Security update for python39 (important)

An update that solves one vulnerability, contains one
feature and has one errata is now available.

Description:

This update for python39 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module
  (bsc#1198511).

• Update to 3.9.13:

  • Core and Builtins
    • gh-92311: Fixed a bug where setting frame.f_lineno to jump
      over a list comprehension could misbehave or crash.
    • gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
    • gh-92036: Fix a crash in subinterpreters related to the garbage
      collector. When a subinterpreter is deleted, untrack all objects
      tracked by its GC. To prevent a crash in deallocator functions
      expecting objects to be tracked by the GC, leak a strong reference
      to these objects on purpose, so they are never deleted and their
      deallocator functions are not called. Patch by Victor Stinner.
    • gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
    • bpo-46775: Some Windows system error codes(>= 10000) are now mapped
      into the correct errno and may now raise a subclass of OSError.
      Patch by Dong-hee Na.
    • bpo-46962: Classes and functions that unconditionally declared their
      docstrings ignoring the
      –without-doc-strings compilation flag no longer do so.
    • The classes affected are pickle.PickleBuffer,
      testcapi.RecursingInfinitelyError, and types.GenericAlias.
    • The functions affected are 24 methods in ctypes.
    • Patch by Oleg Iarygin.
    • bpo-36819: Fix crashes in built-in encoders with error handlers that
      return position less or equal than the starting position of
      non-encodable characters.
  • Library
    • gh-91581: utcfromtimestamp() no longer attempts to resolve fold in
      the pure Python implementation, since the fold is never 1 in UTC. In
      addition to being slightly faster in the common case, this also
      prevents some errors when the timestamp is close to datetime.min.
      Patch by Paul Ganssle.
    • gh-92530: Fix an issue that occurred after interrupting
      threading.Condition.notify().
    • gh-92049: Forbid pickling constants re._constants.SUCCESS etc.
      Previously, pickling did not fail, but the result could not be
      unpickled.
    • bpo-47029: Always close the read end of the pipe used by
      multiprocessing.Queue after the last write of buffered data to the
      write end of the pipe to avoid BrokenPipeError at garbage collection
      and at multiprocessing.Queue.close() calls. Patch by G��ry Ogam.
    • gh-91910: Add missing f prefix to f-strings in error messages from
      the multiprocessing and asyncio modules.
    • gh-91810: ElementTree method write() and function tostring() now use
      the text file’'s encoding (“UTF-8” if not available) instead of
      locale encoding in XML declaration when encoding=“unicode” is
      specified.
    • gh-91832: Add required attribute to argparse.Action repr
      output.
    • gh-91734: Fix OSS audio support on Solaris.
    • gh-91700: Compilation of regular expression containing a conditional
      expression (?(group)…) now raises an appropriate re.error if the
      group number refers to not defined group. Previously an internal
      RuntimeError was raised.
    • gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per
      test event loop executor before returning from its run method so
      that a not yet stopped or garbage collected executor state does not
      persist beyond the test.
    • gh-90568: Parsing \N escapes of Unicode Named Character Sequences in
      a regular expression raises now re.error instead of TypeError.
    • gh-91595: Fix the comparison of character and integer inside
      Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
    • gh-90622: Worker processes for
      concurrent.futures.ProcessPoolExecutor are no longer spawned on
      demand (a feature added in 3.9) when the multiprocessing context
      start method is “fork” as that can lead to deadlocks in the child
      processes due to a fork happening while threads are running.
    • gh-91575: Update case-insensitive matching in the re module to the
      latest Unicode version.
    • gh-91581: Remove an unhandled error case in the C implementation of
      calls to datetime.fromtimestamp with no time zone (i.e. getting a
      local time from an epoch timestamp). This should have no user-facing
      effect other than giving a possibly more accurate error message when
      called with timestamps that fall on 10000-01-01 in the local time.
      Patch by Paul Ganssle.
    • bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError
      when an invalid keyword was found in marked section. Patch by Marek
      Suscak.
    • bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for
      socket.AF_INET or socket.AF_INET6 families. Resolution may not make
      sense for other families, like socket.AF_BLUETOOTH and
      socket.AF_UNIX.
    • bpo-43323: Fix errors in the email module if the charset itself
      contains undecodable/unencodable characters.
    • bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception
      memory leak
    • bpo-46415: Fix ipaddress.ip_{address,interface,network} raising
      TypeError instead of ValueError if given invalid tuple as address
      parameter.
    • bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception
      while cancelling leaked tasks. Patch by Bar Harel.
    • bpo-44493: Add missing terminated NUL in sockaddr_un’s length
    • This was potentially observable when using non-abstract AF_UNIX
      datagram sockets to processes written in another programming
      language.
    • bpo-42627: Fix incorrect parsing of Windows registry proxy settings
    • bpo-36073: Raise ProgrammingError instead of segfaulting on
      recursive usage of cursors in sqlite3 converters. Patch by Sergey
      Fedoseev.
  • Documentation
    • gh-91888: Add a new gh role to the documentation to link to GitHub
      issues.
    • gh-91783: Document security issues concerning the use of the
      function shutil.unpack_archive()
    • gh-91547: Remove “Undocumented modules” page.
    • bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of
      shutil.copytree().
    • bpo-38668: Update the introduction to documentation for
      os.path to remove warnings that became irrelevant after the
      implementations of PEP 383 and PEP 529.
    • bpo-47138: Pin Jinja to a version compatible with Sphinx version
      2.4.4.
    • bpo-46962: All docstrings in code snippets are now wrapped into
      PyDoc_STR() to follow the guideline of PEP 7’s Documentation Strings
      paragraph. Patch by Oleg Iarygin.
    • bpo-26792: Improve the docstrings of runpy.run_module() and
      runpy.run_path(). Original patch by Andrew Brezovsky.
    • bpo-45790: Adjust inaccurate phrasing in Defining Extension Types:
      Tutorial about the ob_base field and the macros used to access its
      contents.
    • bpo-42340: Document that in some circumstances KeyboardInterrupt may
      cause the code to enter an inconsistent state. Provided a sample
      workaround to avoid it if needed.
    • bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst
      to their respective section in Doc/library/errno.rst, and vice
      versa. Previously this was
      only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan”
      Orestes.
    • bpo-38056: Overhaul the Error Handlers documentation in codecs.
    • bpo-13553: Document tkinter.Tk args.
  • Tests
    • gh-91607: Fix test_concurrent_futures to test the correct
      multiprocessing start method context in several cases where the test
      logic mixed this up.
    • bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity()
      error case on FreeBSD.
    • bpo-29890: Add tests for ipaddress.IPv4Interface and
      ipaddress.IPv6Interface construction with tuple arguments. Original
      patch and tests by louisom.
  • Build
    • bpo-47103: Windows PGInstrument builds now copy a required DLL into
      the output directory, making it easier to run the profile stage of a
      PGO build.
  • Windows
    • bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
    • bpo-46785: Fix race condition between os.stat() and unlinking a file
      on Windows, by using errors codes returned by FindFirstFileW() when
      appropriate in win32_xstat_impl.
    • bpo-40859: Update Windows build to use xz-5.2.5
  • Tools/Demos
    • gh-91583: Fix regression in the code generated by Argument Clinic
      for functions with the defining_class parameter.

