Compare commits
13 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
4017ecdf5c | ||
|
8231a6035b | ||
|
e8d957d10d | ||
|
4f080ec31e | ||
|
104735ad1e | ||
|
8ba2b3c10e | ||
|
c6dc7288ed | ||
|
3fa87d10ec | ||
|
2681260943 | ||
|
bb9e0079d1 | ||
|
90849f2a9f | ||
|
d8a5560ab5 | ||
|
582d517241 |
17
00209-fix-test-pyexpat-failure.patch
Normal file
17
00209-fix-test-pyexpat-failure.patch
Normal file
@ -0,0 +1,17 @@
|
||||
diff -r 682a8e36dd18 Lib/test/test_pyexpat.py
|
||||
--- a/Lib/test/test_pyexpat.py Tue Jul 05 17:08:52 2016 +0300
|
||||
+++ b/Lib/test/test_pyexpat.py Thu Jul 07 17:04:35 2016 +0800
|
||||
@@ -656,11 +656,9 @@
|
||||
# \xc2\x85 is UTF-8 encoded U+0085 (NEXT LINE)
|
||||
xml = b"<?xml version\xc2\x85='1.0'?>\r\n"
|
||||
parser = expat.ParserCreate()
|
||||
- try:
|
||||
+ err_pattern = r'XML declaration not well-formed: line 1, column \d+'
|
||||
+ with self.assertRaisesRegex(expat.ExpatError, err_pattern):
|
||||
parser.Parse(xml, True)
|
||||
- self.fail()
|
||||
- except expat.ExpatError as e:
|
||||
- self.assertEqual(str(e), 'XML declaration not well-formed: line 1, column 14')
|
||||
|
||||
class ErrorMessageTest(unittest.TestCase):
|
||||
def test_codes(self):
|
35
00237-Raise-an-error-when-STARTTLS-fails.patch
Normal file
35
00237-Raise-an-error-when-STARTTLS-fails.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 761db274ca898f8a92348ed5979d3d3c1b0d634a Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Orsava <torsava@redhat.com>
|
||||
Date: Fri, 17 Jun 2016 16:08:11 +0200
|
||||
Subject: [PATCH] Raise an error when STARTTLS fails
|
||||
|
||||
CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||
|
||||
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
|
||||
- in changeset 101887:d590114c2394 3.4
|
||||
- https://hg.python.org/cpython/rev/d590114c2394
|
||||
---
|
||||
Lib/smtplib.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
|
||||
index 4756973..dfbf5f9 100755
|
||||
--- a/Lib/smtplib.py
|
||||
+++ b/Lib/smtplib.py
|
||||
@@ -773,6 +773,11 @@ class SMTP:
|
||||
self.ehlo_resp = None
|
||||
self.esmtp_features = {}
|
||||
self.does_esmtp = 0
|
||||
+ else:
|
||||
+ # RFC 3207:
|
||||
+ # 501 Syntax error (no parameters allowed)
|
||||
+ # 454 TLS not available due to temporary reason
|
||||
+ raise SMTPResponseException(resp, reply)
|
||||
return (resp, reply)
|
||||
|
||||
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
|
||||
--
|
||||
2.5.5
|
||||
|
162
00238-Disabled-HTTP-header-injections-in-http-client.patch
Normal file
162
00238-Disabled-HTTP-header-injections-in-http-client.patch
Normal file
@ -0,0 +1,162 @@
|
||||
From 86589512cc1192e58343bbbc51bb4c09450dab90 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Orsava <torsava@redhat.com>
|
||||
Date: Fri, 24 Jun 2016 12:35:26 +0200
|
||||
Subject: [PATCH] Disabled HTTP header injections in http.client.
