3.14.4: CVE-2026-1502, CVE-2026-4786, CVE-2026-5713, CVE-2026-6100 #141
Open
stratakis wants to merge 347 commits into fedora-python:fedora-3.14 from
…ython#145207) [3.14] pythongh-144156: move news entry to Library
…ythonGH-145001) (pythonGH-145212) (cherry picked from commit 9b22261) Co-authored-by: Petr Viktorin <encukou@gmail.com>
…-143890) (python#145257) Co-authored-by: Adorilson Bezerra <adorilson@gmail.com>
… docs (pythonGH-144831) (python#145258) Co-authored-by: Rajhans Jadhao <rajhans.jadhao@gmail.com>
…_utf8` (pythonGH-144807) (python#145287) Co-authored-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
…2824) (python#145297) (cherry picked from commit 06b0920) Co-authored-by: A.Ibrahim <abdulrasheedibrahim47@gmail.com>
…pythonGH-145038) (python#145283) This undoes a change made as a part of PR 137470, for compatibility with EMSDK 4.0.19. It adds `emscripten_trampoline` field in `pycore_runtime_structs.h` and initializes it from JS initialization code with the wasm-gc based trampoline if possible. Otherwise we fall back to the JS trampoline. (cherry picked from commit 43fdb70) Co-authored-by: Hood Chatham <roberthoodchatham@gmail.com>
…cale (pythonGH-145250) (pythonGH-145302) It occurs in code which is perhaps never executed. (cherry picked from commit 6ea84b2) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
…honGH-145281) (python#145310) pythongh-145234: Normalize decoded CR in string tokenizer (pythonGH-145281) (cherry picked from commit 98b1e51) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
…pythonGH-145316) pythongh-141004: Document missing type flags (pythonGH-145127) (cherry picked from commit dc1b56a) Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
… exceptions (pythonGH-144824) (pythonGH-145318) pythongh-144693: Clarify that `PyFrame_GetBack` does not raise exceptions (pythonGH-144824) (cherry picked from commit 8775f90) Co-authored-by: Taegyun Kim <k.taegyun@gmail.com> Co-authored-by: Sergey Miryanov <sergey.miryanov@gmail.com> Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
…ythongh-145157) (python#145320) Co-authored-by: VanshAgarwal24036 <148854295+VanshAgarwal24036@users.noreply.github.com>
…red data from StreamReader (pythonGH-142354) (python#145363) pythongh-142352: Fix `asyncio` `start_tls()` to transfer buffered data from StreamReader (pythonGH-142354) (cherry picked from commit 0598f4a) Co-authored-by: Kumar Aditya <kumaraditya@python.org> Co-authored-by: Maksym Kasimov <39828623+kasimov-maxim@users.noreply.github.com>
…145270) (python#145367) pythongh-145269: simplify bisect.bisect doc example (pythonGH-145270) --------- (cherry picked from commit fdb4b35) Co-authored-by: Nathan Goldbaum <nathan.goldbaum@gmail.com> Co-authored-by: Pieter Eendebak <pieter.eendebak@gmail.com>
…onGH-145359) (python#145401) pythongh-100538: Add workflow to verify bundled libexpat (pythonGH-145359) Add workflow to verify bundled libexpat. (cherry picked from commit c9a5d9a) Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
…s in glob and iglob. (pythonGH-144836) (python#145415) Co-authored-by: Facundo Batista <facundo@taniquetil.com.ar> Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
…s called. (pythonGH-145308) (cherry picked from commit 1cf5abe) Co-authored-by: Steve Dower <steve.dower@python.org>
pythonGH-145390) (python#145433) pythongh-145335: Fix crash when passing -1 as fd in os.pathconf (pythonGH-145390) (cherry picked from commit 5c3a47b) Co-authored-by: AN Long <aisk@users.noreply.github.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
…en inline values are available (pythonGH-130469) (python#145438) Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
…y link some more (pythonGH-145436) (python#145443) Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
…thonGH-142925) (pythonGH-145419) (cherry picked from commit b611db4) Co-authored-by: zhong <60600792+superboy-zjc@users.noreply.github.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
…salnum()` docs (pythonGH-144718) (pythonGH-144730) (cherry picked from commit f912c83) Co-authored-by: Adorilson Bezerra <adorilson@gmail.com>
…hods (pythonGH-145451) (pythonGH-145466) (cherry picked from commit db41717) Co-authored-by: Michiel W. Beijen <mb@x14.nl>
…ommands (pythonGH-145457) (python#145461) pythongh-145455: Show output of blurb & sphinx-build version commands (pythonGH-145457) In pythongh-145455, an outdated dependency caused an import error that was not printed out (`2>&1`); the message instead said that the tools are missing. Don't redirect stderr, to show warnings and failures. Also, switch `blurb` to output a version on a single line (`--version` rather than `help`), and don't redirect stdout either. This results in two version info lines being printed out. These get drowned in typical Sphinx output, and can be helpful when debugging. (cherry picked from commit f1de65b) Co-authored-by: Petr Viktorin <encukou@gmail.com>
…honGH-145362) (pythonGH-145470) (cherry picked from commit 671a953) Co-authored-by: bkap123 <97006829+bkap123@users.noreply.github.com>
…ment() (pythonGH-145479) (python#145485) Fix incorrect statement about argparse.ArgumentParser.add_argument() (pythonGH-145479) (cherry picked from commit dc12d19) Co-authored-by: Justin Kunimune <justinkunimune@gmail.com> Co-authored-by: Savannah Ostrowski <savannah@python.org>
…onGH-148075) (python#148095) pythongh-148074: Fix `typeobject.c` missing error return (pythonGH-148075) (cherry picked from commit c398490) Co-authored-by: Wulian233 <1055917385@qq.com>
…ythonGH-145885) (python#148087) (cherry picked from commit fe9befc) Co-authored-by: Stan Ulbrych <stan@python.org>