• Update to 3.9.12:

  • bpo-46968: Check for the existence of the “sys/auxv.h” header in
    faulthandler to avoid compilation problems in systems where this
    header doesn’t exist. Patch by Pablo Galindo
  • bpo-47101: hashlib.algorithms_available now lists only algorithms that
    are provided by activated crypto providers on OpenSSL 3.0. Legacy
    algorithms are not listed unless the legacy provider has been loaded
    into the default OSSL context.
  • bpo-23691: Protect the re.finditer() iterator from re-entering.
  • bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a
    “zipfile.BadZipFile: Bad CRC-32 for file” exception when reading a
    ZipFile from multiple threads.
  • bpo-38256: Fix binascii.crc32() when it is compiled to use zlib’c
    crc32 to work properly on inputs 4+GiB in length instead of returning
    the wrong result. The workaround prior to this was to always feed the
    function data in increments smaller than 4GiB or to just call the zlib
    module function.
  • bpo-39394: A warning about inline flags not at the start of the
    regular expression now contains the position of the flag.
  • bpo-47061: Deprecate the various modules listed by PEP 594:
  • aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr,
    msilib, nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau,
    telnetlib, uu, xdrlib
  • bpo-2604: Fix bug where doctests using globals would fail when run
    multiple times.
  • bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
  • bpo-47022: The asynchat, asyncore and smtpd modules have been
    deprecated since at least Python 3.6. Their documentation has now been
    updated to note they will removed in Python 3.12 (PEP 594).
  • bpo-46421: Fix a unittest issue where if the command was invoked as
    python -m unittest and the filename(s) began with a dot (.), a
    ValueError is returned.
  • bpo-40296: Fix supporting generic aliases in pydoc.
  • bpo-14156: argparse.FileType now supports an argument of ‘-’; in
    binary mode, returning the .buffer attribute of sys.stdin/sys.stdout
    as appropriate. Modes including ‘x’ and ‘a’ are treated equivalently
    to ‘w’ when argument is ‘-’. Patch contributed by Josh Rosenberg

