Lucene search

K
suseSuseSUSE-SU-2022:2291-1
HistoryJul 06, 2022 - 12:00 a.m.

Security update for python310 (important)

2022-07-0600:00:00
lists.opensuse.org
26

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

COMPLETE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:C/A:P

An update that fixes one vulnerability is now available.

Description:

This update for python310 fixes the following issues:

  • CVE-2015-20107: avoid command injection in the mailcap module
    (bsc#1198511).

  • Update to 3.10.5:

    • Core and Builtins
      • gh-93418: Fixed an assert where an f-string has an equal sign ‘=’
        following an expression, but there’s no trailing brace. For example,
        f"{i=".
      • gh-91924: Fix ltrace debug feature if the stdout encoding is not
        UTF-8. Patch by Victor Stinner.
      • gh-93061: Backward jumps after async for loops are no longer given
        dubious line numbers.
      • gh-93065: Fix contextvars HAMT implementation to handle iteration
        over deep trees.
      • The bug was discovered and fixed by Eli Libman. See
        MagicStack/immutables#84 for more details.
      • gh-92311: Fixed a bug where setting frame.f_lineno to jump
        over a list comprehension could misbehave or crash.
      • gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
      • gh-92036: Fix a crash in subinterpreters related to the garbage
        collector. When a subinterpreter is deleted, untrack all objects
        tracked by its GC. To prevent a crash in deallocator functions
        expecting objects to be tracked by the GC, leak a strong reference
        to these objects on purpose, so they are never deleted and their
        deallocator functions are not called. Patch by Victor Stinner.
      • gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
      • bpo-47212: Raise IndentationError instead of SyntaxError for a bare
        except with no following indent. Improve SyntaxError locations for
        an un-parenthesized generator used as arguments. Patch by Matthieu
        Dartiailh.
      • bpo-47182: Fix a crash when using a named unicode character like
        “\N{digit nine}” after the main interpreter has been initialized a
        second time.
      • bpo-47117: Fix a crash if we fail to decode characters in
        interactive mode if the tokenizer buffers are uninitialized. Patch
        by Pablo Galindo.
      • bpo-39829: Removed the len() call when initializing a list and
        moved initializing to list_extend. Patch by Jeremiah Pascual.
      • bpo-46962: Classes and functions that unconditionally declared their
        docstrings ignoring the
        –without-doc-strings compilation flag no longer do so.
      • The classes affected are ctypes.UnionType, pickle.PickleBuffer,
        testcapi.RecursingInfinitelyError, and types.GenericAlias.
      • The functions affected are 24 methods in ctypes.
      • Patch by Oleg Iarygin.
      • bpo-36819: Fix crashes in built-in encoders with error handlers that
        return position less or equal than the starting position of
        non-encodable characters.
    • Library
      • gh-93156: Accessing the pathlib.PurePath.parents sequence
        of an absolute path using negative index values produced incorrect
        results.
      • gh-89973: Fix re.error raised in fnmatch if the pattern contains a
        character range with upper bound lower than lower bound (e.g.
        [c-a]). Now such ranges are interpreted as empty ranges.
      • gh-93010: In a very special case, the email package tried to append
        the nonexistent InvalidHeaderError to the defect list. It should
        have been InvalidHeaderDefect.
      • gh-92839: Fixed crash resulting from calling bisect.insort() or
        bisect.insort_left() with the key argument not equal to None.
      • gh-91581: utcfromtimestamp() no longer attempts to resolve fold in
        the pure Python implementation, since the fold is never 1 in UTC. In
        addition to being slightly faster in the common case, this also
        prevents some errors when the timestamp is close to datetime.min.
        Patch by Paul Ganssle.
      • gh-92530: Fix an issue that occurred after interrupting
        threading.Condition.notify().
      • gh-92049: Forbid pickling constants re._constants.SUCCESS etc.
        Previously, pickling did not fail, but the result could not be
        unpickled.
      • bpo-47029: Always close the read end of the pipe used by
        multiprocessing.Queue after the last write of buffered data to the
        write end of the pipe to avoid BrokenPipeError at garbage collection
        and at multiprocessing.Queue.close() calls. Patch by G��ry Ogam.
      • gh-91401: Provide a fail-safe way to disable subprocess use
        of vfork() via a private subprocess._USE_VFORK attribute. While
        there is currently no known need for this, if you find a need please only
        set it to False. File a CPython issue as to why you needed it and link to
        that from a comment in your code. This attribute is documented as a
        footnote in 3.11.
      • gh-91910: Add missing f prefix to f-strings in error messages from
        the multiprocessing and asyncio modules.
      • gh-91810: ElementTree method write() and function tostring() now use
        the text file’s encoding (“UTF-8” if not available) instead of
        locale encoding in XML declaration when encoding=“unicode” is
        specified.
      • gh-91832: Add required attribute to argparse.Action repr
        output.
      • gh-91700: Compilation of regular expression containing a conditional
        expression (?(group)…) now raises an appropriate re.error if the
        group number refers to not defined group. Previously an internal
        RuntimeError was raised.
      • gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per
        test event loop executor before returning from its run method so
        that a not yet stopped or garbage collected executor state does not
        persist beyond the test.
      • gh-90568: Parsing \N escapes of Unicode Named Character Sequences in
        a regular expression raises now re.error instead of TypeError.
      • gh-91595: Fix the comparison of character and integer inside
        Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
      • gh-90622: Worker processes for
