Update to 3.14.5rc1

Move back to the generational from the incremental garbage collector Security fix for CVE-2026-6019 Patches 479, 480, 482 merged upstream. (cherry picked from Fedora commit b04f319cc685fc8d26243b3293ad8915fb1a5451) Resolves: RHEL-180642
2026-06-09 17:37:16 +02:00 · 2026-06-09 17:37:16 +02:00 · 073c905275
commit 073c905275
parent 4be142c0e7
7 changed files with 19 additions and 267 deletions
--- a/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch
+++ b/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch
@ -41,7 +41,7 @@ index 5c10bcedc6..1fd7a273b5 100644
         result = BytesIO()
         xmlgen = XMLGenerator(result)
 diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
-index 0b343cc4bb..145ecacd21 100644
+index 1bd0fde844..f87134c11e 100644
 --- a/Lib/test/test_xml_etree.py
 +++ b/Lib/test/test_xml_etree.py
@@ -1573,9 +1573,13 @@ def test_simple_xml(self, chunk_size=None, flush=False):
--- a/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
+++ b/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
@ -81,10 +81,10 @@ index 2a17c891dd..64017c666c 100644
 }
 #endif
 diff --git a/Makefile.pre.in b/Makefile.pre.in
-index 80a1b590c2..f28f562930 100644
+index da6d7c3315..92a6825b5e 100644
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
-@@ -3415,3 +3415,6 @@ MODULE__MULTIBYTECODEC_DEPS=$(srcdir)/Modules/cjkcodecs/multibytecodec.h
+@@ -3420,3 +3420,6 @@ MODULE__MULTIBYTECODEC_DEPS=$(srcdir)/Modules/cjkcodecs/multibytecodec.h
 # Local Variables:
 # mode: makefile
 # End:
--- a/00479-cve-2026-1502.patch
+++ b/00479-cve-2026-1502.patch
@ -1,107 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Larson <seth@python.org>
-Date: Fri, 10 Apr 2026 10:21:42 -0500
-Subject: 00479: CVE-2026-1502
-
-Reject CR/LF in HTTP tunnel request headers
-
-Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
---
- Lib/http/client.py                            | 11 ++++-
- Lib/test/test_httplib.py                      | 45 +++++++++++++++++++
- ...-03-20-09-29-42.gh-issue-146211.PQVbs7.rst |  2 +
- 3 files changed, 57 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index 77f8d26291..6fb7d254ea 100644
--- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -972,13 +972,22 @@ def _wrap_ipv6(self, ip):
-         return ip
- 
-     def _tunnel(self):
-+        if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
-+            raise ValueError('Tunnel host can\'t contain control characters %r'
-+                             % (self._tunnel_host,))
-         connect = b"CONNECT %s:%d %s\r\n" % (
-             self._wrap_ipv6(self._tunnel_host.encode("idna")),
-             self._tunnel_port,
-             self._http_vsn_str.encode("ascii"))
-         headers = [connect]
-         for header, value in self._tunnel_headers.items():
-            headers.append(f"{header}: {value}\r\n".encode("latin-1"))
-+            header_bytes = header.encode("latin-1")
-+            value_bytes = value.encode("latin-1")
-+            if not _is_legal_header_name(header_bytes):
-+                raise ValueError('Invalid header name %r' % (header_bytes,))
-+            if _is_illegal_header_value(value_bytes):
-+                raise ValueError('Invalid header value %r' % (value_bytes,))
-+            headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
-         headers.append(b"\r\n")
-         # Making a single send() call instead of one per line encourages
-         # the host OS to use a more optimal packet size instead of
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index bcb828edec..6f3eac6b98 100644
--- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -369,6 +369,51 @@ def test_invalid_headers(self):
-                 with self.assertRaisesRegex(ValueError, 'Invalid header'):
-                     conn.putheader(name, value)
- 
-+    def test_invalid_tunnel_headers(self):
-+        cases = (
-+            ('Invalid\r\nName', 'ValidValue'),
-+            ('Invalid\rName', 'ValidValue'),
-+            ('Invalid\nName', 'ValidValue'),
-+            ('\r\nInvalidName', 'ValidValue'),
-+            ('\rInvalidName', 'ValidValue'),
-+            ('\nInvalidName', 'ValidValue'),
-+            (' InvalidName', 'ValidValue'),
-+            ('\tInvalidName', 'ValidValue'),
-+            ('Invalid:Name', 'ValidValue'),
-+            (':InvalidName', 'ValidValue'),
-+            ('ValidName', 'Invalid\r\nValue'),
-+            ('ValidName', 'Invalid\rValue'),
-+            ('ValidName', 'Invalid\nValue'),
-+            ('ValidName', 'InvalidValue\r\n'),
-+            ('ValidName', 'InvalidValue\r'),
-+            ('ValidName', 'InvalidValue\n'),
-+        )
-+        for name, value in cases:
-+            with self.subTest((name, value)):
-+                conn = client.HTTPConnection('example.com')
-+                conn.set_tunnel('tunnel', headers={
-+                    name: value
-+                })
-+                conn.sock = FakeSocket('')
-+                with self.assertRaisesRegex(ValueError, 'Invalid header'):
-+                    conn._tunnel()  # Called in .connect()
-+
-+    def test_invalid_tunnel_host(self):
-+        cases = (
-+            'invalid\r.host',
-+            '\ninvalid.host',
-+            'invalid.host\r\n',
-+            'invalid.host\x00',
-+            'invalid host',
-+        )
-+        for tunnel_host in cases:
-+            with self.subTest(tunnel_host):
-+                conn = client.HTTPConnection('example.com')
