pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 742620 from devel:languages:python:Factory

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/742620
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=143
This commit is contained in:
Dominique Leuenberger 2019-11-04 16:08:49 +00:00 committed by Git OBS Bridge
commit 35b7abfdc2
17 changed files with 41 additions and 581 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
CVE-2018-20852-cookie-domain-check.patch
View File

@ -1,103 +0,0 @@
From def9e64d6aee945c19d9dab896fa91e915d96843 Mon Sep 17 00:00:00 2001
From: Karthikeyan Singaravelan <tir.karthi@gmail.com>
Date: Mon, 20 May 2019 00:33:52 +0530
Subject: [PATCH] Prefix dot in domain for proper subdomain validation
---
Lib/cookielib.py | 13 +++++++++++--
Lib/test/test_cookielib.py | 30 ++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/Lib/cookielib.py b/Lib/cookielib.py
index 2dd7c48728e0..0b471a42f296 100644
--- a/Lib/cookielib.py
+++ b/Lib/cookielib.py
@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request):
req_host, erhn = eff_request_host(request)
domain = cookie.domain
+ if domain and not domain.startswith("."):
+ dotdomain = "." + domain
+ else:
+ dotdomain = domain
+
# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
if (cookie.version == 0 and
(self.strict_ns_domain & self.DomainStrictNonDomain) and
@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request):
_debug(" effective request-host name %s does not domain-match "
"RFC 2965 cookie domain %s", erhn, domain)
return False
- if cookie.version == 0 and not ("."+erhn).endswith(domain):
+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
_debug(" request-host %s does not match Netscape cookie domain "
"%s", req_host, domain)
return False
@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request):
req_host = "."+req_host
if not erhn.startswith("."):
erhn = "."+erhn
- if not (req_host.endswith(domain) or erhn.endswith(domain)):
+ if domain and not domain.startswith("."):
+ dotdomain = "." + domain
+ else:
+ dotdomain = domain
+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
#_debug(" request domain %s does not match cookie domain %s",
# req_host, domain)
return False
diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
index f2dd9727d137..7f7ff614d61d 100644
--- a/Lib/test/test_cookielib.py
+++ b/Lib/test/test_cookielib.py
@@ -368,6 +368,7 @@ def test_domain_return_ok(self):
("http://foo.bar.com/", ".foo.bar.com", True),
("http://foo.bar.com/", "foo.bar.com", True),
("http://foo.bar.com/", ".bar.com", True),
+ ("http://foo.bar.com/", "bar.com", True),
("http://foo.bar.com/", "com", True),
("http://foo.com/", "rhubarb.foo.com", False),
("http://foo.com/", ".foo.com", True),
@@ -378,6 +379,8 @@ def test_domain_return_ok(self):
("http://foo/", "foo", True),
("http://foo/", "foo.local", True),
("http://foo/", ".local", True),
+ ("http://barfoo.com", ".foo.com", False),
+ ("http://barfoo.com", "foo.com", False),
]:
request = urllib2.Request(url)
r = pol.domain_return_ok(domain, request)
@@ -938,6 +941,33 @@ def test_domain_block(self):
c.add_cookie_header(req)
self.assertFalse(req.has_header("Cookie"))
+ c.clear()
+
+ pol.set_blocked_domains([])
+ req = Request("http://acme.com/")
+ res = FakeResponse(headers, "http://acme.com/")
+ cookies = c.make_cookies(res, req)
+ c.extract_cookies(res, req)
+ self.assertEqual(len(c), 1)
+
+ req = Request("http://acme.com/")
+ c.add_cookie_header(req)
+ self.assertTrue(req.has_header("Cookie"))
+
+ req = Request("http://badacme.com/")
+ c.add_cookie_header(req)
+ self.assertFalse(pol.return_ok(cookies[0], req))
+ self.assertFalse(req.has_header("Cookie"))
+
+ p = pol.set_blocked_domains(["acme.com"])
+ req = Request("http://acme.com/")
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
+ req = Request("http://badacme.com/")
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
def test_secure(self):
from cookielib import CookieJar, DefaultCookiePolicy

