From c6da41e8486f595557d06b74ce87f3b4617d94cc Mon Sep 17 00:00:00 2001 From: Karolina Surma Date: Wed, 8 Apr 2026 13:03:09 +0200 Subject: [PATCH] Update to Python 3.14.4 Security fixes for CVE-2026-2297, CVE-2026-3644, CVE-2026-4224, CVE-2026-0865 Related: RHEL-168121, RHEL-167887 --- 00251-change-user-install-location.patch | 8 +- ...not-working-with-older-expat-version.patch | 4 +- ...piled-for-a-different-python-version.patch | 2 +- 00478-cve-2026-4519.patch | 114 ------------------ python3.14.spec | 32 +++-- sources | 2 +- 6 files changed, 23 insertions(+), 139 deletions(-) delete mode 100644 00478-cve-2026-4519.patch diff --git a/00251-change-user-install-location.patch b/00251-change-user-install-location.patch index 41995c3..b35197d 100644 --- a/00251-change-user-install-location.patch +++ b/00251-change-user-install-location.patch @@ -51,7 +51,7 @@ index aeb7c6cfc7..86f9ae9e76 100644 if os.path.isdir(sitedir): addsitedir(sitedir, known_paths) diff --git a/Lib/sysconfig/__init__.py b/Lib/sysconfig/__init__.py -index 2ecbff222f..7211773bad 100644 +index faf8273bd0..d7667bbc77 100644 --- a/Lib/sysconfig/__init__.py +++ b/Lib/sysconfig/__init__.py @@ -106,6 +106,12 @@ @@ -130,7 +130,7 @@ index 2ecbff222f..7211773bad 100644 # On Windows we want to substitute 'lib' for schemes rather # than the native value (without modifying vars, in case it diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py -index 09eff11179..c227815ebd 100644 +index 1fe4b6849f..e0cb3ec23a 100644 --- a/Lib/test/test_sysconfig.py +++ b/Lib/test/test_sysconfig.py @@ -132,8 +132,19 @@ def test_get_path(self): @@ -154,7 +154,7 @@ index 09eff11179..c227815ebd 100644 os.path.normpath(expected), ) -@@ -395,7 +406,7 @@ def test_get_config_h_filename(self): +@@ -397,7 +408,7 @@ def test_get_config_h_filename(self): self.assertTrue(os.path.isfile(config_h), config_h) def test_get_scheme_names(self): @@ -163,7 +163,7 @@ index 09eff11179..c227815ebd 100644 if HAS_USER_BASE: wanted.extend(['nt_user', 'osx_framework_user', 'posix_user']) self.assertEqual(get_scheme_names(), tuple(sorted(wanted))) -@@ -407,6 +418,8 @@ def test_symlink(self): # Issue 7880 +@@ -409,6 +420,8 @@ def test_symlink(self): # Issue 7880 cmd = "-c", "import sysconfig; print(sysconfig.get_platform())" self.assertEqual(py.call_real(*cmd), py.call_link(*cmd)) diff --git a/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch b/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch index 92c451e..ce1c39d 100644 --- a/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch +++ b/00466-downstream-only-skip-tests-not-working-with-older-expat-version.patch @@ -15,10 +15,10 @@ which is tested as working. 3 files changed, 10 insertions(+) diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py -index daeaa38a3c..b243f1da14 100644 +index 465f65a03b..3379ab8aa9 100644 --- a/Lib/test/test_pyexpat.py +++ b/Lib/test/test_pyexpat.py -@@ -847,6 +847,8 @@ def start_element(name, _): +@@ -905,6 +905,8 @@ def start_element(name, _): self.assertEqual(started, ['doc']) diff --git a/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch b/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch index 808dac8..5fd303c 100644 --- a/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch +++ b/00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch @@ -81,7 +81,7 @@ index 2a17c891dd..64017c666c 100644 } #endif diff --git a/Makefile.pre.in b/Makefile.pre.in -index 38a355a23f..67c19c329e 100644 +index 80a1b590c2..f28f562930 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -3415,3 +3415,6 @@ MODULE__MULTIBYTECODEC_DEPS=$(srcdir)/Modules/cjkcodecs/multibytecodec.h diff --git a/00478-cve-2026-4519.patch b/00478-cve-2026-4519.patch deleted file mode 100644 index ca5603c..0000000 --- a/00478-cve-2026-4519.