- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,

bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=344

python-doc.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
+Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
+
+- Disable NIS for new products, it's deprecated and gets removed
+
 -------------------------------------------------------------------
 Thu Jan 19 07:14:09 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python-doc.spec

@@ -141,6 +141,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@@ -224,6 +228,7 @@ Python, and Macintosh Module Reference in PDF format.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 

python.spec

@@ -141,6 +141,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -342,6 +346,7 @@ that rely on earlier non-verification behavior.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar