Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

python-xml-2.7.17-lp152.3.6.2 RPM for i586

From OpenSuSE Leap 15.2 updates for i586

Name: python-xml Distribution: openSUSE Leap 15.2
Version: 2.7.17 Vendor: openSUSE
Release: lp152.3.6.2 Build date: Wed Nov 18 01:31:01 2020
Group: Development/Libraries/Python Build host: lamb77
Size: 927463 Source RPM: python-base-2.7.17-lp152.3.6.2.src.rpm
Summary: A Python XML Interface
The expat module is a Python interface to the expat XML parser. Since
Python2.x, it is part of the core Python distribution.






* Mon Oct 19 2020 Steve Kowalik <>
  - Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
    (CVE-2020-26116, bpo#39603) no longer allowing special characters in
    the method parameter of HTTPConnection.putrequest in httplib, stopping
    injection of headers. Such characters now raise ValueError.
* Mon Jul 20 2020 Matej Cepl <>
  - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
    (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
    in specifically crafted tarball.
    Add recursion.tar as a testing tarball for the patch.
* Fri May 01 2020 Matej Cepl <>
  - Add CVE-2019-18348-CRLF_injection_via_host_part.patch to
    disallow control characters in hostnames in httplib,
    addressing CVE-2019-18348. Such potentially malicious header
    injection URLs now cause a InvalidURL to be raised.
* Sat Feb 08 2020 Matej Cepl <>
  - Add CVE-2019-9674-zip-bomb.patch to improve documentation
    warning about dangers of zip-bombs and other security problems
    with zipfile library. (bsc#1162825 CVE-2019-9674)
* Sat Feb 08 2020 Matej Cepl <>
  - Change to Requires: libpython%{so_version} == %{version}-%{release}
    to python-base to keep both packages always synchronized (add
    %{so_version}) (bsc#1162224).
* Thu Feb 06 2020 Matej Cepl <>
  - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
    "Python urrlib allowed an HTTP server to conduct Regular
    Expression Denial of Service (ReDoS)" (bsc#1162367)
* Mon Feb 03 2020 Tomáš Chvátal <>
  - Provide python-testsuite from devel subkg to ease py2->py3
* Mon Jan 27 2020 Matej Cepl <>
  - Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch
    off tests coliding with the combination of modern Python and
    ancient OpenSSL on SLE-12.
* Fri Jan 10 2020 Matej Cepl <>
  - libnsl is required only on more recent SLEs and openSUSE, older
    glibc supported NIS on its own.
* Thu Jan 02 2020 Tomáš Chvátal <>
  - Add provides in gdbm subpackage to provide dbm symbols. This
    allows us to use %%{python_module dbm} as a dependency and have
    it properly resolved for both python2 and python3
* Thu Dec 19 2019 Dominique Leuenberger <>
  - Drop appstream-glib BuildRequires and no longer call
    appstream-util validate-relax: eliminate a build cycle between
    as-glib and python. The only thing would would gain by calling
    as-uril is catching if upstream breaks the appdata.xml file in a
    future release. Considering py2 is dying, chances for a new
    release, let alone one breaking the xml file, are slim.
* Wed Dec 11 2019 Matej Cepl <>
  - Unify packages among openSUSE:Factory and SLE versions.
    (bsc#1159035) ; add missing records to this changelog.
  - Add idle.desktop and idle.appdata.xml to provide IDLE in menus
* Wed Dec 04 2019 Matej Cepl <>
  - Add python2_split_startup Provide to make it possible to
    conflict older packages by shared-python-startup.
* Fri Nov 22 2019 Matej Cepl <>
  - Move /etc/pythonstart script to shared-python-startup
* Tue Nov 05 2019 Matej Cepl <>
  - Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
    bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
* Tue Nov 05 2019 Steve Kowalik <>
  - Add adapted-from-F00251-change-user-install-location.patch fixing
    pip/distutils to install into /usr/local.
* Thu Oct 24 2019 Matej Cepl <>
  - Update to 2.7.17:
    - a bug fix release in the Python 2.7.x series. It is expected
      to be the penultimate release for Python 2.7.