• Update to 3.9.11:

  • bpo-46852: Rename the private undocumented float.set_format()
    method to float.setformat() to fix a typo introduced in Python
    3.7. The method is only used by test_float. Patch by Victor Stinner.
  • bpo-46794: Bump up the libexpat version into 2.4.6
  • bpo-46762: Fix an assert failure in debug builds when a ‘<’, ‘>’, or
    ‘=’ is the last character in an f-string that’s missing a closing
    right brace.
  • bpo-46732: Correct the docstring for the bool() method. Patch by
    Jelle Zijlstra.
  • bpo-40479: Add a missing call to va_end() in Modules/_hashopenssl.c.
  • bpo-46615: When iterating over sets internally in setobject.c, acquire
    strong references to the resulting items from the set. This prevents
    crashes in corner-cases of various set operations where the set gets
    mutated.
  • bpo-43721: Fix docstrings of getter, setter, and deleter to clarify
    that they create a new copy of the property.
  • bpo-46503: Fix an assert when parsing some invalid N escape sequences
    in f-strings.
  • bpo-46417: Fix a race condition on setting a type bases attribute:
    the internal function add_subclass() now gets the
    PyTypeObject.tp_subclasses member after calling PyWeakref_NewRef()
    which can trigger a garbage collection which can indirectly modify
    PyTypeObject.tp_subclasses. Patch by Victor Stinner.
  • bpo-46383: Fix invalid signature of _zoneinfo’s module_free function
    to resolve a crash on wasm32-emscripten platform.
  • bpo-43253: Fix a crash when closing transports where the underlying
    socket handle is already invalid on the Proactor event loop.
  • bpo-47004: Apply bugfixes from importlib_metadata 4.11.3, including
    bugfix for EntryPoint.extras, which was returning match objects and
    not the extras strings.
  • bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
  • bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically
    determine size of signal handler stack size CPython allocates using
    getauxval(AT_MINSIGSTKSZ). This changes allows for Python extension’s
    request to Linux kernel to use AMX_TILE instruction set on Sapphire
    Rapids Xeon processor to succeed, unblocking use of the ISA in
    frameworks.
  • bpo-46955: Expose asyncio.base_events.Server as asyncio.Server. Patch
    by Stefan Zabka.
  • bpo-46932: Update bundled libexpat to 2.4.7
  • bpo-25707: Fixed a file leak in xml.etree.ElementTree.iterparse() when
    the iterator is not exhausted. Patch by Jacob Walls.
  • bpo-44886: Inherit asyncio proactor datagram transport from
    asyncio.DatagramTransport.
  • bpo-46827: Support UDP sockets in asyncio.loop.sock_connect() for
    selector-based event loops. Patch by Thomas Grainger.
  • bpo-46811: Make test suite support Expat >=2.4.5
  • bpo-46252: Raise TypeError if ssl.SSLSocket is passed to
    transport-based APIs.
  • bpo-46784: Fix libexpat symbols collisions with user dynamically
    loaded or statically linked libexpat in embedded Python.
  • bpo-39327: shutil.rmtree() can now work with VirtualBox shared folders
    when running from the guest operating-system.
  • bpo-46756: Fix a bug in
    urllib.request.HTTPPasswordMgr.find_user_password() and
    urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
    allowed to bypass authorization. For example, access to URI
    example.org/foobar was allowed if the user was authorized for URI
    example.org/foo.
  • bpo-45863: When the tarfile module creates a pax format archive, it
    will put an integer representation of timestamps in the ustar header
    (if possible) for the benefit of older unarchivers, in addition to the
    existing full-precision timestamps in the pax extended header.
  • bpo-46672: Fix NameError in asyncio.gather() when initial type check
    fails.
  • bpo-45948: Fixed a discrepancy in the C implementation of the
    xml.etree.ElementTree module. Now, instantiating an
    xml.etree.ElementTree.XMLParser with a target=None keyword provides a
    default xml.etree.ElementTree.TreeBuilder target as the Python
    implementation does.
  • bpo-46591: Make the IDLE doc URL on the About IDLE dialog clickable.
  • bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
  • bpo-46487: Add the get_write_buffer_limits method to
    asyncio.transports.WriteTransport and to the SSL transport.
  • bpo-46539: In typing.get_type_hints(), support evaluating stringified
    ClassVar and Final annotations inside Annotated. Patch by Gregory
    Beauregard.
  • bpo-46491: Allow typing.Annotated to wrap typing.Final and
    typing.ClassVar. Patch by Gregory Beauregard.
