From 5167eaaa6a5a6857f1ddd391a485b01e70dc21409416c98276ebba62604aab1e Mon Sep 17 00:00:00 2001 
From: Matej Cepl <mcepl@suse.com>
Date: Thu, 24 Oct 2019 14:12:02 +0000
Subject: [PATCH] Accepting request 742619 from home:mcepl:branches:devel:languages:python:Factory

- Update to 2.7.17:
- a bug fix release in the Python 2.7.x series. It is expected to be the penultimate release for Python 2.7.
- Removed patches included upstream:
- CVE-2018-20852-cookie-domain-check.patch
- CVE-2019-16935-xmlrpc-doc-server_title.patch
- CVE-2019-9636-netloc-no-decompose-characters.patch
- CVE-2019-9947-no-ctrl-char-http.patch
- CVE-2019-9948-avoid_local-file.patch
OBS-URL: https://build.opensuse.org/request/show/742619
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=255
---
CVE-2018-20852-cookie-domain-check.patch | 103 --------------
CVE-2019-16935-xmlrpc-doc-server_title.patch | 76 ----------
...-9636-netloc-no-decompose-characters.patch | 133 ------------------
CVE-2019-9947-no-ctrl-char-http.patch | 108 --------------
CVE-2019-9948-avoid_local-file.patch | 73 ----------
Python-2.7.16.tar.xz | 3 -
Python-2.7.16.tar.xz.asc | 16 ---
Python-2.7.17.tar.xz | 3 +
Python-2.7.17.tar.xz.asc | 16 +++
python-2.7.16-docs-pdf-a4.tar.bz2 | 3 -
python-2.7.16-docs-pdf-letter.tar.bz2 | 3 -
python-2.7.17-docs-pdf-a4.tar.bz2 | 3 +
python-2.7.17-docs-pdf-letter.tar.bz2 | 3 +
python-base.changes | 13 ++
python-base.spec | 22 +--
python-doc.spec | 22 +--
python.spec | 22 +--
17 files changed, 41 insertions(+), 581 deletions(-)
delete mode 100644 CVE-2018-20852-cookie-domain-check.patch
delete mode 100644 CVE-2019-16935-xmlrpc-doc-server_title.patch
delete mode 100644 CVE-2019-9636-netloc-no-decompose-characters.patch
delete mode 100644 CVE-2019-9947-no-ctrl-char-http.patch
delete mode 100644 CVE-2019-9948-avoid_local-file.patch
delete mode 100644 Python-2.7.16.tar.xz
delete mode 100644 Python-2.7.16.tar.xz.asc
create mode 100644 Python-2.7.17.tar.xz
create mode 100644 Python-2.7.17.tar.xz.asc
delete mode 100644 python-2.7.16-docs-pdf-a4.tar.bz2
delete mode 100644 python-2.7.16-docs-pdf-letter.tar.bz2
create mode 100644 python-2.7.17-docs-pdf-a4.tar.bz2
create mode 100644 python-2.7.17-docs-pdf-letter.tar.bz2
diff --git a/CVE-2018-20852-cookie-domain-check.patch b/CVE-2018-20852-cookie-domain-check.patch
deleted file mode 100644
index 0f9095b..0000000
--- a/CVE-2018-20852-cookie-domain-check.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -From def9e64d6aee945c19d9dab896fa91e915d96843 Mon Sep 17 00:00:00 2001 -From: Karthikeyan Singaravelan <tir.karthi@gmail.com> -Date: Mon, 20 May 2019 00:33:52 +0530 -Subject: [PATCH] Prefix dot in domain for proper subdomain validation - ---- - Lib/cookielib.py | 13 +++++++++++-- - Lib/test/test_cookielib.py | 30 ++++++++++++++++++++++++++++++ - 2 files changed, 41 insertions(+), 2 deletions(-) - -diff --git a/Lib/cookielib.py b/Lib/cookielib.py -index 2dd7c48728e0..0b471a42f296 100644 ---- a/Lib/cookielib.py -+++ b/Lib/cookielib.py -@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request): - req_host, erhn = eff_request_host(request) - domain = cookie.domain - -+ if domain and not domain.startswith("."): -+ dotdomain = "." + domain -+ else: -+ dotdomain = domain -+ - # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't - if (cookie.version == 0 and - (self.strict_ns_domain & self.DomainStrictNonDomain) and -@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request): - _debug(" effective request-host name %s does not domain-match " - "RFC 2965 cookie domain %s", erhn, domain) - return False -- if cookie.version == 0 and not ("."+erhn).endswith(domain): -+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain): - _debug(" request-host %s does not match Netscape cookie domain " - "%s", req_host, domain) - return False -@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request): - req_host = "."+req_host - if not erhn.startswith("."): - erhn = "."+erhn -- if not (req_host.endswith(domain) or erhn.endswith(domain)): -+ if domain and not domain.startswith("."): -+ dotdomain = "." 
+ domain -+ else: -+ dotdomain = domain -+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)): - #_debug(" request domain %s does not match cookie domain %s", - # req_host, domain) - return False -diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py -index f2dd9727d137..7f7ff614d61d 100644 ---- a/Lib/test/test_cookielib.py -+++ b/Lib/test/test_cookielib.py -@@ -368,6 +368,7 @@ def test_domain_return_ok(self): - ("http://foo.bar.com/", ".foo.bar.com", True), - ("http://foo.bar.com/", "foo.bar.com", True), - ("http://foo.bar.com/", ".bar.com", True), -+ ("http://foo.bar.com/", "bar.com", True), - ("http://foo.bar.com/", "com", True), - ("http://foo.com/", "rhubarb.foo.com", False), - ("http://foo.com/", ".foo.com", True), -@@ -378,6 +379,8 @@ def test_domain_return_ok(self): - ("http://foo/", "foo", True), - ("http://foo/", "foo.local", True), - ("http://foo/", ".local", True), -+ ("http://barfoo.com", ".foo.com", False), -+ ("http://barfoo.com", "foo.com", False), - ]: - request = urllib2.Request(url) - r = pol.domain_return_ok(domain, request) -@@ -938,6 +941,33 @@ def test_domain_block(self): - c.add_cookie_header(req) - self.assertFalse(req.has_header("Cookie")) - -+ c.clear() -+ -+ pol.set_blocked_domains([]) -+ req = Request("http://acme.com/") -+ res = FakeResponse(headers, "http://acme.com/") -+ cookies = c.make_cookies(res, req) -+ c.extract_cookies(res, req) -+ self.assertEqual(len(c), 1) -+ -+ req = Request("http://acme.com/") -+ c.add_cookie_header(req) -+ self.assertTrue(req.has_header("Cookie")) -+ -+ req = Request("http://badacme.com/") -+ c.add_cookie_header(req) -+ self.assertFalse(pol.return_ok(cookies[0], req)) -+ self.assertFalse(req.has_header("Cookie")) -+ -+ p = pol.set_blocked_domains(["acme.com"]) -+ req = Request("http://acme.com/") -+ c.add_cookie_header(req) -+ self.assertFalse(req.has_header("Cookie")) -+ -+ req = Request("http://badacme.com/") -+ c.add_cookie_header(req) -+ 
self.assertFalse(req.has_header("Cookie")) -+ - def test_secure(self): - from cookielib import CookieJar, DefaultCookiePolicy - diff --git a/CVE-2019-16935-xmlrpc-doc-server_title.patch b/CVE-2019-16935-xmlrpc-doc-server_title.patch deleted file mode 100644 index 0eaeb53..0000000 --- a/CVE-2019-16935-xmlrpc-doc-server_title.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001 -From: Dong-hee Na <donghee.na92@gmail.com> -Date: Sat, 28 Sep 2019 10:17:25 +0900 -Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of - DocXMLRPCServer when rendering - ---- a/Lib/DocXMLRPCServer.py -+++ b/Lib/DocXMLRPCServer.py -@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM - CGIXMLRPCRequestHandler, - resolve_dotted_attribute) - -+ -+def _html_escape_quote(s): -+ s = s.replace("&", "&") # Must be done first! -+ s = s.replace("<", "<") -+ s = s.replace(">", ">") -+ s = s.replace('"', """) -+ s = s.replace('\'', "'") -+ return s -+ -+ - class ServerHTMLDoc(pydoc.HTMLDoc): - """Class used to generate pydoc HTML document for a server""" - -@@ -210,7 +220,8 @@ class XMLRPCDocGenerator: - methods - ) - -- return documenter.page(self.server_title, documentation) -+ title = _html_escape_quote(self.server_title) -+ return documenter.page(title, documentation) - - class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): - """XML-RPC and documentation request handler class. ---- a/Lib/test/test_docxmlrpc.py -+++ b/Lib/test/test_docxmlrpc.py -@@ -1,5 +1,6 @@ - from DocXMLRPCServer import DocXMLRPCServer - import httplib -+import re - import sys - from test import test_support - threading = test_support.import_module('threading') -@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te - self.assertIn("""Try self.<strong>add</strong>, too.""", - response.read()) - -+ def test_server_title_escape(self): -+ """Test that the server title and documentation -+ are escaped for HTML. 
-+ """ -+ self.serv.set_server_title('test_title<script>') -+ self.serv.set_server_documentation('test_documentation<script>') -+ self.assertEqual('test_title<script>', self.serv.server_title) -+ self.assertEqual('test_documentation<script>', -+ self.serv.server_documentation) -+ -+ generated = self.serv.generate_html_documentation() -+ title = re.search(r'<title>(.+?)</title>', generated).group() -+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() -+ self.assertEqual('<title>Python: test_title<script></title>', -+ title) -+ self.assertEqual('<p><tt>test_documentation<script></tt></p>', -+ documentation) -+ -+ - def test_main(): - test_support.run_unittest(DocXMLRPCHTTPGETServer) - ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst -@@ -0,0 +1,3 @@ -+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer` -+when rendering the document page as HTML. -+(Contributed by Dong-hee Na in :issue:`38243`.) diff --git a/CVE-2019-9636-netloc-no-decompose-characters.patch b/CVE-2019-9636-netloc-no-decompose-characters.patch deleted file mode 100644 index 4cb11a4..0000000 --- a/CVE-2019-9636-netloc-no-decompose-characters.patch +++ /dev/null 
@@ -1,133 +0,0 @@ ---- a/Doc/library/urlparse.rst -+++ b/Doc/library/urlparse.rst -@@ -119,12 +119,22 @@ The :mod:`urlparse` module defines the f - See section :ref:`urlparse-result-object` for more information on the result - object. - -+ Characters in the :attr:`netloc` attribute that decompose under NFKC -+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, -+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is -+ decomposed before parsing, or is not a Unicode string, no error will be -+ raised. -+ - .. versionchanged:: 2.5 - Added attributes to return value. - - .. versionchanged:: 2.7 - Added IPv6 URL parsing capabilities. - -+ .. versionchanged:: 2.7.17 -+ Characters that affect netloc parsing under NFKC normalization will -+ now raise :exc:`ValueError`. -+ - - .. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) - -@@ -232,11 +242,21 @@ The :mod:`urlparse` module defines the f - See section :ref:`urlparse-result-object` for more information on the result - object. - -+ Characters in the :attr:`netloc` attribute that decompose under NFKC -+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, -+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is -+ decomposed before parsing, or is not a Unicode string, no error will be -+ raised. -+ - .. versionadded:: 2.2 - - .. versionchanged:: 2.5 - Added attributes to return value. - -+ .. versionchanged:: 2.7.17 -+ Characters that affect netloc parsing under NFKC normalization will -+ now raise :exc:`ValueError`. -+ - - .. 
function:: urlunsplit(parts) - ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -1,4 +1,6 @@ - from test import test_support -+import sys -+import unicodedata - import unittest - import urlparse - -@@ -624,6 +626,29 @@ class UrlParseTestCase(unittest.TestCase - self.assertEqual(urlparse.urlparse("http://www.python.org:80"), - ('http','www.python.org:80','','','','')) - -+ def test_urlsplit_normalization(self): -+ # Certain characters should never occur in the netloc, -+ # including under normalization. -+ # Ensure that ALL of them are detected and cause an error -+ illegal_chars = u'/:#?@' -+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} -+ denorm_chars = [ -+ c for c in map(unichr, range(128, sys.maxunicode)) -+ if (hex_chars & set(unicodedata.decomposition(c).split())) -+ and c not in illegal_chars -+ ] -+ # Sanity check that we found at least one such character -+ self.assertIn(u'\u2100', denorm_chars) -+ self.assertIn(u'\uFF03', denorm_chars) -+ -+ for scheme in [u"http", u"https", u"ftp"]: -+ for c in denorm_chars: -+ url = u"{}://netloc{}false.netloc/path".format(scheme, c) -+ if test_support.verbose: -+ print "Checking %r" % url -+ with self.assertRaises(ValueError): -+ urlparse.urlsplit(url) -+ - def test_main(): - test_support.run_unittest(UrlParseTestCase) - ---- a/Lib/urlparse.py -+++ b/Lib/urlparse.py -@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0): - delim = min(delim, wdelim) # use earliest delim position - return url[start:delim], url[delim:] # return (domain, rest) - -+def _checknetloc(netloc): -+ if not netloc or not isinstance(netloc, unicode): -+ return -+ # looking for characters like \u2100 that expand to 'a/c' -+ # IDNA uses NFKC equivalence, so normalize for this check -+ import unicodedata -+ netloc2 = unicodedata.normalize('NFKC', netloc) -+ if netloc == netloc2: -+ return -+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay -+ for c in '/?#@:': -+ if c in netloc2: -+ raise 
ValueError("netloc '" + netloc2 + "' contains invalid " + -+ "characters under NFKC normalization") -+ - def urlsplit(url, scheme='', allow_fragments=True): - """Parse a URL into 5 components: - <scheme>://<netloc>/<path>?<query>#<fragment> -@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragm - url, fragment = url.split('#', 1) - if '?' in url: - url, query = url.split('?', 1) -+ _checknetloc(netloc) - v = SplitResult(scheme, netloc, url, query, fragment) - _parse_cache[key] = v - return v -@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragm - url, fragment = url.split('#', 1) - if '?' in url: - url, query = url.split('?', 1) -+ _checknetloc(netloc) - v = SplitResult(scheme, netloc, url, query, fragment) - _parse_cache[key] = v - return v ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst -@@ -0,0 +1,3 @@ -+Changes urlsplit() to raise ValueError when the URL contains characters that -+decompose under IDNA encoding (NFKC-normalization) into characters that -+affect how the URL is parsed. -\ No newline at end of file diff --git a/CVE-2019-9947-no-ctrl-char-http.patch b/CVE-2019-9947-no-ctrl-char-http.patch deleted file mode 100644 index 93347c4..0000000 --- a/CVE-2019-9947-no-ctrl-char-http.patch +++ /dev/null 
@@ -1,108 +0,0 @@ ---- a/Lib/httplib.py -+++ b/Lib/httplib.py -@@ -247,6 +247,15 @@ _MAXHEADERS = 100 - _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match - _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search - -+# These characters are not allowed within http URL paths. -+# https://tools.ietf.org/html/rfc3986#section-3.3 -+# in order to prevent CVE-2019-9740. -+# We don't restrict chars above \x7f as putrequest() limits us to ASCII. -+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') -+# Arguably only these _should_ allowed: -+# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") -+# We are more lenient for assumed real world compatibility purposes. -+ - # We always set the Content-Length header for these methods because some - # servers will otherwise respond with a 411 - _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} -@@ -927,6 +936,9 @@ class HTTPConnection: - self._method = method - if not url: - url = '/' -+ # Prevent CVE-2019-9740. -+ if _contains_disallowed_url_pchar_re.search(url): -+ raise InvalidURL("URL can't contain control characters. 
{0!r}".format(url)) - hdr = '%s %s %s' % (method, url, self._http_vsn_str) - - self._output(hdr) ---- a/Lib/test/test_urllib.py -+++ b/Lib/test/test_urllib.py -@@ -2,6 +2,7 @@ - - import collections - import urllib -+import urllib2 - import httplib - import io - import unittest -@@ -13,6 +14,11 @@ import tempfile - from test import test_support - from base64 import b64encode - -+try: -+ import ssl -+except ImportError: -+ ssl = None -+ - - def hexescape(char): - """Escape char as RFC 2396 specifies""" -@@ -364,6 +370,31 @@ Connection: close - finally: - self.unfakehttp() - -+ def test_url_with_newline_header_injection_rejected(self): -+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") -+ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" -+ schemeless_url = "//" + host + ":8080/test/?test=a" -+ try: -+ # We explicitly test urllib.request.urlopen() instead of the top -+ # level 'def urlopen()' function defined in this... (quite ugly) -+ # test suite. they use different url opening codepaths. plain -+ # urlopen uses FancyURLOpener which goes via a codepath that -+ # calls urllib.parse.quote() on the URL which makes all of the -+ # above attempts at injection within the url _path_ safe. -+ with self.assertRaisesRegexp(httplib.InvalidURL, -+ r"contain control.*\\r"): -+ urllib2.urlopen("http:{0}".format(schemeless_url)) -+ if ssl is not None: -+ with self.assertRaisesRegexp(httplib.InvalidURL, -+ r"contain control.*\\n"): -+ urllib2.urlopen("https:{0}".format(schemeless_url)) -+ # This code path quotes the URL so there is no injection. 
-+ resp = urllib.urlopen("http:{0}".format(schemeless_url)) -+ self.assertNotIn(' ', resp.geturl()) -+ self.assertNotIn('\r', resp.geturl()) -+ self.assertNotIn('\n', resp.geturl()) -+ finally: -+ self.unfakehttp() - - class urlretrieve_FileTests(unittest.TestCase): - """Test urllib.urlretrieve() on local files""" ---- a/Lib/test/test_xmlrpc.py -+++ b/Lib/test/test_xmlrpc.py -@@ -1,4 +1,5 @@ - import base64 -+import contextlib - import datetime - import sys - import time -@@ -658,9 +659,14 @@ class SimpleServerTestCase(BaseServerTes - - def test_partial_post(self): - # Check that a partial POST doesn't make the server loop: issue #14001. -- conn = httplib.HTTPConnection(ADDR, PORT) -- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye') -- conn.close() -+ with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn: -+ conn.send(('POST /RPC2 HTTP/1.0\r\n' + -+ 'Content-Length: 100\r\n\r\n' + -+ 'bye HTTP/1.1\r\n' + -+ 'Host: {0}:{1}\r\n'.format(ADDR, PORT) + -+ 'Accept-Encoding: identity\r\n' + -+ 'Content-Length: 0\r\n\r\n').encode('ascii')) -+ - - class SimpleServerEncodingTestCase(BaseServerTestCase): - @staticmethod diff --git a/CVE-2019-9948-avoid_local-file.patch b/CVE-2019-9948-avoid_local-file.patch deleted file mode 100644 index 0ae57ca..0000000 --- a/CVE-2019-9948-avoid_local-file.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 -From: push0ebp <push0ebp@shl-MacBook-Pro.local> -Date: Thu, 14 Feb 2019 02:05:46 +0900 -Subject: [PATCH 1/2] bpo-35907: Avoid file reading as disallowing the - unnecessary URL scheme in urllib - ---- - Lib/test/test_urllib.py | 12 ++++++++++++ - Lib/urllib.py | 5 ++++- - 2 files changed, 16 insertions(+), 1 deletion(-) - -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py -index 1ce9201c0693..e5f210e62a18 100644 ---- a/Lib/test/test_urllib.py -+++ b/Lib/test/test_urllib.py -@@ -1023,6 +1023,18 @@ def open_spam(self, url): - "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), - "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") - -+ def test_local_file_open(self): -+ class DummyURLopener(urllib.URLopener): -+ def open_local_file(self, url): -+ return url -+ self.assertEqual(DummyURLopener().open( -+ 'local-file://example'), '//example') -+ self.assertEqual(DummyURLopener().open( -+ 'local_file://example'), '//example') -+ self.assertRaises(IOError, urllib.urlopen, -+ 'local-file://example') -+ self.assertRaises(IOError, urllib.urlopen, -+ 'local_file://example') - - # Just commented them out. - # Can't really tell why keep failing in windows and sparc. 
-diff --git a/Lib/urllib.py b/Lib/urllib.py -index d85504a5cb7e..a24e9a5c68fb 100644 ---- a/Lib/urllib.py -+++ b/Lib/urllib.py -@@ -203,7 +203,10 @@ def open(self, fullurl, data=None): - name = 'open_' + urltype - self.type = urltype - name = name.replace('-', '_') -- if not hasattr(self, name): -+ -+ # bpo-35907: # disallow the file reading with the type not allowed -+ if not hasattr(self, name) or \ -+ (self == _urlopener and name == 'open_local_file'): - if proxy: - return self.open_unknown_proxy(proxy, fullurl, data) - else: - -From b86392511acd4cd30dc68711fa22f9f93228715a Mon Sep 17 00:00:00 2001 -From: "blurb-it[bot]" <blurb-it[bot]@users.noreply.github.com> -Date: Wed, 13 Feb 2019 17:21:11 +0000 -Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= - =?UTF-8?q?rb=5Fit.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - .../NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 + - 1 file changed, 1 insertion(+) - create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst - -diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst -new file mode 100644 -index 000000000000..8118a5f40583 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst -@@ -0,0 +1 @@ -+Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen -\ No newline at end of file diff --git a/Python-2.7.16.tar.xz b/Python-2.7.16.tar.xz deleted file mode 100644 index 9fda2b9..0000000 --- a/Python-2.7.16.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7 -size 12752104 diff --git a/Python-2.7.16.tar.xz.asc b/Python-2.7.16.tar.xz.asc deleted file mode 100644 index bfab747..0000000 --- a/Python-2.7.16.tar.xz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEwB4crV6ixPC441cVBMNnwhit1P8FAlx6zU8ACgkQBMNnwhit
-1P+xUg//dE6dUc6NlwUzLD+MsvegKz5vXJXjPvhEsShcdaiedWsdfr22PeAXsook
-fqEYALONUetv5LTWIlMpR8sNefxw7GCeIsk4ze7aXKNnh0HsZ6LJYny1Eh0aL9Mu
-5tpJfvSC8Gxp2IR/vQOGMibNEuU6gpcUA0XPgKi6RvHI1iXbo71NaSuM7Ypi/6t9
-X6ZBGGU0TOP7QDdFHwSs+KzfU0uLpzadWHoksTv6lESTK9BmNlKY2CdUkjbxdD/z
-72UZKaLBqCwKC6znpTrZRLzdzdeRGhlnzW1LTNmdsQOj70zRwYvE8/kXVlIF5zJo
-7y4SyL54+/B+M5fXsxemY1If8kc5sHFhLouzI1gd5nfiGoebWMDE+gjkBTMr5r9i
-/J5DLUYHLd0/B9Yf6sz+O6kTqYwjp0SIhcIDhQRWKre4vNc0Jy6rpogA6ILl2pFo
-VRctsjnqLyfhp1wfrBq4h18fjEw48itu9rWKea/DC+4oudHzAuSP9dv8RkLVD+GR
-buV1lXSIsPE2sYBrc1KvRud475W3I8zPZ25VVsZ/uRJdj4HehcTwiN7poSZ4T7My
-Mz4grC5b3HDveFT4N6TbL1RgbSKL9Xm3mh+LF0u6uFN466ahmdzjAj3+uCJ98TkU
-4aZvrLgiPTkWOyBD0Y8WXsdiAblTRucGStm5SbqvnXUgB9N3rNA=
-=XmAm
------END PGP SIGNATURE-----
diff --git a/Python-2.7.17.tar.xz b/Python-2.7.17.tar.xz
new file mode 100644
index 0000000..94abb7e
--- /dev/null
+++ b/Python-2.7.17.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d43f033cdbd0aa7b7023c81b0e986fd11e653b5248dac9144d508f11812ba41
+size 12855568
diff --git a/Python-2.7.17.tar.xz.asc b/Python-2.7.17.tar.xz.asc
new file mode 100644
index 0000000..e92d432
--- /dev/null
+++ b/Python-2.7.17.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEwB4crV6ixPC441cVBMNnwhit1P8FAl2rXRsACgkQBMNnwhit
+1P/dJg//UrZRji4wnui1gfsp/qUtEIQe3Qb48LU7NAPjr5Y0B+ebG9peOw2pR4JX
+yUXYewWFN7Cy4wxyQki5pbo9bNwSqJ0Xfix/R+mcoSQHGWb0FVH+gk2tGehtM99M
+EUR1cdywA2a3K+Dpqaqysl7NCYMTq2bqMcRh/ADUHfmCpneisdSZTq2vX7lfgBAj
+py+OIeXTa3P6EFhMZYKOc+/7p/pltmh28cmLqhL91UEVQi4eT3EbAu17CI7d9pQr
+28FtqM7EDhm1cbkE25GuVDE8zP5JO+AjcMmRBSiRDBTur////0NqzeoCqmFcwPpt
+DZAfS4AAyQroXJsYElZDr5STL/guhgYe3FJGVSqpZ4Tk2Fyr1olQGnVR2TlPufQu
+21e6dJZFyc+7cHIe9+gpizXsoOgMk40qTJB/xQ0ERNGJZ6t39VJ2s8GlaY0+Dnvq
+yRt5a/SzHrJK4Y/0lC17LylSP5VuMUKm0gXFGmJGYfHYw7I51IpXpFWBQBzghelj
+aKgEsjWxmHcaM7t8tBlQniSQ8eAONCBvhG+pnQn2WEaSdQxpTdeckcfP6K2CV7AN
+XuZ42/u+lwRB4QI4sA1HXQ6ab/gjCAQzKJSbRhhx4WIosGxNMf0rI+u0cCOT/eBI
+sYCLEx564/NS2ErMAVoT+tvXIDQXl7Z/0K95I4IJel+6aPiW9HI=
+=YxNu
+-----END PGP SIGNATURE-----
diff --git a/python-2.7.16-docs-pdf-a4.tar.bz2 b/python-2.7.16-docs-pdf-a4.tar.bz2
deleted file mode 100644
index be076ad..0000000
--- a/python-2.7.16-docs-pdf-a4.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b35b997446031dcda1fc7fb9bc4f24e8e3615d09b038ee802e6b88d3b3d27182
-size 11420205
diff --git a/python-2.7.16-docs-pdf-letter.tar.bz2 b/python-2.7.16-docs-pdf-letter.tar.bz2
deleted file mode 100644
index f1efb0f..0000000
--- a/python-2.7.16-docs-pdf-letter.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4157eadddf1d5d892820f16752119910f0e9d3264e55616c6ebf0445854a47fe
-size 11420016
diff --git a/python-2.7.17-docs-pdf-a4.tar.bz2 b/python-2.7.17-docs-pdf-a4.tar.bz2
new file mode 100644
index 0000000..dfee271
--- /dev/null
+++ b/python-2.7.17-docs-pdf-a4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bec4c29c255bcf87b39606ec76d6ed25ef3880333a88447bb8958cf9269f7a21
+size 11440300
diff --git a/python-2.7.17-docs-pdf-letter.tar.bz2 b/python-2.7.17-docs-pdf-letter.tar.bz2
new file mode 100644
index 0000000..ae384b5
--- /dev/null
+++ b/python-2.7.17-docs-pdf-letter.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:27d3f0f23a13300a5df66c66d7a28d09681b810436ab94895295479a8ae0572d
+size 11440077
diff --git a/python-base.changes b/python-base.changes
index f361373..6bda782 100644
--- a/python-base.changes
+++ b/python-base.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Oct 24 14:40:39 CEST 2019 - Matej Cepl <mcepl@suse.com>
+
+- Update to 2.7.17:
+ - a bug fix release in the Python 2.7.x series. It is expected
+ to be the penultimate release for Python 2.7.
+- Removed patches included upstream:
+ - CVE-2018-20852-cookie-domain-check.patch
+ - CVE-2019-16935-xmlrpc-doc-server_title.patch
+ - CVE-2019-9636-netloc-no-decompose-characters.patch
+ - CVE-2019-9947-no-ctrl-char-http.patch
+ - CVE-2019-9948-avoid_local-file.patch
+
 -------------------------------------------------------------------
 Tue Oct 8 19:46:52 CEST 2019 - Matej Cepl <mcepl@suse.com>
 
diff --git a/python-base.spec b/python-base.spec
index 96f5311..2fd6d8a 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -17,7 +17,7 @@ Name: python-base
-Version: 2.7.16
+Version: 2.7.17
 Release: 0
 Summary: Python Interpreter base package
 License: Python-2.0
@@ -72,23 +72,8 @@ Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
 # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
 # Initialize sysconfig variables in test_site.
 Patch50: bpo36160-init-sysconfig_vars.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
-# https://bugs.python.org/issue36216
-Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
-# removing unnecessary (and potentially harmful) URL scheme local-file://
-Patch52: CVE-2019-9948-avoid_local-file.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
-# bpo#30458: Disallow control chars in http URLs.
-Patch53: CVE-2019-9947-no-ctrl-char-http.patch
-# PATCH-FIX-UPSTREAM CVE-2018-20852-cookie-domain-check.patch bsc#1141853 mcepl@suse.com
-# http.cookiejar.DefaultPolicy.domain_return_ok does not correctly validate the domain
-Patch54: CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55: bpo36302-sort-module-sources.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
-# XSS vulnerability in the documentation XML-RPC server in server_title field
-Patch56: CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -200,12 +185,7 @@ other applications.
 %patch48 -p1
 %patch49 -p1
 %patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
 %patch55 -p1
-%patch56 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python-doc.spec b/python-doc.spec
index e438c1b..6fa4036 100644
--- a/python-doc.spec
+++ b/python-doc.spec
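Review bot: The removed Patch51–Patch54 and Patch56 lines were the only place this package recorded the tracker ids for those fixes (bsc#1129346, bsc#1130847, bsc#1130840, bsc#1141853, bsc#1153238), and the python-base.changes entry added in this commit lists the patch file names without them, so after this commit nothing in the package history ties the dropped CVE patches to their bug entries. Consider carrying the id on each line of the changelog entry, e.g. `  - CVE-2019-9636-netloc-no-decompose-characters.patch (bsc#1129346)`, so the removal is traceable from the changes file the same way the original addition was. The same removal is made in the python-doc.spec and python.spec hunks; one changelog line per patch covers all three. Since the stated reason is inclusion upstream, naming the upstream issues the dropped patches reference (bpo-36216, bpo-35907, bpo-30458, bpo-38243) in that entry would also let a reader confirm the claim against the 2.7.17 release notes without digging through history.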
@@ -17,7 +17,7 @@ Name: python-doc
-Version: 2.7.16
+Version: 2.7.17
 Release: 0
 Summary: Additional Package Documentation for Python
 License: Python-2.0
@@ -72,23 +72,8 @@ Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
 # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
 # Initialize sysconfig variables in test_site.
 Patch50: bpo36160-init-sysconfig_vars.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
-# https://bugs.python.org/issue36216
-Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
-# removing unnecessary (and potentially harmful) URL scheme local-file://
-Patch52: CVE-2019-9948-avoid_local-file.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
-# bpo#30458: Disallow control chars in http URLs.
-Patch53: CVE-2019-9947-no-ctrl-char-http.patch
-# PATCH-FIX-UPSTREAM CVE-2018-20852-cookie-domain-check.patch bsc#1141853 mcepl@suse.com
-# http.cookiejar.DefaultPolicy.domain_return_ok does not correctly validate the domain
-Patch54: CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55: bpo36302-sort-module-sources.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
-# XSS vulnerability in the documentation XML-RPC server in server_title field
-Patch56: CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 Provides: pyth_doc
 Provides: pyth_ps
@@ -146,12 +131,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch48 -p1
 %patch49 -p1
 %patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
 %patch55 -p1
-%patch56 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python.spec b/python.spec
index a166c98..f4d3ac7 100644
--- a/python.spec
+++ b/python.spec
@@ -17,7 +17,7 @@ Name: python
-Version: 2.7.16
+Version: 2.7.17
 Release: 0
 Summary: Python Interpreter
 License: Python-2.0
@@ -77,23 +77,8 @@ Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
 # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
 # Initialize sysconfig variables in test_site.
 Patch50: bpo36160-init-sysconfig_vars.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9636-netloc-no-decompose-characters.patch bsc#1129346 mcepl@suse.com
-# https://bugs.python.org/issue36216
-Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
-# removing unnecessary (and potentially harmful) URL scheme local-file://
-Patch52: CVE-2019-9948-avoid_local-file.patch
-# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
-# bpo#30458: Disallow control chars in http URLs.
-Patch53: CVE-2019-9947-no-ctrl-char-http.patch
-# PATCH-FIX-UPSTREAM CVE-2018-20852-cookie-domain-check.patch bsc#1141853 mcepl@suse.com
-# http.cookiejar.DefaultPolicy.domain_return_ok does not correctly validate the domain
-Patch54: CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55: bpo36302-sort-module-sources.patch
-# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
-# XSS vulnerability in the documentation XML-RPC server in server_title field
-Patch56: CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -251,12 +236,7 @@ that rely on earlier non-verification behavior.
 %patch48 -p1
 %patch49 -p1
 %patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
 %patch55 -p1
-%patch56 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac