Package Release Info


Update Info: Base Release
Available in Package Hub : 15 SP2 (BETA)




Change Logs

* Sat Feb 08 2020 Matej Cepl <>
- Add CVE-2019-9674-zip-bomb.patch to improve documentation
  warning about dangers of zip-bombs and other security problems
  with zipfile library. (bsc#1162825 CVE-2019-9674)
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
  "Python urrlib allowed an HTTP server to conduct Regular
  Expression Denial of Service (ReDoS)" (bsc#1162367)
* Sat Feb 08 2020 Matej Cepl <>
- Add Requires: libpython%{so_version} == %{version}-%{release}
  to python3-base to keep both packages always synchronized
* Mon Feb 03 2020 Tomá? Chvátal <>
- Reame idle icons to idle3 in order to not conflict with python2
  variant of the package bsc#1165894
  * renamed the icons
  * renamed icon load in desktop file
* Tue Jan 28 2020 Matej Cepl <>
- Add pep538_coerce_legacy_c_locale.patch to coerce locale to
  C.UTF-8 always (bsc#1162423).
* Thu Dec 19 2019 Matej Cepl <>
- Update to 3.6.10 (still in line with jsc#SLE-9426,
  jsc#SLE-9427, bsc#1159035):
  - Security:
  - bpo-38945: Newline characters have been escaped when
    performing uu encoding to prevent them from overflowing
    into to content section of the encoded file. This prevents
    malicious or accidental modification of data during the
    decoding process.
  - bpo-37228: Due to significant security concerns, the
    reuse_address parameter of
    asyncio.loop.create_datagram_endpoint() is no longer
    supported. This is because of the behavior of SO_REUSEADDR
    in UDP. For more details, see the documentation for
    loop.create_datagram_endpoint(). (Contributed by Kyle
    Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)
  - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar.
    Patch by Ben Caller.
  - bpo-38243: Escape the server title of
    xmlrpc.server.DocXMLRPCServer when rendering the document
    page as HTML. (Contributed by Dong-hee Na in bpo-38243.)
  - bpo-38174: Update vendorized expat library version to
    2.2.8, which resolves CVE-2019-15903.
  - bpo-37461: Fix an infinite loop when parsing specially
    crafted email headers. Patch by Abhilash Raj.
  - bpo-34155: Fix parsing of invalid email addresses with more
    than one @ (e.g. to not return the part before
    2nd @ as valid email address. Patch by maxking & jpic.
  - Library:
  - bpo-38216: Allow the rare code that wants to send invalid
    http requests from the http.client library a way to do so.
    The fixes for bpo-30458 led to breakage for some projects
    that were relying on this ability to test their own
    behavior in the face of bad requests.
  - bpo-36564: Fix infinite loop in email header folding logic
    that would be triggered when an email policy?s
    max_line_length is not long enough to include the required
    markup and any values in the message. Patch by Paul Ganssle
- Remove patches included in the upstream tarball:
  - CVE-2019-16935-xmlrpc-doc-server_title.patch
  - CVE-2019-16056-email-parse-addr.patch
- Move idle subpackage build from python3-base to python3 (bsc#1159622).
  appstream-glib required for packaging introduces considerable
  extra dependencies and a build loop via rust/librsvg.
- Correct installation of idle IDE icons:
  + idle.png is not the target directory
  + non-GNOME-specific icons belong into icons/hicolor
- Add required Name key to idle3 desktop file
* Thu Dec 12 2019 Matej Cepl <>
- Unify all Python 3.6* SLE packages into one (jsc#SLE-9426,
  jsc#SLE-9427, bsc#1159035)
  - Patches which were already included upstream:
  - CVE-2018-1061-DOS-via-regexp-difflib.patch
  - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
* Tue Oct 22 2019 Matej Cepl <>
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
* Thu Sep 19 2019 Matej Cepl <>
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
  bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
- Add bpo36263-Fix_hashlib_scrypt.patch which works around
* Mon Sep 16 2019 Matej Cepl <>
