Update to 3.6.9
Patches rebased: 294 (automatic) Patches already merged upstream: 317, 318
This commit is contained in:
parent
242778f56e
commit
d32d055885
|
@ -1,5 +1,5 @@
|
|||
diff --git a/Lib/ssl.py b/Lib/ssl.py
|
||||
index 1f3a31a..b54a684 100644
|
||||
index 58d3e93..0114387 100644
|
||||
--- a/Lib/ssl.py
|
||||
+++ b/Lib/ssl.py
|
||||
@@ -116,6 +116,7 @@ except ImportError:
|
||||
|
@ -79,18 +79,18 @@ index 1f3a31a..b54a684 100644
|
|||
if cafile or capath or cadata:
|
||||
context.load_verify_locations(cafile, capath, cadata)
|
||||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||
index 9785a59..34a7ec2 100644
|
||||
index 74adebc..510bb09 100644
|
||||
--- a/Lib/test/test_ssl.py
|
||||
+++ b/Lib/test/test_ssl.py
|
||||
@@ -18,6 +18,7 @@ import asyncore
|
||||
import weakref
|
||||
@@ -19,6 +19,7 @@ import weakref
|
||||
import platform
|
||||
import re
|
||||
import functools
|
||||
+import sysconfig
|
||||
try:
|
||||
import ctypes
|
||||
except ImportError:
|
||||
@@ -36,7 +37,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
|
||||
@@ -37,7 +38,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
|
||||
HOST = support.HOST
|
||||
IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
|
||||
IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
|
||||
|
@ -99,7 +99,7 @@ index 9785a59..34a7ec2 100644
|
|||
|
||||
def data_file(*name):
|
||||
return os.path.join(os.path.dirname(__file__), *name)
|
||||
@@ -889,6 +890,19 @@ class ContextTests(unittest.TestCase):
|
||||
@@ -952,6 +953,19 @@ class ContextTests(unittest.TestCase):
|
||||
with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
|
||||
ctx.set_ciphers("^$:,;?*'dorothyx")
|
||||
|
||||
|
@ -120,10 +120,10 @@ index 9785a59..34a7ec2 100644
|
|||
def test_get_ciphers(self):
|
||||
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
|
||||
index 5e007da..130f006 100644
|
||||
index 7365630..ec366f0 100644
|
||||
--- a/Modules/_ssl.c
|
||||
+++ b/Modules/_ssl.c
|
||||
@@ -237,6 +237,31 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
|
||||
@@ -238,6 +238,31 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
|
||||
|
||||
#endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
|
||||
|
||||
|
@ -155,7 +155,7 @@ index 5e007da..130f006 100644
|
|||
|
||||
enum py_ssl_error {
|
||||
/* these mirror ssl.h */
|
||||
@@ -2803,7 +2828,12 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
|
||||
@@ -2861,7 +2886,12 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
|
||||
/* A bare minimum cipher list without completely broken cipher suites.
|
||||
* It's far from perfect but gives users a better head start. */
|
||||
if (proto_version != PY_SSL_VERSION_SSL2) {
|
||||
|
@ -169,7 +169,7 @@ index 5e007da..130f006 100644
|
|||
} else {
|
||||
/* SSLv2 needs MD5 */
|
||||
result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
|
||||
@@ -5343,6 +5373,9 @@ PyInit__ssl(void)
|
||||
@@ -5457,6 +5487,9 @@ PyInit__ssl(void)
|
||||
(PyObject *)&PySSLSession_Type) != 0)
|
||||
return NULL;
|
||||
|
||||
|
@ -180,10 +180,10 @@ index 5e007da..130f006 100644
|
|||
PY_SSL_ERROR_ZERO_RETURN);
|
||||
PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 3703701..2eff514 100644
|
||||
index f986875..c071ec3 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -5598,6 +5598,42 @@ if test "$have_getrandom" = yes; then
|
||||
@@ -5663,6 +5663,42 @@ if test "$have_getrandom" = yes; then
|
||||
[Define to 1 if the getrandom() function is available])
|
||||
fi
|
||||
|
||||
|
|
|
@ -1,111 +0,0 @@
|
|||
From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Tue, 15 Jan 2019 18:16:30 +0100
|
||||
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser
|
||||
|
||||
CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
|
||||
not handle CRL distribution points with empty DP or URI correctly. A
|
||||
malicious or buggy certificate can result into segfault.
