rpms/python3.11
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI python3.11-3.11.13-3.el9

Browse Source
This commit is contained in:
eabdullin 2025-11-11 15:45:24 +00:00
parent 962f4b2dcd
commit eaf3c284ce
8 changed files with 238 additions and 2053 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.11.11.tar.xz SOURCES/Python-3.11.13.tar.xz

2
.python3.11.metadata
View File

@ -1 +1 @@
acf539109b024d3c5f1fc63d6e7f08cd294ba56d SOURCES/Python-3.11.11.tar.xz fec9a494efd3520f7efe6f822111f22249549d0a SOURCES/Python-3.11.13.tar.xz

119
SOURCES/00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
View File

@ -1,119 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 31 Jan 2025 11:41:34 -0600
Subject: [PATCH] 00450: CVE-2025-0938: Disallow square brackets ([ and ]) in
domain names for parsed URLs
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
---
Lib/test/test_urlparse.py | 37 ++++++++++++++++++-
Lib/urllib/parse.py | 20 +++++++++-
...-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 ++
3 files changed, 58 insertions(+), 3 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 2376dad81b..a283063f24 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1224,16 +1224,51 @@ def test_invalid_bracketed_hosts(self):
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
+ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
def test_splitting_bracketed_hosts(self):
- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
+ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
self.assertEqual(p1.hostname, 'v6a.ip')
self.assertEqual(p1.username, 'user')
self.assertEqual(p1.path, '/path')
+ self.assertEqual(p1.port, 1234)
p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
self.assertEqual(p2.username, 'user')
self.assertEqual(p2.path, '/path')
+ self.assertIs(p2.port, None)
p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
self.assertEqual(p3.username, 'user')
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index abf1d1b546..724cce8d39 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -436,6 +436,23 @@ def _checknetloc(netloc):
raise ValueError("netloc '" + netloc + "' contains invalid " +
"characters under NFKC normalization")
+def _check_bracketed_netloc(netloc):
+ # Note that this function must mirror the splitting
+ # done in NetlocResultMixins._hostinfo().
+ hostname_and_port = netloc.rpartition('@')[2]
+ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
+ if have_open_br:
+ # No data is allowed before a bracket.
+ if before_bracket:
+ raise ValueError("Invalid IPv6 URL")
+ hostname, _, port = bracketed.partition(']')
+ # No data is allowed after the bracket but before the port delimiter.
+ if port and not port.startswith(":"):
+ raise ValueError("Invalid IPv6 URL")
+ else:
+ hostname, _, port = hostname_and_port.partition(':')
+ _check_bracketed_host(hostname)
+
# Valid bracketed hosts are defined in
# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
def _check_bracketed_host(hostname):
@@ -496,8 +513,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
(']' in netloc and '[' not in netloc)):
raise ValueError("Invalid IPv6 URL")
if '[' in netloc and ']' in netloc:
- bracketed_host = netloc.partition('[')[2].partition(']')[0]
- _check_bracketed_host(bracketed_host)
+ _check_bracketed_netloc(netloc)
if allow_fragments and '#' in url:
url, fragment = url.split('#', 1)
if '?' in url:
diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
new file mode 100644
index 0000000000..bff1bc6b0d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
@@ -0,0 +1,4 @@
+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
+parsing would not reject domain names containing square brackets (``[`` and
+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

