* Sat Feb 08 2020 Matej Cepl <mcepl@suse.com>
- Add CVE-2019-9674-zip-bomb.patch to improve documentation
warning about dangers of zip-bombs and other security problems
with zipfile library. (bsc#1162825 CVE-2019-9674)
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
"Python urllib allowed an HTTP server to conduct Regular
Expression Denial of Service (ReDoS)" (bsc#1162367)
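The zip-bomb entry above only adds a documentation warning; the check a consumer of zipfile actually needs is shown here as an added example (not part of the changelog, the patch, or CPython). The policy limits, the chunk size and the entry name "file.bin" are assumptions chosen for the example, and the two archives it builds are constructed in memory:

```python
import io
import zipfile

# Policy limits; assumed values for this example, tune per deployment.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across the whole archive
MAX_COMPRESSION_RATIO = 100                 # uncompressed / compressed
CHUNK = 64 * 1024                           # read granularity while metering


def declared_sizes(data: bytes) -> dict:
    """Read the central directory only; nothing is decompressed yet."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        uncompressed = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
    return {
        "entries": len(infos),
        "uncompressed": uncompressed,
        "compressed": compressed,
        "ratio": uncompressed / max(compressed, 1),
    }


def is_safe_to_extract(data: bytes,
                       max_total: int = MAX_TOTAL_UNCOMPRESSED,
                       max_ratio: float = MAX_COMPRESSION_RATIO) -> bool:
    """Two-stage check: cheap header check, then metered decompression.

    file_size and compress_size come from the archive itself and are
    therefore attacker-controlled, so the second stage counts the bytes
    that really come out of the decompressor and stops as soon as the
    budget is exceeded instead of trusting the declared numbers.
    """
    sizes = declared_sizes(data)
    if sizes["uncompressed"] > max_total or sizes["ratio"] > max_ratio:
        return False
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    produced += len(chunk)
                    if produced > max_total:
                        return False
    return True


def build_archive(payload: bytes, name: str = "file.bin") -> bytes:
    """Constructed single-entry DEFLATE archive used for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    normal = build_archive(bytes(range(256)) * 4)      # 1 KiB, poorly compressible
    bomb = build_archive(b"\0" * (4 * 1024 * 1024))    # 4 MiB of zeros, ~1000:1
    print(declared_sizes(normal), is_safe_to_extract(normal))
    print(declared_sizes(bomb), is_safe_to_extract(bomb))
```

The ratio test alone is not enough: nested archives and forged central-directory fields get past it, which is why the metered read runs even when the headers look harmless.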
* Sat Feb 08 2020 Matej Cepl <mcepl@suse.com>
- Add Requires: libpython%{so_version} == %{version}-%{release}
to python3-base to keep both packages always synchronized
(bsc#1162224).
* Mon Feb 03 2020 Tomáš Chvátal <tchvatal@suse.com>
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package bsc#1165894
* renamed the icons
* renamed icon load in desktop file
* Tue Jan 28 2020 Matej Cepl <mcepl@suse.com>
- Add pep538_coerce_legacy_c_locale.patch to coerce locale to
C.UTF-8 always (bsc#1162423).
* Thu Dec 19 2019 Matej Cepl <mcepl@suse.com>
- Update to 3.6.10 (still in line with jsc#SLE-9426,
jsc#SLE-9427, bsc#1159035):
- Security:
- bpo-38945: Newline characters have been escaped when
performing uu encoding to prevent them from overflowing
into the content section of the encoded file. This prevents
malicious or accidental modification of data during the
decoding process.
- bpo-37228: Due to significant security concerns, the
reuse_address parameter of
asyncio.loop.create_datagram_endpoint() is no longer
supported. This is because of the behavior of SO_REUSEADDR
in UDP. For more details, see the documentation for
loop.create_datagram_endpoint(). (Contributed by Kyle
Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)
- bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar.
Patch by Ben Caller.
- bpo-38243: Escape the server title of
xmlrpc.server.DocXMLRPCServer when rendering the document
page as HTML. (Contributed by Dong-hee Na in bpo-38243.)
- bpo-38174: Update vendorized expat library version to
2.2.8, which resolves CVE-2019-15903.
- bpo-37461: Fix an infinite loop when parsing specially
crafted email headers. Patch by Abhilash Raj.
- bpo-34155: Fix parsing of invalid email addresses with more
than one @ (e.g. a@b@c.com.) to not return the part before
2nd @ as valid email address. Patch by maxking & jpic.
- Library:
- bpo-38216: Allow the rare code that wants to send invalid
http requests from the http.client library a way to do so.
The fixes for bpo-30458 led to breakage for some projects
that were relying on this ability to test their own
behavior in the face of bad requests.
- bpo-36564: Fix infinite loop in email header folding logic
that would be triggered when an email policy's
max_line_length is not long enough to include the required
markup and any values in the message. Patch by Paul Ganssle.
- Remove patches included in the upstream tarball:
- CVE-2019-16935-xmlrpc-doc-server_title.patch
- CVE-2019-16056-email-parse-addr.patch
- Move idle subpackage build from python3-base to python3 (bsc#1159622).
appstream-glib required for packaging introduces considerable
extra dependencies and a build loop via rust/librsvg.
- Correct installation of idle IDE icons:
+ idle.png is not the target directory
+ non-GNOME-specific icons belong in icons/hicolor
- Add required Name key to idle3 desktop file
* Thu Dec 12 2019 Matej Cepl <mcepl@suse.com>
- Unify all Python 3.6* SLE packages into one (jsc#SLE-9426,
jsc#SLE-9427, bsc#1159035)
- Patches which were already included upstream:
- CVE-2018-1061-DOS-via-regexp-difflib.patch
- CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
* Tue Oct 22 2019 Matej Cepl <mcepl@suse.com>
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
python/Lib/DocXMLRPCServer.py
* Thu Sep 19 2019 Matej Cepl <mcepl@suse.com>
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
bsc#1149792
- Add bpo36263-Fix_hashlib_scrypt.patch which works around
bsc#1151490
* Mon Sep 16 2019 Matej Cepl <mcepl@suse.com>
- Add CVE-2019-16056-email-parse-addr.patch fixing the email
module wrongly parses email addresses [bsc#1149955,
CVE-2019-16056]
* Mon Sep 09 2019 Matej Cepl <mcepl@suse.com>
- jsc#PM-1350 bsc#1149121 Update python3 to the last version of
the 3.6 line. This is just a bugfix release with no changes in
functionality.
- The following patches were included in the upstream release and
so they can be removed from the package:
- CVE-2018-20852-cookie-domain-check.patch
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- CVE-2019-10160-netloc-port-regression.patch
- CVE-2019-9636-urlsplit-NFKC-norm.patch
- CVE-2019-9947-no-ctrl-char-http.patch
- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been
reapplied on the upstream base without changing any
functionality.
- Add patch aarch64-prolong-timeout.patch to fix failing
test_utime_current_old test.
* Wed Jul 24 2019 Matej Cepl <mcepl@suse.com>
- FAKE RECORD FROM SLE-12 CHANNEL Apply
"CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
converts shutil._call_external_zip to use subprocess rather
than distutils.spawn. [bsc#1109663, CVE-2018-1000802]
* Wed Jul 24 2019 Matej Cepl <mcepl@suse.com>
- FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add
CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623.
* Fri Jul 19 2019 Matej Cepl <mcepl@suse.com>
- boo#1141853 (CVE-2018-20852) add
CVE-2018-20852-cookie-domain-check.patch fixing
http.cookiejar.DefaultPolicy.domain_return_ok which did not
correctly validate the domain: it could be tricked into sending
cookies to the wrong server.
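As an added illustration of the class of flaw described in the entry above (not the code from the patch or from http.cookiejar), the following hypothetical re-implementation puts a bare suffix comparison beside a label-boundary comparison; the host and domain strings are constructed for the example:

```python
def naive_domain_return_ok(req_host: str, cookie_domain: str) -> bool:
    """Flawed check: a plain suffix comparison has no label boundary, so a
    cookie scoped to example.com also matches notexample.com."""
    return req_host.lower().endswith(cookie_domain.lower().lstrip("."))


def strict_domain_return_ok(req_host: str, cookie_domain: str) -> bool:
    """Hardened check: accept the exact host, or a suffix that begins at a
    dot (a DNS label boundary); never a match inside a label."""
    req_host = req_host.lower().rstrip(".")
    domain = cookie_domain.lower().rstrip(".")
    dotdomain = domain if domain.startswith(".") else "." + domain
    return req_host == dotdomain[1:] or req_host.endswith(dotdomain)


def compare(req_host: str, cookie_domain: str) -> tuple:
    """Return (naive, strict) verdicts side by side for one request host."""
    return (naive_domain_return_ok(req_host, cookie_domain),
            strict_domain_return_ok(req_host, cookie_domain))


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "notexample.com"):
        print(host, compare(host, "example.com"))
```

The third host is the interesting one: the naive check returns True and would release the cookie, the strict check returns False.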
* Wed Jul 03 2019 Matej Cepl <mcepl@suse.com>
- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
which fixes regression introduced by the previous patch.
(CVE-2019-10160)
Upstream gh#python/cpython#13812
* Wed Jun 12 2019 Matej Cepl <mcepl@suse.com>
- FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate
files with python3* packages (https://fate.suse.com/327309)
* Tue Jun 11 2019 Matej Cepl <mcepl@suse.com>
- bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to
handle situation when the SIGINT signal is ignored or not handled
* Tue Apr 30 2019 Matej Cepl <mcepl@suse.com>
- Update to 3.6.8:
- bugfixes only
- removed patches (subsumed in the upstream tarball):
- CVE-2018-20406-pickle_LONG_BINPUT.patch
- refreshed patches:
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- CVE-2019-9636-urlsplit-NFKC-norm.patch
- Python-3.0b1-record-rpm.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- python-3.3.0b1-test-posix_fadvise.patch
- python-3.3.3-skip-distutils-test_sysconfig_module.patch
- python-3.6.0-multilib-new.patch
- python3-sorted_tar.patch
- subprocess-raise-timeout.patch
- switch off LTO and PGO optimization (bsc#1133452)
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
Address the issue by disallowing URL paths with embedded
whitespace or control characters through into the underlying
http client request. Such potentially malicious header
injection URLs now cause a ValueError to be raised.
* Tue Apr 09 2019 Matej Cepl <mcepl@suse.com>
- bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch
Characters in the netloc attribute that decompose under NFKC
normalization (as used by the IDNA encoding) into any of ``/``,
``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
URL is decomposed before parsing, or is not a Unicode string,
no error will be raised. (CVE-2019-9636)
Upstream gh#python/cpython#12224
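The two URL entries above (the control-character check from CVE-2019-9947 and the NFKC netloc check from CVE-2019-9636) describe checks an application can also apply itself, before a URL reaches the HTTP client. The block below is an added example, not the code from either patch or from urllib; the function names, the regular expression and the sample URLs are constructed for it. It goes slightly beyond the entries by checking the whole URL string for control characters rather than only the path:

```python
import re
import unicodedata
from urllib.parse import urlsplit, SplitResult

# Bytes that must never reach an HTTP request line: ASCII control
# characters, space and DEL.  A CR/LF here ends the request line and lets
# the rest of the "path" be read as additional header lines.
_DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Delimiters that change the meaning of the netloc if some character
# normalizes into them under NFKC (U+FF03, a fullwidth '#', becomes '#').
_NETLOC_DELIMITERS = "/?#@:"


def has_disallowed_chars(url: str) -> bool:
    """True if the URL carries whitespace or control characters."""
    return _DISALLOWED_URL_CHARS.search(url) is not None


def netloc_decomposes_to_delimiter(netloc: str) -> bool:
    """True if a non-ASCII character in netloc NFKC-normalizes into / ? # @ or :"""
    try:
        netloc.encode("ascii")
    except UnicodeEncodeError:
        pass
    else:
        return False                      # pure ASCII: nothing to decompose
    # Remove delimiters that are legitimately present so that only
    # characters which *become* delimiters after normalization are seen.
    stripped = netloc
    for ch in "@:#?":
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(ch in normalized for ch in _NETLOC_DELIMITERS)


def validate_url(url: str) -> SplitResult:
    """Split a URL, raising ValueError for either class of dangerous input.

    The raw string is checked before urlsplit() because recent Python
    versions silently strip tab, CR and LF while splitting.
    """
    if has_disallowed_chars(url):
        raise ValueError("URL contains whitespace or control characters")
    parts = urlsplit(url)      # patched Pythons may raise ValueError here too
    if netloc_decomposes_to_delimiter(parts.netloc):
        raise ValueError("netloc %r contains characters that NFKC-normalize "
                         "into a URL delimiter" % parts.netloc)
    return parts


def is_acceptable(url: str) -> bool:
    """Boolean wrapper for callers that prefer a verdict to an exception."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("https://example.com/index.html?q=1",
                   "https://b\u00fccher.example/",
                   "https://example.com/a\r\nX-Injected: 1",
                   "https://example.com\uff03@evil.example/"):
        print(repr(sample), is_acceptable(sample))
```

The second sample shows why the check strips and compares rather than rejecting all non-ASCII: a precomposed ü is unchanged by NFKC and is accepted, while the fullwidth number sign in the last sample turns into '#', which would move the real host into the fragment.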
* Mon Jan 21 2019 Matěj Cepl <mcepl@suse.com>
- bsc#1120644 add CVE-2018-20406-pickle_LONG_BINPUT.patch fixing bpo#34656
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via
a large LONG_BINPUT value that is mishandled during a "resize to twice
the size" attempt. This issue might cause memory exhaustion, but is
only relevant if the pickle format is used for serializing tens or
hundreds of gigabytes of data.
* Sat Jan 19 2019 mcepl@suse.com
- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
fixing bpo-35746.
An exploitable denial-of-service vulnerability exists in the
X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
A specially crafted X509 certificate can cause a NULL pointer
dereference, resulting in a denial of service. An attacker can
initiate or accept TLS connections using crafted certificates
to trigger this vulnerability.