-+                conn.set_tunnel(tunnel_host)
-+                conn.sock = FakeSocket('')
-+                with self.assertRaisesRegex(ValueError, 'Tunnel host can\'t contain control characters'):
-+                    conn._tunnel()  # Called in .connect()
-+
-     def test_headers_debuglevel(self):
-         body = (
-             b'HTTP/1.1 200 OK\r\n'
-diff --git a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
-new file mode 100644
-index 0000000000..4993633b8e
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
-@@ -0,0 +1,2 @@
-+Reject CR/LF characters in tunnel request headers for the
-+HTTPConnection.set_tunnel() method.
--- a/00480-cve-2026-4786.patch
+++ b/00480-cve-2026-4786.patch
@ -1,64 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stan Ulbrych <stan@python.org>
-Date: Mon, 13 Apr 2026 20:02:52 +0100
-Subject: 00480: CVE-2026-4786
-
-Fix webbrowser `%action` substitution bypass of dash-prefix check
---
- Lib/test/test_webbrowser.py                              | 9 +++++++++
- Lib/webbrowser.py                                        | 5 +++--
- .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst       | 2 ++
- 3 files changed, 14 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
-
-diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
-index 404b3a31a5..bfbcf112b0 100644
--- a/Lib/test/test_webbrowser.py
-+++ b/Lib/test/test_webbrowser.py
-@@ -119,6 +119,15 @@ def test_open_bad_new_parameter(self):
-                        arguments=[URL],
-                        kw=dict(new=999))
- 
-+    def test_reject_action_dash_prefixes(self):
-+        browser = self.browser_class(name=CMD_NAME)
-+        with self.assertRaises(ValueError):
-+            browser.open('%action--incognito')
-+        # new=1: action is "--new-window", so "%action" itself expands to
-+        # a dash-prefixed flag even with no dash in the original URL.
-+        with self.assertRaises(ValueError):
-+            browser.open('%action', new=1)
-+
- 
- class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
- 
-diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
-index 0e0b5034e5..97aad6eea5 100644
--- a/Lib/webbrowser.py
-+++ b/Lib/webbrowser.py
-@@ -274,7 +274,6 @@ def _invoke(self, args, remote, autoraise, url=None):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-        self._check_url(url)
-         if new == 0:
-             action = self.remote_action
-         elif new == 1:
-@@ -288,7 +287,9 @@ def open(self, url, new=0, autoraise=True):
-             raise Error("Bad 'new' parameter to open(); "
-                         f"expected 0, 1, or 2, got {new}")
- 
-        args = [arg.replace("%s", url).replace("%action", action)
-+        self._check_url(url.replace("%action", action))
-+
-+        args = [arg.replace("%action", action).replace("%s", url)
-                 for arg in self.remote_args]
-         args = [arg for arg in args if arg]
-         success = self._invoke(args, True, autoraise, url)
-diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
-new file mode 100644
-index 0000000000..45cdeebe1b
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
-@@ -0,0 +1,2 @@
-+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-+the dash-prefix safety check.
--- a/00482-cve-2026-6100.patch
+++ b/00482-cve-2026-6100.patch
@ -1,64 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 13 Apr 2026 03:40:54 +0200
-Subject: 00482: CVE-2026-6100
-
-Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
-
-Co-authored-by: Stan Ulbrych <stan@python.org>
---
- .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
- Modules/_bz2module.c                                         | 1 +
- Modules/_lzmamodule.c                                        | 1 +
- Modules/zlibmodule.c                                         | 1 +
- 4 files changed, 8 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
-
-diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
-new file mode 100644
-index 0000000000..9502189ab1
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
-@@ -0,0 +1,5 @@
-+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-+:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-+when memory allocation fails with :exc:`MemoryError`, which could let a
-+subsequent :meth:`!decompress` call read or write through a stale pointer to
-+the already-released caller buffer.
-diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
-index 9e85e0de42..055ce82e7d 100644
--- a/Modules/_bz2module.c
-+++ b/Modules/_bz2module.c
-@@ -593,6 +593,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
-     return result;
- 
- error:
-+    bzs->next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
-diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
-index 462c2181fa..6785dc5673 100644
--- a/Modules/_lzmamodule.c
-+++ b/Modules/_lzmamodule.c
-@@ -1120,6 +1120,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
-     return result;
- 
- error:
-+    lzs->next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
-diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
-index 5b6b0c5cac..a86aa5fdbb 100644
--- a/Modules/zlibmodule.c
-+++ b/Modules/zlibmodule.c
-@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
-     return result;
- 
- error:
-+    self->zst.next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
--- a/python3.14.spec
+++ b/python3.14.spec
@ -45,11 +45,11 @@ URL: https://www.python.org/

