Accepting request 1226960 from devel:languages:python

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1226960
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-waitress?expand=0&rev=34

python-waitress.changes

@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Wed Nov 20 17:06:45 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.0.2:
+  * When using Waitress to process trusted proxy headers,
+    Waitress will now update the headers to drop any untrusted
+    values, thereby making sure that WSGI apps only get trusted
+    and validated values that Waitress itself used to update the
+    environ.
+
+-------------------------------------------------------------------
+Wed Oct 30 06:49:46 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 3.0.1 (bsc#1232554, bsc#1232556, CVE-2024-49769, CVE-2024-49768):
+    * Fix a bug that would lead to Waitress busy looping on select()
+      on a half-open socket due to a race condition that existed when
+      creating a new HTTPChannel. See
+      https://github.com/Pylons/waitress/pull/435,
+      https://github.com/Pylons/waitress/issues/418 and
+      https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
+    * No longer strip the header values before passing them to the
+      WSGI environ. See https://github.com/Pylons/waitress/pull/434
+      and https://github.com/Pylons/waitress/issues/432
+    * Fix a race condition in Waitress when
+      `channel_request_lookahead` is enabled that could lead to HTTP
+      request smuggling.
+    * See https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
+
+-------------------------------------------------------------------
+Sun Jun 30 07:59:06 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.0.0:
+  * Fixed testing of vendored asyncore code to not rely on
+    particular naming for errno's.
+  * HTTP Request methods and versions are now validated to meet
+    the HTTP standards thereby dropping invalid requests on the floor.
+  * No longer close the connection when sending a HEAD request
+    response.
+  * Always attempt to send the Connection: close response header
+    when we are going to close the connection to let the remote
+    know in more instances.
+  * Document that trusted_proxy may be set to a wildcard value to
+    trust all proxies.
+  * clear_untrusted_proxy_headers is set to True by default.
+
 -------------------------------------------------------------------
 Mon Dec  4 15:20:28 UTC 2023 - Ana Guerrero <ana.guerrero@suse.com>
 
@@ -76,7 +121,7 @@ Thu Mar 17 17:42:42 UTC 2022 - Dirk Müller <dmueller@suse.com>
     previously get parsed as 10 and accepted. This stops potential HTTP
     desync/HTTP request smuggling Thanks to Zhang Zeyu for reporting this issue.
     See
-    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36 
+    https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
 
 -------------------------------------------------------------------
 Fri Aug 27 12:27:31 UTC 2021 - Stefan Schubert <schubi@suse.de>
@@ -157,9 +202,9 @@ Mon May 18 07:25:32 UTC 2020 - Petr Gajdos <pgajdos@suse.com>
 Thu Feb  6 17:29:20 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>
 
 - update to 1.4.3
-  * Waitress did not properly validate that the HTTP headers it received 
-    were properly formed, thereby potentially allowing a front-end server 
-    to treat a request different from Waitress. This could lead to HTTP 
+  * Waitress did not properly validate that the HTTP headers it received
+    were properly formed, thereby potentially allowing a front-end server
+    to treat a request different from Waitress. This could lead to HTTP
     request smuggling/splitting.
 - drop patch local-intersphinx-inventories.patch
   * it was commented out, anyway
@@ -186,7 +231,7 @@ Fri Dec 20 18:28:24 UTC 2019 - Dirk Mueller <dmueller@suse.com>
 Thu Aug 29 13:35:14 UTC 2019 - Marketa Calabkova <mcalabkova@suse.com>
 
 - update to 1.3.1
-  * Waitress won’t accidentally throw away part of the path if it 
+  * Waitress won’t accidentally throw away part of the path if it
     starts with a double slash
 
 -------------------------------------------------------------------
@@ -412,10 +457,10 @@ Tue Aug 13 10:15:30 UTC 2013 - dmueller@suse.com
 - update to 0.8.6:
  - Do alternate type of checking for UNIX socket support, instead of checking
    for platform == windows.
- 
+
  - Functional tests now use multiprocessing module instead of subprocess module,
    speeding up test suite and making concurrent execution more reliable.
- 
+
  - Runner now appends the current working directory to ``sys.path`` to support
    running WSGI applications from a directory (i.e., not installed in a
    virtualenv).
@@ -451,5 +496,5 @@ Mon Apr 29 14:14:25 UTC 2013 - speilicke@suse.com
 -------------------------------------------------------------------
 Mon Apr 29 13:06:10 UTC 2013 - dmueller@suse.com
 
-- Initial package (0.8.3) 
+- Initial package (0.8.3)
 

python-waitress.spec

@@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package python-waitress
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,7 +31,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-waitress%{psuffix}
-Version:        2.1.2
+Version:        3.0.2
 Release:        0
 Summary:        Waitress WSGI server
 License:        ZPL-2.1
@@ -42,7 +42,9 @@ Source:         https://files.pythonhosted.org/packages/source/w/waitress/waitre
 # https://docs.python.org/3/objects.inv -> python3.inv
 Source1:        python3.inv
 Source2:        fetch-intersphinx-inventories.sh
+BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros >= 20210929
 BuildArch:      noarch
@@ -53,7 +55,7 @@ BuildRequires:  alts
 Requires:       alts
 %else
 Requires(post): update-alternatives
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 %endif
 %else
 # Documentation requirements
@@ -87,10 +89,10 @@ http://docs.pylonsproject.org/projects/waitress/en/latest/ .
 sed -i '/addopts/d' setup.cfg
 
 %build
-%python_build
+%pyproject_wheel
 
 %install
-%python_install
+%pyproject_install
 %python_clone -a %{buildroot}%{_bindir}/waitress-serve
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
@@ -113,7 +115,7 @@ sed -i '/addopts/d' setup.cfg
 %doc COPYRIGHT.txt README.rst
 %python_alternative %{_bindir}/waitress-serve
 %{python_sitelib}/waitress
-%{python_sitelib}/waitress-%{version}*-info
+%{python_sitelib}/waitress-%{version}.dist-info
 
 %else