76
CVE-2019-16935-xmlrpc-doc-server_title.patch
View File

@ -1,76 +0,0 @@
From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Sat, 28 Sep 2019 10:17:25 +0900
Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of
DocXMLRPCServer when rendering
--- a/Lib/DocXMLRPCServer.py
+++ b/Lib/DocXMLRPCServer.py
@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM
CGIXMLRPCRequestHandler,
resolve_dotted_attribute)
+
+def _html_escape_quote(s):
+ s = s.replace("&", "&amp;") # Must be done first!
+ s = s.replace("<", "&lt;")
+ s = s.replace(">", "&gt;")
+ s = s.replace('"', "&quot;")
+ s = s.replace('\'', "&#x27;")
+ return s
+
+
class ServerHTMLDoc(pydoc.HTMLDoc):
"""Class used to generate pydoc HTML document for a server"""
@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
methods
)
- return documenter.page(self.server_title, documentation)
+ title = _html_escape_quote(self.server_title)
+ return documenter.page(title, documentation)
class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
"""XML-RPC and documentation request handler class.
--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
@@ -1,5 +1,6 @@
from DocXMLRPCServer import DocXMLRPCServer
import httplib
+import re
import sys
from test import test_support
threading = test_support.import_module('threading')
@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te
self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
response.read())
+ def test_server_title_escape(self):
+ """Test that the server title and documentation
+ are escaped for HTML.
+ """
+ self.serv.set_server_title('test_title<script>')
+ self.serv.set_server_documentation('test_documentation<script>')
+ self.assertEqual('test_title<script>', self.serv.server_title)
+ self.assertEqual('test_documentation<script>',
+ self.serv.server_documentation)
+
+ generated = self.serv.generate_html_documentation()
+ title = re.search(r'<title>(.+?)</title>', generated).group()
+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
+ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
+ title)
+ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
+ documentation)
+
+
def test_main():
test_support.run_unittest(DocXMLRPCHTTPGETServer)
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
@@ -0,0 +1,3 @@
+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
+when rendering the document page as HTML.
+(Contributed by Dong-hee Na in :issue:`38243`.)

133
CVE-2019-9636-netloc-no-decompose-characters.patch
View File

@ -1,133 +0,0 @@
--- a/Doc/library/urlparse.rst
+++ b/Doc/library/urlparse.rst
@@ -119,12 +119,22 @@ The :mod:`urlparse` module defines the f
See section :ref:`urlparse-result-object` for more information on the result
object.
+ Characters in the :attr:`netloc` attribute that decompose under NFKC
+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
+ decomposed before parsing, or is not a Unicode string, no error will be
+ raised.
+
.. versionchanged:: 2.5
Added attributes to return value.
.. versionchanged:: 2.7
Added IPv6 URL parsing capabilities.
+ .. versionchanged:: 2.7.17
+ Characters that affect netloc parsing under NFKC normalization will
+ now raise :exc:`ValueError`.
+
.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]])
@@ -232,11 +242,21 @@ The :mod:`urlparse` module defines the f
See section :ref:`urlparse-result-object` for more information on the result
object.
+ Characters in the :attr:`netloc` attribute that decompose under NFKC
+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
+ decomposed before parsing, or is not a Unicode string, no error will be
+ raised.
+
.. versionadded:: 2.2
.. versionchanged:: 2.5
Added attributes to return value.
+ .. versionchanged:: 2.7.17
+ Characters that affect netloc parsing under NFKC normalization will
+ now raise :exc:`ValueError`.
+
.. function:: urlunsplit(parts)
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1,4 +1,6 @@
from test import test_support
+import sys
+import unicodedata
import unittest
import urlparse
@@ -624,6 +626,29 @@ class UrlParseTestCase(unittest.TestCase
self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
('http','www.python.org:80','','','',''))
+ def test_urlsplit_normalization(self):
+ # Certain characters should never occur in the netloc,
+ # including under normalization.
+ # Ensure that ALL of them are detected and cause an error
+ illegal_chars = u'/:#?@'
+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
+ denorm_chars = [
+ c for c in map(unichr, range(128, sys.maxunicode))
+ if (hex_chars & set(unicodedata.decomposition(c).split()))
+ and c not in illegal_chars
+ ]
+ # Sanity check that we found at least one such character
+ self.assertIn(u'\u2100', denorm_chars)
+ self.assertIn(u'\uFF03', denorm_chars)
+
+ for scheme in [u"http", u"https", u"ftp"]:
+ for c in denorm_chars:
+ url = u"{}://netloc{}false.netloc/path".format(scheme, c)
+ if test_support.verbose:
+ print "Checking %r" % url
+ with self.assertRaises(ValueError):
+ urlparse.urlsplit(url)
+
def test_main():
test_support.run_unittest(UrlParseTestCase)
--- a/Lib/urlparse.py
+++ b/Lib/urlparse.py
@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
delim = min(delim, wdelim) # use earliest delim position
return url[start:delim], url[delim:] # return (domain, rest)
+def _checknetloc(netloc):
+ if not netloc or not isinstance(netloc, unicode):
+ return
+ # looking for characters like \u2100 that expand to 'a/c'
+ # IDNA uses NFKC equivalence, so normalize for this check
+ import unicodedata
+ netloc2 = unicodedata.normalize('NFKC', netloc)
+ if netloc == netloc2:
+ return
+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
+ for c in '/?#@:':
+ if c in netloc2:
+ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+ "characters under NFKC normalization")
+
def urlsplit(url, scheme='', allow_fragments=True):
"""Parse a URL into 5 components:
<scheme>://<netloc>/<path>?<query>#<fragment>
@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragm
url, fragment = url.split('#', 1)
if '?' in url:
url, query = url.split('?', 1)
+ _checknetloc(netloc)
v = SplitResult(scheme, netloc, url, query, fragment)
_parse_cache[key] = v
return v
@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragm
url, fragment = url.split('#', 1)
if '?' in url:
url, query = url.split('?', 1)
+ _checknetloc(netloc)
v = SplitResult(scheme, netloc, url, query, fragment)
_parse_cache[key] = v
return v
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
@@ -0,0 +1,3 @@
+Changes urlsplit() to raise ValueError when the URL contains characters that
+decompose under IDNA encoding (NFKC-normalization) into characters that
+affect how the URL is parsed.
\ No newline at end of file

