Removed rpms
============

- DisplayCAL
- chameleon
- createrepo
- fslint
- fwzs
- gonvert
- gtkparasite
- gyp
- iceWMCP
- iceWMCP-addons
- iwscanner
- jumpnbump
- libraft0
- lxcc
- mysql-workbench
- nagstamon
- ndpmon
- py-fishcrypt
- qm
- sk1
- telepathy-gabble
- telepathy-gabble-xmpp-console
- vpp-api-python
- yum
- yum-lang
- yum-metadata-parser
- yum-updatesd
- zeroinstall-injector

Added rpms
==========

- libraft2
- python-devel
- python-xml
- python2-PyYAML

Package Source Changes
======================

autotrace
+- biWidth*biBitCnt integer overflow fix (bsc#1182158,
+  CVE-2019-19004, CVE-2019-19004.patch).
+- Bitmap double free fix (bsc1182159, CVE-2019-19005,
+  CVE-2017-9182, CVE-2017-9190, CVE-2019-19005.patch).
+
-- Fix AC_DEFUN quoting
-

clustershell
+- Disable py2 support on Leap 15.4
+

createrepo_c
-- [boo#1187811] fix segfaults when metadata loading fails
-  + added 0001-set-proper-error-on-failed-loading-of-metadata.patch
+- removed %is_opensuse (CtLG)
+- disabled drpm for SLE/Leap 15.3
+
+- Update to 0.16.0
+  + Never do dir walk when --recycle-pkglist specified
+  + Add automatic module metadata handling for repos (rh#1795936)
+
+- Update to 0.15.11
+  + Add python unittest for invalid date in updateinfo record get_datetime
+  + Simplify case when attr is empty (prevents covscan warnings)
+  + Fix couple of memory leaks, some mistakenly dead code and error handling
+  + Add --arch-expand option
+  + Fix spelling errors.
+
+- Update to 0.15.7
+  + Add relogin_suggested to updatecollectionpackage (rh#1779751)
+  + Support issued date in epoch format in Python API (rh#1779751)
+
+- Update to 0.15.6
+  + Set global_exit_status on sigint so that .repodata are cleaned up
+  + Fix various issues discovered by covscans (rh#1789707)
+  + Enhance error handling when locating repositories (rh#1762697)
+  + Switch updateinfo to explicitly include bool values (rh#1772466)
+  + add --recycle-pkglist option
+  + use pkg href for cache lookup with --update
+  + Sync --excludes matching for dir-walk vs. --pkglist

grass
+- Use python3 on Leap 15.4
+

kicad
+- Use python3 on Leap 15.4
+

package-translations
-- Leap 15.4 Beta poo#99990 bump to version 89.87.20220225.5943e334:
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Slovak)
-  * Translated using Weblate (Catalan)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Dutch)
-  * Translated using Weblate (Dutch)
+- Update to version 89.87.20220316.36bed595:
+  * Update pot and po files for Leap 15.4 and SLE 15 SP4
+  * urls_sle.txt: Update for the latest SLE15 SP4 content
+  * Replace non-responding downloadcontent.opensuse.org by download.opensuse.org
+  * Translated using Weblate (Chinese (China) (zh_CN))
+  * Translated using Weblate (Chinese (Taiwan) (zh_TW))
-  * executing extractor for Leap 15.4 Beta poo#99879
-  * bump for 15.4
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Finnish)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Chinese (China) (zh_CN))
-  * Translated using Weblate (Chinese (China) (zh_CN))
-  * Translated using Weblate (Chinese (China) (zh_CN))
-  * Translated using Weblate (Chinese (China) (zh_CN))
-  * Translated using Weblate (Chinese (China) (zh_CN))
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Arabic)
-  * Translated using Weblate (Arabic)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Ukrainian)
+  * Translated using Weblate (French)
+  * Translated using Weblate (Indonesian)
+  * Translated using Weblate (Italian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Russian)
+  * Translated using Weblate (Polish)
+  * Translated using Weblate (Portuguese (Brazil))
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Spanish)
-  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Slovak)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
+  * Translated using Weblate (Swedish)
+
+- Leap 15.4 Beta poo#99990 bump to version 89.87.20220225.5943e334:
+  * bump for 15.4
+  * executing extractor for Leap 15.4 Beta poo#99879
+  * Translated using Weblate (Arabic)
+  * Translated using Weblate (Catalan)
+  * Translated using Weblate (Chinese (China) (zh_CN))
+  * Translated using Weblate (Czech)
+  * Translated using Weblate (Dutch)
+  * Translated using Weblate (Finnish)
+  * Translated using Weblate (German)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Ukrainian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Indonesian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (German)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Czech)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Japanese)
-  * Translated using Weblate (Russian)
-  * Translated using Weblate (Catalan)
-  * Translated using Weblate (Russian)
+  * Translated using Weblate (Slovak)
+  * Translated using Weblate (Spanish)
+  * Translated using Weblate (Ukrainian)

