Accepting request 700428 from home:mcepl:branches:devel:languages:python:Factory

- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded
  whitespace or control characters through into the underlying
  http client request. Such potentially malicious header
  injection URLs now cause a ValueError to be raised.

OBS-URL: https://build.opensuse.org/request/show/700428
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=243
2019-05-03 15:46:24 +00:00
committed by Git OBS Bridge
parent 88ffffeead
commit 2f5ed5b585
5 changed files with 129 additions and 0 deletions

@@ -83,6 +83,9 @@ Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
# removing unnecessary (and potentially harmful) URL scheme local-file://
Patch52: CVE-2019-9948-avoid_local-file.patch
# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
# bpo#30458: Disallow control chars in http URLs.
Patch53: CVE-2019-9947-no-ctrl-char-http.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
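Review bot: the description comment above Patch53 ("bpo#30458: Disallow control chars in http URLs.") says less than the commit message does. According to the message, embedded whitespace is rejected as well, and such URLs now raise ValueError, which callers that previously passed these URLs through will notice. Suggest putting that in the comment, for example "Disallow whitespace and control chars in http URL paths (raises ValueError)", so the spec alone explains why a formerly accepted URL now fails. Patch53 is also declared before "# COMMON-PATCH-END", so any other spec file that carries this common block should receive the same three lines.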
@@ -243,6 +246,7 @@ that rely on earlier non-verification behavior.
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
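Review bot: "%patch53 -p1" is applied directly after %patch51 and %patch52, which by their file names also change URL handling, so the new patch has to be generated against the tree with those two already applied. If it was taken unchanged from upstream, check that it applies at this position without fuzz or offsets, and that the matching "Patch53:" declaration and this %patch line stay in the same order as the rest of the series.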