import python3.11-3.11.10-1.el8_10

.python3.11.metadata

-9b1e896523fc510691126c864406d9360a3d1e986acbda59cda57b5abda45b87 SOURCES/Python-3.11.9.tar.xz
+07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 SOURCES/Python-3.11.10.tar.xz
 fb28243ffeb9725b14b60586a9a123682a89604c025b7a9d4bcdeb67078203c6 SOURCES/pgp_keys.asc

SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

-From 642f28679e04c7b4ec7731f0c8872103f21a76f8 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Fri, 15 Dec 2023 16:10:40 +0100
-Subject: [PATCH 1/2] 00415: [CVE-2023-27043] gh-102988: Reject malformed
- addresses in email.parseaddr() (#111116)
-
-Detect email address parsing errors and return empty tuple to
-indicate the parsing error (old API). Add an optional 'strict'
-parameter to getaddresses() and parseaddr() functions. Patch by
-Thomas Dwyer.
-
-Co-Authored-By: Thomas Dwyer <github@tomd.tel>
----
- Doc/library/email.utils.rst                   |  19 +-
- Lib/email/utils.py                            | 150 ++++++++++++-
- Lib/test/test_email/test_email.py             | 204 +++++++++++++++++-
- ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst |   8 +
- 4 files changed, 360 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-
-diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
-index 0e266b6..6723dc4 100644
---- a/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
-@@ -60,13 +60,18 @@ of the new API.
-    begins with angle brackets, they are stripped off.
- 
- 
--.. function:: parseaddr(address)
-+.. function:: parseaddr(address, *, strict=True)
- 
-    Parse address -- which should be the value of some address-containing field such
-    as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
-    *email address* parts.  Returns a tuple of that information, unless the parse
-    fails, in which case a 2-tuple of ``('', '')`` is returned.
- 
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: formataddr(pair, charset='utf-8')
- 
-@@ -84,12 +89,15 @@ of the new API.
-       Added the *charset* option.
- 
- 
--.. function:: getaddresses(fieldvalues)
-+.. function:: getaddresses(fieldvalues, *, strict=True)
- 
-    This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
-    *fieldvalues* is a sequence of header field values as might be returned by
--   :meth:`Message.get_all <email.message.Message.get_all>`.  Here's a simple
--   example that gets all the recipients of a message::
-+   :meth:`Message.get_all <email.message.Message.get_all>`.
-+
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   Here's a simple example that gets all the recipients of a message::
- 
-       from email.utils import getaddresses
- 
-@@ -99,6 +107,9 @@ of the new API.
-       resent_ccs = msg.get_all('resent-cc', [])
-       all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
- 
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: parsedate(date)
- 
-diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index 8993858..41bb3c9 100644
---- a/Lib/email/utils.py
-+++ b/Lib/email/utils.py
-@@ -106,12 +106,127 @@ def formataddr(pair, charset='utf-8'):
-     return address
- 
- 
-+def _iter_escaped_chars(addr):
-+    pos = 0
-+    escape = False
-+    for pos, ch in enumerate(addr):
-+        if escape:
-+            yield (pos, '\\' + ch)
-+            escape = False
-+        elif ch == '\\':
-+            escape = True
-+        else:
-+            yield (pos, ch)
-+    if escape:
-+        yield (pos, '\\')
-+
-+
-+def _strip_quoted_realnames(addr):
-+    """Strip real names between quotes."""
-+    if '"' not in addr:
-+        # Fast path
-+        return addr
-+
-+    start = 0
-+    open_pos = None
-+    result = []
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '"':
-+            if open_pos is None:
-+                open_pos = pos
-+            else:
-+                if start != open_pos:
-+                    result.append(addr[start:open_pos])
-+                start = pos + 1
-+                open_pos = None
-+
-+    if start < len(addr):
-+        result.append(addr[start:])
-+
-+    return ''.join(result)
-+
-+
-+supports_strict_parsing = True
-+
-+def getaddresses(fieldvalues, *, strict=True):
-+    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-+
-+    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-+    its place.
- 
--def getaddresses(fieldvalues):
--    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
--    all = COMMASPACE.join(str(v) for v in fieldvalues)
--    a = _AddressList(all)
--    return a.addresslist
-+    If strict is true, use a strict parser which rejects malformed inputs.
-+    """
-+
-+    # If strict is true, if the resulting list of parsed addresses is greater
-+    # than the number of fieldvalues in the input list, a parsing error has
-+    # occurred and consequently a list containing a single empty 2-tuple [('',
-+    # '')] is returned in its place. This is done to avoid invalid output.
-+    #
-+    # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
-+    # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
-+    # Safe output: [('', '')]
-+
-+    if not strict:
-+        all = COMMASPACE.join(str(v) for v in fieldvalues)
-+        a = _AddressList(all)
-+        return a.addresslist
-+
-+    fieldvalues = [str(v) for v in fieldvalues]
-+    fieldvalues = _pre_parse_validation(fieldvalues)
-+    addr = COMMASPACE.join(fieldvalues)
-+    a = _AddressList(addr)
-+    result = _post_parse_validation(a.addresslist)
-+
-+    # Treat output as invalid if the number of addresses is not equal to the
-+    # expected number of addresses.
-+    n = 0
-+    for v in fieldvalues:
-+        # When a comma is used in the Real Name part it is not a deliminator.
-+        # So strip those out before counting the commas.
-+        v = _strip_quoted_realnames(v)
-+        # Expected number of addresses: 1 + number of commas
-+        n += 1 + v.count(',')
-+    if len(result) != n:
-+        return [('', '')]
-+
-+    return result
-+
-+
-+def _check_parenthesis(addr):
-+    # Ignore parenthesis in quoted real names.
-+    addr = _strip_quoted_realnames(addr)
-+
-+    opens = 0
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '(':
-+            opens += 1
-+        elif ch == ')':
-+            opens -= 1
-+            if opens < 0:
-+                return False
-+    return (opens == 0)
-+
-+
-+def _pre_parse_validation(email_header_fields):
-+    accepted_values = []
-+    for v in email_header_fields:
-+        if not _check_parenthesis(v):
-+            v = "('', '')"
-+        accepted_values.append(v)
-+
-+    return accepted_values
-+
-+
-+def _post_parse_validation(parsed_email_header_tuples):
-+    accepted_values = []
-+    # The parser would have parsed a correctly formatted domain-literal
-+    # The existence of an [ after parsing indicates a parsing failure
-+    for v in parsed_email_header_tuples:
-+        if '[' in v[1]:
-+            v = ('', '')
-+        accepted_values.append(v)
-+
-+    return accepted_values
- 
- 
- def _format_timetuple_and_zone(timetuple, zone):
-@@ -205,16 +320,33 @@ def parsedate_to_datetime(data):
-             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
- 
- 
--def parseaddr(addr):
-+def parseaddr(addr, *, strict=True):
-     """
-     Parse addr into its constituent realname and email address parts.
- 
-     Return a tuple of realname and email address, unless the parse fails, in
-     which case return a 2-tuple of ('', '').
-+
-+    If strict is True, use a strict parser which rejects malformed inputs.
-     """
--    addrs = _AddressList(addr).addresslist
--    if not addrs:
--        return '', ''
-+    if not strict:
-+        addrs = _AddressList(addr).addresslist
-+        if not addrs:
-+            return ('', '')
-+        return addrs[0]
-+
-+    if isinstance(addr, list):
-+        addr = addr[0]
-+
-+    if not isinstance(addr, str):
-+        return ('', '')
-+
-+    addr = _pre_parse_validation([addr])[0]
-+    addrs = _post_parse_validation(_AddressList(addr).addresslist)
-+
-+    if not addrs or len(addrs) > 1:
-+        return ('', '')
-+
-     return addrs[0]
- 
- 
-diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index 785696e..ad60ed3 100644
---- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -17,6 +17,7 @@ from unittest.mock import patch
- 
- import email
- import email.policy
-+import email.utils
- 
- from email.charset import Charset
- from email.generator import Generator, DecodedGenerator, BytesGenerator
-@@ -3336,15 +3337,154 @@ Foo
-            [('Al Person', 'aperson@dom.ain'),
-             ('Bud Person', 'bperson@dom.ain')])
- 
-+    def test_getaddresses_comma_in_name(self):
