- Restore python-2.7.9-sles-disable-verification-by-default.patch

for SLE-12.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=337

CVE-2019-5010-null-defer-x509-cert-DOS.patch

@@ -14,17 +14,15 @@ https://bugs.python.org/issue35746
 
 Co-authored-by: Christian Heimes <christian@python.org>
 ---
- Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++
- Lib/test/test_ssl.py                          | 22 +++++++++++++++++++
- .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++
- Modules/_ssl.c                                |  4 ++++
- 4 files changed, 51 insertions(+)
+ Lib/test/test_ssl.py                                               |   21 ++++++++++
+ Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst |    3 +
+ 2 files changed, 24 insertions(+)
  create mode 100644 Lib/test/talos-2019-0758.pem
  create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
 
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
-@@ -256,6 +256,27 @@ class BasicSocketTests(unittest.TestCase
+@@ -287,6 +287,27 @@ class BasicSocketTests(unittest.TestCase
              }
          )
  

do-not-use-non-ascii-in-test_ssl.patch

@@ -1,6 +1,10 @@
+---
+ Lib/test/test_ssl.py |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
-@@ -1021,7 +1021,7 @@ class ContextTests(unittest.TestCase):
+@@ -1052,7 +1052,7 @@ class ContextTests(unittest.TestCase):
  
  
      def test_load_dh_params(self):

openssl-111-middlebox-compat.patch

@@ -8,12 +8,12 @@ Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
 
 https://bugs.python.org/issue34834
 ---
- Lib/test/test_ssl.py | 5 +++++
- 1 file changed, 5 insertions(+)
+ Lib/test/test_ssl.py |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
 
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
-@@ -807,8 +807,12 @@ class ContextTests(unittest.TestCase):
+@@ -838,8 +838,12 @@ class ContextTests(unittest.TestCase):
          default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
          # SSLContext also enables these by default
          default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |

openssl-111-ssl_options.patch

@@ -1,6 +1,10 @@
+---
+ Lib/test/test_ssl.py |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
-@@ -807,12 +807,8 @@ class ContextTests(unittest.TestCase):
+@@ -838,12 +838,8 @@ class ContextTests(unittest.TestCase):
          default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
          # SSLContext also enables these by default
          default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |

python-2.7.4-canonicalize2.patch

@@ -1,3 +1,9 @@
+---
+ Python/sysmodule.c |   26 +++++++++++++++++++-------
+ configure.ac       |    2 +-
+ pyconfig.h.in      |    3 +++
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
 --- a/Python/sysmodule.c
 +++ b/Python/sysmodule.c
 @@ -1638,7 +1638,20 @@ PySys_SetArgvEx(int argc, char **argv, i
@@ -28,7 +34,7 @@
          }
 -#endif /* HAVE_READLINK */
 +#endif /* resolve method selection */
-+        
++
  #if SEP == '\\' /* Special case for MS filename syntax */
          if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) {
              char *q;
@@ -54,6 +60,17 @@
          if (PyList_Insert(path, 0, a) < 0)
              Py_FatalError("sys.path.insert(0) failed");
          Py_DECREF(a);
+--- a/configure.ac
++++ b/configure.ac
+@@ -3165,7 +3165,7 @@ AC_CHECK_FUNCS(alarm setitimer getitimer
+  getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \
+  initgroups kill killpg lchown lstat mkfifo mknod mktime mmap \
+  mremap nice pathconf pause plock poll pthread_init \
+- putenv readlink realpath \
++ putenv readlink realpath canonicalize_file_name \
+  select sem_open sem_timedwait sem_getvalue sem_unlink setegid seteuid \
+  setgid \
+  setlocale setregid setreuid setsid setpgid setpgrp setuid setvbuf snprintf \
 --- a/pyconfig.h.in
 +++ b/pyconfig.h.in
 @@ -109,6 +109,9 @@
@@ -66,14 +83,3 @@
  /* Define to 1 if you have the `chown' function. */
  #undef HAVE_CHOWN
  