108
CVE-2019-9947-no-ctrl-char-http.patch
View File

@ -1,108 +0,0 @@
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -247,6 +247,15 @@ _MAXHEADERS = 100
_is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
_is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+# These characters are not allowed within http URL paths.
+# https://tools.ietf.org/html/rfc3986#section-3.3
+# in order to prevent CVE-2019-9740.
+# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+# Arguably only these _should_ allowed:
+# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+# We are more lenient for assumed real world compatibility purposes.
+
# We always set the Content-Length header for these methods because some
# servers will otherwise respond with a 411
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@@ -927,6 +936,9 @@ class HTTPConnection:
self._method = method
if not url:
url = '/'
+ # Prevent CVE-2019-9740.
+ if _contains_disallowed_url_pchar_re.search(url):
+ raise InvalidURL("URL can't contain control characters. {0!r}".format(url))
hdr = '%s %s %s' % (method, url, self._http_vsn_str)
self._output(hdr)
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -2,6 +2,7 @@
import collections
import urllib
+import urllib2
import httplib
import io
import unittest
@@ -13,6 +14,11 @@ import tempfile
from test import test_support
from base64 import b64encode
+try:
+ import ssl
+except ImportError:
+ ssl = None
+
def hexescape(char):
"""Escape char as RFC 2396 specifies"""
@@ -364,6 +370,31 @@ Connection: close
finally:
self.unfakehttp()
+ def test_url_with_newline_header_injection_rejected(self):
+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
+ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
+ schemeless_url = "//" + host + ":8080/test/?test=a"
+ try:
+ # We explicitly test urllib.request.urlopen() instead of the top
+ # level 'def urlopen()' function defined in this... (quite ugly)
+ # test suite. they use different url opening codepaths. plain
+ # urlopen uses FancyURLOpener which goes via a codepath that
+ # calls urllib.parse.quote() on the URL which makes all of the
+ # above attempts at injection within the url _path_ safe.
+ with self.assertRaisesRegexp(httplib.InvalidURL,
+ r"contain control.*\\r"):
+ urllib2.urlopen("http:{0}".format(schemeless_url))
+ if ssl is not None:
+ with self.assertRaisesRegexp(httplib.InvalidURL,
+ r"contain control.*\\n"):
+ urllib2.urlopen("https:{0}".format(schemeless_url))
+ # This code path quotes the URL so there is no injection.
+ resp = urllib.urlopen("http:{0}".format(schemeless_url))
+ self.assertNotIn(' ', resp.geturl())
+ self.assertNotIn('\r', resp.geturl())
+ self.assertNotIn('\n', resp.geturl())
+ finally:
+ self.unfakehttp()
class urlretrieve_FileTests(unittest.TestCase):
"""Test urllib.urlretrieve() on local files"""
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -1,4 +1,5 @@
import base64
+import contextlib
import datetime
import sys
import time
@@ -658,9 +659,14 @@ class SimpleServerTestCase(BaseServerTes
def test_partial_post(self):
# Check that a partial POST doesn't make the server loop: issue #14001.
- conn = httplib.HTTPConnection(ADDR, PORT)
- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
- conn.close()
+ with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn:
+ conn.send(('POST /RPC2 HTTP/1.0\r\n' +
+ 'Content-Length: 100\r\n\r\n' +
+ 'bye HTTP/1.1\r\n' +
+ 'Host: {0}:{1}\r\n'.format(ADDR, PORT) +
+ 'Accept-Encoding: identity\r\n' +
+ 'Content-Length: 0\r\n\r\n').encode('ascii'))
+
class SimpleServerEncodingTestCase(BaseServerTestCase):
@staticmethod