|
||||
|
||||
Signed-off-by: Christian Heimes <christian@python.org>
|
||||
---
|
||||
Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
|
||||
Lib/test/test_ssl.py | 22 +++++++++++++++++++
|
||||
.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
|
||||
Modules/_ssl.c | 4 ++++
|
||||
4 files changed, 51 insertions(+)
|
||||
create mode 100644 Lib/test/talos-2019-0758.pem
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
||||
|
||||
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
|
||||
new file mode 100644
|
||||
index 000000000000..13b95a77fd8a
|
||||
--- /dev/null
|
||||
+++ b/Lib/test/talos-2019-0758.pem
|
||||
@@ -0,0 +1,22 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
|
||||
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
|
||||
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
|
||||
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
|
||||
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
|
||||
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
|
||||
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
|
||||
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
|
||||
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
|
||||
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
|
||||
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
|
||||
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
|
||||
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
|
||||
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
|
||||
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
|
||||
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
|
||||
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
|
||||
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
|
||||
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
|
||||
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||
index 7f6b93148f45..1fc657f4d867 100644
|
||||
--- a/Lib/test/test_ssl.py
|
||||
+++ b/Lib/test/test_ssl.py
|
||||
@@ -115,6 +115,7 @@ def data_file(*name):
|
||||
BADKEY = data_file("badkey.pem")
|
||||
NOKIACERT = data_file("nokia.pem")
|
||||
NULLBYTECERT = data_file("nullbytecert.pem")
|
||||
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
|
||||
|
||||
DHFILE = data_file("ffdh3072.pem")
|
||||
BYTES_DHFILE = os.fsencode(DHFILE)
|
||||
@@ -348,6 +349,27 @@ def test_parse_cert(self):
|
||||
self.assertEqual(p['crlDistributionPoints'],
|
||||
('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
|
||||
|
||||
+ def test_parse_cert_CVE_2019_5010(self):
|
||||
+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
|
||||
+ if support.verbose:
|
||||
+ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
|
||||
+ self.assertEqual(
|
||||
+ p,
|
||||
+ {
|
||||
+ 'issuer': (
|
||||
+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
|
||||
+ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
|
||||
+ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
|
||||
+ 'serialNumber': '02',
|
||||
+ 'subject': ((('countryName', 'UK'),),
|
||||
+ (('commonName',
|
||||
+ 'codenomicon-vm-2.test.lal.cisco.com'),)),
|
||||
+ 'subjectAltName': (
|
||||
+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
|
||||
+ 'version': 3
|
||||
+ }
|
||||
+ )
|
||||
+
|
||||
def test_parse_cert_CVE_2013_4238(self):
|
||||
p = ssl._ssl._test_decode_cert(NULLBYTECERT)
|
||||
if support.verbose:
|
||||
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
||||
new file mode 100644
|
||||
index 000000000000..dffe347eec84
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
||||
@@ -0,0 +1,3 @@
|
||||
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
|
||||
+not handle CRL distribution points with empty DP or URI correctly. A
|
||||
+malicious or buggy certificate can result into segfault.
|
||||
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
|
||||
index 4e3352d9e661..0e720e268d93 100644
|
||||
--- a/Modules/_ssl.c
|
||||
+++ b/Modules/_ssl.c
|
||||
@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {
|
||||
STACK_OF(GENERAL_NAME) *gns;
|
||||
|
||||
dp = sk_DIST_POINT_value(dps, i);
|
||||
+ if (dp->distpoint == NULL) {
|
||||
+ /* Ignore empty DP value, CVE-2019-5010 */
|
||||
+ continue;
|
||||
+ }
|
||||
gns = dp->distpoint->name.fullname;
|
||||
|
||||
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
|
|
@ -1,44 +0,0 @@
|
|||
bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1
|
||||
|
||||
Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918:
|
||||
complete the previous partial backport (commit
|
||||
2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826.