---- a/configure.ac
-+++ b/configure.ac
-@@ -3159,7 +3159,7 @@ AC_CHECK_FUNCS(alarm setitimer getitimer
-  getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \
-  initgroups kill killpg lchown lstat mkfifo mknod mktime mmap \
-  mremap nice pathconf pause plock poll pthread_init \
-- putenv readlink realpath \
-+ putenv readlink realpath canonicalize_file_name \
-  select sem_open sem_timedwait sem_getvalue sem_unlink setegid seteuid \
-  setgid \
-  setlocale setregid setreuid setsid setpgid setpgrp setuid setvbuf snprintf \

python-2.7.5-multilib.patch

@@ -1,47 +1,21 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -773,6 +773,41 @@ SunOS*)
-     ;;
- esac
- 
-+AC_SUBST(ARCH)
-+AC_MSG_CHECKING(ARCH)
-+ARCH=`uname -m`
-+case $ARCH in
-+i?86) ARCH=i386;;
-+esac
-+AC_MSG_RESULT($ARCH)
-+
-+AC_SUBST(LIB)
-+AC_MSG_CHECKING(LIB)
-+case $ac_sys_system in
-+Linux*)
-+  # Test if the compiler is 64bit
-+  echo 'int i;' > conftest.$ac_ext
-+  python_cv_cc_64bit_output=no
-+  if AC_TRY_EVAL(ac_compile); then
-+    case `/usr/bin/file conftest.$ac_objext` in
-+    *"ELF 64"*)
-+      python_cv_cc_64bit_output=yes
-+      ;;
-+    esac
-+  fi
-+  rm -rf conftest*
-+  ;;
-+esac
-+
-+case $ARCH:$python_cv_cc_64bit_output in
-+aarch64:yes | ppc64:yes | ppc64le:yes | powerpc64:yes | s390x:yes | sparc64:yes | x86_64:yes)
-+  LIB="lib64"
-+  ;;
-+*:*)
-+  LIB="lib"
-+  ;;
-+esac
-+AC_MSG_RESULT($LIB)
- 
- AC_SUBST(LIBRARY)
- AC_MSG_CHECKING(LIBRARY)
+---
+ Include/pythonrun.h              |    2 +
+ Lib/distutils/command/install.py |    4 ++-
+ Lib/distutils/sysconfig.py       |    7 ++++--
+ Lib/pydoc.py                     |    2 -
+ Lib/site.py                      |   40 +++++++++++++++++++++++++++------------
+ Lib/sysconfig.py                 |   12 +++++------
+ Lib/test/test_dl.py              |    5 ++--
+ Lib/test/test_site.py            |   16 +++++++++++----
+ Lib/trace.py                     |    4 +--
+ Makefile.pre.in                  |    5 +++-
+ Modules/getpath.c                |    4 ++-
+ Python/getplatform.c             |   20 +++++++++++++++++++
+ Python/sysmodule.c               |    4 +++
+ configure.ac                     |   35 ++++++++++++++++++++++++++++++++++
+ setup.py                         |   15 ++++++--------
+ 15 files changed, 135 insertions(+), 40 deletions(-)
+
 --- a/Include/pythonrun.h
 +++ b/Include/pythonrun.h
 @@ -108,6 +108,8 @@ PyAPI_FUNC(char *) Py_GetPath(void);
@@ -75,7 +49,7 @@
          'data'   : '$base',
 --- a/Lib/distutils/sysconfig.py
 +++ b/Lib/distutils/sysconfig.py
-@@ -119,8 +119,11 @@ def get_python_lib(plat_specific=0, stan
+@@ -129,8 +129,11 @@ def get_python_lib(plat_specific=0, stan
          prefix = plat_specific and EXEC_PREFIX or PREFIX
  