|
||||
|
||||
CVE-2016-5699 python: http protocol steam injection attack
|
||||
rhbz#1303699 : https://bugzilla.redhat.com/show_bug.cgi?id=1303699
|
||||
|
||||
Based on an upstream change by Demian Brecht and Serhiy Storchaka
|
||||
- in changeset 94952:bf3e1c9b80e9 3.4
|
||||
- https://hg.python.org/cpython/rev/bf3e1c9b80e9
|
||||
---
|
||||
Lib/http/client.py | 37 +++++++++++++++++++++++++++++++
|
||||
Lib/test/test_httplib.py | 57 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 94 insertions(+)
|
||||
|
||||
diff --git a/Lib/http/client.py b/Lib/http/client.py
|
||||
index 6de4b0e..7ec5899 100644
|
||||
--- a/Lib/http/client.py
|
||||
+++ b/Lib/http/client.py
|
||||
@@ -70,6 +70,7 @@ import email.parser
|
||||
import email.message
|
||||
import io
|
||||
import os
|
||||
+import re
|
||||
import socket
|
||||
import collections
|
||||
from urllib.parse import urlsplit
|
||||
@@ -215,6 +216,34 @@ MAXAMOUNT = 1048576
|
||||
_MAXLINE = 65536
|
||||
_MAXHEADERS = 100
|
||||
|
||||
+# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
|
||||
+#
|
||||
+# VCHAR = %x21-7E
|
||||
+# obs-text = %x80-FF
|
||||
+# header-field = field-name ":" OWS field-value OWS
|
||||
+# field-name = token
|
||||
+# field-value = *( field-content / obs-fold )
|
||||
+# field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
|
||||
+# field-vchar = VCHAR / obs-text
|
||||
+#
|
||||
+# obs-fold = CRLF 1*( SP / HTAB )
|
||||
+# ; obsolete line folding
|
||||
+# ; see Section 3.2.4
|
||||
+
|
||||
+# token = 1*tchar
|
||||
+#
|
||||
+# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
|
||||
+# / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
|
||||
+# / DIGIT / ALPHA
|
||||
+# ; any VCHAR, except delimiters
|
||||
+#
|
||||
+# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1
|
||||
+
|
||||
+# the patterns for both name and value are more leniant than RFC
|
||||
+# definitions to allow for backwards compatibility
|
||||
+_is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
|
||||
+_is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
|
||||
+
|
||||
|
||||
class HTTPMessage(email.message.Message):
|
||||
# XXX The only usage of this method is in
|
||||
@@ -1058,12 +1087,20 @@ class HTTPConnection:
|
||||
|
||||
if hasattr(header, 'encode'):
|
||||
header = header.encode('ascii')
|
||||
+
|
||||
+ if not _is_legal_header_name(header):
|
||||
+ raise ValueError('Invalid header name %r' % (header,))
|
||||
+
|
||||
values = list(values)
|
||||
for i, one_value in enumerate(values):
|
||||
if hasattr(one_value, 'encode'):
|
||||
values[i] = one_value.encode('latin-1')
|
||||
elif isinstance(one_value, int):
|
||||
values[i] = str(one_value).encode('ascii')
|
||||
+
|
||||
+ if _is_illegal_header_value(values[i]):
|
||||
+ raise ValueError('Invalid header value %r' % (values[i],))
|
||||
+
|
||||
value = b'\r\n\t'.join(values)
|
||||
header = header + b': ' + value
|
||||
self._output(header)
|
||||
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
|
||||
index 3fc3466..d5037f0 100644
|
||||
--- a/Lib/test/test_httplib.py
|
||||
+++ b/Lib/test/test_httplib.py
|
||||
@@ -148,6 +148,33 @@ class HeaderTests(TestCase):
|
||||
conn.putheader('Content-length', 42)
|
||||
self.assertIn(b'Content-length: 42', conn._buffer)
|
||||
|
||||
+ conn.putheader('Foo', ' bar ')
|
||||
+ self.assertIn(b'Foo: bar ', conn._buffer)
|
||||
+ conn.putheader('Bar', '\tbaz\t')
|
||||
+ self.assertIn(b'Bar: \tbaz\t', conn._buffer)
|
||||
+ conn.putheader('Authorization', 'Bearer mytoken')
|
||||
+ self.assertIn(b'Authorization: Bearer mytoken', conn._buffer)
|
||||
+ conn.putheader('IterHeader', 'IterA', 'IterB')
|
||||
+ self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer)
|
||||
+ conn.putheader('LatinHeader', b'\xFF')
|
||||
+ self.assertIn(b'LatinHeader: \xFF', conn._buffer)
|
||||
+ conn.putheader('Utf8Header', b'\xc3\x80')
|
||||
+ self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer)
|
||||
+ conn.putheader('C1-Control', b'next\x85line')
|
||||
+ self.assertIn(b'C1-Control: next\x85line', conn._buffer)
|
||||