73
CVE-2019-9948-avoid_local-file.patch
View File

@ -1,73 +0,0 @@
From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
From: push0ebp <push0ebp@shl-MacBook-Pro.local>
Date: Thu, 14 Feb 2019 02:05:46 +0900
Subject: [PATCH 1/2] bpo-35907: Avoid file reading as disallowing the
unnecessary URL scheme in urllib
---
Lib/test/test_urllib.py | 12 ++++++++++++
Lib/urllib.py | 5 ++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
index 1ce9201c0693..e5f210e62a18 100644
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -1023,6 +1023,18 @@ def open_spam(self, url):
"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ def test_local_file_open(self):
+ class DummyURLopener(urllib.URLopener):
+ def open_local_file(self, url):
+ return url
+ self.assertEqual(DummyURLopener().open(
+ 'local-file://example'), '//example')
+ self.assertEqual(DummyURLopener().open(
+ 'local_file://example'), '//example')
+ self.assertRaises(IOError, urllib.urlopen,
+ 'local-file://example')
+ self.assertRaises(IOError, urllib.urlopen,
+ 'local_file://example')
# Just commented them out.
# Can't really tell why keep failing in windows and sparc.
diff --git a/Lib/urllib.py b/Lib/urllib.py
index d85504a5cb7e..a24e9a5c68fb 100644
--- a/Lib/urllib.py
+++ b/Lib/urllib.py
@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
name = 'open_' + urltype
self.type = urltype
name = name.replace('-', '_')
- if not hasattr(self, name):
+
+ # bpo-35907: # disallow the file reading with the type not allowed
+ if not hasattr(self, name) or \
+ (self == _urlopener and name == 'open_local_file'):
if proxy:
return self.open_unknown_proxy(proxy, fullurl, data)
else:
From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <blurb-it[bot]@users.noreply.github.com>
Date: Wed, 13 Feb 2019 17:21:11 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
=?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
1 file changed, 1 insertion(+)
create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
new file mode 100644
index 000000000000..8118a5f40583
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
@@ -0,0 +1 @@
+Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
\ No newline at end of file