-+        """GH-106669 regression test."""
-+        self.assertEqual(
-+            utils.getaddresses(
-+                [
-+                    '"Bud, Person" <bperson@dom.ain>',
-+                    'aperson@dom.ain (Al Person)',
-+                    '"Mariusz Felisiak" <to@example.com>',
-+                ]
-+            ),
-+            [
-+                ('Bud, Person', 'bperson@dom.ain'),
-+                ('Al Person', 'aperson@dom.ain'),
-+                ('Mariusz Felisiak', 'to@example.com'),
-+            ],
-+        )
-+
-+    def test_parsing_errors(self):
-+        """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
-+        alice = 'alice@example.org'
-+        bob = 'bob@example.com'
-+        empty = ('', '')
-+
-+        # Test utils.getaddresses() and utils.parseaddr() on malformed email
-+        # addresses: default behavior (strict=True) rejects malformed address,
-+        # and strict=False which tolerates malformed address.
-+        for invalid_separator, expected_non_strict in (
-+            ('(', [(f'<{bob}>', alice)]),
-+            (')', [('', alice), empty, ('', bob)]),
-+            ('<', [('', alice), empty, ('', bob), empty]),
-+            ('>', [('', alice), empty, ('', bob)]),
-+            ('[', [('', f'{alice}[<{bob}>]')]),
-+            (']', [('', alice), empty, ('', bob)]),
-+            ('@', [empty, empty, ('', bob)]),
-+            (';', [('', alice), empty, ('', bob)]),
-+            (':', [('', alice), ('', bob)]),
-+            ('.', [('', alice + '.'), ('', bob)]),
-+            ('"', [('', alice), ('', f'<{bob}>')]),
-+        ):
-+            address = f'{alice}{invalid_separator}<{bob}>'
-+            with self.subTest(address=address):
-+                self.assertEqual(utils.getaddresses([address]),
-+                                 [empty])
-+                self.assertEqual(utils.getaddresses([address], strict=False),
-+                                 expected_non_strict)
-+
-+                self.assertEqual(utils.parseaddr([address]),
-+                                 empty)
-+                self.assertEqual(utils.parseaddr([address], strict=False),
-+                                 ('', address))
-+
-+        # Comma (',') is treated differently depending on strict parameter.
-+        # Comma without quotes.
-+        address = f'{alice},<{bob}>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.parseaddr([address]),
-+                         empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Real name between quotes containing comma.
-+        address = '"Alice, alice@example.org" <bob@example.com>'
-+        expected_strict = ('Alice, alice@example.org', 'bob@example.com')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Valid parenthesis in comments.
-+        address = 'alice@example.org (Alice)'
-+        expected_strict = ('Alice', 'alice@example.org')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Invalid parenthesis in comments.
-+        address = 'alice@example.org )Alice('
-+        self.assertEqual(utils.getaddresses([address]), [empty])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Two addresses with quotes separated by comma.
-+        address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Test email.utils.supports_strict_parsing attribute
-+        self.assertEqual(email.utils.supports_strict_parsing, True)
-+
-     def test_getaddresses_nasty(self):
--        eq = self.assertEqual
--        eq(utils.getaddresses(['foo: ;']), [('', '')])
--        eq(utils.getaddresses(
--           ['[]*-- =~$']),
--           [('', ''), ('', ''), ('', '*--')])
--        eq(utils.getaddresses(
--           ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
--           [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
-+        for addresses, expected in (
-+            (['"Sürname, Firstname" <to@example.com>'],
-+             [('Sürname, Firstname', 'to@example.com')]),
-+
-+            (['foo: ;'],
-+             [('', '')]),
-+
-+            (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
-+             [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
-+
-+            ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
-+             [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
-+
-+            (['(Empty list)(start)Undisclosed recipients  :(nobody(I know))'],
