diff --git a/00294-define-TLS-cipher-suite-on-build-time.patch b/00294-define-TLS-cipher-suite-on-build-time.patch index aed4032..485c6f0 100644 --- a/00294-define-TLS-cipher-suite-on-build-time.patch +++ b/00294-define-TLS-cipher-suite-on-build-time.patch @@ -1,5 +1,5 @@ diff --git a/Lib/ssl.py b/Lib/ssl.py -index 1f3a31a..b54a684 100644 +index 58d3e93..0114387 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -116,6 +116,7 @@ except ImportError: @@ -79,18 +79,18 @@ index 1f3a31a..b54a684 100644 if cafile or capath or cadata: context.load_verify_locations(cafile, capath, cadata) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 9785a59..34a7ec2 100644 +index 74adebc..510bb09 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py -@@ -18,6 +18,7 @@ import asyncore - import weakref +@@ -19,6 +19,7 @@ import weakref import platform + import re import functools +import sysconfig try: import ctypes except ImportError: -@@ -36,7 +37,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) +@@ -37,7 +38,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) HOST = support.HOST IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) @@ -99,7 +99,7 @@ index 9785a59..34a7ec2 100644 def data_file(*name): return os.path.join(os.path.dirname(__file__), *name) -@@ -889,6 +890,19 @@ class ContextTests(unittest.TestCase): +@@ -952,6 +953,19 @@ class ContextTests(unittest.TestCase): with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"): ctx.set_ciphers("^$:,;?*'dorothyx") @@ -120,10 +120,10 @@ index 9785a59..34a7ec2 100644 def test_get_ciphers(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index 5e007da..130f006 100644 +index 7365630..ec366f0 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c -@@ -237,6 +237,31 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s) +@@ -238,6 +238,31 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s) #endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */ @@ -155,7 +155,7 @@ index 5e007da..130f006 100644 enum py_ssl_error { /* these mirror ssl.h */ -@@ -2803,7 +2828,12 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) +@@ -2861,7 +2886,12 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) /* A bare minimum cipher list without completely broken cipher suites. * It's far from perfect but gives users a better head start. */ if (proto_version != PY_SSL_VERSION_SSL2) { @@ -169,7 +169,7 @@ index 5e007da..130f006 100644 } else { /* SSLv2 needs MD5 */ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL"); -@@ -5343,6 +5373,9 @@ PyInit__ssl(void) +@@ -5457,6 +5487,9 @@ PyInit__ssl(void) (PyObject *)&PySSLSession_Type) != 0) return NULL; @@ -180,10 +180,10 @@ index 5e007da..130f006 100644 PY_SSL_ERROR_ZERO_RETURN); PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ", diff --git a/configure.ac b/configure.ac -index 3703701..2eff514 100644 +index f986875..c071ec3 100644 --- a/configure.ac +++ b/configure.ac -@@ -5598,6 +5598,42 @@ if test "$have_getrandom" = yes; then +@@ -5663,6 +5663,42 @@ if test "$have_getrandom" = yes; then [Define to 1 if the getrandom() function is available]) fi diff --git a/00317-CVE-2019-5010.patch b/00317-CVE-2019-5010.patch deleted file mode 100644 index 62e931e..0000000 --- a/00317-CVE-2019-5010.patch +++ /dev/null @@ -1,111 +0,0 @@ -From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 15 Jan 2019 18:16:30 +0100 -Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser - -CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did -not handle CRL distribution points with empty DP or URI correctly. A -malicious or buggy certificate can result into segfault. - -Signed-off-by: Christian Heimes ---- - Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ - Lib/test/test_ssl.py | 22 +++++++++++++++++++ - .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ - Modules/_ssl.c | 4 ++++ - 4 files changed, 51 insertions(+) - create mode 100644 Lib/test/talos-2019-0758.pem - create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst - -diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem -new file mode 100644 -index 000000000000..13b95a77fd8a ---- /dev/null -+++ b/Lib/test/talos-2019-0758.pem -@@ -0,0 +1,22 @@ -+-----BEGIN CERTIFICATE----- -+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO -+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 -+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh -+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB -+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES -+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD -+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C -+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP -+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF -+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp -+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io -+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 -+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu -+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG -+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p -+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr -+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit -+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV -+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ -+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== -+-----END