3
Python-2.7.16.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7
size 12752104

16
Python-2.7.16.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEwB4crV6ixPC441cVBMNnwhit1P8FAlx6zU8ACgkQBMNnwhit
1P+xUg//dE6dUc6NlwUzLD+MsvegKz5vXJXjPvhEsShcdaiedWsdfr22PeAXsook
fqEYALONUetv5LTWIlMpR8sNefxw7GCeIsk4ze7aXKNnh0HsZ6LJYny1Eh0aL9Mu
5tpJfvSC8Gxp2IR/vQOGMibNEuU6gpcUA0XPgKi6RvHI1iXbo71NaSuM7Ypi/6t9
X6ZBGGU0TOP7QDdFHwSs+KzfU0uLpzadWHoksTv6lESTK9BmNlKY2CdUkjbxdD/z
72UZKaLBqCwKC6znpTrZRLzdzdeRGhlnzW1LTNmdsQOj70zRwYvE8/kXVlIF5zJo
7y4SyL54+/B+M5fXsxemY1If8kc5sHFhLouzI1gd5nfiGoebWMDE+gjkBTMr5r9i
/J5DLUYHLd0/B9Yf6sz+O6kTqYwjp0SIhcIDhQRWKre4vNc0Jy6rpogA6ILl2pFo
VRctsjnqLyfhp1wfrBq4h18fjEw48itu9rWKea/DC+4oudHzAuSP9dv8RkLVD+GR
buV1lXSIsPE2sYBrc1KvRud475W3I8zPZ25VVsZ/uRJdj4HehcTwiN7poSZ4T7My
Mz4grC5b3HDveFT4N6TbL1RgbSKL9Xm3mh+LF0u6uFN466ahmdzjAj3+uCJ98TkU
4aZvrLgiPTkWOyBD0Y8WXsdiAblTRucGStm5SbqvnXUgB9N3rNA=
=XmAm
-----END PGP SIGNATURE-----

3
Python-2.7.17.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41
size 12855568

16
Python-2.7.17.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEwB4crV6ixPC441cVBMNnwhit1P8FAl2rXRsACgkQBMNnwhit
1P/dJg//UrZRji4wnui1gfsp/qUtEIQe3Qb48LU7NAPjr5Y0B+ebG9peOw2pR4JX
yUXYewWFN7Cy4wxyQki5pbo9bNwSqJ0Xfix/R+mcoSQHGWb0FVH+gk2tGehtM99M
EUR1cdywA2a3K+Dpqaqysl7NCYMTq2bqMcRh/ADUHfmCpneisdSZTq2vX7lfgBAj
py+OIeXTa3P6EFhMZYKOc+/7p/pltmh28cmLqhL91UEVQi4eT3EbAu17CI7d9pQr
28FtqM7EDhm1cbkE25GuVDE8zP5JO+AjcMmRBSiRDBTur////0NqzeoCqmFcwPpt
DZAfS4AAyQroXJsYElZDr5STL/guhgYe3FJGVSqpZ4Tk2Fyr1olQGnVR2TlPufQu
21e6dJZFyc+7cHIe9+gpizXsoOgMk40qTJB/xQ0ERNGJZ6t39VJ2s8GlaY0+Dnvq
yRt5a/SzHrJK4Y/0lC17LylSP5VuMUKm0gXFGmJGYfHYw7I51IpXpFWBQBzghelj
aKgEsjWxmHcaM7t8tBlQniSQ8eAONCBvhG+pnQn2WEaSdQxpTdeckcfP6K2CV7AN
XuZ42/u+lwRB4QI4sA1HXQ6ab/gjCAQzKJSbRhhx4WIosGxNMf0rI+u0cCOT/eBI
sYCLEx564/NS2ErMAVoT+tvXIDQXl7Z/0K95I4IJel+6aPiW9HI=
=YxNu
-----END PGP SIGNATURE-----

3
python-2.7.16-docs-pdf-a4.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b35b997446031dcda1fc7fb9bc4f24e8e3615d09b038ee802e6b88d3b3d27182
size 11420205

3
python-2.7.16-docs-pdf-letter.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4157eadddf1d5d892820f16752119910f0e9d3264e55616c6ebf0445854a47fe
size 11420016

3
python-2.7.17-docs-pdf-a4.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bec4c29c255bcf87b39606ec76d6ed25ef3880333a88447bb8958cf9269f7a21
size 11440300

3
python-2.7.17-docs-pdf-letter.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:27d3f0f23a13300a5df66c66d7a28d09681b810436ab94895295479a8ae0572d
size 11440077

