rpms/python39
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python39-3.9.16-1.module+el8.8.0+17625+b531f198

Browse Source
This commit is contained in:
CentOS Sources 2023-05-16 06:06:59 +00:00 committed by Stepan Oksanichenko
parent d8eedb9296
commit 26c2e7f815
8 changed files with 60 additions and 283 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/Python-3.9.13.tar.xz
SOURCES/Python-3.9.16.tar.xz

2
.python39.metadata
View File

@ -1 +1 @@
d57e5c8b94fe42e2b403e6eced02b25ed47ca8da SOURCES/Python-3.9.13.tar.xz
19acd6a341e4f2d7ff97c10c2eada258e9898624 SOURCES/Python-3.9.16.tar.xz

55
SOURCES/00329-fips.patch
View File

@ -1,4 +1,4 @@
From 37aa11f4c57e08bd3859c0de1c22f1d5296b6fdc Mon Sep 17 00:00:00 2001
From ccb2659fa0ec259d4161ed84345553bf3f216531 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 11 Aug 2021 16:51:03 +0200
Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as
@ -71,10 +71,10 @@ index 13482c6..fca1083 100644
PyModule_AddIntConstant(PyObject *m, const char *name, long value)
{
--
2.35.3
2.37.2
From 3fc28233b7244bb891499a974c3f3cda42454760 Mon Sep 17 00:00:00 2001
From 794c37495d91823bd820b96382b999d84dcad58d Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Fri, 13 Aug 2021 13:16:43 +0200
Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function
@ -144,10 +144,10 @@ index 4db058c..56dfff9 100644
return m;
--
2.35.3
2.37.2
From 309e06621a9a8b8220c8f83d588cc76e1fa2380d Mon Sep 17 00:00:00 2001
From 94b56c82b459474c3e0f9e5421fa7becbf5a1c70 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Sat, 27 Mar 2021 14:55:03 +0100
Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920,
@ -927,10 +927,10 @@ index 68aa765..4466ec4 100644
-/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
--
2.35.3
2.37.2
From 2656f4998c17d8a63b5b45462a2dae5b1b3d520f Mon Sep 17 00:00:00 2001
From b63e3fbd7c0506b5a6c00c1bb0d255054e38bbe8 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 12 Dec 2019 16:58:31 +0100
Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL
@ -1137,10 +1137,10 @@ index 4466ec4..54c22b2 100644
-/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
+/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/
--
2.35.3
2.37.2
From 652264a57ab6564bfe775d88502776df95cd897d Mon Sep 17 00:00:00 2001
From dc8ad7b98d6d9bf14cae439acb3a99fa8f4f5020 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 1 Aug 2019 17:57:05 +0200
Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake
@ -1185,10 +1185,10 @@ index 510e4b5..b68f2fb 100644
response = connection.recv_bytes(256) # reject large message
if response != WELCOME:
--
2.35.3
2.37.2
From 4a8637f114196b1ab19435ea64c19c7acf77776c Mon Sep 17 00:00:00 2001
From af0c88c9d5bc4f9c127e49ed80d14e25d18813f2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Thu, 25 Jul 2019 17:19:06 +0200
Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode,
@ -1446,10 +1446,10 @@ index 0bec170..479f4b5 100644
))
--
2.35.3
2.37.2
From 165bcd0377075dbac9fa3f988ed5189668597ab6 Mon Sep 17 00:00:00 2001
From 9bc3d493a3508fb82df7d24cc62315c072d9eca8 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 29 Jan 2021 14:16:21 +0100
Subject: [PATCH 07/10] Use python's fall back crypto implementations only if
@ -1613,10 +1613,10 @@ index fa4a8d7..ec6c883 100644
def test_pbkdf2_hmac_py(self):
self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes)
--
2.35.3
2.37.2
From f4383a6e0be8b75db2380fdcf0174b09709b613f Mon Sep 17 00:00:00 2001
From 331c0d39cbc9c4df266c375bae8c1a0d27dd78d9 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Wed, 31 Jul 2019 15:43:43 +0200
Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with
@ -1772,10 +1772,10 @@ index ec6c883..0fd036f 100644
class KDFTests(unittest.TestCase):
--
2.35.3
2.37.2
From 5ecf11d53225bbe04e35970a834bcc90cd944391 Mon Sep 17 00:00:00 2001
From 1a3df28f95710925bc80018bcf22b7f37bbb1e17 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 26 Aug 2019 19:39:48 +0200
Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode
@ -1889,10 +1889,10 @@ index adf52ad..41e6a14 100644
def test_realcopy_old(self):
# Testing if the copy method created a real copy.
--
2.35.3
2.37.2
From 532ce8649bf743c029aa5ddb25d74604d9798da9 Mon Sep 17 00:00:00 2001
From dded0e09dd3e51998a2aa54d2ae8464d73987e51 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 25 Aug 2021 16:44:43 +0200
Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode
@ -1935,15 +1935,13 @@ index bba3642..02db901 100644
return PycInvalidationMode.CHECKED_HASH
else:
diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
index 86ac8f0..dc042f7 100644
index 6dc0813..b9d5f9a 100644
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -3294,3 +3294,17 @@ def clear_ignored_deprecations(*tokens: object) -> None:
if warnings.filters != new_filters:
warnings.filters[:] = new_filters
@@ -3296,6 +3296,20 @@ def clear_ignored_deprecations(*tokens: object) -> None:
warnings._filters_mutated()
+
+
+def fails_in_fips_mode(expected_error):
+ import _hashlib
+ if _hashlib.get_fips_mode():
@ -1956,6 +1954,11 @@ index 86ac8f0..dc042f7 100644
+ def _decorator(func):
+ return func
+ return _decorator
+
+
@contextlib.contextmanager
def adjust_int_max_str_digits(max_digits):
"""Temporarily change the integer string conversion length limit."""
diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
index 7cb1370..61df232 100644
--- a/Lib/test/test_cmd_line_script.py
@ -2171,5 +2174,5 @@ index 8358d70..1b7fb85 100644
uint64_t x;
char data[sizeof(uint64_t)];
--
2.35.3
2.37.2