 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.4
-#global prerel ...
+%global general_version %{pybasever}.5
+%global prerel rc1
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: Python-2.0.1


@ -109,31 +109,30 @@ License: Python-2.0.1
 # This needs to be manually updated when we update Python.
 # Explore the sources tarball (you need the version before %%prep is executed):
 #  $ tar -tf Python-%%{upstream_version}.tar.xz | grep whl
-%global pip_version 26.0.1
+%global pip_version 26.1
 %global setuptools_version 79.0.1
 # All of those also include a list of indirect bundled libs:
 # pip
 #  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
 %global pip_bundled_provides %{expand:
 Provides: bundled(python3dist(cachecontrol)) = 0.14.4
-Provides: bundled(python3dist(certifi)) = 2026.1.4
-Provides: bundled(python3dist(dependency-groups)) = 1.3.1
+Provides: bundled(python3dist(certifi)) = 2026.2.25
 Provides: bundled(python3dist(distlib)) = 0.4
 Provides: bundled(python3dist(distro)) = 1.9
 Provides: bundled(python3dist(idna)) = 3.11
 Provides: bundled(python3dist(msgpack)) = 1.1.2
-Provides: bundled(python3dist(packaging)) = 26
+Provides: bundled(python3dist(packaging)) = 26.2
 Provides: bundled(python3dist(platformdirs)) = 4.5.1
 Provides: bundled(python3dist(pygments)) = 2.19.2
 Provides: bundled(python3dist(pyproject-hooks)) = 1.2
-Provides: bundled(python3dist(requests)) = 2.32.5
+Provides: bundled(python3dist(requests)) = 2.33.1
 Provides: bundled(python3dist(resolvelib)) = 1.2.1
 Provides: bundled(python3dist(rich)) = 14.2
 Provides: bundled(python3dist(setuptools)) = 70.3
-Provides: bundled(python3dist(tomli)) = 2.3
+Provides: bundled(python3dist(tomli)) = 2.3.1
 Provides: bundled(python3dist(tomli-w)) = 1.2
 Provides: bundled(python3dist(truststore)) = 0.10.4
-Provides: bundled(python3dist(urllib3)) = 1.26.20
+Provides: bundled(python3dist(urllib3)) = 2.6.3
 }
 # setuptools
 # vendor.txt not in .whl
@ -435,30 +434,12 @@ Patch475: 00475-cve-2025-15367.patch
 # direct call to the check function.
 Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch

-# 00479 # 97404b2cf62e545c2d41be7ccfed4e74da9ee665
-# CVE-2026-1502
-#
-# Reject CR/LF in HTTP tunnel request headers
-Patch479: 00479-cve-2026-1502.patch
-
-# 00480 # 858691f36890b33e713f330d24c6670329695c2e
-# CVE-2026-4786
-#
-# Fix webbrowser `%%action` substitution bypass of dash-prefix check
-Patch480: 00480-cve-2026-4786.patch
-
 # 00481 # 4c1fd39918651c4559a4835d42b86639a192c2c5
 # CVE-2026-5713
 #
 # Validate remote debug offset tables on load
 Patch481: 00481-cve-2026-5713.patch

-# 00482 # 69f14bc306fc62400d45565faa980b77858b9151
-# CVE-2026-6100
-#
-# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
-Patch482: 00482-cve-2026-6100.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1981,6 +1962,12 @@ CheckPython freethreading
 # ======================================================

 %changelog
+* Tue Jun 09 2026 Miro Hrončok <mhroncok@redhat.com> - 3.14.5~rc1-1
+- Update to 3.14.5rc1
+- Move back to the generational from the incremental garbage collector
+- Security fix for CVE-2026-6019
+Resolves: RHEL-180642
+
 * Mon Jun 01 2026 Lukáš Zachar <lzachar@redhat.com> - 3.14.4-3
 - Depend on sqlite-libs with (de)serialize API
 Resolves: RHEL-180476
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (Python-3.14.4.tar.xz) = 89a7f8b8a31f48d150badb4751df137d47d9014c9c422649a1a55aef5618aa7f0259dd18c151e6804fa8312c6a21544332a9f630ee81150dc00505637e62bb8c
+SHA512 (Python-3.14.5rc1.tar.xz) = 67ede84d59046e3b413643449a7eced8cefcd908238b8a34d2ac38507d967201695c62c22464f1bfd51669daf306995262279c7bbfc5a25998ed867a3d743b38