  - Removed patches included upstream:
    - CVE-2018-20852-cookie-domain-check.patch
    - CVE-2019-16935-xmlrpc-doc-server_title.patch
    - CVE-2019-9636-netloc-no-decompose-characters.patch
    - CVE-2019-9947-no-ctrl-char-http.patch
    - CVE-2019-9948-avoid_local-file.patch
    - python-2.7.14-CVE-2018-1000030-1.patch
    - python-2.7.14-CVE-2018-1000030-2.patch
  - Renamed remove-static-libpython.diff and python-bsddb6.diff to
    remove-static-libpython.patch and python-bsddb6.patch to unify
* Tue Oct 08 2019 Matej Cepl <>
  - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
    bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
* Wed Sep 25 2019 Bernhard Wiedemann <>
  - Add bpo36302-sort-module-sources.patch (boo#1041090)
* Mon Sep 16 2019 Matej Cepl <>
  - Add CVE-2019-16056-email-parse-addr.patch fixing the email
    module wrongly parses email addresses [bsc#1149955,
* Thu Jul 25 2019 Matej Cepl <>
  - boo#1141853 (CVE-2018-20852) add
    CVE-2018-20852-cookie-domain-check.patch fixing
    http.cookiejar.DefaultPolicy.domain_return_ok which did not
    correctly validate the domain: it could be tricked into sending
    cookies to the wrong server.
* Fri Jul 19 2019 Tomáš Chvátal <>
  - Skip test_urllib2_localnet that randomly fails in OBS
* Wed Jul 03 2019 Matej Cepl <>
  - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
    which fixes regression introduced by the previous patch.
    Upstream gh#python/cpython#13812
* Wed May 29 2019 Martin Liška <>
  -  Set _lto_cflags to nil as it will prevent to propage LTO
    for Python modules that are built in a separate package.
* Thu May 02 2019 Matej Cepl <>
  - bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
    Address the issue by disallowing URL paths with embedded
    whitespace or control characters through into the underlying
    http client request. Such potentially malicious header
    injection URLs now cause a ValueError to be raised.
* Mon Apr 08 2019 Matej Cepl <>
  - bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch
    removing unnecessary (and potentially harmful) URL scheme
* Mon Apr 08 2019 Matej Cepl <>
  - bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
    Characters in the netloc attribute that decompose under NFKC
    normalization (as used by the IDNA encoding) into any of ``/``,
    ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
    URL is decomposed before parsing, or is not a Unicode string,
    no error will be raised (CVE-2019-9636).
    Upstream commits e37ef41 and 507bd8c.
* Thu Apr 04 2019 Matej Cepl <>
  - (bsc#1111793) Update to 2.7.16:
    * bugfix-only release: complete list of changes on
    * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
      which are fully included in the tarball.
    * Updated patches to apply cleanly:
    * Update python-2.7.5-multilib.patch to pass with new platlib
* Fri Jan 25 2019
  - bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
    fixing bpo-34623.
* Fri Jan 25 2019
  - bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch
    PyWeakref_NewProxy@Objects/weakrefobject.c creates new isntance
    of PyWeakReference struct and does not intialize wr_prev and
    wr_next of new isntance. These pointers can have garbage and
    point to random memory locations.
    Python should not crash while destroying the isntance created
    in the same interpreter function. As per my understanding, both
    wr_prev and wr_next of PyWeakReference instance should be
    initialized to NULL to avoid segfault.
* Sat Jan 19 2019
  - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
    fixing bpo-35746.
    An exploitable denial-of-service vulnerability exists in the
    X509 certificate parser of Python 2.7.11 / 3.7.2.
    A specially crafted X509 certificate can cause a NULL pointer
    dereference, resulting in a denial of service. An attacker can
    initiate or accept TLS connections using crafted certificates
    to trigger this vulnerability.
* Wed Dec 19 2018 Todd R <>
  - Use upstream-recommended %{_rpmconfigdir}/macros.d directory
    for the rpm macros.
* Fri Oct 26 2018 Tomáš Chvátal <>
  - Add patch openssl-111.patch to work with openssl-1.1.1
* Tue Sep 25 2018 Matěj Cepl <>
  - Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
    converts shutil._call_external_zip to use subprocess rather than
    distutils.spawn. [bsc#1109663, CVE-2018-1000802]
* Fri Jun 29 2018
  - Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
    low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
    (CVE-2018-1061). Prior to this patch mail server's timestamp was
    susceptible to catastrophic backtracking on long evil response from
    the server. Also, it was susceptible to catastrophic backtracking,
    which was a potential DOS vector.
    [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]
* Thu Jun 07 2018
  - Apply "CVE-2017-18207.patch" to add a check to Lib/ that
    verifies that at least one channel is provided. Prior to this
    check, attackers could cause a denial of service (divide-by-zero
    error and application crash) via a crafted wav format audio file.
