update python to 3.14.5

ok kmos@ (MAINTAINER), tb@
2026-06-18 15:33:55 +02:00 · 2026-06-07 17:29:15 +00:00
parent f82416d145
commit 96351808fc
12 changed files with 7 additions and 130 deletions
@@ -3,8 +3,7 @@
 # requirement of the PSF license, if it constitutes a change to
 # Python itself.

-FULL_VERSION =		3.14.4
-REVISION-main =		1
+FULL_VERSION =		3.14.5
 SHARED_LIBS =		python3.14 0.0
 VERSION_SPEC =		>=3.14
 PORTROACH =		limit:^3\.14
@@ -1,2 +1,2 @@
-SHA256 (Python-3.14.4.tgz) = tMBZ1YlfAw59+WY4lM43Mr+hsyzTqyiDmAJmpFzjyzs=
-SIZE (Python-3.14.4.tgz) = 31148035
+SHA256 (Python-3.14.5.tgz) = nCK/6ZOabFQY/HSyiaXxzEGFmugqxrFjAWtYRL0Khrw=
+SIZE (Python-3.14.5.tgz) = 31197461
@@ -24,7 +24,5 @@ which results in loading an incorrect version in some cases.

 8.  Work around expat_config.h missing from base.

-9.  Cherry-pick fixes for CVE-2026-4519, CVE-2026-6100.
-
 These changes are available in the OpenBSD CVS repository
 <http://www.openbsd.org/anoncvs.html> in ports/lang/python/3.
@@ -1,26 +0,0 @@
-Fix fix for CVE 2026-4519
-
-A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-the dash-prefix safety check.
-
-https://github.com/python/cpython/pull/148517
-
-Index: Lib/test/test_webbrowser.py
--- Lib/test/test_webbrowser.py.orig
-+++ Lib/test/test_webbrowser.py
-@@ -119,6 +119,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.Tes
-                        arguments=[URL],
-                        kw=dict(new=999))
- 
-+    def test_reject_action_dash_prefixes(self):
-+        browser = self.browser_class(name=CMD_NAME)
-+        with self.assertRaises(ValueError):
-+            browser.open('%action--incognito')
-+        # new=1: action is "--new-window", so "%action" itself expands to
-+        # a dash-prefixed flag even with no dash in the original URL.
-+        with self.assertRaises(ValueError):
-+            browser.open('%action', new=1)
-+
- 
- class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
- 
@@ -1,28 +0,0 @@
-Fix fix for CVE 2026-4519
-
-A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-the dash-prefix safety check.
-
-https://github.com/python/cpython/pull/148517
-Index: Lib/webbrowser.py
--- Lib/webbrowser.py.orig
-+++ Lib/webbrowser.py
-@@ -274,7 +274,6 @@ class UnixBrowser(BaseBrowser):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-        self._check_url(url)
-         if new == 0:
-             action = self.remote_action
-         elif new == 1:
-@@ -288,7 +287,9 @@ class UnixBrowser(BaseBrowser):
-             raise Error("Bad 'new' parameter to open(); "
-                         f"expected 0, 1, or 2, got {new}")
- 
-        args = [arg.replace("%s", url).replace("%action", action)
-+        self._check_url(url.replace("%action", action))
-+
-+        args = [arg.replace("%action", action).replace("%s", url)
-                 for arg in self.remote_args]
-         args = [arg for arg in args if arg]
-         success = self._invoke(args, True, autoraise, url)
@@ -3,7 +3,7 @@ Make bsd make happy
 Index: Makefile.pre.in
 --- Makefile.pre.in.orig
 +++ Makefile.pre.in
-@@ -607,8 +607,6 @@ LIBMPDEC_OBJS= \
+@@ -609,8 +609,6 @@ LIBMPDEC_OBJS= \
 		Modules/_decimal/libmpdec/numbertheory.o \
 		Modules/_decimal/libmpdec/sixstep.o \
 		Modules/_decimal/libmpdec/transpose.o
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/_bz2module.c
--- Modules/_bz2module.c.orig
-+++ Modules/_bz2module.c