13
python-base.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Oct 24 14:40:39 CEST 2019 - Matej Cepl <mcepl@suse.com>
- Update to 2.7.17:
- a bug fix release in the Python 2.7.x series. It is expected
to be the penultimate release for Python 2.7.
- Removed patches included upstream:
- CVE-2018-20852-cookie-domain-check.patch
- CVE-2019-16935-xmlrpc-doc-server_title.patch
- CVE-2019-9636-netloc-no-decompose-characters.patch
- CVE-2019-9947-no-ctrl-char-http.patch
- CVE-2019-9948-avoid_local-file.patch
-------------------------------------------------------------------
Tue Oct 8 19:46:52 CEST 2019 - Matej Cepl <mcepl@suse.com>

22
python-base.spec
View File

@ -17,7 +17,7 @@
Name: python-base
Version: 2.7.16
Version: 2.7.17
Release: 0
Summary: Python Interpreter base package
License: Python-2.0
@ -72,23 +72,8 @@ Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
# Initialize sysconfig variables in test_site.
Patch50: bpo36160-init-sysconfig_vars.patch
# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
# https://bugs.python.org/issue36216
Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
# removing unnecessary (and potentially harmful) URL scheme local-file://
Patch52: CVE-2019-9948-avoid_local-file.patch
# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
# bpo#30458: Disallow control chars in http URLs.
Patch53: CVE-2019-9947-no-ctrl-char-http.patch
# PATCH-FIX-UPSTREAM CVE-2018-20852-cookie-domain-check.patch bsc#1141853 mcepl@suse.com
# http.cookiejar.DefaultPolicy.domain_return_ok does not correctly validate the domain
Patch54: CVE-2018-20852-cookie-domain-check.patch
# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
Patch55: bpo36302-sort-module-sources.patch
# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
# XSS vulnerability in the documentation XML-RPC server in server_title field
Patch56: CVE-2019-16935-xmlrpc-doc-server_title.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@ -200,12 +185,7 @@ other applications.
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac

22
python-doc.spec
View File

@ -17,7 +17,7 @@
Name: python-doc
Version: 2.7.16
Version: 2.7.17
Release: 0
Summary: Additional Package Documentation for Python
License: Python-2.0
@ -72,23 +72,8 @@ Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
# Initialize sysconfig variables in test_site.
Patch50: bpo36160-init-sysconfig_vars.patch
# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
# https://bugs.python.org/issue36216
Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
# removing unnecessary (and potentially harmful) URL scheme local-file://
Patch52: CVE-2019-9948-avoid_local-file.patch
# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
# bpo#30458: Disallow control chars in http URLs.
Patch53: CVE-2019-9947-no-ctrl-char-http.patch
# PATCH-FIX-UPSTREAM CVE-2018-20852-cookie-domain-check.patch bsc#1141853 mcepl@suse.com
# http.cookiejar.DefaultPolicy.domain_return_ok does not correctly validate the domain
Patch54: CVE-2018-20852-cookie-domain-check.patch
# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
Patch55: bpo36302-sort-module-sources.patch
# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
# XSS vulnerability in the documentation XML-RPC server in server_title field
Patch56: CVE-2019-16935-xmlrpc-doc-server_title.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps
@ -146,12 +131,7 @@ Python, and Macintosh Module Reference in PDF format.
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac

22
python.spec
View File

@ -17,7 +17,7 @@
Name: python
Version: 2.7.16
Version: 2.7.17
Release: 0
Summary: Python Interpreter
License: Python-2.0
@ -77,23 +77,8 @@ Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
# Initialize sysconfig variables in test_site.
Patch50: bpo36160-init-sysconfig_vars.patch
# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
# https://bugs.python.org/issue36216
Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
# removing unnecessary (and potentially harmful) URL scheme local-file://
Patch52: CVE-2019-9948-avoid_local-file.patch
# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
# bpo#30458: Disallow control chars in http URLs.
Patch53: CVE-2019-9947-no-ctrl-char-http.patch
# PATCH-FIX-UPSTREAM CVE-2018-20852-cookie-domain-check.patch bsc#1141853 mcepl@suse.com
# http.cookiejar.DefaultPolicy.domain_return_ok does not correctly validate the domain
Patch54: CVE-2018-20852-cookie-domain-check.patch
# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
Patch55: bpo36302-sort-module-sources.patch
# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
# XSS vulnerability in the documentation XML-RPC server in server_title field
Patch56: CVE-2019-16935-xmlrpc-doc-server_title.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@ -251,12 +236,7 @@ that rely on earlier non-verification behavior.
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac