SUSE: 2022:1435-1 bci/python Security Update | LinuxSecurity.com

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1435-1
Container Tags        : bci/python:3 , bci/python:3.10 , bci/python:3.10-4.10 , bci/python:latest
Container Release     : 4.10
Severity              : important
Type                  : security
References            : 1185637 1196025 1196026 1196168 1196169 1196171 1196784 1198511
                        1199166 1200550 1200734 1200735 1200736 1200737 1201099 CVE-2015-20107
                        CVE-2022-1292 CVE-2022-2068 CVE-2022-2097 CVE-2022-25235 CVE-2022-25236
                        CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-32205 CVE-2022-32206
                        CVE-2022-32207 CVE-2022-32208 
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2291-1
Released:    Wed Jul  6 13:04:37 2022
Summary:     Security update for python310
Type:        security
Severity:    important
References:  1198511,CVE-2015-20107
This update for python310 fixes the following issues:

- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

- Update to 3.10.5:
  - Core and Builtins
    - gh-93418: Fixed an assert where an f-string has an equal
      sign '=' following an expression, but there's no trailing
      brace. For example, f'{i='.
    - gh-91924: Fix __ltrace__ debug feature if the stdout
      encoding is not UTF-8. Patch by Victor Stinner.
    - gh-93061: Backward jumps after async for loops are no
      longer given dubious line numbers.
    - gh-93065: Fix contextvars HAMT implementation to handle
      iteration over deep trees.
    - The bug was discovered and fixed by Eli Libman. See
      MagicStack/immutables#84 for more details.
    - gh-92311: Fixed a bug where setting frame.f_lineno to jump
      over a list comprehension could misbehave or crash.
    - gh-92112: Fix crash triggered by an evil custom mro() on
      a metaclass.
    - gh-92036: Fix a crash in subinterpreters related to the
      garbage collector. When a subinterpreter is deleted,
      untrack all objects tracked by its GC. To prevent a crash
      in deallocator functions expecting objects to be tracked by
      the GC, leak a strong reference to these objects on
      purpose, so they are never deleted and their deallocator
      functions are not called. Patch by Victor Stinner.
    - gh-91421: Fix a potential integer overflow in
      _Py_DecodeUTF8Ex.
    - bpo-47212: Raise IndentationError instead of SyntaxError
      for a bare except with no following indent. Improve
      SyntaxError locations for an un-parenthesized generator
      used as arguments. Patch by Matthieu Dartiailh.
    - bpo-47182: Fix a crash when using a named unicode character
      like '\N{digit nine}' after the main interpreter has been
      initialized a second time.
    - bpo-47117: Fix a crash if we fail to decode characters in
      interactive mode if the tokenizer buffers are
      uninitialized. Patch by Pablo Galindo.
    - bpo-39829: Removed the __len__() call when initializing
      a list and moved initializing to list_extend. Patch by
      Jeremiah Pascual.
    - bpo-46962: Classes and functions that unconditionally
      declared their docstrings ignoring the
      --without-doc-strings compilation flag no longer do so.
    - The classes affected are ctypes.UnionType,
      pickle.PickleBuffer, testcapi.RecursingInfinitelyError, and
      types.GenericAlias.
    - The functions affected are 24 methods in ctypes.
    - Patch by Oleg Iarygin.
    - bpo-36819: Fix crashes in built-in encoders with error
      handlers that return a position less than or equal to the
      starting position of non-encodable characters.
  - Library
    - gh-93156: Accessing the pathlib.PurePath.parents sequence
      of an absolute path using negative index values produced
      incorrect results.
    - gh-89973: Fix re.error raised in fnmatch if the pattern
      contains a character range with upper bound lower than
      lower bound (e.g. [c-a]). Now such ranges are interpreted
      as empty ranges.
    - gh-93010: In a very special case, the email package tried
      to append the nonexistent InvalidHeaderError to the defect
      list. It should have been InvalidHeaderDefect.
    - gh-92839: Fixed crash resulting from calling
      bisect.insort() or bisect.insort_left() with the key
      argument not equal to None.
    - gh-91581: utcfromtimestamp() no longer attempts to resolve
      fold in the pure Python implementation, since the fold is
      never 1 in UTC. In addition to being slightly faster in the
      common case, this also prevents some errors when the
      timestamp is close to datetime.min. Patch by Paul Ganssle.
    - gh-92530: Fix an issue that occurred after interrupting
      threading.Condition.notify().
    - gh-92049: Forbid pickling constants re._constants.SUCCESS
      etc. Previously, pickling did not fail, but the result
      could not be unpickled.
    - bpo-47029: Always close the read end of the pipe used by
      multiprocessing.Queue after the last write of buffered data
      to the write end of the pipe to avoid BrokenPipeError at
      garbage collection and at multiprocessing.Queue.close()
      calls. Patch by Géry Ogam.
    - gh-91401: Provide a fail-safe way to disable subprocess use
      of vfork() via a private subprocess._USE_VFORK attribute.
      While there is currently no known need for this, if you
      find a need please only set it to False. File a CPython
      issue as to why you needed it and link to that from
      a comment in your code. This attribute is documented as
      a footnote in 3.11.
    - gh-91910: Add missing f prefix to f-strings in error
      messages from the multiprocessing and asyncio modules.
    - gh-91810: ElementTree method write() and function
      tostring() now use the text file's encoding ('UTF-8' if not
      available) instead of locale encoding in XML declaration
      when encoding='unicode' is specified.
    - gh-91832: Add required attribute to argparse.Action repr
      output.
    - gh-91700: Compilation of a regular expression containing
      a conditional expression (?(group)...) now raises an
      appropriate re.error if the group number refers to an
      undefined group. Previously an internal RuntimeError was
      raised.
    - gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown
      the per test event loop executor before returning from its
      run method so that a not yet stopped or garbage collected
      executor state does not persist beyond the test.
    - gh-90568: Parsing \N escapes of Unicode Named Character
      Sequences in a regular expression now raises re.error
      instead of TypeError.
    - gh-91595: Fix the comparison of character and integer
      inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
    - gh-90622: Worker processes for
      concurrent.futures.ProcessPoolExecutor are no longer
      spawned on demand (a feature added in 3.9) when the
      multiprocessing context start method is 'fork' as that can
      lead to deadlocks in the child processes due to a fork
      happening while threads are running.
    - gh-91575: Update case-insensitive matching in the re module
      to the latest Unicode version.
    - gh-91581: Remove an unhandled error case in the
      C implementation of calls to datetime.fromtimestamp with no
      time zone (i.e. getting a local time from an epoch
      timestamp). This should have no user-facing effect other
      than giving a possibly more accurate error message when
      called with timestamps that fall on 10000-01-01 in the
      local time. Patch by Paul Ganssle.
    - bpo-47260: Fix os.closerange() potentially being a no-op in
      a Linux seccomp sandbox.
    - bpo-39064: zipfile.ZipFile now raises zipfile.BadZipFile
      instead of ValueError when reading a corrupt zip file in
      which the central directory offset is negative.
    - bpo-47151: When subprocess tries to use vfork, it now falls
      back to fork if vfork returns an error. This allows use in
      situations where vfork isn't allowed by the OS kernel.
    - bpo-27929: Fix asyncio.loop.sock_connect() to only resolve
      names for socket.AF_INET or socket.AF_INET6 families.
      Resolution may not make sense for other families, like
      socket.AF_BLUETOOTH and socket.AF_UNIX.
    - bpo-43323: Fix errors in the email module if the charset
      itself contains undecodable/unencodable characters.
    - bpo-47101: hashlib.algorithms_available now lists only
      algorithms that are provided by activated crypto providers
      on OpenSSL 3.0. Legacy algorithms are not listed unless the
      legacy provider has been loaded into the default OSSL
      context.
    - bpo-46787: Fix concurrent.futures.ProcessPoolExecutor
      exception memory leak
    - bpo-45393: Fix the formatting for await x and not x in the
      operator precedence table when using the help() system.
    - bpo-46415: Fix ipaddress.ip_{address,interface,network}
      raising TypeError instead of ValueError if given invalid
      tuple as address parameter.
    - bpo-28249: Set doctest.DocTest.lineno to None when object
      does not have __doc__.
    - bpo-45138: Fix a regression in the sqlite3 trace callback
      where bound parameters were not expanded in the passed
      statement string. The regression was introduced in Python
      3.10 by bpo-40318. Patch by Erlend E. Aasland.
    - bpo-44493: Add missing terminated NUL in sockaddr_un's
      length
    - This was potentially observable when using non-abstract
      AF_UNIX datagram sockets to processes written in another
      programming language.
    - bpo-42627: Fix incorrect parsing of Windows registry proxy
      settings
    - bpo-36073: Raise ProgrammingError instead of segfaulting on
      recursive usage of cursors in sqlite3 converters. Patch by
      Sergey Fedoseev.
  - Documentation
    - gh-86438: Clarify that -W and PYTHONWARNINGS are matched
      literally and case-insensitively, rather than as regular
      expressions, in warnings.
    - gh-92240: Added release dates for 'What's New in Python
      3.X' for 3.0, 3.1, 3.2, 3.8 and 3.10
    - gh-91888: Add a new gh role to the documentation to link to
      GitHub issues.
    - gh-91783: Document security issues concerning the use of
      the function shutil.unpack_archive()
    - gh-91547: Remove 'Undocumented modules' page.
    - bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of
      shutil.copytree().
    - bpo-38668: Update the introduction to documentation for
      os.path to remove warnings that became irrelevant after the
      implementations of PEP 383 and PEP 529.
    - bpo-47138: Pin Jinja to a version compatible with Sphinx
      version 3.2.1.
    - bpo-46962: All docstrings in code snippets are now wrapped
      into PyDoc_STR() to follow the guideline of PEP 7's
      Documentation Strings paragraph. Patch by Oleg Iarygin.
    - bpo-26792: Improve the docstrings of runpy.run_module() and
      runpy.run_path(). Original patch by Andrew Brezovsky.
    - bpo-40838: Document that inspect.getdoc(),
      inspect.getmodule(), and inspect.getsourcefile() might
      return None.
    - bpo-45790: Adjust inaccurate phrasing in Defining Extension
      Types: Tutorial about the ob_base field and the macros used
      to access its contents.
    - bpo-42340: Document that in some circumstances
      KeyboardInterrupt may cause the code to enter an
      inconsistent state. Provided a sample workaround to avoid
      it if needed.
    - bpo-41233: Link the errnos referenced in
      Doc/library/exceptions.rst to their respective section in
      Doc/library/errno.rst, and vice versa. Previously this was
      only done for EINTR and InterruptedError. Patch by Yan
      'yyyyyyyan' Orestes.
    - bpo-38056: Overhaul the Error Handlers documentation in
      codecs.
    - bpo-13553: Document tkinter.Tk args.
  - Tests
    - gh-92886: Fixing tests that fail when running with
      optimizations (-O) in test_imaplib.py.
    - gh-92670: Skip
      test_shutil.TestCopy.test_copyfile_nonexistent_dir test on
      AIX as the test uses a trailing slash to force the OS to
      consider the path as a directory, but on AIX the trailing
      slash has no effect and the path is considered a file.
    - gh-91904: Fix initialization of
      PYTHONREGRTEST_UNICODE_GUARD which prevented running
      regression tests on non-UTF-8 locale.
    - gh-91607: Fix test_concurrent_futures to test the correct
      multiprocessing start method context in several cases where
      the test logic mixed this up.
    - bpo-47205: Skip test for sched_getaffinity() and
      sched_setaffinity() error case on FreeBSD.
    - bpo-47104: Rewrite asyncio.to_thread() tests to use
      unittest.IsolatedAsyncioTestCase.
    - bpo-29890: Add tests for ipaddress.IPv4Interface and
      ipaddress.IPv6Interface construction with tuple arguments.
      Original patch and tests by louisom.
  - Tools/Demos
    - gh-91583: Fix regression in the code generated by Argument
      Clinic for functions with the defining_class parameter.

- Update to 3.10.4:
  - bpo-46968: Check for the existence of the 'sys/auxv.h' header
    in faulthandler to avoid compilation problems in systems
    where this header doesn't exist. Patch by Pablo Galindo
  - bpo-23691: Protect the re.finditer() iterator from
    re-entering.
  - bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to
    avoid a 'zipfile.BadZipFile: Bad CRC-32 for file' exception
    when reading a ZipFile from multiple threads.
  - bpo-38256: Fix binascii.crc32() when it is compiled to use
    zlib's crc32 to work properly on inputs 4+GiB in length
    instead of returning the wrong result. The workaround prior
    to this was to always feed the function data in increments
    smaller than 4GiB or to just call the zlib module function.
  - bpo-39394: A warning about inline flags not at the start of
    the regular expression now contains the position of the flag.
  - bpo-47061: Deprecate the various modules listed by PEP 594:
  - aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt,
    imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd,
    sndhdr, spwd, sunau, telnetlib, uu, xdrlib
  - bpo-2604: Fix bug where doctests using globals would fail
    when run multiple times.
  - bpo-45997: Fix asyncio.Semaphore re-acquiring FIFO order.
  - bpo-47022: The asynchat, asyncore and smtpd modules have been
    deprecated since at least Python 3.6. Their documentation and
    deprecation warnings have now been updated to note they
    will be removed in Python 3.12 (PEP 594).
  - bpo-46421: Fix a unittest issue where if the command was
    invoked as python -m unittest and the filename(s) began with
    a dot (.), a ValueError is returned.
  - bpo-40296: Fix supporting generic aliases in pydoc.

- Update to 3.10.3:
  - bpo-46940: Avoid overriding AttributeError metadata
    information for nested attribute access calls. Patch by Pablo
    Galindo.
  - bpo-46852: Rename the private undocumented
    float.__set_format__() method to float.__setformat__() to fix
    a typo introduced in Python 3.7. The method is only used by
    test_float. Patch by Victor Stinner.
  - bpo-46794: Bump up the libexpat version into 2.4.6
  - bpo-46820: Fix parsing a numeric literal immediately (without
    spaces) followed by 'not in' keywords, like in 1not in x. Now
    the parser only emits a warning, not a syntax error.
  - bpo-46762: Fix an assert failure in debug builds when a '<',
    '>', or '=' is the last character in an f-string that's
    missing a closing right brace.
  - bpo-46724: Make sure that all backwards jumps use the
    JUMP_ABSOLUTE instruction, rather than JUMP_FORWARD with an
    argument of (2**32)+offset.
  - bpo-46732: Correct the docstring for the __bool__() method.
    Patch by Jelle Zijlstra.
  - bpo-46707: Avoid potential exponential backtracking when
    producing some syntax errors involving lots of brackets.
    Patch by Pablo Galindo.
  - bpo-40479: Add a missing call to va_end() in
    Modules/_hashopenssl.c.
  - bpo-46615: When iterating over sets internally in
    setobject.c, acquire strong references to the resulting items
    from the set. This prevents crashes in corner-cases of
    various set operations where the set gets mutated.
  - bpo-45773: Remove two invalid 'peephole' optimizations from
    the bytecode compiler.
  - bpo-43721: Fix docstrings of getter, setter, and deleter to
    clarify that they create a new copy of the property.
  - bpo-46503: Fix an assert when parsing some invalid \N escape
    sequences in f-strings.
  - bpo-46417: Fix a race condition on setting a type __bases__
    attribute: the internal function add_subclass() now gets the
    PyTypeObject.tp_subclasses member after calling
    PyWeakref_NewRef() which can trigger a garbage collection
    which can indirectly modify PyTypeObject.tp_subclasses. Patch
    by Victor Stinner.
  - bpo-46383: Fix invalid signature of _zoneinfo's module_free
    function to resolve a crash on wasm32-emscripten platform.
  - bpo-46070: Py_EndInterpreter() now explicitly untracks all
    objects currently tracked by the GC. Previously, if an object
    was used later by another interpreter, calling
    PyObject_GC_UnTrack() on the object crashed if the previous
    or the next object of the PyGC_Head structure became
    a dangling pointer. Patch by Victor Stinner.
  - bpo-46339: Fix a crash in the parser when retrieving the
    error text for multi-line f-strings expressions that do not
    start in the first line of the string. Patch by Pablo Galindo
  - bpo-46240: Correct the error message for unclosed parentheses
    when the tokenizer doesn't reach the end of the source when
    the error is reported. Patch by Pablo Galindo
  - bpo-46091: Correctly calculate indentation levels for lines
    with whitespace character that are ended by line continuation
    characters. Patch by Pablo Galindo
  - bpo-43253: Fix a crash when closing transports where the
    underlying socket handle is already invalid on the Proactor
    event loop.
  - bpo-47004: Apply bugfixes from importlib_metadata 4.11.3,
    including bugfix for EntryPoint.extras, which was returning
    match objects and not the extras strings.
  - bpo-46985: Upgrade pip wheel bundled with ensurepip (pip
    22.0.4)
  - bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically
    determine the size of the signal handler stack CPython allocates
    using getauxval(AT_MINSIGSTKSZ). This change allows a
    Python extension's request to the Linux kernel to use the AMX_TILE
    instruction set on Sapphire Rapids Xeon processors to succeed,
    unblocking use of the ISA in frameworks.
  - bpo-46955: Expose asyncio.base_events.Server as
    asyncio.Server. Patch by Stefan Zabka.
  - bpo-23325: The signal module no longer assumes that SIG_IGN
    and SIG_DFL are small int singletons.
  - bpo-46932: Update bundled libexpat to 2.4.7
  - bpo-25707: Fixed a file leak in
    xml.etree.ElementTree.iterparse() when the iterator is not
    exhausted. Patch by Jacob Walls.
  - bpo-44886: Inherit asyncio proactor datagram transport from
    asyncio.DatagramTransport.
  - bpo-46827: Support UDP sockets in asyncio.loop.sock_connect()
    for selector-based event loops. Patch by Thomas Grainger.
  - bpo-46811: Make test suite support Expat >=2.4.5
  - bpo-46252: Raise TypeError if ssl.SSLSocket is passed to
    transport-based APIs.
  - bpo-46784: Fix libexpat symbols collisions with user
    dynamically loaded or statically linked libexpat in embedded
    Python.
  - bpo-39327: shutil.rmtree() can now work with VirtualBox
    shared folders when running from the guest operating-system.
  - bpo-46756: Fix a bug in
    urllib.request.HTTPPasswordMgr.find_user_password() and
    urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated()
    which allowed authorization to be bypassed. For example, access to
    URI example.org/foobar was allowed if the user was authorized
    for URI example.org/foo.
  - bpo-46643: In typing.get_type_hints(), support evaluating
    stringified ParamSpecArgs and ParamSpecKwargs annotations.
    Patch by Gregory Beauregard.
  - bpo-45863: When the tarfile module creates a pax format
    archive, it will put an integer representation of timestamps
    in the ustar header (if possible) for the benefit of older
    unarchivers, in addition to the existing full-precision
    timestamps in the pax extended header.
  - bpo-46676: Make typing.ParamSpec args and kwargs equal to
    themselves. Patch by Gregory Beauregard.
  - bpo-46672: Fix NameError in asyncio.gather() when initial
    type check fails.
  - bpo-46655: In typing.get_type_hints(), support evaluating
    bare stringified TypeAlias annotations. Patch by Gregory
    Beauregard.
  - bpo-45948: Fixed a discrepancy in the C implementation of the
    xml.etree.ElementTree module. Now, instantiating an
    xml.etree.ElementTree.XMLParser with a target=None keyword
    provides a default xml.etree.ElementTree.TreeBuilder target
    as the Python implementation does.
  - bpo-46521: Fix a bug in the codeop module that was
    incorrectly identifying invalid code involving string quotes
    as valid code.
  - bpo-46581: Brings ParamSpec propagation for GenericAlias in
    line with Concatenate (and others).
  - bpo-46591: Make the IDLE doc URL on the About IDLE dialog
    clickable.
  - bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
  - bpo-46487: Add the get_write_buffer_limits method to
    asyncio.transports.WriteTransport and to the SSL transport.
  - bpo-45173: Note the configparser deprecations will be removed
    in Python 3.12.
  - bpo-46539: In typing.get_type_hints(), support evaluating
    stringified ClassVar and Final annotations inside Annotated.
    Patch by Gregory Beauregard.
  - bpo-46491: Allow typing.Annotated to wrap typing.Final and
    typing.ClassVar. Patch by Gregory Beauregard.
  - bpo-46436: Fix command-line option -d/--directory in module
    http.server which is ignored when combined with command-line
    option --cgi. Patch by Géry Ogam.
  - bpo-41403: Make mock.patch() raise a TypeError with
    a relevant error message on invalid arg. Previously it
    allowed a cryptic AttributeError to escape.
  - bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid
    potential REDoS by limiting ambiguity in consecutive
    whitespace.
  - bpo-46469: asyncio generic classes now return
    types.GenericAlias in __class_getitem__ instead of the same
    class.
  - bpo-46434: pdb now gracefully handles help when __doc__ is
    missing, for example when run with pregenerated optimized
    .pyc files.
  - bpo-46333: The __eq__() and __hash__() methods of
    typing.ForwardRef now honor the module parameter of
    typing.ForwardRef. Forward references from different modules
    are now differentiated.
  - bpo-46246: Add missing __slots__ to
    importlib.metadata.DeprecatedList. Patch by Arie Bovenberg.
  - bpo-46266: Improve day constants in calendar.
  - Now all constants (MONDAY ... SUNDAY) are documented, tested,
    and added to __all__.
  - bpo-46232: The ssl module now handles certificates with bit
    strings in DN correctly.
  - bpo-43118: Fix a bug in inspect.signature() that was causing
    it to fail on some subclasses of classes with
    a __text_signature__ referencing module globals. Patch by
    Weipeng Hong.
  - bpo-26552: Fixed case where failing asyncio.ensure_future()
    did not close the coroutine. Patch by Kumar Aditya.
  - bpo-21987: Fix an issue with tarfile.TarFile.getmember()
    getting a directory name with a trailing slash.
  - bpo-20392: Fix inconsistency with uppercase file extensions
    in MimeTypes.guess_type(). Patch by Kumar Aditya.
  - bpo-46080: Fix exception in argparse help text generation if
    an argparse.BooleanOptionalAction argument's default is
    argparse.SUPPRESS and it has help specified. Patch by Felix
    Fontein.
  - bpo-44439: Fix .write() method of a member file in ZipFile,
    when the input data is an object that supports the buffer
    protocol, the file length may be wrong.
  - bpo-45703: When a namespace package is imported before
    another module from the same namespace is created/installed
    in a different sys.path location while the program is
    running, calling the importlib.invalidate_caches() function
    will now also guarantee the new module is noticed.
  - bpo-24959: Fix bug where unittest sometimes drops frames from
    tracebacks of exceptions raised in tests.
  - bpo-44791: Fix substitution of ParamSpec in Concatenate with
    different parameter expressions. Substitution with a list of
    types now returns a tuple of types. Substitution with
    Concatenate now returns a Concatenate with concatenated lists
    of arguments.
  - bpo-14156: argparse.FileType now supports an argument of '-'
    in binary mode, returning the .buffer attribute of
    sys.stdin/sys.stdout as appropriate. Modes including 'x' and
    'a' are treated equivalently to 'w' when argument is '-'.
    Patch contributed by Josh Rosenberg
  - bpo-46463: Fixes escape4chm.py script used when building the
    CHM documentation file
  - bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is
    built with undefined behavior sanitizer (UBSAN): disable
    UBSAN on the faulthandler_sigfpe() function. Patch by Victor
    Stinner.
  - bpo-46708: Prevent default asyncio event loop policy
    modification warning after test_asyncio execution.
  - bpo-46678: The function make_legacy_pyc in
    Lib/test/support/import_helper.py no longer fails when
    PYTHONPYCACHEPREFIX is set to a directory on a different
    device from where tempfiles are stored.
  - bpo-46616: Ensures test_importlib.test_windows cleans up
    registry keys after completion.
  - bpo-44359: test_ftplib now silently ignores socket errors to
    prevent logging unhandled threading exceptions. Patch by
    Victor Stinner.
  - bpo-46542: Fix a Python crash in test_lib2to3 when using
    Python built in debug mode: limit the recursion limit. Patch
    by Victor Stinner.
  - bpo-46576: test_peg_generator now disables compiler
    optimization when testing compilation of its own C extensions
    to significantly speed up the testing on non-debug builds of
    CPython.
  - bpo-46542: Fix test_json tests checking for RecursionError:
    modify these tests to use support.infinite_recursion(). Patch
    by Victor Stinner.
  - bpo-13886: Skip test_builtin PTY tests on non-ASCII
    characters if the readline module is loaded. The readline
    module changes input() behavior, but test_builtin is not
    intended to test the readline module. Patch by Victor
    Stinner.
  - bpo-38472: Fix GCC detection in setup.py when
    cross-compiling. The C compiler is now run with LC_ALL=C.
    Previously, the detection failed with a German locale.
  - bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro
    and pyconfig.h no longer defines reserved symbol
    __CHAR_UNSIGNED__.
  - bpo-45296: Clarify close, quit, and exit in IDLE. In the File
    menu, 'Close' and 'Exit' are now 'Close Window' (the current
    one) and 'Exit' is now 'Exit IDLE' (by closing all windows).
    In Shell, 'quit()' and 'exit()' mean 'close Shell'. If there
    are no other windows, this also exits IDLE.
  - bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch
    by Alex Waygood and Terry Jan Reedy.
  - bpo-46433: The internal function _PyType_GetModuleByDef now
    correctly handles inheritance patterns involving static
    types.
  - bpo-14916: Fixed bug in the tokenizer that prevented
    PyRun_InteractiveOne from parsing from the provided FD.
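
Added example (not part of the SUSE advisory and not CPython's code): the bpo-46756 entry above describes credentials scoped to example.org/foo also being accepted for example.org/foobar. The sketch below contrasts plain string-prefix scoping with path-segment scoping and then checks how the running interpreter's HTTPPasswordMgr behaves; the helper names, realm and credentials are hypothetical.

```python
"""Path scoping of stored HTTP credentials, as described in bpo-46756."""
import urllib.request
from urllib.parse import urlsplit


def _reduce(uri):
    """Split a URI into (authority, path); an empty path becomes '/'."""
    parts = urlsplit(uri if "://" in uri else "//" + uri)
    return parts.netloc, parts.path or "/"


def loose_is_suburi(base, test):
    """Flawed scoping: the protected path is treated as a string prefix."""
    (b_host, b_path), (t_host, t_path) = _reduce(base), _reduce(test)
    return b_host == t_host and t_path.startswith(b_path)


def strict_is_suburi(base, test):
    """Segment-aware scoping: test must equal base or sit below 'base/'."""
    (b_host, b_path), (t_host, t_path) = _reduce(base), _reduce(test)
    if b_host != t_host:
        return False
    if b_path == t_path:
        return True
    prefix = b_path if b_path.endswith("/") else b_path + "/"
    return t_path.startswith(prefix)


def interpreter_scopes_by_segment():
    """True if this interpreter's HTTPPasswordMgr keeps credentials that
    were registered for /foo away from the sibling path /foobar while
    still returning them for the child path /foo/bar."""
    mgr = urllib.request.HTTPPasswordMgr()
    # Constructed realm and credentials, used only for this local check.
    mgr.add_password("realm", "http://example.org/foo", "user", "secret")
    sibling = mgr.find_user_password("realm", "http://example.org/foobar")
    child = mgr.find_user_password("realm", "http://example.org/foo/bar")
    return sibling == (None, None) and child == ("user", "secret")


# Constructed sample cases: (URI the credentials were registered for,
# URI being requested).
CASES = [
    ("example.org/foo", "example.org/foo"),
    ("example.org/foo", "example.org/foo/bar"),
    ("example.org/foo", "example.org/foobar"),
    ("example.org/foo/", "example.org/foo/x"),
    ("example.org/foo", "other.org/foo/bar"),
]


def compare(cases=CASES):
    """Return (base, test, loose_result, strict_result) for each case."""
    return [
        (base, test, loose_is_suburi(base, test), strict_is_suburi(base, test))
        for base, test in cases
    ]


if __name__ == "__main__":
    for base, test, loose, strict in compare():
        flag = "  <-- scoping differs" if loose != strict else ""
        print(f"{base:20} {test:22} loose={loose!s:5} strict={strict!s:5}{flag}")
    print("interpreter scopes by path segment:", interpreter_scopes_by_segment())
```

A False result from interpreter_scopes_by_segment() means the interpreter in the image still matches credentials by string prefix.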

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2294-1
Released:    Wed Jul  6 13:34:15 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2305-1
Released:    Wed Jul  6 13:38:42 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
This update for curl fixes the following issues:

- CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2308-1
Released:    Wed Jul  6 14:15:13 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1185637,1199166,1200550,1201099,CVE-2022-1292,CVE-2022-2068,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).


The following package changes have been done:

- libopenssl1_1-1.1.1l-150400.7.7.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.7.1 updated
- libcurl4-7.79.1-150400.5.3.1 updated
- openssl-1_1-1.1.1l-150400.7.7.1 updated
- curl-7.79.1-150400.5.3.1 updated
- libexpat1-2.4.4-150400.3.6.9 updated
- libpython3_10-1_0-3.10.5-150400.4.7.1 updated
- python310-base-3.10.5-150400.4.7.1 updated
- python310-3.10.5-150400.4.7.1 updated
- container:sles15-image-15.0.0-27.8.3 updated

July 7, 2022
The container bci/python was updated

Summary

Advisory ID: SUSE-SU-2022:2291-1 Released: Wed Jul 6 13:04:37 2022 Summary: Security update for python310 Type: security Severity: important Advisory ID: SUSE-SU-2022:2294-1 Released: Wed Jul 6 13:34:15 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:2305-1 Released: Wed Jul 6 13:38:42 2022 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-SU-2022:2308-1 Released: Wed Jul 6 14:15:13 2022 Summary: Security update for openssl-1_1 Type: security Severity: important

References

References : 1185637 1196025 1196026 1196168 1196169 1196171 1196784 1198511

1199166 1200550 1200734 1200735 1200736 1200737 1201099 CVE-2015-20107

CVE-2022-1292 CVE-2022-2068 CVE-2022-2097 CVE-2022-25235 CVE-2022-25236

CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-32205 CVE-2022-32206

CVE-2022-32207 CVE-2022-32208