-+             [('', '')]),
-+
-+            (['Mary <@machine.tld:mary@example.net>, , jdoe@test   . example'],
-+             [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
-+
-+            (['John Doe <jdoe@machine(comment).  example>'],
-+             [('John Doe (comment)', 'jdoe@machine.example')]),
-+
-+            (['"Mary Smith: Personal Account" <smith@home.example>'],
-+             [('Mary Smith: Personal Account', 'smith@home.example')]),
-+
-+            (['Undisclosed recipients:;'],
-+             [('', '')]),
-+
-+            ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
-+             [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
-+        ):
-+            with self.subTest(addresses=addresses):
-+                self.assertEqual(utils.getaddresses(addresses),
-+                                 expected)
-+                self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                                 expected)
-+
-+        addresses = ['[]*-- =~$']
-+        self.assertEqual(utils.getaddresses(addresses),
-+                         [('', '')])
-+        self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                         [('', ''), ('', ''), ('', '*--')])
- 
-     def test_getaddresses_embedded_comment(self):
-         """Test proper handling of a nested comment"""
-@@ -3535,6 +3675,54 @@ multipart/report
-                 m = cls(*constructor, policy=email.policy.default)
-                 self.assertIs(m.policy, email.policy.default)
- 
-+    def test_iter_escaped_chars(self):
-+        self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
-+                         [(0, 'a'),
-+                          (2, '\\\\'),
-+                          (3, 'b'),
-+                          (5, '\\"'),
-+                          (6, 'c'),
-+                          (8, '\\\\'),
-+                          (9, '"'),
-+                          (10, 'd')])
-+        self.assertEqual(list(utils._iter_escaped_chars('a\\')),
-+                         [(0, 'a'), (1, '\\')])
-+
-+    def test_strip_quoted_realnames(self):
-+        def check(addr, expected):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), expected)
-+
-+        check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
-+              ' <jane@example.net>,  <john@example.net>')
-+        check(r'"Jane \"Doe\"." <jane@example.net>',
-+              ' <jane@example.net>')
-+
-+        # special cases
-+        check(r'before"name"after', 'beforeafter')
-+        check(r'before"name"', 'before')
-+        check(r'b"name"', 'b')  # single char
-+        check(r'"name"after', 'after')
-+        check(r'"name"a', 'a')  # single char
-+        check(r'"name"', '')
-+
-+        # no change
-+        for addr in (
-+            'Jane Doe <jane@example.net>, John Doe <john@example.net>',
-+            'lone " quote',
-+        ):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), addr)
-+
-+
-+    def test_check_parenthesis(self):
-+        addr = 'alice@example.net'
-+        self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
-+
-+        # Ignore real name between quotes
-+        self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
-+
- 
- # Test the iterator/generators
- class TestIterators(TestEmailBase):
-diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-new file mode 100644
-index 0000000..3d0e9e4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-@@ -0,0 +1,8 @@
-+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
-+return ``('', '')`` 2-tuples in more situations where invalid email
-+addresses are encountered instead of potentially inaccurate values. Add
-+optional *strict* parameter to these two functions: use ``strict=False`` to
-+get the old behavior, accept malformed inputs.
-+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
-+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
-+Stinner to improve the CVE-2023-27043 fix.
--- 
-2.44.0
-
-
-From d371679e7c485551c10380ac11e5039a9fb4515b Mon Sep 17 00:00:00 2001
+From 3f01ced0b5051798516fc65f5fac10ffd15dbce6 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Wed, 10 Jan 2024 08:53:53 +0100
-Subject: [PATCH 2/2] Make it possible to disable strict parsing in email
- module
+Subject: [PATCH] Make it possible to disable strict parsing in email module
 