196
SOURCES/00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch Normal file
View File

@ -0,0 +1,196 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: yevgeny hong <hongyevgeny@gmail.com>
Date: Tue, 26 Mar 2024 16:45:43 +0900
Subject: 00462: Fix PySSL_SetError handling SSL_ERROR_SYSCALL
Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and
SSL_read_ex(), but did not update handling of the return value.
Change error handling so that the return value is not examined.
OSError (not EOF) is now returned when retval is 0.
This resolves the issue of failing tests when a system is
stressed on OpenSSL 3.5.
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
---
Lib/test/test_ssl.py | 28 ++++++-----
...-02-18-09-50-31.gh-issue-115627.HGchj0.rst | 2 +
Modules/_ssl.c | 48 +++++++------------
3 files changed, 35 insertions(+), 43 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0b169c37d5..921c41bd0d 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2633,16 +2633,18 @@ def run(self):
self.write(msg.lower())
except OSError as e:
# handles SSLError and socket errors
+ if isinstance(e, ConnectionError):
+ # OpenSSL 1.1.1 sometimes raises
+ # ConnectionResetError when connection is not
+ # shut down gracefully.
+ if self.server.chatty and support.verbose:
+ print(f" Connection reset by peer: {self.addr}")
+
+ self.close()
+ self.running = False
+ return
if self.server.chatty and support.verbose:
- if isinstance(e, ConnectionError):
- # OpenSSL 1.1.1 sometimes raises
- # ConnectionResetError when connection is not
- # shut down gracefully.
- print(
- f" Connection reset by peer: {self.addr}"
- )
- else:
- handle_error("Test server failure:\n")
+ handle_error("Test server failure:\n")
try:
self.write(b"ERROR\n")
except OSError:
@@ -3337,8 +3339,8 @@ def test_wrong_cert_tls13(self):
suppress_ragged_eofs=False) as s:
s.connect((HOST, server.port))
with self.assertRaisesRegex(
- ssl.SSLError,
- 'alert unknown ca|EOF occurred'
+ OSError,
+ 'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA|closed by the remote host|Connection reset by peer'
):
# TLS 1.3 perform client cert exchange after handshake
s.write(b'data')
@@ -4610,8 +4612,8 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
# test sometimes fails with EOF error. Test passes as long as
# server aborts connection with an error.
with self.assertRaisesRegex(
- ssl.SSLError,
- '(certificate required|EOF occurred)'
+ OSError,
+ 'certificate required|EOF occurred|closed by the remote host|Connection reset by peer'
):
# receive CertificateRequest
data = s.recv(1024)
diff --git a/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
new file mode 100644
index 0000000000..75d926ab59
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
@@ -0,0 +1,2 @@
+Fix the :mod:`ssl` module error handling of connection terminate by peer.
+It now throws an OSError with the appropriate error code instead of an EOFError.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 09207abde1..787c241133 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -576,7 +576,7 @@ PySSL_ChainExceptions(PySSLSocket *sslsock) {
}
static PyObject *
-PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+PySSL_SetError(PySSLSocket *sslsock, const char *filename, int lineno)
{
PyObject *type;
char *errstr = NULL;
@@ -589,7 +589,6 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
_sslmodulestate *state = get_state_sock(sslsock);
type = state->PySSLErrorObject;
- assert(ret <= 0);
e = ERR_peek_last_error();
if (sslsock->ssl != NULL) {
@@ -622,32 +621,21 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
case SSL_ERROR_SYSCALL:
{
if (e == 0) {
- PySocketSockObject *s = GET_SOCKET(sslsock);
- if (ret == 0 || (((PyObject *)s) == Py_None)) {
+ /* underlying BIO reported an I/O error */
+ ERR_clear_error();
+#ifdef MS_WINDOWS
+ if (err.ws) {
+ return PyErr_SetFromWindowsErr(err.ws);
+ }
+#endif
+ if (err.c) {
+ errno = err.c;
+ return PyErr_SetFromErrno(PyExc_OSError);
+ }
+ else {
p = PY_SSL_ERROR_EOF;
type = state->PySSLEOFErrorObject;
errstr = "EOF occurred in violation of protocol";
- } else if (s && ret == -1) {
- /* underlying BIO reported an I/O error */
- ERR_clear_error();
-#ifdef MS_WINDOWS
- if (err.ws) {
- return PyErr_SetFromWindowsErr(err.ws);
- }
-#endif
- if (err.c) {
- errno = err.c;
- return PyErr_SetFromErrno(PyExc_OSError);
- }
- else {
- p = PY_SSL_ERROR_EOF;
- type = state->PySSLEOFErrorObject;
- errstr = "EOF occurred in violation of protocol";
- }
- } else { /* possible? */
- p = PY_SSL_ERROR_SYSCALL;
- type = state->PySSLSyscallErrorObject;
- errstr = "Some I/O error occurred";
}
} else {
if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
@@ -1013,7 +1001,7 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self)
err.ssl == SSL_ERROR_WANT_WRITE);
Py_XDECREF(sock);
if (ret < 1)
- return PySSL_SetError(self, ret, __FILE__, __LINE__);
+ return PySSL_SetError(self, __FILE__, __LINE__);
if (PySSL_ChainExceptions(self) < 0)
return NULL;
Py_RETURN_NONE;
@@ -2434,7 +2422,7 @@ _ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
Py_XDECREF(sock);
if (retval == 0)
- return PySSL_SetError(self, retval, __FILE__, __LINE__);
+ return PySSL_SetError(self, __FILE__, __LINE__);
if (PySSL_ChainExceptions(self) < 0)
return NULL;
return PyLong_FromSize_t(count);
@@ -2464,7 +2452,7 @@ _ssl__SSLSocket_pending_impl(PySSLSocket *self)
self->err = err;
if (count < 0)
- return PySSL_SetError(self, count, __FILE__, __LINE__);
+ return PySSL_SetError(self, __FILE__, __LINE__);
else
return PyLong_FromLong(count);
}
@@ -2587,7 +2575,7 @@ _ssl__SSLSocket_read_impl(PySSLSocket *self, Py_ssize_t len,
err.ssl == SSL_ERROR_WANT_WRITE);
if (retval == 0) {
- PySSL_SetError(self, retval, __FILE__, __LINE__);
+ PySSL_SetError(self, __FILE__, __LINE__);
goto error;
}
if (self->exc_type != NULL)
@@ -2713,7 +2701,7 @@ _ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
}
if (ret < 0) {
Py_XDECREF(sock);
- PySSL_SetError(self, ret, __FILE__, __LINE__);
+ PySSL_SetError(self, __FILE__, __LINE__);
return NULL;
}
if (self->exc_type != NULL)