        concurrent.futures.ProcessPoolExecutor are no longer spawned on
        demand (a feature added in 3.9) when the multiprocessing context
        start method is “fork” as that can lead to deadlocks in the child
        processes due to a fork happening while threads are running.
      • gh-91575: Update case-insensitive matching in the re module to the
        latest Unicode version.
      • gh-91581: Remove an unhandled error case in the C implementation of
        calls to datetime.fromtimestamp with no time zone (i.e. getting a
        local time from an epoch timestamp). This should have no user-facing
        effect other than giving a possibly more accurate error message when
        called with timestamps that fall on 10000-01-01 in the local time.
        Patch by Paul Ganssle.
      • bpo-47260: Fix os.closerange() potentially being a no-op in a Linux
        seccomp sandbox.
      • bpo-39064: zipfile.ZipFile now raises zipfile.BadZipFile instead of
        ValueError when reading a corrupt zip file in which the central
        directory offset is negative.
      • bpo-47151: When subprocess tries to use vfork, it now falls back to
        fork if vfork returns an error. This allows use in situations where
        vfork isn’t allowed by the OS kernel.
      • bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for
        socket.AF_INET or socket.AF_INET6 families. Resolution may not make
        sense for other families, like socket.AF_BLUETOOTH and
        socket.AF_UNIX.
      • bpo-43323: Fix errors in the email module if the charset itself
        contains undecodable/unencodable characters.
      • bpo-47101: hashlib.algorithms_available now lists only algorithms
        that are provided by activated crypto providers
        on OpenSSL 3.0. Legacy algorithms are not listed unless the legacy
        provider has been loaded into the default OSSL context.
      • bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception
        memory leak
      • bpo-45393: Fix the formatting for await x and not x in the
        operator precedence table when using the help() system.
      • bpo-46415: Fix ipaddress.ip_{address,interface,network} raising
        TypeError instead of ValueError if given invalid tuple as address
        parameter.
      • bpo-28249: Set doctest.DocTest.lineno to None when object does not
        have doc.
      • bpo-45138: Fix a regression in the sqlite3 trace callback where
        bound parameters were not expanded in the passed statement string.
        The regression was introduced in Python 3.10 by bpo-40318. Patch by
        Erlend E. Aasland.
      • bpo-44493: Add missing terminated NUL in sockaddr_un’s length
      • This was potentially observable when using non-abstract AF_UNIX
        datagram sockets to processes written in another programming
        language.
      • bpo-42627: Fix incorrect parsing of Windows registry proxy settings
      • bpo-36073: Raise ProgrammingError instead of segfaulting on
        recursive usage of cursors in sqlite3 converters. Patch by Sergey
        Fedoseev.
    • Documentation
      • gh-86438: Clarify that -W and PYTHONWARNINGS are matched literally
        and case-insensitively, rather than as regular expressions, in
        warnings.
      • gh-92240: Added release dates for “What’s New in Python 3.X” for
        3.0, 3.1, 3.2, 3.8 and 3.10
      • gh-91888: Add a new gh role to the documentation to link to GitHub
        issues.
      • gh-91783: Document security issues concerning the use of the
        function shutil.unpack_archive()
      • gh-91547: Remove “Undocumented modules” page.
      • bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of
        shutil.copytree().
      • bpo-38668: Update the introduction to documentation for
        os.path to remove warnings that became irrelevant after the
        implementations of PEP 383 and PEP 529.
      • bpo-47138: Pin Jinja to a version compatible with Sphinx version
        3.2.1.
      • bpo-46962: All docstrings in code snippets are now wrapped into
        PyDoc_STR() to follow the guideline of PEP 7’s Documentation Strings
        paragraph. Patch by Oleg Iarygin.
      • bpo-26792: Improve the docstrings of runpy.run_module() and
        runpy.run_path(). Original patch by Andrew Brezovsky.
      • bpo-40838: Document that inspect.getdoc(), inspect.getmodule(), and
        inspect.getsourcefile() might return None.
      • bpo-45790: Adjust inaccurate phrasing in Defining Extension Types:
        Tutorial about the ob_base field and the macros used to access its
        contents.
      • bpo-42340: Document that in some circumstances KeyboardInterrupt may
        cause the code to enter an inconsistent state. Provided a sample
        workaround to avoid it if needed.
      • bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst
        to their respective section in Doc/library/errno.rst, and vice
        versa. Previously this was
        only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan”
        Orestes.
      • bpo-38056: Overhaul the Error Handlers documentation in codecs.
      • bpo-13553: Document tkinter.Tk args.
    • Tests
      • gh-92886: Fixing tests that fail when running with
        optimizations (-O) in test_imaplib.py.
      • gh-92670: Skip test_shutil.TestCopy.test_copyfile_nonexistent_dir
        test on AIX as the test uses a trailing slash to force the OS
        consider the path as a directory, but on AIX the trailing slash has
        no effect and is considered as a file.
      • gh-91904: Fix initialization of PYTHONREGRTEST_UNICODE_GUARD which
        prevented running regression tests on non-UTF-8 locale.
      • gh-91607: Fix test_concurrent_futures to test the correct
        multiprocessing start method context in several cases where the test
        logic mixed this up.
      • bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity()
        error case on FreeBSD.
      • bpo-47104: Rewrite asyncio.to_thread() tests to use
        unittest.IsolatedAsyncioTestCase.
      • bpo-29890: Add tests for ipaddress.IPv4Interface and
        ipaddress.IPv6Interface construction with tuple arguments. Original
        patch and tests by louisom.
    • Tools/Demos
      • gh-91583: Fix regression in the code generated by Argument Clinic
        for functions with the defining_class parameter.
  • Update to 3.10.4:

