From 8a079a06e92594496ebb736abebed7b072d38dbf4660537948d3c9291828c6f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 13 Dec 2024 12:31:47 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main python-tornado6 revision bf4ee9851ee7e165de08d6c01642671e
---
 openssl-3.2.patch | 13 -----------
 python-tornado6.changes | 51 +++++++++++++++++++++++++++++++++++++++++
 python-tornado6.spec | 7 ++----
 tornado-6.4.2.tar.gz | 3 +++
 tornado-6.4.tar.gz | 3 ---
 5 files changed, 56 insertions(+), 21 deletions(-)
 delete mode 100644 openssl-3.2.patch
 create mode 100644 tornado-6.4.2.tar.gz
 delete mode 100644 tornado-6.4.tar.gz
diff --git a/openssl-3.2.patch b/openssl-3.2.patch
deleted file mode 100644
index 03ea042..0000000
--- a/openssl-3.2.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: tornado-6.4/tornado/iostream.py
-===================================================================
---- tornado-6.4.orig/tornado/iostream.py
-+++ tornado-6.4/tornado/iostream.py
-@@ -1374,7 +1374,7 @@ class SSLIOStream(IOStream):
- return
- elif err.args[0] in (ssl.SSL_ERROR_EOF, ssl.SSL_ERROR_ZERO_RETURN):
- return self.close(exc_info=err)
-- elif err.args[0] == ssl.SSL_ERROR_SSL:
-+ elif err.args[0] in (ssl.SSL_ERROR_SSL, ssl.SSL_ERROR_SYSCALL):
- try:
- peer = self.socket.getpeername()
- except Exception:
diff --git a/python-tornado6.changes b/python-tornado6.changes
index 55b207f..923e9f7 100644
--- a/python-tornado6.changes
+++ b/python-tornado6.changes
@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Mon Nov 25 03:19:20 UTC 2024 - Steve Kowalik
+
+- Update to 6.4.2:
+ + Security Improvements:
+ * Parsing of the cookie header is now much more efficient. The older
+ algorithm sometimes had quadratic performance which allowed for a
+ denial-of-service attack in which the server would spend excessive
+ CPU time parsing cookies and block the event loop.
+ (CVE-2024-52804, bsc#1233668)
+
+-------------------------------------------------------------------
+Wed Jul 31 09:32:23 UTC 2024 - Dominique Leuenberger
+
+- Update to version 6.4.1:
+ + Security Improvements:
+ - Parsing of the ``Transfer-Encoding`` header is now stricter.
+ Unexpected transfer-encoding values were previously ignored
+ and treated as the HTTP/1.0 default of read-until-close. This
+ can lead to framing issues with certain proxies. We now treat
+ any unexpected value as an error.
+ - Handling of whitespace in headers now matches the RFC more
+ closely. Only space and tab characters are treated as
+ whitespace and stripped from the beginning and end of header
+ values. Other unicode whitespace characters are now left
+ alone. This could also lead to framing issues with certain
+ proxies.
+ - `tornado.curl_httpclient` now prohibits carriage return and
+ linefeed headers in HTTP headers (matching the behavior of
+ `simple_httpclient`). These characters could be used for
+ header injection or request smuggling if untrusted data were
+ used in headers.
+ + General Changes:
+ - `tornado.iostream`: `SLIOStream` now understands changes to
+ error codes from OpenSSL 3.2. The main result of this change
+ is to reduce the noise in the logs for certain errors.
+ - `tornado.simple_httpclient`: `simple_httpclient` now
+ prohibits carriage return characters in HTTP headers. It had
+ previously prohibited only linefeed characters.
+ - `tornado.testing`: `.AsyncTestCase` subclasses can now be + instantiated without being associated with a test method. + Improves compatibility with test discovery in Pytest 8.2. +- Drop support-pytest-8.2.patch: fixed upstream. +- Drop openssl-3.2.patch: fixed upstream. + +------------------------------------------------------------------- +Fri May 17 03:37:07 UTC 2024 - Steve Kowalik + +- Add patch support-pytest-8.2.patch: + * Support pytest >= 8.2 changes. + ------------------------------------------------------------------- Thu Jan 11 13:28:34 UTC 2024 - Daniel Garcia diff --git a/python-tornado6.spec b/python-tornado6.spec index 58669c2..20425e7 100644 --- a/python-tornado6.spec +++ b/python-tornado6.spec @@ -17,9 +17,8 @@ %{?sle15_python_module_pythons} -%define skip_python2 1 Name: python-tornado6 -Version: 6.4 +Version: 6.4.2 Release: 0 Summary: Open source version of scalable, non-blocking web server that power FriendFeed License: Apache-2.0 @@ -28,8 +27,6 @@ Source: https://files.pythonhosted.org/packages/source/t/tornado/tornado Source99: python-tornado6-rpmlintrc # PATCH-FIX-OPENSUSE ignore-resourcewarning-doctests.patch -- ignore resource warnings on OBS Patch0: ignore-resourcewarning-doctests.patch -# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#tornadoweb/tornado#3355 -Patch1: openssl-3.2.patch BuildRequires: %{python_module base >= 3.8} BuildRequires: %{python_module devel} BuildRequires: %{python_module pip} @@ -106,6 +103,6 @@ export TRAVIS=1 %license LICENSE %doc %{_docdir}/%{python_prefix}-tornado6 %{python_sitearch}/tornado -%{python_sitearch}/tornado-%{version}*-info +%{python_sitearch}/tornado-%{version}.dist-info %changelog diff --git a/tornado-6.4.2.tar.gz b/tornado-6.4.2.tar.gz new file mode 100644 index 0000000..913eb6c --- /dev/null +++ b/tornado-6.4.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237ad620b +size 501135 
diff --git a/tornado-6.4.tar.gz b/tornado-6.4.tar.gz
deleted file mode 100644
index 96d31ad..0000000
--- a/tornado-6.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:72291fa6e6bc84e626589f1c29d90a5a6d593ef5ae68052ee2ef000dfd273dee
-size 498845