+ conn.putheader('Embedded-Fold-Space', 'is\r\n allowed')
|
||||
+ self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer)
|
||||
+ conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed')
|
||||
+ self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer)
|
||||
+ conn.putheader('Key Space', 'value')
|
||||
+ self.assertIn(b'Key Space: value', conn._buffer)
|
||||
+ conn.putheader('KeySpace ', 'value')
|
||||
+ self.assertIn(b'KeySpace : value', conn._buffer)
|
||||
+ conn.putheader(b'Nonbreak\xa0Space', 'value')
|
||||
+ self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer)
|
||||
+ conn.putheader(b'\xa0NonbreakSpace', 'value')
|
||||
+ self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer)
|
||||
+
|
||||
def test_ipv6host_header(self):
|
||||
# Default host header on IPv6 transaction should wrapped by [] if
|
||||
# its actual IPv6 address
|
||||
@@ -177,6 +204,36 @@ class HeaderTests(TestCase):
|
||||
self.assertEqual(resp.getheader('First'), 'val')
|
||||
self.assertEqual(resp.getheader('Second'), 'val')
|
||||
|
||||
+ def test_invalid_headers(self):
|
||||
+ conn = client.HTTPConnection('example.com')
|
||||
+ conn.sock = FakeSocket('')
|
||||
+ conn.putrequest('GET', '/')
|
||||
+
|
||||
+ # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no
|
||||
+ # longer allowed in header names
|
||||
+ cases = (
|
||||
+ (b'Invalid\r\nName', b'ValidValue'),
|
||||
+ (b'Invalid\rName', b'ValidValue'),
|
||||
+ (b'Invalid\nName', b'ValidValue'),
|
||||
+ (b'\r\nInvalidName', b'ValidValue'),
|
||||
+ (b'\rInvalidName', b'ValidValue'),
|
||||
+ (b'\nInvalidName', b'ValidValue'),
|
||||
+ (b' InvalidName', b'ValidValue'),
|
||||
+ (b'\tInvalidName', b'ValidValue'),
|
||||
+ (b'Invalid:Name', b'ValidValue'),
|
||||
+ (b':InvalidName', b'ValidValue'),
|
||||
+ (b'ValidName', b'Invalid\r\nValue'),
|
||||
+ (b'ValidName', b'Invalid\rValue'),
|
||||
+ (b'ValidName', b'Invalid\nValue'),
|
||||
+ (b'ValidName', b'InvalidValue\r\n'),
|
||||
+ (b'ValidName', b'InvalidValue\r'),
|
||||
+ (b'ValidName', b'InvalidValue\n'),
|
||||
+ )
|
||||
+ for name, value in cases:
|
||||
+ with self.subTest((name, value)):
|
||||
+ with self.assertRaisesRegex(ValueError, 'Invalid header'):
|
||||
+ conn.putheader(name, value)
|
||||
+
|
||||
|
||||
class BasicTest(TestCase):
|
||||
def test_status_lines(self):
|
||||
--
|
||||
2.9.0
|
||||
|
@ -0,0 +1,39 @@
|
||||
From ae99040f6c1f329d6b6c984f39c920f09d383925 Mon Sep 17 00:00:00 2001
|
||||
From: Charalampos Stratakis <cstratak@redhat.com>
|
||||
Date: Mon, 11 Jul 2016 11:21:29 +0200
|
||||
Subject: [PATCH] CVE-2016-5636 fix
|
||||
|
||||
---
|
||||
Modules/zipimport.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
|
||||
index 8fe9195..f72e89f 100644
|
||||
--- a/Modules/zipimport.c
|
||||
+++ b/Modules/zipimport.c
|
||||
@@ -1071,6 +1071,10 @@ get_data(PyObject *archive, PyObject *toc_entry)
|
||||
&date, &crc)) {
|
||||
return NULL;
|
||||
}
|
||||
+ if (data_size < 0) {
|
||||
+ PyErr_Format(ZipImportError, "negative data size");
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
fp = _Py_fopen_obj(archive, "rb");
|
||||
if (!fp) {
|
||||
@@ -1111,6 +1115,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
|
||||
}
|
||||
file_offset += l; /* Start of file data */
|
||||
|
||||
+ if (data_size > LONG_MAX - 1) {
|
||||
+ fclose(fp);
|
||||
+ PyErr_NoMemory();
|
||||
+ return NULL;
|
||||
+ }
|
||||
bytes_size = compress == 0 ? data_size : data_size + 1;
|
||||
if (bytes_size == 0)
|
||||
bytes_size++;
|
||||
--
|
||||
2.7.4
|
||||
|
100
00242-CVE-2016-1000110-httpoxy.patch
Normal file
100
00242-CVE-2016-1000110-httpoxy.patch
Normal file
@ -0,0 +1,100 @@
|
||||
|
||||
# HG changeset patch
|
||||
# User Senthil Kumaran <senthil@uthcode.com>
|
||||
# Date 1469947146 25200
|
||||
# Node ID a0ac52ed8f7918222603b584ec8fc93d9b7bc0a5
|
||||
# Parent 4cb94e561e2db9865fb4d752f2bceefca4c6819a# Parent 3c19023c9fec5a615c25598468b44fade89049ce
|
||||
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
|
||||
|
||||
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
|
||||
indicates that the script is in CGI mode.