1901
SOURCES/00465-tarfile-cves.patch
View File

File diff suppressed because it is too large Load Diff

16
SOURCES/Python-3.11.11.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmdPRgIACgkQ/+h0BBaL
2EeZ0g//W0Dw34k4l9Itf++MtfvRzfHIaELmo3w44y1bOl4WumgzTocVAoFf/vF2
BYupcHzPKV/3n2qrAEkEryutV21MykSZzcryDNXqXCAra/5WIFhpKfdGE+q6Ld/a
6bJEQwbXuuE703GWGwIVT8Dxeo7gPdpyZegnKpGS9ij/01m5s30DXSu9+HFkQmUL
dmqjPyE80hUbcrb5qoTedh0Kn+TsfhQ3QfSLTHailsCFpb6Y17KI2GSRAhKTvaEw
+to46LMximYc+Nz+frjTIzoUNsCh5wcBAnN5yLh3wIJTWdo7CGg8ffaZmBDJhRPR
drUl/8GFjC0WPfPSnwJFEfn+Dy9jmrhcoIzb/RdSZhe1NybxJ9o6cEybSM7/A/X3
RPMsywEiMElK4TAyjgMobxtDaZAC1V/qzfKP8bLdyhNWKC8pLwaL1S0xPZvToIT2
kZ4AyqEScZb23vI3P8orymawsdJBMhtZ7yJlUtsx1IdzgPEN3YLgjiqBTzRpOjZV
VcyUZZKn7aLZYFQlcY1ghtCj5Z5RIFwnOg4Ay+M3UNzXrd81rWc7IcIVLuQPGVgu
INlDLpQs2EuikXWT2ADvQ/Gm3Z42M3AZtSDIUyRb1gFWDWjqThjO0ypFA1rdZb6+
2MjmRsQ9nK6Nm5uJ+Ww+s0o8O/D52pMg/J9zshQGON/8LRBBoXk=
=UKo7
-----END PGP SIGNATURE-----

16
SOURCES/Python-3.11.13.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmg/TJcACgkQ/+h0BBaL
2EdZXA/+P2dP1QMiwB3RyWkSoYmRIGqzCW9avVXt+PPsuogJ0QgKwU74uPViks4r
jOGvNJq9xiGgObJV66LxZx/agtwQPCfNKH6PIYi5EQvDGrFNADvarJPS58bLqSeS
W6LGBeFV/9T62NtjMvO2ZhwQzDnGbt+SvIVhO9gQfO6Zq45OP3TOOGHZzQv0Uffr
Q1BNOUbhO8ARlVG9dJVd2WEO2MWPsirJcsY9rbDeXeKoj/sGlsb8wbAOP5ow16nR
QR304+MwqPaQCKom7miZzyT78pkWahzES3Wn1fMaiBqesRv8V+9NZShxOb7WEkEH
tySPm9DeFEuKIeBRVeealsURyBOEoRaplFKqXUQI+/tc6OlJYzhNuHGUZuG5oIIq
yVCI+nxkxk5QWbQj0z0A3F0Ko4oD3OX/m/YC9gnLdnQ5odf2Lu/nbuVy/nxc1Ecv
fQYUp6ebw8UquLIlj2KsSYjHO+qNi0E0JR+h+M0L8AyVroAEvyUYk5ikOwULv1Mp
FIOHTmOX1wFJ5p3HP5yIcUDVbLWOvxcX1qPv9v62k2vWXXJwTy5f7zpx0v4tXJ2T
4JtR5wghJzBcpyb7C98pX2dHSr6SD/UQk+gVeztjwZf5JXLMcifyhsJvR3TRuy2p
dD6kQ+gelg1OwSQH4QvZ4xbs9mSS14vJVEhGRO8dEjFTWYxJpIo=
=DdRc
-----END PGP SIGNATURE-----

39
SPECS/python3.11.spec
View File

@ -16,11 +16,11 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version, # WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well # remember to update the python3-docs package as well
%global general_version %{pybasever}.11 %global general_version %{pybasever}.13
#global prerel ... #global prerel ...
%global upstream_version %{general_version}%{?prerel} %global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}} Version: %{general_version}%{?prerel:~%{prerel}}
Release: 2%{?dist}.2 Release: 3%{?dist}
License: Python License: Python
@ -228,6 +228,7 @@ BuildRequires: valgrind-devel
BuildRequires: xz-devel BuildRequires: xz-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: /usr/bin/dtrace BuildRequires: /usr/bin/dtrace
# workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig) # workaround http://bugs.python.org/issue19804 (test_uuid requires ifconfig)
@ -369,16 +370,18 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
# Downstream only. # Downstream only.
Patch422: 00422-fix-expat-tests.patch Patch422: 00422-fix-expat-tests.patch
# 00450 # 4ab8663661748eb994c09e4ae89f59eb84c5d3ea # 00462 # c9db492d8924b2d1a0991e36f3c2b4f9c2ec8942
# CVE-2025-0938: Disallow square brackets ([ and ]) in domain names for parsed URLs # Fix PySSL_SetError handling SSL_ERROR_SYSCALL
Patch450: 00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
# 00465 #
# Security fixes for:
# CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718 and CVE-2025-4435 in the tarfile module.
# #
# Resolved upstream: https://github.com/python/cpython/pull/135066 # Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and
Patch465: 00465-tarfile-cves.patch # SSL_read_ex(), but did not update handling of the return value.
#
# Change error handling so that the return value is not examined.
# OSError (not EOF) is now returned when retval is 0.
#
# This resolves the issue of failing tests when a system is
# stressed on OpenSSL 3.5.
Patch462: 00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch
# 00467 # # 00467 #
# CVE-2025-8194 # CVE-2025-8194
@ -1666,13 +1669,19 @@ CheckPython optimized
# ====================================================== # ======================================================
%changelog %changelog
* Thu Aug 21 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.11-2.2 * Thu Aug 21 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.13-3
- Security fix for CVE-2025-8194 - Security fix for CVE-2025-8194
Resolves: RHEL-106366 Resolves: RHEL-106365
* Fri Jun 20 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.11-2.1 * Wed Jul 23 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.13-2
- Fix PySSL_SetError handling SSL_ERROR_SYSCALL
- This fixes random flakiness of test_ssl on stressed machines
Resolves: RHEL-101551
* Wed Jun 04 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.11.13-1
- Update to 3.11.13
- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 - Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
- Resolves: RHEL-98045, RHEL-98015, RHEL-98238, RHEL-98177, RHEL-98206 Resolves: RHEL-98044, RHEL-98014, RHEL-98237, RHEL-98176, RHEL-98205
* Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.11-2 * Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.11.11-2
- Security fix for CVE-2025-0938 - Security fix for CVE-2025-0938