-@@ -593,6 +593,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len,
-     return result;
- 
- error:
-+    bzs->next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/_lzmamodule.c
--- Modules/_lzmamodule.c.orig
-+++ Modules/_lzmamodule.c
-@@ -1120,6 +1120,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len,
-     return result;
- 
- error:
-+    lzs->next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/zlibmodule.c
--- Modules/zlibmodule.c.orig
-+++ Modules/zlibmodule.c
-@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
-     return result;
- 
- error:
-+    self->zst.next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
@@ -49,7 +49,7 @@ Index: configure.ac
     # Any changes made here should be reflected in the GCC+Darwin case below
     PGO_PROF_GEN_FLAG="-fprofile-instr-generate"
     PGO_PROF_USE_FLAG="-fprofile-instr-use=\"\$(shell pwd)/code.profclangd\""
-@@ -4417,11 +4418,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
+@@ -4439,11 +4440,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
 dnl
 found_tcltk=no
 for _QUERY in \
@@ -1918,7 +1918,7 @@ lib/${PY_VERSION}/ensurepip/__pycache__/_uninstall.${PYC_MAGIC_TAG}.opt-1.pyc
 lib/${PY_VERSION}/ensurepip/__pycache__/_uninstall.${PYC_MAGIC_TAG}.opt-2.pyc
 lib/${PY_VERSION}/ensurepip/__pycache__/_uninstall.${PYC_MAGIC_TAG}.pyc
 lib/${PY_VERSION}/ensurepip/_bundled/
-lib/${PY_VERSION}/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
+lib/${PY_VERSION}/ensurepip/_bundled/pip-26.1.1-py3-none-any.whl
 lib/${PY_VERSION}/ensurepip/_uninstall.py
 lib/${PY_VERSION}/enum.py
 lib/${PY_VERSION}/filecmp.py
@@ -31,9 +31,6 @@ lib/${PY_VERSION}/test/__pycache__/_test_eintr.${PYC_MAGIC_TAG}.pyc
 lib/${PY_VERSION}/test/__pycache__/_test_embed_structseq.${PYC_MAGIC_TAG}.opt-1.pyc
 lib/${PY_VERSION}/test/__pycache__/_test_embed_structseq.${PYC_MAGIC_TAG}.opt-2.pyc
 lib/${PY_VERSION}/test/__pycache__/_test_embed_structseq.${PYC_MAGIC_TAG}.pyc
-lib/${PY_VERSION}/test/__pycache__/_test_gc_fast_cycles.${PYC_MAGIC_TAG}.opt-1.pyc
-lib/${PY_VERSION}/test/__pycache__/_test_gc_fast_cycles.${PYC_MAGIC_TAG}.opt-2.pyc
-lib/${PY_VERSION}/test/__pycache__/_test_gc_fast_cycles.${PYC_MAGIC_TAG}.pyc
 lib/${PY_VERSION}/test/__pycache__/_test_monitoring_shutdown.${PYC_MAGIC_TAG}.opt-1.pyc
 lib/${PY_VERSION}/test/__pycache__/_test_monitoring_shutdown.${PYC_MAGIC_TAG}.opt-2.pyc
 lib/${PY_VERSION}/test/__pycache__/_test_monitoring_shutdown.${PYC_MAGIC_TAG}.pyc
@@ -1362,7 +1359,6 @@ lib/${PY_VERSION}/test/_crossinterp_definitions.py
 lib/${PY_VERSION}/test/_test_atexit.py
 lib/${PY_VERSION}/test/_test_eintr.py
 lib/${PY_VERSION}/test/_test_embed_structseq.py
-lib/${PY_VERSION}/test/_test_gc_fast_cycles.py
 lib/${PY_VERSION}/test/_test_monitoring_shutdown.py
 lib/${PY_VERSION}/test/_test_multiprocessing.py
 lib/${PY_VERSION}/test/_test_venv_multiprocessing.py
@@ -3951,6 +3947,7 @@ lib/${PY_VERSION}/test/test_json/__pycache__/test_tool.${PYC_MAGIC_TAG}.pyc
 lib/${PY_VERSION}/test/test_json/__pycache__/test_unicode.${PYC_MAGIC_TAG}.opt-1.pyc
 lib/${PY_VERSION}/test/test_json/__pycache__/test_unicode.${PYC_MAGIC_TAG}.opt-2.pyc
 lib/${PY_VERSION}/test/test_json/__pycache__/test_unicode.${PYC_MAGIC_TAG}.pyc
+lib/${PY_VERSION}/test/test_json/json_lines.jsonl
 lib/${PY_VERSION}/test/test_json/test_decode.py
 lib/${PY_VERSION}/test/test_json/test_default.py
 lib/${PY_VERSION}/test/test_json/test_dump.py