|
||||
|
||||
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
||||
|
||||
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
|
||||
--- a/Doc/howto/urllib2.rst
|
||||
+++ b/Doc/howto/urllib2.rst
|
||||
@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ han
|
||||
through a proxy. However, this can be enabled by extending urllib.request as
|
||||
shown in the recipe [#]_.
|
||||
|
||||
+.. note::
|
||||
+
|
||||
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
|
||||
+ the documentation on :func:`~urllib.request.getproxies`.
|
||||
+
|
||||
|
||||
Sockets and Layers
|
||||
==================
|
||||
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
|
||||
--- a/Doc/library/urllib.request.rst
|
||||
+++ b/Doc/library/urllib.request.rst
|
||||
@@ -166,6 +166,16 @@ The :mod:`urllib.request` module defines the following functions:
|
||||
cannot find it, looks for proxy information from Mac OSX System
|
||||
Configuration for Mac OS X and Windows Systems Registry for Windows.
|
||||
|
||||
+ .. note::
|
||||
+
|
||||
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
|
||||
+ indicates your script is running in a CGI environment, the environment
|
||||
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
|
||||
+ because that variable can be injected by a client using the "Proxy:" HTTP
|
||||
+ header. If you need to use an HTTP proxy in a CGI environment, either use
|
||||
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
|
||||
+ lowercase (or at least the ``_proxy`` suffix).
|
||||
+
|
||||
|
||||
The following classes are provided:
|
||||
|
||||
@@ -275,6 +285,12 @@ The following classes are provided:
|
||||
|
||||
To disable autodetected proxy pass an empty dictionary.
|
||||
|
||||
+ .. note::
|
||||
+
|
||||
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
|
||||
+ see the documentation on :func:`~urllib.request.getproxies`.
|
||||
+
|
||||
+
|
||||
|
||||
.. class:: HTTPPasswordMgr()
|
||||
|
||||
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
||||
--- a/Lib/test/test_urllib.py
|
||||
+++ b/Lib/test/test_urllib.py
|
||||
@@ -225,6 +225,18 @@ class ProxyTests(unittest.TestCase):
|
||||
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
|
||||
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
|
||||
|
||||
+ def test_proxy_cgi_ignore(self):
|
||||
+ try:
|
||||
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
|
||||
+ proxies = urllib.request.getproxies_environment()
|
||||
+ self.assertEqual('http://somewhere:3128', proxies['http'])
|
||||
+ self.env.set('REQUEST_METHOD', 'GET')
|
||||
+ proxies = urllib.request.getproxies_environment()
|
||||
+ self.assertNotIn('http', proxies)
|
||||
+ finally:
|
||||
+ self.env.unset('REQUEST_METHOD')
|
||||
+ self.env.unset('HTTP_PROXY')
|
||||
+
|
||||
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin):
|
||||
"""Test urlopen() opening a fake http connection."""