|
||||
|
||||
Reported upstream:
|
||||
|
||||
* https://bugs.python.org/issue32947#msg333990
|
||||
* https://github.com/python/cpython/pull/11612
|
||||
|
||||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||
index 7f8f636..05c09a6 100644
|
||||
--- a/Lib/test/test_ssl.py
|
||||
+++ b/Lib/test/test_ssl.py
|
||||
@@ -2021,6 +2021,16 @@ if _have_threads:
|
||||
sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
|
||||
% (msg, ctype, msg.lower(), ctype))
|
||||
self.write(msg.lower())
|
||||
+ except ConnectionResetError:
|
||||
+ # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError
|
||||
+ # when connection is not shut down gracefully.
|
||||
+ if self.server.chatty and support.verbose:
|
||||
+ sys.stdout.write(
|
||||
+ " Connection reset by peer: {}\n".format(
|
||||
+ self.addr)
|
||||
+ )
|
||||
+ self.close()
|
||||
+ self.running = False
|
||||
except OSError:
|
||||
if self.server.chatty:
|
||||
handle_error("Test server failure:\n")
|
||||
@@ -2100,6 +2110,11 @@ if _have_threads:
|
||||
pass
|
||||
except KeyboardInterrupt:
|
||||
self.stop()
|
||||
+ except BaseException as e:
|
||||
+ if support.verbose and self.chatty:
|
||||
+ sys.stdout.write(
|
||||
+ ' connection handling failed: ' + repr(e) + '\n')
|
||||
+
|
||||
self.sock.close()
|
||||
|
||||
def stop(self):
|
|
@ -13,8 +13,8 @@ URL: https://www.python.org/
|
|||
|
||||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
Version: %{pybasever}.8
|
||||
Release: 6%{?dist}
|
||||
Version: %{pybasever}.9
|
||||
Release: 1%{?dist}
|
||||
License: Python
|
||||
|
||||
|
||||
|
@ -353,16 +353,6 @@ Patch292: 00292-restore-PyExc_RecursionErrorInst-symbol.patch
|
|||
# See also: https://bugzilla.redhat.com/show_bug.cgi?id=1489816
|
||||
Patch294: 00294-define-TLS-cipher-suite-on-build-time.patch
|
||||
|
||||
# 00317 #
|
||||
# Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser
|
||||
# Fixed upstream https://bugs.python.org/issue35746
|
||||
Patch317: 00317-CVE-2019-5010.patch
|
||||
|
||||
# 00318 #
|
||||
# test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1639531
|
||||
Patch318: 00318-test-ssl-fix-for-tls-13.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
|
@ -649,8 +639,6 @@ rm Lib/ensurepip/_bundled/*.whl
|
|||
%patch274 -p1
|
||||
%patch292 -p1
|
||||
%patch294 -p1
|
||||
%patch317 -p1
|
||||
%patch318 -p1
|
||||
|
||||
|
||||
# Remove files that should be generated by the build
|
||||
|
@ -1531,6 +1519,9 @@ CheckPython optimized
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Wed Jul 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.6.9-1
|
||||
- Update to 3.6.9
|
||||
|
||||
* Mon Feb 18 2019 Miro Hrončok <mhroncok@redhat.com> - 3.6.8-6
|
||||
- Reduced default build flags used to build extension modules
|
||||
https://fedoraproject.org/wiki/Changes/Python_Extension_Flags
|
||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (Python-3.6.8.tar.xz) = b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a
|
||||
SHA512 (Python-3.6.9.tar.xz) = 05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819
|
||||
|
|
Loading…
Reference in New Issue