CERTIFICATE----- -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 7f6b93148f45..1fc657f4d867 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -115,6 +115,7 @@ def data_file(*name): - BADKEY = data_file("badkey.pem") - NOKIACERT = data_file("nokia.pem") - NULLBYTECERT = data_file("nullbytecert.pem") -+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") - - DHFILE = data_file("ffdh3072.pem") - BYTES_DHFILE = os.fsencode(DHFILE) -@@ -348,6 +349,27 @@ def test_parse_cert(self): - self.assertEqual(p['crlDistributionPoints'], - ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) - -+ def test_parse_cert_CVE_2019_5010(self): -+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) -+ if support.verbose: -+ sys.stdout.write("\n" + pprint.pformat(p) + "\n") -+ self.assertEqual( -+ p, -+ { -+ 'issuer': ( -+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), -+ 'notAfter': 'Jun 14 18:00:58 2028 GMT', -+ 'notBefore': 'Jun 18 18:00:58 2018 GMT', -+ 'serialNumber': '02', -+ 'subject': ((('countryName', 'UK'),), -+ (('commonName', -+ 'codenomicon-vm-2.test.lal.cisco.com'),)), -+ 'subjectAltName': ( -+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), -+ 'version': 3 -+ } -+ ) -+ - def test_parse_cert_CVE_2013_4238(self): - p = ssl._ssl._test_decode_cert(NULLBYTECERT) - if support.verbose: -diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -new file mode 100644 -index 000000000000..dffe347eec84 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -@@ -0,0 +1,3 @@ -+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did -+not handle CRL distribution points with empty DP or URI correctly. A -+malicious or buggy certificate can result into segfault. -diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index 4e3352d9e661..0e720e268d93 100644 ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) { - STACK_OF(GENERAL_NAME) *gns; - - dp = sk_DIST_POINT_value(dps, i); -+ if (dp->distpoint == NULL) { -+ /* Ignore empty DP value, CVE-2019-5010 */ -+ continue; -+ } - gns = dp->distpoint->name.fullname; - - for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { diff --git a/00318-test-ssl-fix-for-tls-13.patch b/00318-test-ssl-fix-for-tls-13.patch deleted file mode 100644 index 7b00d75..0000000 --- a/00318-test-ssl-fix-for-tls-13.patch +++ /dev/null @@ -1,44 +0,0 @@ -bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 - -Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918: -complete the previous partial backport (commit -2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826. - -Reported upstream: - -* https://bugs.python.org/issue32947#msg333990 -* https://github.com/python/cpython/pull/11612 - -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 7f8f636..05c09a6 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -2021,6 +2021,16 @@ if _have_threads: - sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n" - % (msg, ctype, msg.lower(), ctype)) - self.write(msg.lower()) -+ except ConnectionResetError: -+ # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError -+ # when connection is not shut down gracefully. -+ if self.server.chatty and support.verbose: -+ sys.stdout.write( -+ " Connection reset by peer: {}\n".format( -+ self.addr) -+ ) -+ self.close() -+ self.running = False - except OSError: - if self.server.chatty: - handle_error("Test server failure:\n") -@@ -2100,6 +2110,11 @@ if _have_threads: - pass - except KeyboardInterrupt: - self.stop() -+ except BaseException as e: -+ if support.verbose and self.chatty: -+ sys.stdout.write( -+ ' connection handling failed: ' + repr(e) + '\n') -+ - self.sock.close() - - def stop(self): diff --git a/python36.spec b/python36.spec index ef46f9c..d9c9753 100644 --- a/python36.spec +++ b/python36.spec @@ -13,8 +13,8 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -Version: %{pybasever}.8 -Release: 6%{?dist} +Version: %{pybasever}.9 +Release: 1%{?dist} License: Python @@ -353,16 +353,6 @@ Patch292: 00292-restore-PyExc_RecursionErrorInst-symbol.patch # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1489816 Patch294: 00294-define-TLS-cipher-suite-on-build-time.patch -# 00317 # -# Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser -# Fixed upstream https://bugs.python.org/issue35746 -Patch317: 00317-CVE-2019-5010.patch - -# 00318 # -# test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 -# https://bugzilla.redhat.com/show_bug.cgi?id=1639531 -Patch318: 00318-test-ssl-fix-for-tls-13.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -649,8 +639,6 @@ rm Lib/ensurepip/_bundled/*.whl %patch274 -p1 %patch292 -p1 %patch294 -p1 -%patch317 -p1 -%patch318 -p1 # Remove files that should be generated by the build @@ -1531,6 +1519,9 @@ CheckPython optimized # ====================================================== %changelog +* Wed Jul 03 2019 Miro Hrončok - 3.6.9-1 +- Update to 3.6.9 + * Mon Feb 18 2019 Miro Hrončok - 3.6.8-6 - Reduced default build flags used to build extension modules https://fedoraproject.org/wiki/Changes/Python_Extension_Flags diff --git a/sources b/sources index ba4e466..6821fa3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (Python-3.6.8.tar.xz) = b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a +SHA512 (Python-3.6.9.tar.xz) = 05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819