Update to Python 3.14.4

Security fixes for CVE-2026-2297, CVE-2026-3644, CVE-2026-4224, CVE-2026-0865 Related: RHEL-168121, RHEL-167887
2026-04-08 13:03:09 +02:00 · 2026-04-08 13:03:09 +02:00 · c6da41e848
commit c6da41e848
parent 2dad57ee32
6 changed files with 23 additions and 139 deletions
--- a/00251-change-user-install-location.patch
+++ b/00251-change-user-install-location.patch
@ -51,7 +51,7 @@ index aeb7c6cfc7..86f9ae9e76 100644
         if os.path.isdir(sitedir):
             addsitedir(sitedir, known_paths)
 diff --git a/Lib/sysconfig/__init__.py b/Lib/sysconfig/__init__.py
-index 2ecbff222f..7211773bad 100644
+index faf8273bd0..d7667bbc77 100644
 --- a/Lib/sysconfig/__init__.py
 +++ b/Lib/sysconfig/__init__.py
@@ -106,6 +106,12 @@
@ -130,7 +130,7 @@ index 2ecbff222f..7211773bad 100644
         # On Windows we want to substitute 'lib' for schemes rather
         # than the native value (without modifying vars, in case it
 diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
-index 09eff11179..c227815ebd 100644
+index 1fe4b6849f..e0cb3ec23a 100644
 --- a/Lib/test/test_sysconfig.py
 +++ b/Lib/test/test_sysconfig.py
@@ -132,8 +132,19 @@ def test_get_path(self):
@ -154,7 +154,7 @@ index 09eff11179..c227815ebd 100644
                     os.path.normpath(expected),
                 )
 
-@@ -395,7 +406,7 @@ def test_get_config_h_filename(self):
+@@ -397,7 +408,7 @@ def test_get_config_h_filename(self):
         self.assertTrue(os.path.isfile(config_h), config_h)
 
     def test_get_scheme_names(self):
@ -163,7 +163,7 @@ index 09eff11179..c227815ebd 100644
         if HAS_USER_BASE:
             wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
         self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -407,6 +418,8 @@ def test_symlink(self): # Issue 7880
+@@ -409,6 +420,8 @@ def test_symlink(self): # Issue 7880
             cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
             self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
 
--- a/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch
+++ b/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch
@ -15,10 +15,10 @@ which is tested as working.
 3 files changed, 10 insertions(+)

 diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
-index daeaa38a3c..b243f1da14 100644
+index 465f65a03b..3379ab8aa9 100644
 --- a/Lib/test/test_pyexpat.py
 +++ b/Lib/test/test_pyexpat.py
-@@ -847,6 +847,8 @@ def start_element(name, _):
+@@ -905,6 +905,8 @@ def start_element(name, _):
 
         self.assertEqual(started, ['doc'])
 
--- a/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
+++ b/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
@ -81,7 +81,7 @@ index 2a17c891dd..64017c666c 100644
 }
 #endif
 diff --git a/Makefile.pre.in b/Makefile.pre.in
-index 38a355a23f..67c19c329e 100644
+index 80a1b590c2..f28f562930 100644
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
@@ -3415,3 +3415,6 @@ MODULE__MULTIBYTECODEC_DEPS=$(srcdir)/Modules/cjkcodecs/multibytecodec.h
--- a/00478-cve-2026-4519.patch
+++ b/00478-cve-2026-4519.patch
@ -1,114 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 24 Mar 2026 00:16:27 +0100
-Subject: 00478: CVE-2026-4519
-
-Reject leading dashes in webbrowser URLs (GH-146214)
-
-(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
---
- Lib/test/test_webbrowser.py                         |  5 +++++
- Lib/webbrowser.py                                   | 13 +++++++++++++
- .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst  |  1 +
- 3 files changed, 19 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-
-diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
-index 4c3ea1cd8d..22e9d7493a 100644
--- a/Lib/test/test_webbrowser.py
-+++ b/Lib/test/test_webbrowser.py
-@@ -67,6 +67,11 @@ def test_open(self):
-                    options=[],
-                    arguments=[URL])
- 
-+    def test_reject_dash_prefixes(self):
-+        browser = self.browser_class(name=CMD_NAME)
-+        with self.assertRaises(ValueError):
-+            browser.open(f"--key=val {URL}")
-+
- 
- class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
- 
-diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
-index f2e2394089..9ead2990e8 100644
--- a/Lib/webbrowser.py
-+++ b/Lib/webbrowser.py
-@@ -163,6 +163,12 @@ def open_new(self, url):
-     def open_new_tab(self, url):
-         return self.open(url, 2)
- 
-+    @staticmethod
-+    def _check_url(url):
-+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
-+        if url and url.lstrip().startswith("-"):
-+            raise ValueError(f"Invalid URL: {url}")
-+
- 
- class GenericBrowser(BaseBrowser):
-     """Class for all browsers started with a command
-@@ -180,6 +186,7 @@ def __init__(self, name):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         cmdline = [self.name] + [arg.replace("%s", url)
-                                  for arg in self.args]
-         try:
-@@ -200,6 +207,7 @@ def open(self, url, new=0, autoraise=True):
-         cmdline = [self.name] + [arg.replace("%s", url)
-                                  for arg in self.args]
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         try:
-             if sys.platform[:3] == 'win':
-                 p = subprocess.Popen(cmdline)
-@@ -266,6 +274,7 @@ def _invoke(self, args, remote, autoraise, url=None):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         if new == 0:
-             action = self.remote_action
-         elif new == 1:
-@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         # XXX Currently I know no way to prevent KFM from opening a new win.
-         if new == 2:
-             action = "newTab"
-@@ -588,6 +598,7 @@ def register_standard_browsers():
-     class WindowsDefault(BaseBrowser):
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             try:
-                 os.startfile(url)
-             except OSError:
-@@ -608,6 +619,7 @@ def __init__(self, name='default'):
- 
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             url = url.replace('"', '%22')
-             if self.name == 'default':
-                 proto, _sep, _rest = url.partition(":")
-@@ -664,6 +676,7 @@ def open(self, url, new=0, autoraise=True):
-     class IOSBrowser(BaseBrowser):
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             # If ctypes isn't available, we can't open a browser
-             if objc is None:
-                 return False
-diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-new file mode 100644
-index 0000000000..0f27eae99a
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-@@ -0,0 +1 @@
-+Reject leading dashes in URLs passed to :func:`webbrowser.open`
--- a/python3.14.spec
+++ b/python3.14.spec
@ -45,11 +45,11 @@ URL: https://www.python.org/