    • bpo-46968: Check for the existence of the “sys/auxv.h” header in
      faulthandler to avoid compilation problems in systems where this
      header doesn’t exist. Patch by Pablo Galindo
    • bpo-23691: Protect the re.finditer() iterator from re-entering.
    • bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a
      “zipfile.BadZipFile: Bad CRC-32 for file” exception when reading a
      ZipFile from multiple threads.
    • bpo-38256: Fix binascii.crc32() when it is compiled to use zlib’c
      crc32 to work properly on inputs 4+GiB in length instead of returning
      the wrong result. The workaround prior to this was to always feed the
      function data in increments smaller than 4GiB or to just call the zlib
      module function.
    • bpo-39394: A warning about inline flags not at the start of the
      regular expression now contains the position of the flag.
    • bpo-47061: Deprecate the various modules listed by PEP 594:
    • aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr,
      msilib, nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau,
      telnetlib, uu, xdrlib
    • bpo-2604: Fix bug where doctests using globals would fail when run
      multiple times.
    • bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order.
    • bpo-47022: The asynchat, asyncore and smtpd modules have been
      deprecated since at least Python 3.6. Their documentation and
      deprecation warnings and have now been updated to note they will
      removed in Python 3.12 (PEP 594).
    • bpo-46421: Fix a unittest issue where if the command was invoked as
      python -m unittest and the filename(s) began with a dot (.), a
      ValueError is returned.
    • bpo-40296: Fix supporting generic aliases in pydoc.
  • Update to 3.10.3:

