Debian Patches
Status for python3.11/3.11.2-6+deb12u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| deb-setup.diff | C compiler flags: 1. Don't duplicate /usr/local in gcc search paths. FIXME: Not sure why. 2. Respect CPPFLAGS | | no | | | |
| deb-locations.diff | Debian: Adjust locations of directories to debian policy | | not-needed | | | |
| distutils-install-layout.diff | Debian: Add a distutils option --install-layout=deb This option: - installs into $prefix/dist-packages instead of $prefix/site-packages. - doesn't encode the python version into the egg name. . We install modules into dist-packages so that a local admin can build their own cpython from source, and they won't see each others' installed modules. This keeps Debian packaged applications working correctly, isolated from the local cpython. . Customize site.py to import from Debian's dist-packages layout. | | not-needed | | | |
| locale-module.diff | Use glibc's name for the UTF-8 locale FIXME: back story? | | no | | | |
| distutils-link.diff | distutils: Don't add standard library dirs to library_dirs and runtime_library_dirs. On amd64, runtime paths pointing to /usr/lib64 aren't recognized by dpkg-shlibdeps, and the packages containing these libraries aren't added to ${shlibs:Depends}. | | no | | | |
| distutils-sysconfig.diff | distutils: Use python's compiler arguments by default Get CONFIGURE_CFLAGS, CONFIGURE_CPPFLAGS, CONFIGURE_LDFLAGS from the python build, when CFLAGS, CPPFLAGS, LDSHARED) are not set in the environment. | | no | | | |
| sysconfig-debian-schemes.diff | | | no | | | |
| tkinter-import.diff | Suggest installation of python3-tk package We split Tk out into a separate binary package. Help users who try to import it, without it installed. | | not-needed | | | |
| gdbm-import.diff | Debian: Suggest installation of python3-gdbm package We split gdbm out into a separate binary package. Help users who try to import it, without it installed. | | not-needed | | | |
| link-opt.diff | Call the linker with -O1 -Bsymbolic-functions FIXME: Why? Why -O1? | | no | | | |
| setup-modules.diff | Configure linking for C-library wrapping modules Use the system C libraries, rather than sources bundled with cPython, or anything from /usr/local. | | not-needed | | | |
| profiled-build.diff | Ignore errors in the profile task. FIXME: Back story? | | no | | | |
| langpack-gettext.diff | Ubuntu: Support separate langpack packages Support alternative gettext tree in /usr/share/locale-langpack; if a file is present in both trees, prefer the newer one. Ubuntu collates gettext from packages on the DVD into language packs, to reduce disk-space on the image. This is Ubuntu-Specific. | | not-needed | | | |
| disable-sem-check.diff | Debian: Don't autodetect whether semaphores are present Assume working semaphores, don't rely on running kernel for the check. Build machine != Target machine. | | not-needed | | | |
| lib-argparse.diff | Debian: Degrade argparse gracefully without gettext python3.X-minimal includes argparse but not gettext. Use a fallback noop gettext, if it can't be imported. | | not-needed | | | |
| ctypes-arm.diff | Arch: Workaround the presence of hard-float in ldconfig -p output. Also, handle the wide variety of ARM unames. | Loïc Minier | invalid | |||
| multiarch.diff | Debian: Configure multiarch tuple. 1. Expose multiarchsubdir in sysconfig. 2. Return the multiarch include dir in distutils. 3. Install the .pc file into the multiarch path. | | no | | | |
| lib2to3-no-pickled-grammar.diff | Arch: Ignore grammar pickle mis-matches in lib2to3. Pickle files encode the endian of the arch that built them. They are architecture-independent, but there isn't a canonical endianness, both are handled on load. | | no | | | |
| ext-no-libpython-link.diff | Don't link extensions with the shared libpython library FIXME: Still needed since 3.8? | | no | | | |
| test-no-random-order.diff | Don't run the test suite in random order. | | not-needed | | | |
| multiarch-extname.diff | Debian: Make sure to rename extensions to a tag including the MULTIARCH name this patch can be dropped for python3.5 final, if the upstream change is kept. FIXME: so, can we drop it? | | not-needed | | | |
| tempfile-minimal.diff | Debian: Degrade tempfile gracefully without shutil python3.X-minimal includes tempfile but not shutil. Use a fallback racy rmtree, if shutil can't be imported. | | not-needed | | | |
| disable-some-tests.diff | Arch: Disable some failing tests we are not interested in | | no | | | |
| ensurepip-disabled.diff | Disable ensurepip for the system installation We have a python3-pip package, for users who want pip. We just need ensurepip to seed pip in virtual environments. | | not-needed | | | |
| mangle-fstack-protector.diff | Support gcc < 4.9 When using GCC versions older than 4.9, automagically mangle -fstack-protector-strong to -fstack-protector FIXME: Still needed? | | no | | | |
| reproducible-buildinfo.diff | Build reproducible date and time into build info Build information is encoded into getbuildinfo.o at build time. Use the date and time from the debian changelog, to make this reproducible. | | no | | | |
| pydoc-use-pager.diff | pydoc: use the pager command if available Debian file pagers register the "pager" alternative, so if any pager is available, /usr/bin/pager will exist, and point to the best pager available. | | no | | | |
| local-doc-references.diff | Debian: Reference the local path to the documentation | | not-needed | | | |