…pythonGH-148092) (python#148097) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
pythonGH-148043) (python#148099) (cherry picked from commit b1d2d98) Co-authored-by: Stan Ulbrych <stan@python.org>
…hon#148104) (cherry picked from commit 75be902) Co-authored-by: Stan Ulbrych <stan@python.org>
python#148115) Add `permissions: {}` to all reusable workflows (python#148114) Add permissions: {} to all reusable workflows (cherry picked from commit 1f36a51)
…() with user= (pythonGH-148129) (python#148130) pythongh-94632: document the subprocess need for extra_groups=() with user= (pythonGH-148129) (cherry picked from commit a1cf443) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
…os-26-intel` in `{jit,tail-call}.yml` (pythonGH-148126) (python#148135)
Co-authored-by: Stan Ulbrych <stan@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
…es (pythonGH-148143) (python#148147) pythongh-148144: Initialize visited on copied interpreter frames (pythonGH-148143) _PyFrame_Copy() copied interpreter frames into generator and frame-object storage without initializing the visited byte. Incremental GC later reads frame->visited in mark_stacks() on non-start passes, so copied frames could expose an uninitialized value once they became live on a thread stack again. Reset visited when copying a frame so copied frames start with defined GC bookkeeping state. Preserve lltrace in Py_DEBUG builds. (cherry picked from commit fbfc6cc) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
…pythonGH-148054) (python#148150) Pre-create the Android emulator image so that the configuration can be modified to use 4GB of RAM. (cherry picked from commit a95ee3a) Co-authored-by: Malcolm Smith <smith@chaquo.com>
…thon#148159) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
…fail in `_PyPegen_name_default_pair` (pythonGH-148158) (python#148162) (cherry picked from commit 1795fcc) Co-authored-by: Stan Ulbrych <stan@python.org>
…grouper` (pythonGH-147962) (python#148010) pythongh-146613: Fix re-entrant use-after-free in `itertools._grouper` (pythonGH-147962) (cherry picked from commit fc7a188) Co-authored-by: Ma Yukun <68433685+TheSkyC@users.noreply.github.com>
… path (pythonGH-137584) (python#148173) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
…ents (pythonGH-148194) (python#148195) Avoid embedding the parent's sys.argv into the forkserver -c command string via repr(). When sys.argv is large (e.g. thousands of file paths from a pre-commit hook), the resulting single argument could exceed the OS per-argument length limit (MAX_ARG_STRLEN on Linux, typically 128 KiB), causing posix_spawn to fail and the parent to observe a BrokenPipeError. Instead, append the argv entries as separate command-line arguments after -c; the forkserver child reads them back as sys.argv[1:]. This cannot exceed any limit the parent itself did not already satisfy. Regression introduced by pythongh-143706 / 298d544. (cherry picked from commit 5e9d90b)
…thonGH-148197) (pythonGH-148206) (cherry picked from commit cf59bf7) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Stan Ulbrych <stan@python.org>
…ythonGH-146263) (python#148198) Co-authored-by: Brandt Bucher <brandt@python.org>
Set values of base and platbase in sysconfig from /usr to /usr/local when RPM build is not detected to make pip and similar tools install into a separate location. Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe Downstream only. We've tried to rework in Fedora 36/Python 3.10 to follow https://bugs.python.org/issue43976 but we have identified serious problems with that approach, see https://bugzilla.redhat.com/2026979 or https://bugzilla.redhat.com/2097183 pypa/distutils integration: pypa/distutils#70 Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Miro Hrončok <miro@hroncok.cz> Co-authored-by: Michal Cyprian <m.cyprian@gmail.com> Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S The BTI flag must be applied in the assembler sources for this class of attacks to be mitigated on newer aarch64 processors. Upstream PR: https://github.com/python/cpython/pull/130864/files The upstream patch is incomplete but only for the case where frame pointers are not used on 3.13+. Since on Fedora we always compile with frame pointers the BTI/PAC hardware protections can be enabled without losing Perf unwinding.
We want to run these tests in Fedora and EPEL 10, but not in EPEL 9, which has too old a version of expat. We set the upper bound version in the conditionalized skip to a release available in CentOS Stream 10, which is tested as working.
Downstream only: Reject control characters in IMAP commands
Downstream only: Reject control characters in POP3 commands
…fferent Python version This is a downstream workaround "implementing" python#137212 - the mechanism for the check exists in Python 3.15+, where it needs to be added to the standard library modules. In Fedora, we need it also in previous Python versions, as we experience a segmentation fault when importing stdlib modules after update while Python is running. _tkinter, _tracemalloc and readline are not calling PyModuleDef_Init, which is modified with this patch, hence they need a direct call to the check function. Co-Authored-By: Karolina Surma <ksurma@redhat.com>
Reject CR/LF in HTTP tunnel request headers Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Fix webbrowser `%action` substitution bypass of dash-prefix check
Validate remote debug offset tables on load
Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
Co-authored-by: Stan Ulbrych <stan@python.org>
No description provided.