    • bpo-46940: Avoid overriding AttributeError metadata information for
      nested attribute access calls. Patch by Pablo Galindo.
    • bpo-46852: Rename the private undocumented float.set_format()
      method to float.setformat() to fix a typo introduced in Python
      3.7. The method is only used by test_float. Patch by Victor Stinner.
    • bpo-46794: Bump up the libexpat version into 2.4.6
    • bpo-46820: Fix parsing a numeric literal immediately (without spaces)
      followed by “not in” keywords, like in 1not in x. Now the parser only
      emits a warning, not a syntax error.
    • bpo-46762: Fix an assert failure in debug builds when a ‘<’, ‘>’, or
      ‘=’ is the last character in an f-string that’s missing a closing
      right brace.
    • bpo-46724: Make sure that all backwards jumps use the JUMP_ABSOLUTE
      instruction, rather than JUMP_FORWARD with an argument of
      (2**32)+offset.
    • bpo-46732: Correct the docstring for the bool() method. Patch by
      Jelle Zijlstra.
    • bpo-46707: Avoid potential exponential backtracking when producing
      some syntax errors involving lots of brackets. Patch by Pablo Galindo.
    • bpo-40479: Add a missing call to va_end() in Modules/_hashopenssl.c.
    • bpo-46615: When iterating over sets internally in setobject.c, acquire
      strong references to the resulting items from the set. This prevents
      crashes in corner-cases of various set operations where the set gets
      mutated.
    • bpo-45773: Remove two invalid “peephole” optimizations from the
      bytecode compiler.
    • bpo-43721: Fix docstrings of getter, setter, and deleter to clarify
      that they create a new copy of the property.
    • bpo-46503: Fix an assert when parsing some invalid N escape sequences
      in f-strings.
    • bpo-46417: Fix a race condition on setting a type bases attribute:
      the internal function add_subclass() now gets the
      PyTypeObject.tp_subclasses member after calling PyWeakref_NewRef()
      which can trigger a garbage collection which can indirectly modify
      PyTypeObject.tp_subclasses. Patch by Victor Stinner.
    • bpo-46383: Fix invalid signature of _zoneinfo’s module_free function
      to resolve a crash on wasm32-emscripten platform.
    • bpo-46070: Py_EndInterpreter() now explicitly untracks all
      objects currently tracked by the GC. Previously, if an object was used
      later by another interpreter, calling PyObject_GC_UnTrack() on the
      object crashed if the previous
      or the next object of the PyGC_Head structure became a dangling
      pointer. Patch by Victor Stinner.
    • bpo-46339: Fix a crash in the parser when retrieving the error text
      for multi-line f-strings expressions that do not start in the first
      line of the string. Patch by Pablo Galindo
    • bpo-46240: Correct the error message for unclosed parentheses when the
      tokenizer doesn’t reach the end of the source when the error is
      reported. Patch by Pablo Galindo
    • bpo-46091: Correctly calculate indentation levels for lines with
      whitespace character that are ended by line continuation characters.
      Patch by Pablo Galindo
    • bpo-43253: Fix a crash when closing transports where the underlying
      socket handle is already invalid on the Proactor event loop.
    • bpo-47004: Apply bugfixes from importlib_metadata 4.11.3, including
      bugfix for EntryPoint.extras, which was returning match objects and
      not the extras strings.
    • bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)
    • bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically
      determine size of signal handler stack size CPython allocates using
      getauxval(AT_MINSIGSTKSZ). This changes allows for Python extension’s
      request to Linux kernel to use AMX_TILE instruction set on Sapphire
      Rapids Xeon processor to succeed, unblocking use of the ISA in
      frameworks.
    • bpo-46955: Expose asyncio.base_events.Server as asyncio.Server. Patch
      by Stefan Zabka.
    • bpo-23325: The signal module no longer assumes that SIG_IGN and
      SIG_DFL are small int singletons.
    • bpo-46932: Update bundled libexpat to 2.4.7
    • bpo-25707: Fixed a file leak in xml.etree.ElementTree.iterparse() when
      the iterator is not exhausted. Patch by Jacob Walls.
    • bpo-44886: Inherit asyncio proactor datagram transport from
      asyncio.DatagramTransport.
    • bpo-46827: Support UDP sockets in asyncio.loop.sock_connect() for
      selector-based event loops. Patch by Thomas Grainger.
    • bpo-46811: Make test suite support Expat >=2.4.5
    • bpo-46252: Raise TypeError if ssl.SSLSocket is passed to
      transport-based APIs.
    • bpo-46784: Fix libexpat symbols collisions with user dynamically
      loaded or statically linked libexpat in embedded Python.