    [bsc#1083507, CVE-2017-18207]
* Tue May 29 2018
  - Apply "python-sorted_tar.patch" (bsc#1086001, boo#1081750)
      sort tarfile output directory listing
* Mon May 21 2018
  - update to 2.7.15
    * dozens of bugfixes, see NEWS for details
  - removed obsolete patches:
    * python-ncurses-6.0-accessors.patch
    * python-fix-shebang.patch
    * gcc8-miscompilation-fix.patch
  - add patch from upstream:
    * do-not-use-non-ascii-in-test_ssl.patch
* Fri Apr 06 2018
  - Add gcc8-miscompilation-fix.patch (boo#1084650).
* Tue Mar 13 2018
  - Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer
    overflows in PyString_DecodeEscape that could have resulted in
    heap-based buffer overflow attacks and possible arbitrary code
    execution. [bsc#1068664, CVE-2017-1000158]
* Mon Feb 05 2018
  - exclude test_socket & test_subprocess for PowerPC boo#1078485
    (same ref as previous change)
* Fri Feb 02 2018
  - Add python-skip_random_failing_tests.patch bypass boo#1078485
    and exclude many tests for PowerPC
* Tue Jan 30 2018
  - Add patch python-fix-shebang.patch to fix bsc#1078326
* Fri Dec 22 2017
  - exclude test_regrtest for s390, where it does not segfault as it should
    (fixes bsc#1073269)
  - fix segfault while creating weakref - bsc#1073748, bpo#29347
    (this is actually fixed by the 2.7.14 update; mentioning this for purposes
    of bugfix tracking)
* Mon Nov 20 2017
  - update to 2.7.14
    * dozens of bugfixes, see NEWS for details
    * fixed possible integer overflow in PyString_DecodeEscape (CVE-2017-1000158, bsc#1068664)
    * fixed segfaults with dict mutated during search
    * fixed possible free-after-use problems with buffer objects with custom indexing
    * fixed urllib.splithost to correctly parse fragments (bpo-30500)
  - drop upstreamed python-2.7.13-overflow_check.patch
  - drop unneeded python-2.7.12-makeopcode.patch
  - drop upstreamed 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch
  - Apply "python-2.7.14-CVE-2018-1000030-1.patch" and
    "python-2.7.14-CVE-2018-1000030-2.patch" to remedy a bug that
    would crash the Python interpreter when multiple threads used the
    same I/O stream concurrently. This issue is not classified as a
    security vulnerability due to the fact that an attacker must be
    able to run code, however in some situations -- such as function
    as a service -- this vulnerability can potentially be used by an
    attacker to violate a trust boundary. [bsc#1079300,
* Thu Nov 02 2017
  - Call python2 instead of python in macros
* Thu Sep 14 2017
  - Fix test broken with OpenSSL 1.1 (bsc#1042670)
    * add 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch
* Mon Aug 28 2017
  - drop SUSE_ASNEEDED=0 as it is not needed anymore
* Thu Aug 17 2017
  - Add libnsl-devel build requires for glibc obsoleting libnsl
* Mon May 15 2017
  - obsolete/provide python-argparse and provide python2-argparse,
    because the argparse module is available from python 2.7 up
* Tue Feb 28 2017
  - SLE package update (bsc#1027282)
  - refresh python-2.7.5-multilib.patch
  - dropped upstreamed patches:
  - Add python-ncurses-6.0-accessors.patch: Fix build with
    NCurses 6.0 and OPAQUE_WINDOW set to 1.
