Update to Python 3.14.3

Security fixes for:
CVE-2025-11468
CVE-2026-0672
CVE-2026-0865
CVE-2025-15282
CVE-2026-1299
CVE-2025-11468

Resolves: RHEL-144855
Karolina Surma 2026-02-09 10:10:12 +01:00 committed by Charalampos Stratakis
parent 07030f6d26
commit 44d0677443
5 changed files with 185 additions and 11 deletions


@ -41,7 +41,7 @@ index 5c10bcedc6..1fd7a273b5 100644
result = BytesIO()
xmlgen = XMLGenerator(result)
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
index 25c084c8b9..e26e6e0c26 100644
index 0b343cc4bb..145ecacd21 100644
--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
@@ -1573,9 +1573,13 @@ def test_simple_xml(self, chunk_size=None, flush=False):


@ -0,0 +1,156 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Fri, 6 Feb 2026 10:51:02 +0100
Subject: 00477: Raise an error when importing stdlib modules compiled for a
different Python version
This is a downstream workaround "implementing"
https://github.com/python/cpython/pull/137212 -
the mechanism for the check exists in Python 3.15+, where it needs to be
added to the standard library modules.
In Fedora, we need it also in previous Python versions, as we experience
segmentation fault when importing stdlib modules after update while
Python is running.
_tkinter, _tracemalloc and readline are not calling PyModuleDef_Init,
which is modified with this patch, hence they need a
direct call to the check function.
Co-Authored-By: Karolina Surma <ksurma@redhat.com>
---
Include/moduleobject.h | 43 ++++++++++++++++++++++++++++++++++++++++++
Makefile.pre.in | 3 +++
Modules/_tkinter.c | 6 ++++++
Modules/_tracemalloc.c | 6 ++++++
Modules/readline.c | 6 ++++++
Objects/moduleobject.c | 1 +
6 files changed, 65 insertions(+)
diff --git a/Include/moduleobject.h b/Include/moduleobject.h
index 2a17c891dd..64017c666c 100644
--- a/Include/moduleobject.h
+++ b/Include/moduleobject.h
@@ -116,6 +116,49 @@ struct PyModuleDef {
freefunc m_free;
};
+#if defined(_PyHack_check_version_on_modinit) && defined(Py_BUILD_CORE)
+/* The mechanism for the check has been implemented on Python 3.15+:
+ * https://github.com/python/cpython/pull/137212.
+ * In Fedora, we need this in older Pythons too:
+ * if somebody attempts to import a module compiled for a different Python version,
+ * instead of segmentation fault a meaningful error is raised.
+ */
+PyAPI_DATA(const unsigned long) Py_Version;
+
+static inline int
+_PyHack_CheckInternalAPIVersion(const char *mod_name)
+{
+ if (PY_VERSION_HEX != Py_Version) {
+ PyErr_Format(
+ PyExc_ImportError,
+ "internal Python C API version mismatch: "
+ "module %s compiled with %lu.%lu.%lu; "
+ "runtime version is %lu.%lu.%lu",
+ mod_name,
+ (const unsigned long)((PY_VERSION_HEX >> 24) & 0xFF),
+ (const unsigned long)((PY_VERSION_HEX >> 16) & 0xFF),
+ (const unsigned long)((PY_VERSION_HEX >> 8) & 0xFF),
+ (const unsigned long)((Py_Version >> 24) & 0xFF),
+ (const unsigned long)((Py_Version >> 16) & 0xFF),
+ (const unsigned long)((Py_Version >> 8) & 0xFF)
+ );
+ return -1;
+ }
+ return 0;
+}
+
+static inline PyObject *
+PyModuleDef_Init_with_check(PyModuleDef *def)
+{
+ if (_PyHack_CheckInternalAPIVersion(def->m_name) < 0) {
+ return NULL;
+ }
+ return PyModuleDef_Init(def);
+}
+
+#define PyModuleDef_Init PyModuleDef_Init_with_check
+#endif
+
#ifdef __cplusplus
}
#endif
diff --git a/Makefile.pre.in b/Makefile.pre.in
index 38a355a23f..67c19c329e 100644
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -3415,3 +3415,6 @@ MODULE__MULTIBYTECODEC_DEPS=$(srcdir)/Modules/cjkcodecs/multibytecodec.h
# Local Variables:
# mode: makefile
# End:
+
+# Fedora-specific, downstream only
+PY_STDMODULE_CFLAGS += -D_PyHack_check_version_on_modinit=1
diff --git a/Modules/_tkinter.c b/Modules/_tkinter.c
index 2216de509e..a640496f7f 100644
--- a/Modules/_tkinter.c
+++ b/Modules/_tkinter.c
@@ -3489,6 +3489,12 @@ static struct PyModuleDef _tkintermodule = {
PyMODINIT_FUNC
PyInit__tkinter(void)
{
+ #ifdef _PyHack_check_version_on_modinit
+ if (_PyHack_CheckInternalAPIVersion("_tkinter") < 0) {
+ return NULL;
+ }
+ #endif
+
PyObject *m, *uexe, *cexe;
tcl_lock = PyThread_allocate_lock();
diff --git a/Modules/_tracemalloc.c b/Modules/_tracemalloc.c
index be71fc9fc9..67922098b2 100644
--- a/Modules/_tracemalloc.c
+++ b/Modules/_tracemalloc.c
@@ -215,6 +215,12 @@ static struct PyModuleDef module_def = {
PyMODINIT_FUNC
PyInit__tracemalloc(void)
{
+ #ifdef _PyHack_check_version_on_modinit
+ if (_PyHack_CheckInternalAPIVersion("_tracemalloc") < 0) {
+ return NULL;
+ }
+ #endif
+
PyObject *mod = PyModule_Create(&module_def);
if (mod == NULL) {
return NULL;
diff --git a/Modules/readline.c b/Modules/readline.c
index 8475846eef..b3f5eb3a1f 100644
--- a/Modules/readline.c
+++ b/Modules/readline.c
@@ -1604,6 +1604,12 @@ static struct PyModuleDef readlinemodule = {
PyMODINIT_FUNC
PyInit_readline(void)
{
+ #ifdef _PyHack_check_version_on_modinit
+ if (_PyHack_CheckInternalAPIVersion("readline") < 0) {
+ return NULL;
+ }
+ #endif
+
const char *backend = "readline";
PyObject *m;
readlinestate *mod_state;
diff --git a/Objects/moduleobject.c b/Objects/moduleobject.c
index b68584b5dd..cbf95dc92a 100644
--- a/Objects/moduleobject.c
+++ b/Objects/moduleobject.c
@@ -50,6 +50,7 @@ _PyModule_IsExtension(PyObject *obj)
}
+#undef PyModuleDef_Init
PyObject*
PyModuleDef_Init(PyModuleDef* def)
{
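Review bot: In `_PyHack_CheckInternalAPIVersion` (Include/moduleobject.h) the guard compares the full `PY_VERSION_HEX` with `Py_Version`, but the ImportError text prints only the major, minor and micro bytes, so a mismatch confined to the release-level/serial byte would report the same version on both sides. Printing the raw values as well keeps the message diagnosable, for example ending the format with `"runtime version is %lu.%lu.%lu (0x%lx vs 0x%lx)"` and passing `(unsigned long)PY_VERSION_HEX, Py_Version` as the last two arguments. The `(const unsigned long)` casts can be plain `(unsigned long)`, since `const` on a cast has no effect. The helper is declared only when `Py_BUILD_CORE` is also defined, while the direct callers in `PyInit__tkinter`, `PyInit__tracemalloc` and `PyInit_readline` test only `_PyHack_check_version_on_modinit`, so I would add a comment at each call site such as `/* requires Py_BUILD_CORE; see Include/moduleobject.h */`. The bodies of those three init functions and of `PyModuleDef_Init` continue outside the hunks shown.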


@ -24,15 +24,14 @@ discover:
test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} CYTHON=true ./venv.sh"
- name: selftest
path: /selftest
test: "VERSION=${pybasever} X='-i test_check_probes -i test_margin_is_sufficient' ./parallel.sh"
test: "VERSION=${pybasever} X='-i test_check_probes' ./parallel.sh"
- name: debugtest
path: /selftest
# test_base_interpreter: https://github.com/python/cpython/issues/131372
# test_margin_is_sufficient: https://github.com/python/cpython/issues/140222
test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes -i test_base_interpreter -i test_margin_is_sufficient' ./parallel.sh"
test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes -i test_base_interpreter' ./parallel.sh"
- name: freethreadingtest
path: /selftest
test: "VERSION=${pybasever}t X='-i test_check_probes -i test_base_interpreter -i test_margin_is_sufficient' ./parallel.sh"
test: "VERSION=${pybasever}t X='-i test_check_probes -i test_base_interpreter' ./parallel.sh"
- name: optimizedflags
path: /flags
test: "python${pybasever} ./assertflags.py -O3 CFLAGS PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS PY_CORE_CFLAGS PY_CFLAGS_NODIST PY_STDMODULE_CFLAGS"


@ -45,11 +45,11 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
%global general_version %{pybasever}.2
%global general_version %{pybasever}.3
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 3%{?dist}
Release: 1%{?dist}
License: Python-2.0.1
@ -410,6 +410,22 @@ Patch464: 00464-enable-pac-and-bti-protections-for-aarch64.patch
# which is tested as working.
Patch466: 00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch
# 00477 # f9f53e560d161531a0c3476c08ee26b89a628bde
# Raise an error when importing stdlib modules compiled for a different Python version
#
# This is a downstream workaround "implementing"
# https://github.com/python/cpython/pull/137212 -
# the mechanism for the check exists in Python 3.15+, where it needs to be
# added to the standard library modules.
# In Fedora, we need it also in previous Python versions, as we experience
# segmentation fault when importing stdlib modules after update while
# Python is running.
#
# _tkinter, _tracemalloc and readline are not calling PyModuleDef_Init,
# which is modified with this patch, hence they need a
# direct call to the check function.
Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1455,8 +1471,6 @@ CheckPython() {
# test_check_probes is failing since it was introduced in 3.12.0rc1,
# the test is skipped until it is fixed in upstream.
# see: https://github.com/python/cpython/issues/104280#issuecomment-1669249980
# test_margin_is_sufficient
# reported in https://github.com/python/cpython/issues/140222
LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \
-wW --slowest %{_smp_mflags} \
%ifarch riscv64
@ -1465,7 +1479,6 @@ CheckPython() {
--timeout=2700 \
%endif
-i test_check_probes \
-i test_margin_is_sufficient \
echo FINISHED: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName
@ -1950,6 +1963,12 @@ CheckPython freethreading
# ======================================================
%changelog
* Wed Feb 04 2026 Karolina Surma <ksurma@redhat.com> - 3.14.3-1
- Update to Python 3.14.3
- Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865,
CVE-2025-15282, CVE-2026-1299, CVE-2025-11468
Resolves: RHEL-144855
* Mon Jan 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.14.2-3
- Support OpenSSL FIPS mode
- Disable the builtin hashlib hashes except blake2
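Review bot: The new `%changelog` entry for 3.14.3-1 lists CVE-2025-11468 twice, as the first and the last identifier, and the commit message repeats the same list. Either the duplicate should be dropped or, if a sixth identifier was intended, it should replace the second occurrence; from this page alone it is not possible to tell which. Changelog CVE lists are commonly used to confirm that a build carries a fix, so the list should be exact. The separators could be normalised at the same time, e.g. `CVE-2026-0672, CVE-2026-0865,`, as the space after the second comma is missing.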


@ -1 +1 @@
SHA512 (Python-3.14.2.tar.xz) = 165256b4c713e0262767cd7a2c65622f3f086423524646a39bfa64912376be9e5b70863d5a3c95224b516152d0b79e7ccbfe2f2cf35b809d132f2c38ebb3ab3b
SHA512 (Python-3.14.3.tar.xz) = 9fd875f7a1d96d64e7150913ef38b72b0aeecfcbc24ba46967e57b6495146b0cba6b940c273561fc4d656b6d0ce2e23ffb7bd32bcd0b61fd59a6d90585998c07