    • bpo-39327: shutil.rmtree() can now work with VirtualBox shared folders
      when running from the guest operating-system.
    • bpo-46756: Fix a bug in
      urllib.request.HTTPPasswordMgr.find_user_password() and
      urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
      allowed to bypass authorization. For example, access to URI
      example.org/foobar was allowed if the user was authorized for URI
      example.org/foo.
    • bpo-46643: In typing.get_type_hints(), support evaluating stringified
      ParamSpecArgs and ParamSpecKwargs annotations. Patch by Gregory
      Beauregard.
    • bpo-45863: When the tarfile module creates a pax format archive, it
      will put an integer representation of timestamps in the ustar header
      (if possible) for the benefit of older unarchivers, in addition to the
      existing full-precision timestamps in the pax extended header.
    • bpo-46676: Make typing.ParamSpec args and kwargs equal to themselves.
      Patch by Gregory Beauregard.
    • bpo-46672: Fix NameError in asyncio.gather() when initial type check
      fails.
    • bpo-46655: In typing.get_type_hints(), support evaluating bare
      stringified TypeAlias annotations. Patch by Gregory Beauregard.
    • bpo-45948: Fixed a discrepancy in the C implementation of the
      xml.etree.ElementTree module. Now, instantiating an
      xml.etree.ElementTree.XMLParser with a target=None keyword provides a
      default xml.etree.ElementTree.TreeBuilder target as the Python
      implementation does.
    • bpo-46521: Fix a bug in the codeop module that was incorrectly
      identifying invalid code involving string quotes as valid code.
    • bpo-46581: Brings ParamSpec propagation for GenericAlias in line with
      Concatenate (and others).
    • bpo-46591: Make the IDLE doc URL on the About IDLE dialog clickable.
    • bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4
    • bpo-46487: Add the get_write_buffer_limits method to
      asyncio.transports.WriteTransport and to the SSL transport.
    • bpo-45173: Note the configparser deprecations will be removed in
      Python 3.12.
    • bpo-46539: In typing.get_type_hints(), support evaluating stringified
      ClassVar and Final annotations inside Annotated. Patch by Gregory
      Beauregard.
    • bpo-46491: Allow typing.Annotated to wrap typing.Final and
      typing.ClassVar. Patch by Gregory Beauregard.
    • bpo-46436: Fix command-line option -d/–directory in module
      http.server which is ignored when combined with command-line
      option --cgi. Patch by G��ry Ogam.
    • bpo-41403: Make mock.patch() raise a TypeError with a relevant error
      message on invalid arg. Previously it allowed a cryptic AttributeError
      to escape.
    • bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential
      REDoS by limiting ambiguity in consecutive whitespace.
    • bpo-46469: asyncio generic classes now return types.GenericAlias in
      class_getitem instead of the same class.
    • bpo-46434: pdb now gracefully handles help when doc is missing,
      for example when run with pregenerated optimized .pyc files.
    • bpo-46333: The eq() and hash() methods of typing.ForwardRef
      now honor the module parameter of typing.ForwardRef. Forward
      references from different modules are now differentiated.
    • bpo-46246: Add missing slots to importlib.metadata.DeprecatedList.
      Patch by Arie Bovenberg.
    • bpo-46266: Improve day constants in calendar.
    • Now all constants (MONDAY … SUNDAY) are documented, tested, and
      added to all.
    • bpo-46232: The ssl module now handles certificates with bit strings in
      DN correctly.
    • bpo-43118: Fix a bug in inspect.signature() that was causing it to
      fail on some subclasses of classes with a text_signature
      referencing module globals. Patch by Weipeng Hong.
    • bpo-26552: Fixed case where failing asyncio.ensure_future() did not
      close the coroutine. Patch by Kumar Aditya.
    • bpo-21987: Fix an issue with tarfile.TarFile.getmember() getting a
      directory name with a trailing slash.
    • bpo-20392: Fix inconsistency with uppercase file extensions in
      MimeTypes.guess_type(). Patch by Kumar Aditya.
    • bpo-46080: Fix exception in argparse help text generation if a
      argparse.BooleanOptionalAction argument’s default is argparse.SUPPRESS
      and it has help specified. Patch by Felix Fontein.
    • bpo-44439: Fix .write() method of a member file in ZipFile, when the
      input data is an object that supports the buffer protocol, the file
      length may be wrong.
    • bpo-45703: When a namespace package is imported before another module
      from the same namespace is created/installed in a different sys.path
      location while the program is running, calling the
      importlib.invalidate_caches() function will now also guarantee the new