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Tue, 24 Mar 2026 00:16:27 +0100 -Subject: 00478: CVE-2026-4519 - -Reject leading dashes in webbrowser URLs (GH-146214) - -(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) - -Co-authored-by: Seth Michael Larson ---- - Lib/test/test_webbrowser.py | 5 +++++ - Lib/webbrowser.py | 13 +++++++++++++ - .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 + - 3 files changed, 19 insertions(+) - create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst - -diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py -index 4c3ea1cd8d..22e9d7493a 100644 ---- a/Lib/test/test_webbrowser.py -+++ b/Lib/test/test_webbrowser.py -@@ -67,6 +67,11 @@ def test_open(self): - options=[], - arguments=[URL]) - -+ def test_reject_dash_prefixes(self): -+ browser = self.browser_class(name=CMD_NAME) -+ with self.assertRaises(ValueError): -+ browser.open(f"--key=val {URL}") -+ - - class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): - -diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py -index f2e2394089..9ead2990e8 100644 ---- a/Lib/webbrowser.py -+++ b/Lib/webbrowser.py -@@ -163,6 +163,12 @@ def open_new(self, url): - def open_new_tab(self, url): - return self.open(url, 2) - -+ @staticmethod -+ def _check_url(url): -+ """Ensures that the URL is safe to pass to subprocesses as a parameter""" -+ if url and url.lstrip().startswith("-"): -+ raise ValueError(f"Invalid URL: {url}") -+ - - class GenericBrowser(BaseBrowser): - """Class for all browsers started with a command -@@ -180,6 +186,7 @@ def __init__(self, name): - - def open(self, url, new=0, autoraise=True): - sys.audit("webbrowser.open", url) -+ self._check_url(url) - cmdline = [self.name] + [arg.replace("%s", url) - for arg in self.args] - try: -@@ -200,6 +207,7 @@ def open(self, url, new=0, autoraise=True): - cmdline = [self.name] + [arg.replace("%s", url) - for arg in self.args] - sys.audit("webbrowser.open", url) -+ self._check_url(url) - try: - if sys.platform[:3] == 'win': - p = subprocess.Popen(cmdline) -@@ -266,6 +274,7 @@ def _invoke(self, args, remote, autoraise, url=None): - - def open(self, url, new=0, autoraise=True): - sys.audit("webbrowser.open", url) -+ self._check_url(url) - if new == 0: - action = self.remote_action - elif new == 1: -@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser): - - def open(self, url, new=0, autoraise=True): - sys.audit("webbrowser.open", url) -+ self._check_url(url) - # XXX Currently I know no way to prevent KFM from opening a new win. - if new == 2: - action = "newTab" -@@ -588,6 +598,7 @@ def register_standard_browsers(): - class WindowsDefault(BaseBrowser): - def open(self, url, new=0, autoraise=True): - sys.audit("webbrowser.open", url) -+ self._check_url(url) - try: - os.startfile(url) - except OSError: -@@ -608,6 +619,7 @@ def __init__(self, name='default'): - - def open(self, url, new=0, autoraise=True): - sys.audit("webbrowser.open", url) -+ self._check_url(url) - url = url.replace('"', '%22') - if self.name == 'default': - proto, _sep, _rest = url.partition(":") -@@ -664,6 +676,7 @@ def open(self, url, new=0, autoraise=True): - class IOSBrowser(BaseBrowser): - def open(self, url, new=0, autoraise=True): - sys.audit("webbrowser.open", url) -+ self._check_url(url) - # If ctypes isn't available, we can't open a browser - if objc