 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.3
+%global general_version %{pybasever}.4
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: Python-2.0.1


@ -109,21 +109,21 @@ License: Python-2.0.1
 # This needs to be manually updated when we update Python.
 # Explore the sources tarball (you need the version before %%prep is executed):
 #  $ tar -tf Python-%%{upstream_version}.tar.xz | grep whl
-%global pip_version 25.3
+%global pip_version 26.0.1
 %global setuptools_version 79.0.1
 # All of those also include a list of indirect bundled libs:
 # pip
 #  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
 %global pip_bundled_provides %{expand:
-Provides: bundled(python3dist(cachecontrol)) = 0.14.3
-Provides: bundled(python3dist(certifi)) = 2025.10.5
+Provides: bundled(python3dist(cachecontrol)) = 0.14.4
+Provides: bundled(python3dist(certifi)) = 2026.1.4
 Provides: bundled(python3dist(dependency-groups)) = 1.3.1
 Provides: bundled(python3dist(distlib)) = 0.4
 Provides: bundled(python3dist(distro)) = 1.9
-Provides: bundled(python3dist(idna)) = 3.10
+Provides: bundled(python3dist(idna)) = 3.11
 Provides: bundled(python3dist(msgpack)) = 1.1.2
-Provides: bundled(python3dist(packaging)) = 25
-Provides: bundled(python3dist(platformdirs)) = 4.5
+Provides: bundled(python3dist(packaging)) = 26
+Provides: bundled(python3dist(platformdirs)) = 4.5.1
 Provides: bundled(python3dist(pygments)) = 2.19.2
 Provides: bundled(python3dist(pyproject-hooks)) = 1.2
 Provides: bundled(python3dist(requests)) = 2.32.5
@ -438,12 +438,6 @@ Patch475: 00475-cve-2025-15367.patch
 # direct call to the check function.
 Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch

-# 00478 # d9d794656850591a4e6aeddcf853505aeea08028
-# CVE-2026-4519
-#
-# Reject leading dashes in webbrowser URLs (GH-146214)
-Patch478: 00478-cve-2026-4519.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1981,15 +1975,19 @@ CheckPython freethreading
 # ======================================================

 %changelog
+* Wed Apr 08 2026 Karolina Surma <ksurma@redhat.com> - 3.14.4-1
+- Update to Python 3.14.4
+- Security fixes for CVE-2026-2297, CVE-2026-3644, CVE-2026-4224, CVE-2026-0865
+Related: RHEL-168121, RHEL-167887
+
 * Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.14.3-2
 - Security fix for CVE-2026-4519
 Resolves: RHEL-158114

 * Wed Feb 04 2026 Karolina Surma <ksurma@redhat.com> - 3.14.3-1
 - Update to Python 3.14.3
- Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865,
-CVE-2025-15282, CVE-2026-1299, CVE-2025-11468, CVE-2025-15366,
-CVE-2025-15367
+- Security fixes for CVE-2025-11468, CVE-2026-0672, CVE-2026-0865,
+CVE-2025-15282, CVE-2026-1299, CVE-2025-15366, CVE-2025-15367
 Resolves: RHEL-144855, RHEL-143058, RHEL-143111

 * Mon Jan 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.14.2-3
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (Python-3.14.3.tar.xz) = 9fd875f7a1d96d64e7150913ef38b72b0aeecfcbc24ba46967e57b6495146b0cba6b940c273561fc4d656b6d0ce2e23ffb7bd32bcd0b61fd59a6d90585998c07
+SHA512 (Python-3.14.4.tar.xz) = 89a7f8b8a31f48d150badb4751df137d47d9014c9c422649a1a55aef5618aa7f0259dd18c151e6804fa8312c6a21544332a9f630ee81150dc00505637e62bb8c