150
SOURCES/00382-cve-2015-20107.patch
View File

@ -1,150 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Fri, 3 Jun 2022 11:43:35 +0200
Subject: [PATCH] 00382: CVE-2015-20107
Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
Upstream: https://github.com/python/cpython/issues/68966
Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
---
Doc/library/mailcap.rst | 12 +++++++++
Lib/mailcap.py | 26 +++++++++++++++++--
Lib/test/test_mailcap.py | 8 ++++--
...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
4 files changed, 46 insertions(+), 4 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
index a22b5b9c9e..7aa3380fec 100644
--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -60,6 +60,18 @@ standard. However, mailcap files are supported on most Unix systems.
use) to determine whether or not the mailcap line applies. :func:`findmatch`
will automatically check such conditions and skip the entry if the check fails.
+ .. versionchanged:: 3.11
+
+ To prevent security issues with shell metacharacters (symbols that have
+ special effects in a shell command line), ``findmatch`` will refuse
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
+ into the returned command line.
+
+ If a disallowed character appears in *filename*, ``findmatch`` will always
+ return ``(None, None)`` as if no entry was found.
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
+ ``findmatch`` will ignore all mailcap entries which use that value.
+ A :mod:`warning <warnings>` will be raised in either case.
.. function:: getcaps()
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
index ae416a8e9f..444c6408b5 100644
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
import os
import warnings
+import re
__all__ = ["getcaps","findmatch"]
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
else:
return 1, 0
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+ """Warning raised when refusing unsafe input"""
+
# Part 1: top-level interface.
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
entry to use.
"""
+ if _find_unsafe(filename):
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
entries = lookup(caps, MIMEtype, key)
# XXX This code should somehow check for the needsterminal flag.
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts
diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
index c08423c670..920283d9a2 100644
--- a/Lib/test/test_mailcap.py
+++ b/Lib/test/test_mailcap.py
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
(["", "audio/*", "foo.txt"], ""),
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
+ (["echo %t", "audio/*", "foo.txt"], None),
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
('"An audio fragment"', audio_basic_entry)),
([c, "audio/*"],
{"filename": fname},
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
+ (None, None)),
+ ([c, "audio/wav"],
+ {"filename": fname},
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
([c, "message/external-body"],
{"plist": plist},
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
new file mode 100644
index 0000000000..da81a1f699
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
+MIME types, parameters) into shell commands. Instead of using such text, it
+will warn and act as if a match was not found (or for test commands, as if
+the test failed).