|
||||
|
||||
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
|
||||
--- a/Lib/urllib/request.py
|
||||
+++ b/Lib/urllib/request.py
|
||||
@@ -2394,6 +2394,12 @@ def getproxies_environment():
|
||||
name = name.lower()
|
||||
if value and name[-6:] == '_proxy':
|
||||
proxies[name[:-6]] = value
|
||||
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
|
||||
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
|
||||
+ # header from the client
|
||||
+ # If "proxy" is lowercase, it will still be used thanks to the next block
|
||||
+ if 'REQUEST_METHOD' in os.environ:
|
||||
+ proxies.pop('http', None)
|
||||
return proxies
|
||||
|
||||
def proxy_bypass_environment(host):
|
||||
|
@ -1,16 +0,0 @@
|
||||
%__python3 /usr/bin/python3
|
||||
%python3_sitelib %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
|
||||
%python3_sitearch %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")
|
||||
%python3_version %(%{__python3} -c "import sys; sys.stdout.write(sys.version[:3])")
|
||||
%python3_version_nodots %(%{__python3} -c "import sys; sys.stdout.write(sys.version[:3].replace('.',''))")
|
||||
%py3dir %{_builddir}/python3-%{name}-%{version}-%{release}
|
||||
|
||||
%py3_shbang_opts -s
|
||||
|
||||
%py3_build() %{expand:\
|
||||
CFLAGS="%{optflags}" %{__python3} %{py_setup} %{?py_setup_args} build --executable="%{__python3} %{py3_shbang_opts}" %{?1}\
|
||||
}
|
||||
|
||||
%py3_install() %{expand:\
|
||||
CFLAGS="%{optflags}" %{__python3} %{py_setup} %{?py_setup_args} install -O1 --skip-build --root %{buildroot} %{?1}\
|
||||
}
|
110
python3.spec
110
python3.spec
@ -140,7 +140,7 @@
|
||||
Summary: Version 3 of the Python programming language aka Python 3000
|
||||
Name: python3
|
||||
Version: %{pybasever}.3
|
||||
Release: 5%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: Python
|
||||
Group: Development/Languages
|
||||
|
||||
@ -216,10 +216,6 @@ Source1: find-provides-without-python-sonames.sh
|
||||
%global _use_internal_dependency_generator 0
|
||||
%global __find_provides %{SOURCE1}
|
||||
|
||||
# Supply various useful macros for building python 3 modules:
|
||||
# __python3, python3_sitelib, python3_sitearch
|
||||
Source2: macros.python%{pybasever}
|
||||
|
||||
# Supply an RPM macro "py_byte_compile" for the python3-devel subpackage
|
||||
# to enable specfiles to selectively byte-compile individual files and paths
|
||||
# with different Python runtimes as necessary:
|
||||
@ -734,26 +730,54 @@ Patch203: 00203-disable-threading-test-koji.patch
|
||||
# openssl requires DH keys to be > 768bits
|
||||
Patch204: 00204-increase-dh-keys-size.patch
|
||||
|
||||
# 00209 #
|
||||
# Fix test breakage with version 2.2.0 of Expat
|
||||
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
|
||||
# FIXED UPSTREAM: http://bugs.python.org/issue27369
|
||||
Patch209: 00209-fix-test-pyexpat-failure.patch
|
||||
|
||||
# 00237 #
|
||||
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
|
||||
# Raise an error when STARTTLS fails
|
||||
Patch237: 00237-Raise-an-error-when-STARTTLS-fails.patch
|
||||
|
||||
# 00238 #
|
||||
# CVE-2016-5699 python: http protocol steam injection attack
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1303699
|
||||
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9
|
||||
# Disabled HTTP header injections in http.client
|
||||
# Resolves: rhbz#1331392
|
||||
Patch238: 00238-Disabled-HTTP-header-injections-in-http-client.patch
|
||||
|
||||
# 00241 #
|
||||
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
|
||||
# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
|
||||
# https://hg.python.org/cpython/rev/10dad6da1b28/
|
||||
# https://hg.python.org/cpython/rev/5533a9e02b21
|
||||
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
||||
# FIXED UPSTREAM: https://bugs.python.org/issue26171
|
||||
Patch241: 00241-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
|
||||
|
||||
# 00242 #
|
||||
# HTTPoxy attack (CVE-2016-1000110)
|
||||
# https://httpoxy.org/
|
||||
# FIXED UPSTREAM: http://bugs.python.org/issue27568
|
||||
# Based on a patch by Rémi Rampin
|
||||
# Resolves: rhbz#1359177
|
||||
Patch242: 00242-CVE-2016-1000110-httpoxy.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