patterns-lxde
+- Remove Resommends lxcc, lxcc will be deleted
+

python-base
+- Update bundled pip wheel to the latest SLE version patched
+  against bsc#1186819 (CVE-2021-3572).
+- Recover again proper value of %python2_package_prefix
+  (bsc#1175619).
+
+- BuildRequire rpm-build-python: The provider to inject python(abi)
+  has been moved there. rpm-build pulls rpm-build-python
+  automatically in when building anything against python3-base, but
+  this implies that the initial build of python3-base does not
+  trigger the automatic installation.
+
+- Older SLE versions should use old OpenSSL.
+
+- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
+  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
+  containing ASCII newline and tabs in urlparse.
+
+- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
+  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
+  not trust the PASV response.
+
+- build against openssl 1.1.x (incompatible with openssl 3.0x)
+  for now.
+
+- on sle12, python2 modules will still be called python-xxxx until EOL,
+  for newer SLE versions they will be python2-xxxx
+
+- BuildRequire rpm-build-python: The provider to inject python(abi)
+  has been moved there. rpm-build pulls rpm-build-python
+  automatically in when building anything against python3-base, but
+  this implies that the initial build of python3-base does not
+  trigger the automatic installation.
+
+- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
+  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
+  in specifically crafted tarball.
+  Add recursion.tar as a testing tarball for the patch.
+- Provide the newest setuptools wheel (bsc#1176262,
+  CVE-2019-20916) in their correct form (bsc#1180686).
+- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
+  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
+  the method parameter of HTTPConnection.putrequest in httplib, stopping
+  injection of headers. Such characters now raise ValueError.
+
+- Renamed patch for assigned CVE:
+  * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ->
+    CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+    (boo#1189241, CVE-2021-3737)
+
+- Renamed patch for assigned CVE:
+  * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch
+    (boo#1189287, CVE-2021-3733)
+- Fix python-doc build (bpo#35293):
+  * sphinx-update-removed-function.patch
+- Update documentation formatting for Sphinx 3.0 (bpo#40204).
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+  request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+  which fixes http client infinite line reading (DoS) after a http
+  100 (bpo#44022, boo#1189241).
+
+- Modify Lib/ensurepip/__init__.py to contain the same version
+  numbers as are in reality the ones in the bundled wheels
+  (bsc#1187668).
+
+- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
+  use of semicolon as a query string separator (bpo#42967,
+  bsc#1182379, CVE-2021-23336).
+
+- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
+  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
+  _ctypes/callproc.c, which may lead to remote code execution.
+
+- (bsc#1180125) We really don't Require python-rpm-macros package.
+  Unnecessary dependency.
+
+- Add patch configure_PYTHON_FOR_REGEN.patch which makes
+  configure.ac to consider the correct version of
+  PYTHON_FO_REGEN (bsc#1078326).
+
+- Use python3-Sphinx on anything more recent than SLE-15 (inclusive).
+
+- Update to 2.7.18, final release of Python 2. Ever.:
+  - Newline characters have been escaped when performing uu
+    encoding to prevent them from overflowing into to content
+    section of the encoded file. This prevents malicious or
+    accidental modification of data during the decoding process.
+  - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben
+    Caller.
+  - Fixed line numbers and column offsets for AST nodes for calls
+    without arguments in decorators.
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
+    hostnames in http.client. Such potentially malicious header