64
SOURCES/00391-cve-2022-42919.patch
View File

@ -1,64 +0,0 @@
From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Thu, 20 Oct 2022 15:30:09 -0700
Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
multiprocessing (GH-98501)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/multiprocessing/connection.py | 5 -----
.../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
2 files changed, 15 insertions(+), 5 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
index 510e4b5aba44..8e2facf92a94 100644
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -73,11 +73,6 @@ def arbitrary_address(family):
if family == 'AF_INET':
return ('localhost', 0)
elif family == 'AF_UNIX':
- # Prefer abstract sockets if possible to avoid problems with the address
- # size. When coding portable applications, some implementations have
- # sun_path as short as 92 bytes in the sockaddr_un struct.
- if util.abstract_sockets_supported:
- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
elif family == 'AF_PIPE':
return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
new file mode 100644
index 000000000000..02d95b570520
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -0,0 +1,15 @@
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
+unix domain sockets for communication with the *forkserver* process instead of
+the Linux abstract socket namespace. Only code that chooses to use the
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
+
+Abstract sockets have no permissions and could allow any user on the system in
+the same `network namespace
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
+whole system) to inject code into the multiprocessing *forkserver* process.
+This was a potential privilege escalation. Filesystem based socket permissions
+restrict this to the *forkserver* process user as was the default in Python 3.8
+and earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.

16
SOURCES/Python-3.9.13.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl
BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g
lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+
uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW
oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS
3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN
7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs
1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X
ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3
YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z
hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4
sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc=
=RYbS
-----END PGP SIGNATURE-----

16
SOURCES/Python-3.9.16.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl
BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD
rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL
257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV
si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr
fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO
HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3
4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi
TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC
GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5
JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2
U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E=
=dXB5
-----END PGP SIGNATURE-----

38
SPECS/python39.spec
View File

@ -13,11 +13,11 @@ URL: https://www.python.org/
# WARNING When rebasing to a new Python version,
# remember to update the python3-docs package as well
%global general_version %{pybasever}.13
%global general_version %{pybasever}.16
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 2%{?dist}
Release: 1%{?dist}
License: Python
# Exclude i686 arch. Due to a modularity issue it's being added to the
@ -415,26 +415,6 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
# Upstream: https://bugs.python.org/issue46811
Patch378: 00378-support-expat-2-4-5.patch
# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
# CVE-2015-20107
#
# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
#
# Upstream: https://github.com/python/cpython/issues/68966
#
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
Patch382: 00382-cve-2015-20107.patch
# 00391 #
# CVE-2022-42919
#
# Local privilege escalation via the multiprocessing forkserver start method.
#
# Upstream: https://github.com/python/cpython/issues/97514
#
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2138705
Patch391: 00391-cve-2022-42919.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -846,8 +826,6 @@ rm Lib/ensurepip/_bundled/*.whl
%apply_patch -q %{PATCH329}
%apply_patch -q %{PATCH353}
%apply_patch -q %{PATCH378}
%apply_patch -q %{PATCH382}
%apply_patch -q %{PATCH391}
# Remove all exe files to ensure we are not shipping prebuilt binaries
# note that those are only used to create Microsoft Windows installers
@ -2014,10 +1992,20 @@ fi
# ======================================================
%changelog
* Mon Nov 07 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.13-2
* Tue Dec 13 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-1
- Update to 3.9.16
- Security fix for CVE-2022-45061
Resolves: rhbz#2144072
* Mon Nov 07 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.14-2
- Fix for CVE-2022-42919
Resolves: rhbz#2138705
* Mon Sep 12 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.14-1
- Update to 3.9.14
- Security fixes for CVE-2020-10735 and CVE-2021-28861
Resolves: rhbz#1834423, rhbz#2120642
* Tue Jun 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.13-1
- Update to 3.9.13
- Security fix for CVE-2015-20107