      if os.name == "posix":
@@ -368,9 +342,53 @@
      SET_SYS_FROM_STRING("executable",
                          PyString_FromString(Py_GetProgramFullPath()));
      SET_SYS_FROM_STRING("prefix",
+--- a/configure.ac
++++ b/configure.ac
+@@ -773,6 +773,41 @@ SunOS*)
+     ;;
+ esac
+ 
++AC_SUBST(ARCH)
++AC_MSG_CHECKING(ARCH)
++ARCH=`uname -m`
++case $ARCH in
++i?86) ARCH=i386;;
++esac
++AC_MSG_RESULT($ARCH)
++
++AC_SUBST(LIB)
++AC_MSG_CHECKING(LIB)
++case $ac_sys_system in
++Linux*)
++  # Test if the compiler is 64bit
++  echo 'int i;' > conftest.$ac_ext
++  python_cv_cc_64bit_output=no
++  if AC_TRY_EVAL(ac_compile); then
++    case `/usr/bin/file conftest.$ac_objext` in
++    *"ELF 64"*)
++      python_cv_cc_64bit_output=yes
++      ;;
++    esac
++  fi
++  rm -rf conftest*
++  ;;
++esac
++
++case $ARCH:$python_cv_cc_64bit_output in
++aarch64:yes | ppc64:yes | ppc64le:yes | powerpc64:yes | s390x:yes | sparc64:yes | x86_64:yes)
++  LIB="lib64"
++  ;;
++*:*)
++  LIB="lib"
++  ;;
++esac
++AC_MSG_RESULT($LIB)
+ 
+ AC_SUBST(LIBRARY)
+ AC_MSG_CHECKING(LIBRARY)
 --- a/setup.py
 +++ b/setup.py
-@@ -456,7 +456,7 @@ class PyBuildExt(build_ext):
+@@ -502,7 +502,7 @@ class PyBuildExt(build_ext):
      def detect_modules(self):
          # Ensure that /usr/local is always used
          if not cross_compiling:
@@ -379,7 +397,7 @@
              add_dir_to_list(self.compiler.include_dirs, '/usr/local/include')
          if cross_compiling:
              self.add_gcc_paths()
-@@ -782,11 +782,11 @@ class PyBuildExt(build_ext):
+@@ -828,11 +828,11 @@ class PyBuildExt(build_ext):
              elif curses_library:
                  readline_libs.append(curses_library)
              elif self.compiler.find_library_file(lib_dirs +
@@ -393,7 +411,7 @@
                                     extra_link_args=readline_extra_link_args,
                                     libraries=readline_libs) )
          else:
-@@ -1933,18 +1933,17 @@ class PyBuildExt(build_ext):
+@@ -1979,18 +1979,17 @@ class PyBuildExt(build_ext):
          # Check for various platform-specific directories
          if host_platform == 'sunos5':
              include_dirs.append('/usr/openwin/include')

python-2.7.9-sles-disable-verification-by-default.patch

@@ -0,0 +1,25 @@
+---
+ Lib/ssl.py |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -497,7 +497,17 @@ def _get_https_context_factory():
+             return _create_unverified_context
+     return create_default_context
+ 
+-_create_default_https_context = _get_https_context_factory()
++try:
++    # load the TLS checks policy from separate package
++    import sle_tls_checks_policy as policy
++    if policy.get_policy:
++        _create_default_https_context = policy.get_policy()
++    else:
++        # empty policy file means simply enable strict verification
++        _create_default_https_context = _get_https_context_factory()
++except ImportError:
++    # policy not present, disable verification for backwards compatibility
++    _create_default_https_context = _create_unverified_context
+ 
+ # PEP 493: "private" API to configure HTTPS defaults without monkeypatching
+ def _https_verify_certificates(enable=True):

python-base.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 22 20:55:13 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Restore python-2.7.9-sles-disable-verification-by-default.patch
+  for SLE-12.
+
 -------------------------------------------------------------------
 Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
 

python-base.spec

@@ -58,6 +58,8 @@ Patch22:        python-2.7-libffi-aarch64.patch
 Patch24:        python-bsddb6.patch
 # PATCH-FIX-UPSTREAM accept directory-based CA paths as well
 Patch33:        python-2.7.9-ssl_ca_path.patch
+# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
+Patch34:        python-2.7.9-sles-disable-verification-by-default.patch
 # PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py
 Patch35:        do-not-use-non-ascii-in-test_ssl.patch
 # PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly
@@ -243,6 +245,9 @@ other applications.
 %patch22 -p1
 %patch24 -p1
 %patch33 -p1
+%if %{suse_version} < 1500 && !0%{?is_opensuse}
+%patch34 -p1
+%endif
 %patch35 -p1
 %patch38 -p1
 %ifarch ppc ppc64 ppc64le

python-bsddb6.patch

@@ -13,8 +13,8 @@ This patch was partially autogenerated:
  Lib/bsddb/test/test_replication.py |   25 +-------
  Modules/_bsddb.c                   |  108 +++++++++++++++++++++++++++++++++----
  Modules/bsddb.h                    |    2 
- setup.py                           |    6 +-
- 6 files changed, 120 insertions(+), 41 deletions(-)
+ setup.py                           |    4 +
+ 6 files changed, 118 insertions(+), 41 deletions(-)
 
 --- a/Lib/bsddb/test/test_all.py
 +++ b/Lib/bsddb/test/test_all.py
@@ -368,7 +368,7 @@ This patch was partially autogenerated:
  
 --- a/setup.py
 +++ b/setup.py
-@@ -905,7 +905,7 @@ class PyBuildExt(build_ext):
+@@ -951,7 +951,7 @@ class PyBuildExt(build_ext):
          # a release.  Most open source OSes come with one or more
          # versions of BerkeleyDB already installed.
  