- Add CVE-2019-16056-email-parse-addr.patch fixing the email
  module wrongly parses email addresses [bsc#1149955,
* Mon Sep 09 2019 Matej Cepl <>
- jsc#PM-1350 bsc#1149121 Update python3 to the last version of
  the 3.6 line. This is just a bugfix release with no changes in
- The following patches were included in the upstream release as
  so they can be removed in the package:
  - CVE-2018-20852-cookie-domain-check.patch
  - CVE-2019-5010-null-defer-x509-cert-DOS.patch
  - CVE-2019-10160-netloc-port-regression.patch
  - CVE-2019-9636-urlsplit-NFKC-norm.patch
  - CVE-2019-9947-no-ctrl-char-http.patch
- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been
  reapplied on the upstream base without changing any
- Add patch aarch64-prolong-timeout.patch to fix failing
  test_utime_current_old test.
* Wed Jul 24 2019 Matej Cepl <>
  "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
  converts shutil._call_external_zip to use subprocess rather
  than distutils.spawn. [bsc#1109663, CVE-2018-1000802]
* Wed Jul 24 2019 Matej Cepl <>
- FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add
  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623.
* Fri Jul 19 2019 Matej Cepl <>
- boo#1141853 (CVE-2018-20852) add
  CVE-2018-20852-cookie-domain-check.patch fixing
  http.cookiejar.DefaultPolicy.domain_return_ok which did not
  correctly validate the domain: it could be tricked into sending
  cookies to the wrong server.
* Wed Jul 03 2019 Matej Cepl <>
- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
  which fixes regression introduced by the previous patch.
  Upstream gh#python/cpython#13812
* Wed Jun 12 2019 Matej Cepl <>
- FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate
  files with python3* packages (
* Tue Jun 11 2019 Matej Cepl <>
- bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to
  handle situation when the SIGINT signal is ignored or not handled
* Tue Apr 30 2019 Matej Cepl <>
- Update to 3.6.8:
  - bugfixes only
  - removed patches (subsumed in the upstream tarball):
  - CVE-2018-20406-pickle_LONG_BINPUT.patch
  - refreshed patches:
  - CVE-2019-5010-null-defer-x509-cert-DOS.patch
  - CVE-2019-9636-urlsplit-NFKC-norm.patch
  - Python-3.0b1-record-rpm.patch
  - python-3.3.0b1-fix_date_time_compiler.patch
  - python-3.3.0b1-test-posix_fadvise.patch
  - python-3.3.3-skip-distutils-test_sysconfig_module.patch
  - python-3.6.0-multilib-new.patch
  - python3-sorted_tar.patch
  - subprocess-raise-timeout.patch
  - switch off LTO and PGO optimization (bsc#1133452)
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded
  whitespace or control characters through into the underlying
  http client request. Such potentially malicious header
  injection URLs now cause a ValueError to be raised.
* Tue Apr 09 2019 Matej Cepl <>
- bsc#1129346: add CVE-2019-9636-urlsplit-NFKC-norm.patch
  Characters in the netloc attribute that decompose under NFKC
  normalization (as used by the IDNA encoding) into any of ``/``,
  ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
  URL is decomposed before parsing, or is not a Unicode string,
  no error will be raised. (CVE-2019-9636)
  Upstream gh#python/cpython#12224
* Mon Jan 21 2019 Mat?j Cepl <>
- bsc#1120644 add CVE-2018-20406-pickle_LONG_BINPUT.patch fixing bpo#34656
  Modules/_pickle.c in Python before 3.7.1 has an integer overflow via
  a large LONG_BINPUT value that is mishandled during a "resize to twice
  the size" attempt. This issue might cause memory exhaustion, but is
  only relevant if the pickle format is used for serializing tens or
  hundreds of gigabytes of data.
* Sat Jan 19 2019
- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
  fixing bpo-35746.
  An exploitable denial-of-service vulnerability exists in the
  X509 certificate parser of Python 2.7.11 / 3.7.2.
  A specially crafted X509 certificate can cause a NULL pointer
  dereference, resulting in a denial of service. An attacker can
  initiate or accept TLS connections using crafted certificates
  to trigger this vulnerability.