      module is noticed.
    • bpo-24959: Fix bug where unittest sometimes drops frames from
      tracebacks of exceptions raised in tests.
    • bpo-44791: Fix substitution of ParamSpec in Concatenate with different
      parameter expressions. Substitution with a list of types returns now a
      tuple of types. Substitution with Concatenate returns now a
      Concatenate with concatenated lists
      of arguments.
    • bpo-14156: argparse.FileType now supports an argument of ‘-’ in binary
      mode, returning the .buffer attribute of sys.stdin/sys.stdout as
      appropriate. Modes including ‘x’ and ‘a’ are treated equivalently to
      ‘w’ when argument is ‘-’. Patch contributed by Josh Rosenberg
    • bpo-46463: Fixes escape4chm.py script used when building the CHM
      documentation file
    • bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is built with
      undefined behavior sanitizer (UBSAN): disable UBSAN on the
      faulthandler_sigfpe() function. Patch by Victor Stinner.
    • bpo-46708: Prevent default asyncio event loop policy modification
      warning after test_asyncio execution.
    • bpo-46678: The function make_legacy_pyc in
      Lib/test/support/import_helper.py no longer fails when
      PYTHONPYCACHEPREFIX is set to a directory on a different device from
      where tempfiles are stored.
    • bpo-46616: Ensures test_importlib.test_windows cleans up registry keys
      after completion.
    • bpo-44359: test_ftplib now silently ignores socket errors to prevent
      logging unhandled threading exceptions. Patch by Victor Stinner.
    • bpo-46542: Fix a Python crash in test_lib2to3 when using Python built
      in debug mode: limit the recursion limit. Patch by Victor Stinner.
    • bpo-46576: test_peg_generator now disables compiler
      optimization when testing compilation of its own C extensions to
      significantly speed up the testing on non-debug builds of CPython.
    • bpo-46542: Fix test_json tests checking for RecursionError: modify
      these tests to use support.infinite_recursion(). Patch by Victor
      Stinner.
    • bpo-13886: Skip test_builtin PTY tests on non-ASCII characters if the
      readline module is loaded. The readline module changes input()
      behavior, but test_builtin is not intented to test the readline
      module. Patch by Victor Stinner.
    • bpo-38472: Fix GCC detection in setup.py when cross-compiling. The C
      compiler is now run with LC_ALL=C. Previously, the detection failed
      with a German locale.
    • bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro and
      pyconfig.h no longer defines reserved symbol CHAR_UNSIGNED.
    • bpo-45296: Clarify close, quit, and exit in IDLE. In the File menu,
      ‘Close’ and ‘Exit’ are now ‘Close Window’ (the current
      one) and ‘Exit’ is now ‘Exit IDLE’ (by closing all windows). In Shell,
      ‘quit()’ and ‘exit()’ mean ‘close Shell’. If there are no other
      windows, this also exits IDLE.
    • bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch by Alex
      Waygood and Terry Jan Reedy.
    • bpo-46433: The internal function _PyType_GetModuleByDef now correctly
      handles inheritance patterns involving static types.
    • bpo-14916: Fixed bug in the tokenizer that prevented
      PyRun_InteractiveOne from parsing from the provided FD.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-2291=1

  • SUSE Linux Enterprise Module for Python3 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Python3-15-SP4-2022-2291=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap15.4aarch64< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
openSUSE Leap15.4ppc64le< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
openSUSE Leap15.4s390x< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.s390x.rpm
openSUSE Leap15.4x86_64< - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):.x86_64.rpm
openSUSE Leap15.4x86_64< - openSUSE Leap 15.4 (x86_64):- openSUSE Leap 15.4 (x86_64):.x86_64.rpm
SUSE Linux Enterprise Module for Python3 15SP4aarch64<  SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):- SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):.aarch64.rpm
SUSE Linux Enterprise Module for Python3 15SP4ppc64le<  SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):- SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm
SUSE Linux Enterprise Module for Python3 15SP4s390x<  SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):- SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):.s390x.rpm
SUSE Linux Enterprise Module for Python3 15SP4x86_64<  SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):- SUSE Linux Enterprise Module for Python3 15-SP4 (aarch64 ppc64le s390x x86_64):.x86_64.rpm

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

COMPLETE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:C/A:P