@@ -377,7 +377,7 @@ This patch was partially autogenerated:
          min_db_ver = (4, 3)
          db_setup_debug = False   # verbose debug prints from this script?
  
-@@ -945,6 +945,7 @@ class PyBuildExt(build_ext):
+@@ -991,6 +991,7 @@ class PyBuildExt(build_ext):
          # construct a list of paths to look for the header file in on
          # top of the normal inc_dirs.
          db_inc_paths = [
@@ -385,7 +385,7 @@ This patch was partially autogenerated:
              '/usr/include/db4',
              '/usr/local/include/db4',
              '/opt/sfw/include/db4',
-@@ -984,6 +985,7 @@ class PyBuildExt(build_ext):
+@@ -1030,6 +1031,7 @@ class PyBuildExt(build_ext):
          for dn in inc_dirs:
              std_variants.append(os.path.join(dn, 'db3'))
              std_variants.append(os.path.join(dn, 'db4'))

python-doc.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 22 20:55:13 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Restore python-2.7.9-sles-disable-verification-by-default.patch
+  for SLE-12.
+
 -------------------------------------------------------------------
 Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
 

python-doc.spec

@@ -57,6 +57,8 @@ Patch22:        python-2.7-libffi-aarch64.patch
 Patch24:        python-bsddb6.patch
 # PATCH-FIX-UPSTREAM accept directory-based CA paths as well
 Patch33:        python-2.7.9-ssl_ca_path.patch
+# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
+Patch34:        python-2.7.9-sles-disable-verification-by-default.patch
 # PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py
 Patch35:        do-not-use-non-ascii-in-test_ssl.patch
 # PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly
@@ -180,6 +182,9 @@ Python, and Macintosh Module Reference in PDF format.
 %patch22 -p1
 %patch24 -p1
 %patch33 -p1
+%if %{suse_version} < 1500 && !0%{?is_opensuse}
+%patch34 -p1
+%endif
 %patch35 -p1
 %patch38 -p1
 %ifarch ppc ppc64 ppc64le

python.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 22 20:55:13 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Restore python-2.7.9-sles-disable-verification-by-default.patch
+  for SLE-12.
+
 -------------------------------------------------------------------
 Wed Nov  9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
 

python.spec

@@ -57,6 +57,8 @@ Patch22:        python-2.7-libffi-aarch64.patch
 Patch24:        python-bsddb6.patch
 # PATCH-FIX-UPSTREAM accept directory-based CA paths as well
 Patch33:        python-2.7.9-ssl_ca_path.patch
+# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
+Patch34:        python-2.7.9-sles-disable-verification-by-default.patch
 # PATCH-FIX-UPSTREAM do not use non-ASCII filename in test_ssl.py
 Patch35:        do-not-use-non-ascii-in-test_ssl.patch
 # PATCH-FIX-UPSTREAM bmwiedemann@suse.de -- allow python packages to build reproducibly
@@ -296,6 +298,9 @@ that rely on earlier non-verification behavior.
 %patch22 -p1
 %patch24 -p1
 %patch33 -p1
+%if %{suse_version} < 1500 && !0%{?is_opensuse}
+%patch34 -p1
+%endif
 %patch35 -p1
 %patch38 -p1
 %ifarch ppc ppc64 ppc64le

remove-static-libpython.patch

@@ -1,3 +1,7 @@
+---
+ Makefile.pre.in |   26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
 --- a/Makefile.pre.in
 +++ b/Makefile.pre.in
 @@ -488,7 +488,7 @@ coverage-report: regen-grammar
@@ -28,7 +32,7 @@
  libpython$(VERSION).so: $(LIBRARY_OBJS)
  	if test $(INSTSONAME) != $(LDLIBRARY); then \
  		$(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \
-@@ -1220,18 +1208,6 @@ libainstall:	@DEF_MAKE_RULE@ python-conf
+@@ -1226,18 +1214,6 @@ libainstall:	@DEF_MAKE_RULE@ python-conf
  		else	true; \
  		fi; \
  	done