| doc-build-texinfo.diff | Add the option to build Texinfo-format documentation. | Benjamin Moody <benjamin@physionet.org> | yes | debian | | 2017-11-27 |
| argparse-no-shutil.diff | Debian: Degrade argparse gracefully without shutil python3.X-minimal includes argparse but not shutil. Use a fixed terminal width, if shutil can't be imported. | | not-needed | | | |
| sysconfigdata-name.diff | Don't encode the MACHDEP into the _sysconfigdata file name. Unfortunately on KFreeBSD MACHDEP includes the kernel version, so you end up with a changing MACHDEP. | | no | | | |
| hurd_kfreebsd_thread_native_id.diff | Implement the native thread ids for the Hurd and KFreeBSD | Samuel Thibault | yes | debian | | |
| sphinx3.diff | Allow building with Sphinx >= 3.2 Additionally: Disable sphinx warnings | | no | | upstream, https://github.com/python/cpython/commit/423e77d6de497931585d1883805a9e3fa4096b0b | |
| destshared-location.diff | Keep the lib-dynload dir in the same place when configuring with --libdir=/usr/bin/$(DEB_HOST_MULTIARCH) FIXME: Expand? | | no | | | |
| fix-py_compile.diff | Fix regression byte-compiling filenames from stdin | | yes | | | |
| ntpath-import.diff | # ntpath not in python-minimal | | no | | | |
| shutdown-deadlock.diff | [3.11] GH-102126: fix deadlock at shutdown when clearing thread states (GH-102222) (cherry picked from commit 5f11478ce7fda826d399530af4c5ca96c592f144) | Kumar Aditya | no | debian | upstream, https://github.com/python/cpython/commit/026faf20cc9d1d5913ff7c01a93d8934594d7fec | |
| frame_dealloc-crash.diff | Fix use-after-free crash in frame_dealloc It was possible for the trashcan to delay the deallocation of a PyFrameObject until after its corresponding _PyInterpreterFrame has already been freed. So frame_dealloc needs to avoid dereferencing the f_frame pointer unless it first checks that the pointer still points to the interpreter frame within the frame object. | Anders Kaseorg <andersk@mit.edu> | no | debian | https://github.com/python/cpython/commit/46cae02085311481dc8b1ea9a5110969d9325bc7 | 2023-08-29 |
| CVE-2024-0450.patch | commit a956e510f6336d5ae111ba429a61c3ade30a7549 [3.11] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113913) Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | no | debian | | 2024-01-11 |
| CVE-2023-6597.patch | commit 5585334d772b253a01a6730e8202ffb1607c3d25 [3.11] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112839) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) Co-authored-by: Søren Løvborg <sorenl@unity3d.com> | Serhiy Storchaka <storchaka@gmail.com> | no | debian | | 2023-12-07 |
| relfile-nullptr-dereference.patch | [PATCH] [3.11] gh-102281: Fix potential nullptr dereference + use of uninitia… (#103040) [3.11] gh-102281: Fix potential nullptr dereference + use of uninitialized memory (gh-102282) (cherry picked from commit afa6092ee4260bacf7bc11905466e4c3f8556cbb) | Max Bachmann <kontakt@maxbachmann.de> | no | | | 2023-03-26 |
| CVE-2023-41105-path-truncation.patch | [PATCH] [3.11] gh-106242: Fix path truncation in os.path.normpath (GH-106816) (#107982) | Steve Dower <steve.dower@python.org> | no | | | 2023-08-15 |
| CVE-2023-40217-ssl-pre-close-flaw.patch | [PATCH] [3.11] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108317) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. | Łukasz Langa <lukasz@langa.pl> | no | | | 2023-08-22 |
| CVE-2023-40217-ref-cycle.patch | [PATCH] [3.11] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108349) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) | "Miss Islington (bot)" | no | | | 2023-08-23 |
| CVE-2023-40217-test-reliability.patch | [PATCH] [3.11] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108405) * In preauth tests of test_ssl, explicitly break reference cycles involving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catches TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47) | Łukasz Langa <lukasz@langa.pl> | no | | | 2023-08-24 |
| CVE-2023-24329-strip-control-chars-urlsplit.patch | [PATCH] [3.11] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (#104575) * gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). | "Miss Islington (bot)" | no | | | 2023-05-17 |
| CVE-2024-0397.diff | [PATCH] [3.11] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (#115549) gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) * gh-114572: Fix locking in cert_store_stats and get_ca_certs cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See https://github.com/openssl/openssl/pull/23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock. * Work around const-correctness problem * Add missing X509_STORE_get1_objects failure check * Add blurb (cherry picked from commit bce693111bff906ccf9281c22371331aaff766ab) | "Miss Islington (bot)" | no | | | 2024-02-20 |
| CVE-2024-4032.diff | [PATCH] [3.11] gh-113171: gh-65056: Fix "private" (non-global) IP address ranges (GH-113179) (GH-113186) (GH-118177) (#118227) | Petr Viktorin <encukou@gmail.com> | no | | | 2024-04-25 |
| CVE-2024-8088.diff | [PATCH] [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) (#122925) * gh-122905: Sanitize names in zipfile.Path. (#122906) Ported from zipp 3.19.1; ref jaraco/zipp#119. (cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932) * [3.11] gh-122905: Sanitize names in zipfile.Path. (GH-122906) Ported from zipp 3.19.1; ref jaraco/zippGH-119. (cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932) | "Jason R. Coombs" <jaraco@jaraco.com> | no | | | 2024-08-19 |
All known versions for source package 'python3.11'
- 3.11.2-6+deb12u6 (bookworm)
- 3.11.2-6+deb12u3 (bookworm-security)