|
||||
# please try to keep the patch numbers in-sync between the two specfiles:
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
# please try to keep the patch numbers in-sync between all specfiles.
|
||||
#
|
||||
# - use the same patch number across both specfiles for conceptually-equivalent
|
||||
# fixes, ideally with the same name
|
||||
# More information, and a patch number catalog, is at:
|
||||
#
|
||||
# - when a patch is relevant to both specfiles, use the same introductory
|
||||
# comment in both specfiles where possible (to improve "diff" output when
|
||||
# comparing them)
|
||||
#
|
||||
# - when a patch is only relevant for one of the two specfiles, leave a gap
|
||||
# in the patch numbering in the other specfile, adding a comment when
|
||||
# omitting a patch, both in the manifest section here, and in the "prep"
|
||||
# phase below
|
||||
#
|
||||
# Hopefully this will make it easier to ensure that all relevant fixes are
|
||||
# applied to both versions.
|
||||
# https://fedoraproject.org/wiki/SIGs/Python/PythonPatches
|
||||
|
||||
|
||||
# This is the generated patch to "configure"; see the description of
|
||||
# %{regenerate_autotooling_patch}
|
||||
@ -803,8 +827,9 @@ Summary: Libraries and header files needed for Python 3 development
|
||||
Group: Development/Libraries
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
BuildRequires: python-macros
|
||||
Requires: python-macros
|
||||
BuildRequires: python-rpm-macros
|
||||
Requires: python-rpm-macros
|
||||
Requires: python3-rpm-macros
|
||||
Conflicts: %{name} < %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
@ -915,7 +940,7 @@ for f in md5module.c sha1module.c sha256module.c sha512module.c; do
|
||||
done
|
||||
|
||||
%if 0%{with_rewheel}
|
||||
%global pip_version 7.0.3
|
||||
%global pip_version 7.1.0
|
||||
sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/ensurepip/__init__.py
|
||||
%endif
|
||||
|
||||
@ -1025,6 +1050,12 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
|
||||
%patch203 -p1
|
||||
%patch204 -p1
|
||||
|
||||
%patch209 -p1
|
||||
%patch237 -p1
|
||||
%patch238 -p1
|
||||
%patch241 -p1
|
||||
%patch242 -p1
|
||||
|
||||
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
||||
# are many differences between 2.6 and the Python 3 library.
|
||||
#
|
||||
@ -1372,7 +1403,6 @@ find %{buildroot} \
|
||||
|
||||
# Install macros for rpm:
|
||||
mkdir -p %{buildroot}/%{_rpmconfigdir}/macros.d/
|
||||
install -m 644 %{SOURCE2} %{buildroot}/%{_rpmconfigdir}/macros.d/
|
||||
install -m 644 %{SOURCE3} %{buildroot}/%{_rpmconfigdir}/macros.d/
|
||||
|
||||
# Ensure that the curses module was linked against libncursesw.so, rather than
|
||||
@ -1756,7 +1786,6 @@ rm -fr %{buildroot}
|
||||
%{_libdir}/pkgconfig/python-%{LDVERSION_optimized}.pc
|
||||
%{_libdir}/pkgconfig/python-%{pybasever}.pc
|
||||
%{_libdir}/pkgconfig/python3.pc
|
||||
%{_rpmconfigdir}/macros.d/macros.python%{pybasever}
|
||||
%{_rpmconfigdir}/macros.d/macros.pybytecompile%{pybasever}
|
||||
|
||||
%files tools
|
||||
@ -1920,7 +1949,36 @@ rm -fr %{buildroot}
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Mon Jun 29 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.3-4
|
||||
* Tue Aug 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-12
|
||||
- Fix for CVE-2016-1000110 HTTPoxy attack
|
||||
- SPEC file cleanup
|
||||
|
||||
* Mon Jul 11 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-11
|
||||
- Refactor patch for properly fixing CVE-2016-5636
|
||||
|
||||
* Mon Jul 11 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-10
|
||||
- Fix test_pyexpat failure with Expat version of 2.2.0
|
||||
|
||||
* Fri Jun 24 2016 Tomas Orsava <torsava@redhat.com> - 3.4.3-9
|
||||
- Fix CVE-2016-5699 python: http protocol steam injection attack (rhbz#1303699)
|
||||
- Fixed upstream: https://hg.python.org/cpython/rev/bf3e1c9b80e9
|
||||
- Disabled HTTP header injections in http.client
|
||||
Resolves: rhbz#1331392
|
||||
|
||||
* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 3.4.3-8
|
||||
- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
- Raise an error when STARTTLS fails
|
||||
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||
- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
|
||||
|
||||
* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-7
|
||||
- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()
|
||||
|
||||
* Mon Mar 28 2016 Orion Poplwski <orion@cora.nwra.com> - 3.4.3-6
|
||||
- Drop python3 macros, require python/python3-rpm-macros
|
||||
|
||||
* Mon Jun 29 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.3-5
|
||||
- python3-devel: Require python-macros for version independant macros such as
|
||||
python_provide. See fpc#281 and fpc#534.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user