+    injection URLs now cause a InvalidURL to be raised.
+  - Fix urllib.urlretrieve failing on subsequent ftp transfers
+    from the same host.
+  - Fix problems identified by GCC's -Wstringop-truncation
+    warning.
+  - AddRefActCtx() was needlessly being checked for failure in
+    PC/dl_nt.c.
+  - Prevent failure of test_relative_path in test_py_compile on
+    macOS Catalina.
+  - Fixed possible leak in `PyArg_Parse` and similar
+    functions for format units "es#" and "et#" when the macro
+    `PY_SSIZE_T_CLEAN` is not defined.
+- Remove upstreamed patches:
+  - CVE-2019-18348-CRLF_injection_via_host_part.patch
+  - python-2.7.14-CVE-2017-1000158.patch
+  - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
+  - CVE-2018-1061-DOS-via-regexp-difflib.patch
+  - CVE-2019-10160-netloc-port-regression.patch
+  - CVE-2019-16056-email-parse-addr.patch
+
+- Add CVE-2019-9674-zip-bomb.patch to improve documentation
+  warning about dangers of zip-bombs and other security problems
+  with zipfile library. (bsc#1162825 CVE-2019-9674)
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
+- Provide python-testsuite from devel subkg to ease py2->py3
+  dependencies
+
+- Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch
+  off tests coliding with the combination of modern Python and
+  ancient OpenSSL on SLE-12.
+
+- libnsl is required only on more recent SLEs and openSUSE, older
+  glibc supported NIS on its own.
+
+- Add provides in gdbm subpackage to provide dbm symbols. This
+  allows us to use %%{python_module dbm} as a dependency and have
+  it properly resolved for both python2 and python3
+
+- Drop appstream-glib BuildRequires and no longer call
+  appstream-util validate-relax: eliminate a build cycle between
+  as-glib and python. The only thing would would gain by calling
+  as-uril is catching if upstream breaks the appdata.xml file in a
+  future release. Considering py2 is dying, chances for a new
+  release, let alone one breaking the xml file, are slim.
+
+- Unify packages among openSUSE:Factory and SLE versions.
+  (bsc#1159035) ; add missing records to this changelog.
+- Add idle.desktop and idle.appdata.xml to provide IDLE in menus
+  (bsc#1153830)
+
+- Add python2_split_startup Provide to make it possible to
+  conflict older packages by shared-python-startup.
+
+- Move /etc/pythonstart script to shared-python-startup
+  package.
+
+- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
+  bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
+  bsc#1149792
+
+- Add adapted-from-F00251-change-user-install-location.patch fixing
+  pip/distutils to install into /usr/local.
+
+- Update to 2.7.17:
+  - a bug fix release in the Python 2.7.x series. It is expected
+    to be the penultimate release for Python 2.7.
+- Removed patches included upstream:
+  - CVE-2018-20852-cookie-domain-check.patch
+  - CVE-2019-16935-xmlrpc-doc-server_title.patch
+  - CVE-2019-9636-netloc-no-decompose-characters.patch
+  - CVE-2019-9947-no-ctrl-char-http.patch
+  - CVE-2019-9948-avoid_local-file.patch
+  - python-2.7.14-CVE-2018-1000030-1.patch
+  - python-2.7.14-CVE-2018-1000030-2.patch
+- Renamed remove-static-libpython.diff and python-bsddb6.diff to
+  remove-static-libpython.patch and python-bsddb6.patch to unify
+  filenames.
+
+- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
+  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
+  python/Lib/DocXMLRPCServer.py
+
+- Add bpo36302-sort-module-sources.patch (boo#1041090)
+
+- Add CVE-2019-16056-email-parse-addr.patch fixing the email
+  module wrongly parses email addresses [bsc#1149955,
+  CVE-2019-16056]
+
+- boo#1141853 (CVE-2018-20852) add
+  CVE-2018-20852-cookie-domain-check.patch fixing
+  http.cookiejar.DefaultPolicy.domain_return_ok which did not
+  correctly validate the domain: it could be tricked into sending
+  cookies to the wrong server.
+
+- Skip test_urllib2_localnet that randomly fails in OBS
+
+- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
+  which fixes regression introduced by the previous patch.
+  (CVE-2019-10160)
+  Upstream gh#python/cpython#13812
+
+- Set _lto_cflags to nil as it will prevent to propage LTO
+  for Python modules that are built in a separate package.
+
+- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
+  Address the issue by disallowing URL paths with embedded
+  whitespace or control characters through into the underlying
+  http client request. Such potentially malicious header
+  injection URLs now cause a ValueError to be raised.
+
+- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch
+  removing unnecessary (and potentially harmful) URL scheme
+  local-file://.
+
+- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
+  Characters in the netloc attribute that decompose under NFKC
+  normalization (as used by the IDNA encoding) into any of ``/``,
+  ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
+  URL is decomposed before parsing, or is not a Unicode string,
+  no error will be raised (CVE-2019-9636).
+  Upstream commits e37ef41 and 507bd8c.
+
+- (bsc#1111793) Update to 2.7.16:
+  * bugfix-only release: complete list of changes on
+    https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst
+  * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+    which are fully included in the tarball.
+  * Updated patches to apply cleanly:
+    CVE-2019-5010-null-defer-x509-cert-DOS.patch
+    bpo36160-init-sysconfig_vars.patch
+    do-not-use-non-ascii-in-test_ssl.patch
+    openssl-111-middlebox-compat.patch
+    openssl-111-ssl_options.patch
+    python-2.5.1-sqlite.patch
+    python-2.6-gettext-plurals.patch
+    python-2.7-dirs.patch
+    python-2.7.2-fix_date_time_compiler.patch
+    python-2.7.4-canonicalize2.patch
+    python-2.7.5-multilib.patch
+    python-2.7.9-ssl_ca_path.patch
+    python-bsddb6.diff
+    remove-static-libpython.patch
+  * Update python-2.7.5-multilib.patch to pass with new platlib
+    regime.
+
+- bsc#1109847 (CVE-2018-14647): add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
+  bpo-34623.
+
+- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch
+  PyWeakref_NewProxy@Objects/weakrefobject.c creates new isntance
+  of PyWeakReference struct and does not intialize wr_prev and
+  wr_next of new isntance. These pointers can have garbage and
+  point to random memory locations.
+  Python should not crash while destroying the isntance created
+  in the same interpreter function. As per my understanding, both
+  wr_prev and wr_next of PyWeakReference instance should be
+  initialized to NULL to avoid segfault.
+
+- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
+  fixing bpo-35746 (CVE-2019-5010).
+  An exploitable denial-of-service vulnerability exists in the
+  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
+  A specially crafted X509 certificate can cause a NULL pointer
+  dereference, resulting in a denial of service. An attacker can
+  initiate or accept TLS connections using crafted certificates
+  to trigger this vulnerability.
+
+- Use upstream-recommended %{_rpmconfigdir}/macros.d directory
+  for the rpm macros.
+
+- Add patch openssl-111.patch to work with openssl-1.1.1
+  (bsc#1113755)
+
+- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
+  converts shutil._call_external_zip to use subprocess rather than
+  distutils.spawn. [bsc#1109663, CVE-2018-1000802]
+
+- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
+  low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
+  (CVE-2018-1061). Prior to this patch mail server's timestamp was
+  susceptible to catastrophic backtracking on long evil response from
+  the server. Also, it was susceptible to catastrophic backtracking,
+  which was a potential DOS vector.
+  [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]
+
+- Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that
+  verifies that at least one channel is provided. Prior to this
+  check, attackers could cause a denial of service (divide-by-zero
+  error and application crash) via a crafted wav format audio file.
+  [bsc#1083507, CVE-2017-18207]
+
+- Apply "python-sorted_tar.patch" (bsc#1086001, boo#1081750)
+  sort tarfile output directory listing
+
+- update to 2.7.15
+  * dozens of bugfixes, see NEWS for details
+- removed obsolete patches:
+  * python-ncurses-6.0-accessors.patch
+  * python-fix-shebang.patch
+  * gcc8-miscompilation-fix.patch
+- add patch from upstream:
+  * do-not-use-non-ascii-in-test_ssl.patch
+
+- Add gcc8-miscompilation-fix.patch (boo#1084650).
+
+- Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer
+  overflows in PyString_DecodeEscape that could have resulted in
+  heap-based buffer overflow attacks and possible arbitrary code
+  execution. [bsc#1068664, CVE-2017-1000158]
+
+- exclude test_socket & test_subprocess for PowerPC boo#1078485
+  (same ref as previous change)
+
+- Add python-skip_random_failing_tests.patch bypass boo#1078485
+  and exclude many tests for PowerPC
+
+- Add patch python-fix-shebang.patch to fix bsc#1078326
+
+- exclude test_regrtest for s390, where it does not segfault as it should
+  (fixes bsc#1073269)
+- fix segfault while creating weakref - bsc#1073748, bpo#29347
+  (this is actually fixed by the 2.7.14 update; mentioning this for purposes
+  of bugfix tracking)
+
+- update to 2.7.14
+  * dozens of bugfixes, see NEWS for details
+  * fixed possible integer overflow in PyString_DecodeEscape (CVE-2017-1000158, bsc#1068664)
+  * fixed segfaults with dict mutated during search
+  * fixed possible free-after-use problems with buffer objects with custom indexing
+  * fixed urllib.splithost to correctly parse fragments (bpo-30500)
+- drop upstreamed python-2.7.13-overflow_check.patch
+- drop unneeded python-2.7.12-makeopcode.patch
+- drop upstreamed 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch
+- Apply "python-2.7.14-CVE-2018-1000030-1.patch" and
+  "python-2.7.14-CVE-2018-1000030-2.patch" to remedy a bug that
+  would crash the Python interpreter when multiple threads used the
+  same I/O stream concurrently. This issue is not classified as a
+  security vulnerability due to the fact that an attacker must be
+  able to run code, however in some situations -- such as function
+  as a service -- this vulnerability can potentially be used by an
+  attacker to violate a trust boundary. [bsc#1079300,
+  CVE-2018-1000030]
+
+- Call python2 instead of python in macros
+
+- Fix test broken with OpenSSL 1.1 (bsc#1042670)
+  * add 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch
+
+- drop SUSE_ASNEEDED=0 as it is not needed anymore
+
+- Add libnsl-devel build requires for glibc obsoleting libnsl
+
+- obsolete/provide python-argparse and provide python2-argparse,
+  because the argparse module is available from python 2.7 up
+
+- SLE package update (bsc#1027282)
+- refresh python-2.7.5-multilib.patch
+- dropped upstreamed patches:
+  python-fix-short-dh.patch
+  python-2.7.7-mhlib-linkcount.patch
+  python-2.7-urllib2-localnet-ssl.patch
+  CVE-2016-0772-smtplib-starttls.patch
+  CVE-2016-5699-http-header-injection.patch
+  CVE-2016-5636-zipimporter-overflow.patch
+  python-2.7-httpoxy.patch
+- Add python-ncurses-6.0-accessors.patch: Fix build with
+  NCurses 6.0 and OPAQUE_WINDOW set to 1.
+  (dimstar@opensuse.org)
+
+- Add reproducible.patch to allow reproducible builds of various
+  python packages like python-amqp
+  Upstream: https://github.com/python/cpython/pull/296
+
+- update to 2.7.13
+  * dozens of bugfixes, see NEWS for details
+  * updated cipher lists for openssl wrapper, support openssl >= 1.1.0
+  * properly fix HTTPoxy (CVE-2016-1000110)
+  * profile-opt build now applies PGO to modules as well
+- update python-2.7.10-overflow_check.patch
+  with python-2.7.13-overflow_check.patch, incorporating upstream changes
+  (bnc#964182)
+- add "-fwrapv" to optflags explicitly because upstream code still
+  relies on it in many places
+
+- provide python2-* symbols, for support of new packages built as
+  python2-foo
+- rename macros.python to macros.python2 accordingly
+- require python-rpm-macros package, drop macro definitions from
+  macros.python2
+
+- initial packaging of `python27` side-by-side variant (fate#321075, bsc#997436)
+- renamed `python` to `python27` in package names and requires
+- removed Provides and Obsoletes clauses
+- dropped SLE12-only patch python-2.7.9-sles-disable-verification-by-default.patch,
+  companion sle_tls_checks_policy.py file and the python-strict-tls-checks subpackage
+- dropped profile files
+- removed /usr/bin/python and /usr/bin/python2, along with other unversioned
+  aliases
+- rewrote macros file to enable stand-alone packages depending on py2.7
+- re-included downloaded version of HTML documentation
+
+- update to 2.7.12
+  * dozens of bugfixes, see NEWS for details
+  * fixes multiple security issues:
+    CVE-2016-0772 TLS stripping attack on smtplib (bsc#984751)
+    CVE-2016-5636 zipimporter heap overflow (bsc#985177)
+    CVE-2016-5699 httplib header injection (bsc#985348)
+    (this one is actually fixed since 2.7.10)
+- removed upstreamed python-2.7.7-mhlib-linkcount.patch
+- refreshed multilib patch
+- python-2.7.12-makeopcode.patch - run newly-built python interpreter
+  to make opcodes, in order not to require pre-built python
+- update LD_LIBRARY_PATH to use $PWD instead of "." because the test
+  process escapes to its own directory
+- modify shebang-fixing scriptlet to ignore makeopcodetargets.py
+
+- CVE-2016-0772-smtplib-starttls.patch:
+  smtplib vulnerability opens startTLS stripping attack
+  (CVE-2016-0772, bsc#984751)
+- CVE-2016-5636-zipimporter-overflow.patch:
+  heap overflow when importing malformed zip files
+  (CVE-2016-5636, bsc#985177)
+- CVE-2016-5699-http-header-injection.patch:
+  incorrect validation of HTTP headers allow header injection
+  (CVE-2016-5699, bsc#985348)
+- python-2.7-httpoxy.patch:
+  HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY
+  when REQUEST_METHOD is also set
+  (CVE-2016-1000110, bsc#989523)
+
+- Add python-2.7.10-overflow_check.patch to fix broken overflow checks.
+  [bnc#964182]
+
+- copy strict-tls-checks subpackage from SLE to retain future compatibility
+  (not built in openSUSE)
+- do this properly to fix bnc#945401
+- update SLE check to exclude Leap which also has version 1315,
+  just to be sure
+
+- Add python-ncurses-6.0-accessors.patch: Fix build with
+  NCurses 6.0 and OPAQUE_WINDOW set to 1.
+
+- add missing ssl.pyc and ssl.pyo to package
+- implement python-strict-tls-checks subpackage
+  * when present, Python will perform TLS certificate checking by default.
+    it is possible to remove the package to turn off the checks
+    for compatibility with legacy scripts.
+  * as discussed in fate#318300
+  * this is not built for openSUSE, but retained here in case we want
+    to build the package for a SLE system
+
+- python-fix-short-dh.patch: Bump DH parameters to 2048 bit
+  to fix logjam security issue. bsc#935856
+
+- add __python2 compatibility macro (used by Fedora) (fate#318838)
+
+- update to 2.7.10
+- removed obsolete python-2.7-urllib2-localnet-ssl.patch
+
+- Reenable test_posix on aarch64
+
+- python-2.7.4-aarch64.patch: Remove obsolete patch
+- python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for
+  aarch64
+
+- update to 2.7.9
+  * contains full backport of ssl module from Python 3.4 (PEP466)
+  * HTTPS certificate validation enabled by default (PEP476)
+  * SSLv3 disabled by default (bnc#901715)
+  * backported ensurepip module (PEP477)
+  * fixes several missing CVEs from last release: CVE-2013-1752,
+    CVE-2013-1753
+  * dozens of minor bugfixes
+- dropped upstreamed patches: python-2.7.6-poplib.patch,
+  smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
+- dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it
+  with ssl module from Python 3
+- libffi was upgraded upstream, seems to contain our changes,
+  so dropping libffi-ppc64le.diff as well
+- python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional
+  "import ssl" from test_urllib2_localnet that caused it to fail without ssl
+
+- skip test_thread in qemu_linux_user mode
+

raft
+- raft 0.13.0:
+  * move to raft_fsm v2 introducing snapshot_finalize
+
+- raft 0.11.3:
+  * initial support for tracing
+  * protocol bug fixes
+