is None: - return False -diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst -new file mode 100644 -index 0000000000..0f27eae99a ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst -@@ -0,0 +1 @@ -+Reject leading dashes in URLs passed to :func:`webbrowser.open` diff --git a/python3.14.spec b/python3.14.spec index fb3d247..2958963 100644 --- a/python3.14.spec +++ b/python3.14.spec @@ -45,11 +45,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.3 +%global general_version %{pybasever}.4 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 1%{?dist} License: Python-2.0.1 @@ -109,21 +109,21 @@ License: Python-2.0.1 # This needs to be manually updated when we update Python. # Explore the sources tarball (you need the version before %%prep is executed): # $ tar -tf Python-%%{upstream_version}.tar.xz | grep whl -%global pip_version 25.3 +%global pip_version 26.0.1 %global setuptools_version 79.0.1 # All of those also include a list of indirect bundled libs: # pip # $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt) %global pip_bundled_provides %{expand: -Provides: bundled(python3dist(cachecontrol)) = 0.14.3 -Provides: bundled(python3dist(certifi)) = 2025.10.5 +Provides: bundled(python3dist(cachecontrol)) = 0.14.4 +Provides: bundled(python3dist(certifi)) = 2026.1.4 Provides: bundled(python3dist(dependency-groups)) = 1.3.1 Provides: bundled(python3dist(distlib)) = 0.4 Provides: bundled(python3dist(distro)) = 1.9 -Provides: bundled(python3dist(idna)) = 3.10 +Provides: bundled(python3dist(idna)) = 3.11 Provides: bundled(python3dist(msgpack)) = 1.1.2 -Provides: bundled(python3dist(packaging)) = 25 -Provides: bundled(python3dist(platformdirs)) = 4.5 +Provides: bundled(python3dist(packaging)) = 26 +Provides: bundled(python3dist(platformdirs)) = 4.5.1 Provides: bundled(python3dist(pygments)) = 2.19.2 Provides: bundled(python3dist(pyproject-hooks)) = 1.2 Provides: bundled(python3dist(requests)) = 2.32.5 @@ -438,12 +438,6 @@ Patch475: 00475-cve-2025-15367.patch # direct call to the check function. Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch -# 00478 # d9d794656850591a4e6aeddcf853505aeea08028 -# CVE-2026-4519 -# -# Reject leading dashes in webbrowser URLs (GH-146214) -Patch478: 00478-cve-2026-4519.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1981,15 +1975,19 @@ CheckPython freethreading # ====================================================== %changelog +* Wed Apr 08 2026 Karolina Surma - 3.14.4-1 +- Update to Python 3.14.4 +- Security fixes for CVE-2026-2297, CVE-2026-3644, CVE-2026-4224, CVE-2026-0865 +Related: RHEL-168121, RHEL-167887 + * Thu Mar 26 2026 Lumír Balhar - 3.14.3-2 - Security fix for CVE-2026-4519 Resolves: RHEL-158114 * Wed Feb 04 2026 Karolina Surma - 3.14.3-1 - Update to Python 3.14.3 -- Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865, -CVE-2025-15282, CVE-2026-1299, CVE-2025-11468, CVE-2025-15366, -CVE-2025-15367 +- Security fixes for CVE-2025-11468, CVE-2026-0672, CVE-2026-0865, +CVE-2025-15282, CVE-2026-1299, CVE-2025-15366, CVE-2025-15367 Resolves: RHEL-144855, RHEL-143058, RHEL-143111 * Mon Jan 19 2026 Charalampos Stratakis - 3.14.2-3 diff --git a/sources b/sources index ece54ca..5926230 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (Python-3.14.3.tar.xz) = 9fd875f7a1d96d64e7150913ef38b72b0aeecfcbc24ba46967e57b6495146b0cba6b940c273561fc4d656b6d0ce2e23ffb7bd32bcd0b61fd59a6d90585998c07 +SHA512 (Python-3.14.4.tar.xz) = 89a7f8b8a31f48d150badb4751df137d47d9014c9c422649a1a55aef5618aa7f0259dd18c151e6804fa8312c6a21544332a9f630ee81150dc00505637e62bb8c