  • bpo-46436: Fix command-line option -d/–directory in module
    http.server which is ignored when combined with command-line
    option --cgi. Patch by G��ry Ogam.
  • bpo-41403: Make mock.patch() raise a TypeError with a relevant error
    message on invalid arg. Previously it allowed a cryptic AttributeError
    to escape.
  • bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential
    REDoS by limiting ambiguity in consecutive whitespace.
  • bpo-46469: asyncio generic classes now return types.GenericAlias in
    class_getitem instead of the same class.
  • bpo-46434: pdb now gracefully handles help when doc is missing,
    for example when run with pregenerated optimized .pyc files.
  • bpo-46333: The eq() and hash() methods of typing.ForwardRef
    now honor the module parameter of typing.ForwardRef. Forward
    references from different modules are now differentiated.
  • bpo-43118: Fix a bug in inspect.signature() that was causing it to
    fail on some subclasses of classes with a text_signature
    referencing module globals. Patch by Weipeng Hong.
  • bpo-21987: Fix an issue with tarfile.TarFile.getmember() getting a
    directory name with a trailing slash.
  • bpo-20392: Fix inconsistency with uppercase file extensions in
    MimeTypes.guess_type(). Patch by Kumar Aditya.
  • bpo-46080: Fix exception in argparse help text generation if a
    argparse.BooleanOptionalAction argument’s default is argparse.SUPPRESS
    and it has help specified. Patch by Felix Fontein.
  • bpo-44439: Fix .write() method of a member file in ZipFile, when the
    input data is an object that supports the buffer protocol, the file
    length may be wrong.
  • bpo-45703: When a namespace package is imported before another module
    from the same namespace is created/installed in a different sys.path
    location while the program is running, calling the
    importlib.invalidate_caches() function will now also guarantee the new
    module is noticed.
  • bpo-24959: Fix bug where unittest sometimes drops frames from
    tracebacks of exceptions raised in tests.
  • bpo-46463: Fixes escape4chm.py script used when building the CHM
    documentation file
  • bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is built with
    undefined behavior sanitizer (UBSAN): disable UBSAN on the
    faulthandler_sigfpe() function. Patch by Victor Stinner.
  • bpo-46708: Prevent default asyncio event loop policy modification
    warning after test_asyncio execution.
  • bpo-46616: Ensures test_importlib.test_windows cleans up registry keys
    after completion.
  • bpo-44359: test_ftplib now silently ignores socket errors to prevent
    logging unhandled threading exceptions. Patch by Victor Stinner.
  • bpo-46542: Fix a Python crash in test_lib2to3 when using Python built
    in debug mode: limit the recursion limit. Patch by Victor Stinner.
  • bpo-46576: test_peg_generator now disables compiler
    optimization when testing compilation of its own C extensions to
    significantly speed up the testing on non-debug builds of CPython.
  • bpo-46542: Fix test_json tests checking for RecursionError: modify
    these tests to use support.infinite_recursion(). Patch by Victor
    Stinner.
  • bpo-13886: Skip test_builtin PTY tests on non-ASCII characters if the
    readline module is loaded. The readline module changes input()
    behavior, but test_builtin is not intented to test the readline
    module. Patch by Victor Stinner.
  • bpo-38472: Fix GCC detection in setup.py when cross-compiling. The C
    compiler is now run with LC_ALL=C. Previously, the detection failed
    with a German locale.
  • bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro and
    pyconfig.h no longer defines reserved symbol CHAR_UNSIGNED.
  • bpo-45925: Update Windows installer to use SQLite 3.37.2.
  • bpo-45296: Clarify close, quit, and exit in IDLE. In the File menu,
    ‘Close’ and ‘Exit’ are now ‘Close Window’ (the current
    one) and ‘Exit’ is now ‘Exit IDLE’ (by closing all windows). In Shell,
    ‘quit()’ and ‘exit()’ mean ‘close Shell’. If there are no other
    windows, this also exits IDLE.
  • bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch by Alex
    Waygood and Terry Jan Reedy.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4:

  zypper in -t patch openSUSE-SLE-15.4-2022-2174=1

• openSUSE Leap 15.3:

  zypper in -t patch openSUSE-SLE-15.3-2022-2174=1

• SUSE Linux Enterprise Module for Development Tools 15-SP3:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-2174=1

• SUSE Linux Enterprise Module for Basesystem 15-SP3:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-2174=1