* Fri Feb 24 2017
  - Add reproducible.patch to allow reproducible builds of various
    python packages like python-amqp
* Tue Jan 03 2017
  - update to 2.7.13
    * dozens of bugfixes, see NEWS for details
    * updated cipher lists for openssl wrapper, support openssl >= 1.1.0
    * properly fix HTTPoxy (CVE-2016-1000110)
    * profile-opt build now applies PGO to modules as well
  - update python-2.7.10-overflow_check.patch
    with python-2.7.13-overflow_check.patch, incorporating upstream changes
  - add "-fwrapv" to optflags explicitly because upstream code still
    relies on it in many places
* Fri Dec 02 2016
  - provide python2-* symbols, for support of new packages built as
  - rename macros.python to macros.python2 accordingly
  - require python-rpm-macros package, drop macro definitions from
* Mon Sep 26 2016
  - initial packaging of `python27` side-by-side variant (fate#321075, bsc#997436)
  - renamed `python` to `python27` in package names and requires
  - removed Provides and Obsoletes clauses
  - dropped SLE12-only patch python-2.7.9-sles-disable-verification-by-default.patch,
    companion file and the python-strict-tls-checks subpackage
  - dropped profile files
  - removed /usr/bin/python and /usr/bin/python2, along with other unversioned
  - rewrote macros file to enable stand-alone packages depending on py2.7
  - re-included downloaded version of HTML documentation
* Thu Jun 30 2016
  - update to 2.7.12
    * dozens of bugfixes, see NEWS for details
    * fixes multiple security issues:
      CVE-2016-0772 TLS stripping attack on smtplib (bsc#984751)
      CVE-2016-5636 zipimporter heap overflow (bsc#985177)
      CVE-2016-5699 httplib header injection (bsc#985348)
      (this one is actually fixed since 2.7.10)
  - removed upstreamed python-2.7.7-mhlib-linkcount.patch
  - refreshed multilib patch
  - python-2.7.12-makeopcode.patch - run newly-built python interpreter
    to make opcodes, in order not to require pre-built python
  - update LD_LIBRARY_PATH to use $PWD instead of "." because the test
    process escapes to its own directory
  - modify shebang-fixing scriptlet to ignore
* Fri Jun 17 2016
  - CVE-2016-0772-smtplib-starttls.patch:
    smtplib vulnerability opens startTLS stripping attack
    (CVE-2016-0772, bsc#984751)
  - CVE-2016-5636-zipimporter-overflow.patch:
    heap overflow when importing malformed zip files
    (CVE-2016-5636, bsc#985177)
  - CVE-2016-5699-http-header-injection.patch:
    incorrect validation of HTTP headers allow header injection
    (CVE-2016-5699, bsc#985348)
  - python-2.7-httpoxy.patch:
    HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY
    when REQUEST_METHOD is also set
    (CVE-2016-1000110, bsc#989523)
* Fri Jan 29 2016
  - Add python-2.7.10-overflow_check.patch to fix broken overflow checks.
* Mon Sep 14 2015
  - copy strict-tls-checks subpackage from SLE to retain future compatibility
    (not built in openSUSE)
  - do this properly to fix bnc#945401
  - update SLE check to exclude Leap which also has version 1315,
    just to be sure
* Wed Sep 09 2015
  - Add python-ncurses-6.0-accessors.patch: Fix build with
    NCurses 6.0 and OPAQUE_WINDOW set to 1.
* Thu Aug 13 2015
  - add missing ssl.pyc and ssl.pyo to package
  - implement python-strict-tls-checks subpackage
    * when present, Python will perform TLS certificate checking by default.
      it is possible to remove the package to turn off the checks
      for compatibility with legacy scripts.
    * as discussed in fate#318300
    * this is not built for openSUSE, but retained here in case we want
      to build the package for a SLE system
* Mon Jun 29 2015
  - python-fix-short-dh.patch: Bump DH parameters to 2048 bit
    to fix logjam security issue. bsc#935856
* Wed Jun 10 2015
  - add __python2 compatibility macro (used by Fedora) (fate#318838)
* Sun May 24 2015
  - update to 2.7.10
  - removed obsolete python-2.7-urllib2-localnet-ssl.patch
* Tue May 19 2015
  - Reenable test_posix on aarch64
* Sun Dec 21 2014
  - python-2.7.4-aarch64.patch: Remove obsolete patch
  - python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for
* Fri Dec 12 2014
  - update to 2.7.9
    * contains full backport of ssl module from Python 3.4 (PEP466)
    * HTTPS certificate validation enabled by default (PEP476)
    * SSLv3 disabled by default (bnc#901715)
    * backported ensurepip module (PEP477)
    * fixes several missing CVEs from last release: CVE-2013-1752,
    * dozens of minor bugfixes
  - dropped upstreamed patches: python-2.7.6-poplib.patch,
    smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
  - dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it
    with ssl module from Python 3
  - libffi was upgraded upstream, seems to contain our changes,
    so dropping libffi-ppc64le.diff as well
  - python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional
    "import ssl" from test_urllib2_localnet that caused it to fail without ssl
* Wed Oct 22 2014
  - skip test_thread in qemu_linux_user mode



Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 11:42:48 2024