Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python38 for openSUSE:Factory checked in at 2023-06-29 17:29:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python38 (Old)
 and      /work/SRC/openSUSE:Factory/.python38.new.13546 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python38" Thu Jun 29 17:29:29 2023 rev:38 rq:1095964 version:3.8.17 Changes: -------- --- /work/SRC/openSUSE:Factory/python38/python38.changes 2023-06-04 00:13:27.809842830 +0200 +++ /work/SRC/openSUSE:Factory/.python38.new.13546/python38.changes 2023-06-29 17:29:48.078777018 +0200 
@@ -1,0 +2,31 @@ +Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <[email protected]> + +- Update to 3.8.17: + - gh-103142: The version of OpenSSL used in Windows and + Mac installers has been upgraded to 1.1.1u to address + CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, + as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 + fixed previously in 1.1.1t (gh-101727). + - gh-102153: urllib.parse.urlsplit() now strips leading C0 + control and space characters following the specification for + URLs defined by WHATWG in response to CVE-2023-24329 + (bsc#1208471). + - gh-99889: Fixed a security in flaw in uu.decode() that could + allow for directory traversal based on the input if no + out_file was specified. + - gh-104049: Do not expose the local on-disk + location in directory indexes produced by + http.client.SimpleHTTPRequestHandler. + - gh-103935: trace.__main__ now uses io.open_code() for files + to be executed instead of raw open(). + - gh-102953: The extraction methods in tarfile, and + shutil.unpack_archive(), have a new filter argument that + allows limiting tar features than may be surprising or + dangerous, such as creating files outside the destination + directory. See Extraction filters for details (fixing + CVE-2007-4559, bsc#1203750). +- Remove upstreamed patches: + - CVE-2023-24329-blank-URL-bypass.patch + - CVE-2007-4559-filter-tarfile_extractall.patch + +------------------------------------------------------------------- Old: ---- CVE-2007-4559-filter-tarfile_extractall.patch CVE-2023-24329-blank-URL-bypass.patch Python-3.8.16.tar.xz Python-3.8.16.tar.xz.asc New: ---- Python-3.8.17.tar.xz Python-3.8.17.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python38.spec ++++++ --- /var/tmp/diff_new_pack.PEeMh6/_old 2023-06-29 17:29:49.294784140 +0200 +++ /var/tmp/diff_new_pack.PEeMh6/_new 2023-06-29 17:29:49.298784163 +0200 
@@ -92,7 +92,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.8.16 +Version: 3.8.17 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -176,13 +176,6 @@ # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 [email protected] # this patch makes things totally awesome Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch -# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 [email protected] -# blocklist bypass via the urllib.parse component when supplying -# a URL that starts with blank characters -Patch39: CVE-2023-24329-blank-URL-bypass.patch -# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 [email protected] -# Implement PEP-706 to filter outcome of the tarball extracing -Patch40: CVE-2007-4559-filter-tarfile_extractall.patch # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ [email protected] # Patch for gh#python/cpython#98086 Patch41: 99366-patch.dict-can-decorate-async.patch @@ -458,8 +451,6 @@ %patch36 -p1 %patch37 -p1 %patch38 -p1 -%patch39 -p1 -%patch40 -p1 %patch41 -p1 # drop Autoconf version requirement ++++++ Python-3.8.16.tar.xz -> Python-3.8.17.tar.xz ++++++ /work/SRC/openSUSE:Factory/python38/Python-3.8.16.tar.xz /work/SRC/openSUSE:Factory/.python38.new.13546/Python-3.8.17.tar.xz differ: char 26, line 1
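Review bot: In the python38.changes hunk, the gh-103142 entry lists the same identifier twice ("CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303"), so one of the OpenSSL 1.1.1t CVEs is either redundant or mistyped; check it against the OpenSSL 1.1.1t advisory and correct the list. The gh-104049 entry names http.client.SimpleHTTPRequestHandler, but that class lives in http.server. Two wording slips should be fixed in the same pass: "a security in flaw" (gh-99889) and "tar features than may be" (gh-102953). For gh-102953, the text describes a filter argument that "allows limiting" dangerous tar features while the entry is tagged as fixing CVE-2007-4559, so the entry should say whether extraction is filtered by default in this package or only when the caller passes filter.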
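Review bot: In the python38.spec hunk at @@ -176,13 +176,6, the comments left around the removed Patch39/Patch40 block still carry template text: "# this patch makes things totally awesome" above Patch38 and "bsc#[0-9]+" in the PATCH-FIX-UPSTREAM line for Patch41. Replace these with a real description and bug reference (or drop the bsc field) while this block is being edited, since these comments are the only in-spec record of why each patch exists. The removal itself is consistent with the "%patch39 -p1" and "%patch40 -p1" deletions at @@ -458,8 +451,6 and with the "Remove upstreamed patches" changelog entry; the numbering now jumps from Patch38 to Patch41, which is fine if the gap is intentional.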