 ---
  Doc/library/email.utils.rst       | 26 +++++++++++
- Lib/email/utils.py                | 55 ++++++++++++++++++++++-
+ Lib/email/utils.py                | 54 +++++++++++++++++++++-
  Lib/test/test_email/test_email.py | 74 ++++++++++++++++++++++++++++++-
- 3 files changed, 151 insertions(+), 4 deletions(-)
+ 3 files changed, 150 insertions(+), 4 deletions(-)
 
 diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
-index 6723dc4..c89602d 100644
+index 97ddf49..0c9bf53 100644
 --- a/Doc/library/email.utils.rst
 +++ b/Doc/library/email.utils.rst
 @@ -69,6 +69,19 @@ of the new API.
@@ -527,7 +30,7 @@ index 6723dc4..c89602d 100644
 +      [email_addr_parsing]
 +      PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
 +
-    .. versionchanged:: 3.13
+    .. versionchanged:: 3.11.10
        Add *strict* optional parameter and reject malformed inputs by default.
  
 @@ -97,6 +110,19 @@ of the new API.
@@ -551,10 +54,10 @@ index 6723dc4..c89602d 100644
  
        from email.utils import getaddresses
 diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index 41bb3c9..09a414c 100644
+index 94ead0e..09a414c 100644
 --- a/Lib/email/utils.py
 +++ b/Lib/email/utils.py
-@@ -48,6 +48,47 @@ TICK = "'"
+@@ -48,6 +48,46 @@ TICK = "'"
  specialsre = re.compile(r'[][\\()<>@,:;".]')
  escapesre = re.compile(r'[\\"]')
  
@@ -598,11 +101,10 @@ index 41bb3c9..09a414c 100644
 +
 +    return True
 +
-+
+ 
  def _has_surrogates(s):
      """Return True if s may contain surrogate-escaped binary data."""
-     # This check is based on the fact that unless there are surrogates, utf8
-@@ -148,7 +189,7 @@ def _strip_quoted_realnames(addr):
+@@ -149,7 +189,7 @@ def _strip_quoted_realnames(addr):
  
  supports_strict_parsing = True
  
@@ -611,7 +113,7 @@ index 41bb3c9..09a414c 100644
      """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
  
      When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-@@ -157,6 +198,11 @@ def getaddresses(fieldvalues, *, strict=True):
+@@ -158,6 +198,11 @@ def getaddresses(fieldvalues, *, strict=True):
      If strict is true, use a strict parser which rejects malformed inputs.
      """
  
@@ -623,7 +125,7 @@ index 41bb3c9..09a414c 100644
      # If strict is true, if the resulting list of parsed addresses is greater
      # than the number of fieldvalues in the input list, a parsing error has
      # occurred and consequently a list containing a single empty 2-tuple [('',
-@@ -320,7 +366,7 @@ def parsedate_to_datetime(data):
+@@ -321,7 +366,7 @@ def parsedate_to_datetime(data):
              tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
  
  
@@ -632,7 +134,7 @@ index 41bb3c9..09a414c 100644
      """
      Parse addr into its constituent realname and email address parts.
  
-@@ -329,6 +375,11 @@ def parseaddr(addr, *, strict=True):
+@@ -330,6 +375,11 @@ def parseaddr(addr, *, strict=True):
  
      If strict is True, use a strict parser which rejects malformed inputs.
      """
@@ -744,5 +246,5 @@ index ad60ed3..f85da56 100644
          for addresses, expected in (
              (['"Sürname, Firstname" <to@example.com>'],
 -- 
-2.44.0
+2.46.0
 

