only by + non-normalized name are hidden. + - Clean up refleak on failed module initialisation in + _zoneinfo + - Clean up refleaks on failed module initialisation + in in _pickle + - Clean up refleak on failed module initialisation in + _io. + - Fix memory leak in math.dist() when both points + donât have the same dimension. Patch by Kumar Aditya. + - Fix argument typechecks in _overlapped.WSAConnect() + and _overlapped.Overlapped.WSASendTo() functions. + - Fix internal error in the re module which in + very rare circumstances prevented compilation of a regular + expression containing a conditional expression without the + âelseâ branch. + - Fix asyncio.StreamWriter.drain() to call + protocol.connection_lost callback only once on Windows. + - Add a mutex to unittest.mock.NonCallableMock to + protect concurrent access to mock attributes. + - Fix hang on Windows in subprocess.wait_closed() in + asyncio with ProactorEventLoop. Patch by Kumar Aditya. + - Fix infinite loop in unittest when a + self-referencing chained exception is raised + - tkinter.Text.count() raises now an exception for + options starting with â-â instead of silently ignoring them. + - On uname_result, restored expectation that _fields + and _asdict would include all six properties including + processor. 
+ - Update the bundled copies of pip and setuptools to + versions 22.3 and 65.5.0 respectively. + - Fix bug in urllib.parse.urlparse() that causes + certain port numbers containing whitespace, underscores, + plus and minus signs, or non-ASCII digits to be incorrectly + accepted. + - Allow venv to pass along PYTHON* variables to + ensurepip and pip when they do not impact path resolution + - On macOS, fix a crash in syslog.syslog() in + multi-threaded applications. On macOS, the libc syslog() + function is not thread-safe, so syslog.syslog() no longer + releases the GIL to call it. Patch by Victor Stinner. + - Allow BUILTINS to be a valid field name for frozen + dataclasses. + - Make sure patch.dict() can be applied on async + functions. + - To avoid apparent memory leaks when + asyncio.open_connection() raises, break reference cycles + generated by local exception and future instances (which has + exception instance as its member var). Patch by Dong Uk, + Kang. + - Prevent error when activating venv in nested fish + instances. + - Restrict use of sockets instead of pipes for stdin + of subprocesses created by asyncio to AIX platform only. + - shutil.copytree() now applies the + ignore_dangling_symlinks argument recursively. + - Fix IndexError in argparse.ArgumentParser when a + store_true action is given an explicit argument. + - Document that calling variadic functions with + ctypes requires special care on macOS/arm64 (and possibly + other platforms). + - Skip test_normalization() of test_unicodedata + if it fails to download NormalizationTest.txt file from + pythontest.net. Patch by Victor Stinner. + - Some C API tests were moved into the new + Lib/test/test_capi/ directory. + - Fix -Wimplicit-int, -Wstrict-prototypes, and + -Wimplicit-function-declaration compiler warnings in + configure checks. + - Fix -Wimplicit-int compiler warning in configure + check for PTHREAD_SCOPE_SYSTEM. 
+ - Specify the full path to the source location for + make docclean (needed for cross-builds). + - Fix NO_MISALIGNED_ACCESSES being not defined + for the SHA3 extension when HAVE_ALIGNED_REQUIRED is + set. Allowing builds on hardware that unaligned memory + accesses are not allowed. + - Fix handling of module docstrings in + Tools/i18n/pygettext.py. + +- Remove upstreamed patches: + - 98437-sphinx.locale._-as-gettext-in-pyspecific.patch + - CVE-2015-20107-mailcap-unsafe-filenames.patch + - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch + - CVE-2022-45061-DoS-by-IDNA-decode.patch + +------------------------------------------------------------------- Old: ---- 98437-sphinx.locale._-as-gettext-in-pyspecific.patch CVE-2015-20107-mailcap-unsafe-filenames.patch CVE-2022-42919-loc-priv-mulitproc-forksrv.patch CVE-2022-45061-DoS-by-IDNA-decode.patch Python-3.10.8.tar.xz Python-3.10.8.tar.xz.asc New: ---- Python-3.10.9.tar.xz Python-3.10.9.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++ --- /var/tmp/diff_new_pack.16o6I6/_old 2022-12-12 18:59:13.227990041 +0100 +++ /var/tmp/diff_new_pack.16o6I6/_new 2022-12-12 18:59:13.235990085 +0100 @@ -103,7 +103,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.10.8 +Version: 3.10.9 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 
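Review bot: the changelog hunk (@@ -1,0 +2,175 @@) carries truncated and misspelled text that should be fixed before it ships in python310.changes: "stderr server lo" and "before printin" are cut off mid-word, "Also escape s in the http.server" has lost the backslash characters so the entry no longer says what is escaped, and "caracter", "ambiguious", "in in _pickle" and "Pablo galindo" are typos; the entries also contain mojibake ("XKCPâs", "âforkserverâ", "donât", "âelseâ") where UTF-8 quotation marks were mis-decoded, so re-import the upstream NEWS text as UTF-8. Separately, the "Remove upstreamed patches" block drops CVE-2015-20107-mailcap-unsafe-filenames.patch and 98437-sphinx.locale._-as-gettext-in-pyspecific.patch, but none of the 3.10.9 entries above mention mailcap or the Sphinx gettext change, so cite the upstream release or commit that carries each of those fixes next to the removal; for CVE-2022-42919 the matching forkserver entry is visible, and the IDNA entry would be easier to cross-check against the removed CVE-2022-45061 patch if it named that CVE as the patch filename does.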
@@ -166,18 +166,6 @@ # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236 Patch36: support-expat-CVE-2022-25236-patched.patch -# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mc...@suse.com -# avoid the command injection in the mailcap module. -Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch -# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mc...@suse.com -# this patch makes things totally awesome -Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch -# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mc...@suse.com -# Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method -Patch39: CVE-2022-42919-loc-priv-mulitproc-forksrv.patch -# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mc...@suse.com -# Avoid DoS by decoding IDNA for too long domain names -Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -446,10 +434,6 @@ %endif %patch35 -p1 %patch36 -p1 -%patch37 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ Python-3.10.8.tar.xz -> Python-3.10.9.tar.xz ++++++ /work/SRC/openSUSE:Factory/python310/Python-3.10.8.tar.xz /work/SRC/openSUSE:Factory/.python310.new.1835/Python-3.10.9.tar.xz differ: char 26, line 1 ++++++ bpo-31046_ensurepip_honours_prefix.patch ++++++ --- /var/tmp/diff_new_pack.16o6I6/_old 2022-12-12 18:59:13.343990694 +0100 +++ /var/tmp/diff_new_pack.16o6I6/_new 2022-12-12 18:59:13.351990739 +0100 @@ -15,7 +15,7 @@ --- a/Doc/library/ensurepip.rst 
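Review bot: the @@ -166,18 +166,6 @@ hunk removes Patch37 through Patch40 but keeps Patch36 (support-expat-CVE-2022-25236-patched.patch), whose NOTE line says it targets SUSE's patched expat 2.4.4; the changelog in this request says 3.10.9 updates the bundled libexpat to 2.5.0, so confirm that Patch36 still applies cleanly and is still needed with the new expat version, and update the "expat 2.4.4" note if it is kept. The removals themselves are consistent with the @@ -446,10 +434,6 @@ hunk, which drops the matching %patch37 to %patch40 applications.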
+++ b/Doc/library/ensurepip.rst -@@ -56,8 +56,9 @@ is at least as recent as the one availab +@@ -58,8 +58,9 @@ is at least as recent as the one availab By default, ``pip`` is installed into the current virtual environment (if one is active) or into the system site packages (if there is no active virtual environment). The installation location can be controlled @@ -26,7 +26,7 @@ * ``--root <dir>``: Installs ``pip`` relative to the given root directory rather than the root of the currently active virtual environment (if any) or the default root for the current Python installation. -@@ -89,7 +90,7 @@ Module API +@@ -91,7 +92,7 @@ Module API Returns a string specifying the available version of pip that will be installed when bootstrapping an environment. @@ -35,7 +35,7 @@ altinstall=False, default_pip=False, \ verbosity=0) -@@ -99,6 +100,8 @@ Module API +@@ -101,6 +102,8 @@ Module API If *root* is ``None``, then installation uses the default install location for the current environment. @@ -44,7 +44,7 @@ *upgrade* indicates whether or not to upgrade an existing installation of an earlier version of ``pip`` to the available version. -@@ -119,6 +122,8 @@ Module API +@@ -121,6 +124,8 @@ Module API *verbosity* controls the level of output to :data:`sys.stdout` from the bootstrapping operation. ++++++ fix_configure_rst.patch ++++++ --- /var/tmp/diff_new_pack.16o6I6/_old 2022-12-12 18:59:13.363990806 +0100 +++ /var/tmp/diff_new_pack.16o6I6/_new 2022-12-12 18:59:13.367990829 +0100 @@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional --- a/Misc/NEWS +++ b/Misc/NEWS -@@ -2979,7 +2979,7 @@ C API +@@ -3254,7 +3254,7 @@ C API ----- - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name
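Review bot: the four hunks in bpo-31046_ensurepip_honours_prefix.patch only shift the @@ offsets of the Doc/library/ensurepip.rst hunks by two lines (56 to 58, 89 to 91, 99 to 101, 119 to 121) with the context lines unchanged, so this is an offset-only rebase with no content change; nothing to fix here beyond confirming the refreshed patch still applies without fuzz against the 3.10.9 tree.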