SOURCES/Python-3.11.10.tar.xz.asc

+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmbbrO0ACgkQ/+h0BBaL
+2Ec+YBAAnQJLKYPjj7Yr7xkFU655Sv86JxeRAdWjnIapbiIuWg3Up8Pd8FTRgHGf
+3XdTHw7b03lSjtzJwavzdnDklqAlBIGn9dVieljUIN7NYyNxoYOr/AiatimgSwv7
+dI5mfun5fLKV6ZcdNdQN5PJ3RZtF3I7VfkN2mlfZJHtxl1agdU/TfW2L+qJ7+JPY
+cayjq2xKTLRNXOf2iV29GRRovLiqA+Dx0+cAwsScwreHMp3U4k3GkeHVoR6fldV4
+bVAM8GRl3CYVFePiqAbamKP1BSys44JOINWbWyd94JxzEAwXWz//Es0h73AzeRfK
+ueORqzdoOGrVc74+HGlAHhqO1Gg7jMMmtkzCEuav+cGHYnMRMOngGR3q47aTJTVb
+5UdP0oD4OlADPFVa6q0LCqN/IFlebWMh9pXYw7Wpek63oNuZHTfNPq4S1AUM2HJm
+C3yzaOG9VAdYfLneJC4ldY4CVt1FKckfaXp5OAaMr71DI74e4CcEswlUupZJLZKV
+TJRjQD15bnXGhHDqU4w3RmzpCWMh2mf4m4VMYQyObl3TtlX+gVvzIhDS5+mXqutB
+F1pdXwaHHkTb2PLLxpwOGrnsp8XoW74tsylcYirQg8jSFMbgxfwgIjEIuRGXeDkT
+B4QzmQ4SxsbLiH7etV6Fznl1h569Z4DO9OOs4i0ZzIjdhPDQtAs=
+=TatG
+-----END PGP SIGNATURE-----

SPECS/python3.11.spec

@@ -16,11 +16,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.9
+%global general_version %{pybasever}.10
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 7%{?dist}
+Release: 1%{?dist}
 License: Python
 
 
@@ -388,7 +388,7 @@ Patch397: 00397-tarfile-filter.patch
 #
 # Upstream PR: https://github.com/python/cpython/pull/111116
 #
-# Second patch implmenets the possibility to restore the old behavior via
+# The patch implements the possibility to restore the old behavior via
 # config file or environment variable.
 Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
 
@@ -398,35 +398,6 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
 # Downstream only.
 Patch422: 00422-fix-expat-tests.patch
 
-# 00431 #
-# Security fix for CVE-2024-4032: incorrect IPv4 and IPv6 private ranges
-# Resolved upstream: https://github.com/python/cpython/issues/113171
-# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2292921
-Patch431: 00431-CVE-2024-4032.patch
-
-# 00435 # d33a3c90daa3d5d2d7e67f6e9264e5438d9608a0
-# gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233)
-#
-# Per RFC 2047:
-#
-# > [...] these encoding schemes allow the
-# > encoding of arbitrary octet values, mail readers that implement this
-# > decoding should also ensure that display of the decoded data on the
-# > recipient's terminal will not cause unwanted side-effects
-#
-# It seems that the "quoted-word" scheme is a valid way to include
-# a newline character in a header value, just like we already allow
-# undecodable bytes or control characters.
-# They do need to be properly quoted when serialized to text, though.
-#
-# This should fail for custom fold() implementations that aren't careful
-# about newlines.
-Patch435: 00435-gh-121650-encode-newlines-in-headers-and-verify-headers-are-sound-gh-122233.patch
-
-# 00436 # 1acd6db660ad1124ab7ae449a841608dd9d9062d
-# [CVE-2024-8088] gh-122905: Sanitize names in zipfile.Path.
-Patch436: 00436-cve-2024-8088-gh-122905-sanitize-names-in-zipfile-path.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1884,6 +1855,10 @@ fi
 # ======================================================
 
 %changelog
+* Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.11.10-1
+- Update to 3.11.10
+Resolves: RHEL-57400
+
 * Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.11.9-7
 - Security fix for CVE-2024-8088
 Resolves: RHEL-55934