From ad45ed76696bd72e5e71222f9804808062857d12d5185a4d6b262db1d8fbeb52 Mon Sep 17 00:00:00 2001
From: Jan Matejek
Date: Tue, 30 Sep 2014 15:34:42 +0000
Subject: [PATCH] - update to 2.7.8

* bugfix-only release, dozens of bugs fixed
* fixes CVE-2014-4650 directory traversal in CGIHTTPServer
* fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
- dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=167
---
CVE-2014-4650-CGIHTTPServer-traversal.patch | 35 ---------------------
Python-2.7.7.tar.xz | 3 --
Python-2.7.7.tar.xz.asc | 17 ----------
Python-2.7.8.tar.xz | 3 ++
Python-2.7.8.tar.xz.asc | 17 ++++++++++
python-2.7.7-docs-html.tar.bz2 | 3 --
python-2.7.7-docs-pdf-a4.tar.bz2 | 3 --
python-2.7.7-docs-pdf-letter.tar.bz2 | 3 --
python-2.7.8-docs-html.tar.bz2 | 3 ++
python-2.7.8-docs-pdf-a4.tar.bz2 | 3 ++
python-2.7.8-docs-pdf-letter.tar.bz2 | 3 ++
python-base.changes | 9 ++++++
python-base.spec | 5 +--
python-doc.changes | 5 +++
python-doc.spec | 5 +--
python.changes | 6 ++++
python.spec | 5 +--
17 files changed, 52 insertions(+), 76 deletions(-)
delete mode 100644 CVE-2014-4650-CGIHTTPServer-traversal.patch
delete mode 100644 Python-2.7.7.tar.xz
delete mode 100644 Python-2.7.7.tar.xz.asc
create mode 100644 Python-2.7.8.tar.xz
create mode 100644 Python-2.7.8.tar.xz.asc
delete mode 100644 python-2.7.7-docs-html.tar.bz2
delete mode 100644 python-2.7.7-docs-pdf-a4.tar.bz2
delete mode 100644 python-2.7.7-docs-pdf-letter.tar.bz2
create mode 100644 python-2.7.8-docs-html.tar.bz2
create mode 100644 python-2.7.8-docs-pdf-a4.tar.bz2
create mode 100644 python-2.7.8-docs-pdf-letter.tar.bz2

diff --git a/CVE-2014-4650-CGIHTTPServer-traversal.patch b/CVE-2014-4650-CGIHTTPServer-traversal.patch
deleted file mode 100644
index 688e38e..0000000
--- a/CVE-2014-4650-CGIHTTPServer-traversal.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-
-# HG changeset patch
-# User Benjamin Peterson
-# Date 1402796189 25200
-# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
-# Parent bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
-url unquote the path before checking if it refers to a CGI script (closes #21766)
-
-diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
---- a/Lib/CGIHTTPServer.py
-+++ b/Lib/CGIHTTPServer.py
-@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
- path begins with one of the strings in self.cgi_directories
- (and the next character is a '/' or the end of the string).
- """
-- collapsed_path = _url_collapse_path(self.path)
-+ collapsed_path = _url_collapse_path(urllib.unquote(self.path))
- dir_sep = collapsed_path.find('/', 1)
- head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
- if head in self.cgi_directories:
-diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
---- a/Lib/test/test_httpservers.py
-+++ b/Lib/test/test_httpservers.py
-@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
- (res.read(), res.getheader('Content-type'), res.status))
- self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
-
-+ def test_urlquote_decoding_in_cgi_check(self):
-+ res = self.request('/cgi-bin%2ffile1.py')
-+ self.assertEqual((b'Hello World\n', 'text/html', 200),
-+ (res.read(), res.getheader('Content-type'), res.status))
-+
-
- class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
- """ Test url parsing """
diff --git a/Python-2.7.7.tar.xz b/Python-2.7.7.tar.xz
deleted file mode 100644
index f90ee16..0000000
--- a/Python-2.7.7.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2983e3cd089b30c50e2b2234f07c2ac4fb8a5df230ab8f2e1133a1d8b208da78
-size 10496500
diff --git a/Python-2.7.7.tar.xz.asc b/Python-2.7.7.tar.xz.asc
deleted file mode 100644
index bdd2220..0000000
--- a/Python-2.7.7.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-iQIcBAABAgAGBQJTiinXAAoJEATDZ8IYrdT/rp4P/Rnl1l4O3LgrL+F96ASNqzRJ
-b2lxcgEzbiuSCxYTsHrNb8nElcl2XozkDb3IOGT9s2dpl0NobcrYkQ5ia0/Tk6XP
-mJ4B99mIiFJfAssBBIZglG6I2xiJHaV/XNzZj6NIvGrvyyeuW8GqOOG1KDME4UyQ
-JRqnozC0O1YNzaHmppDjRaKea9ualmmLiAC3N2J6svtB97AkKrUsxFPdqLso776T
-119ZlZ6MEQx5hs8YgJ+J62gBKzkP/m2yiSu0tf36QUxsYISWlbwjyvqS6cuzRNjl
-VXlXyKTq7RcU/10VvLYENnA0U5dXIFKZv4BWCj/4wHmujEz2DenwziXUVb38ot+K
-bAXk9OMUVHzzFwny0pLbQxFXOAXopUx3qtcwXSiOoaK72VxqhKqLH/UP6rL7n3tn
-Un4wpNYA6pd3O4dZVIbZ3IjfueTasGdKdX6DxLjlvD916w0+zeiYZeohCe/HeT93
-+Yp4tibpexHPqgln+6/M17Oj8ungqyuD6Y91mPyfOhr8FoPK1z/NyLQit8f97Mkl
-OJkqOfqoNfOxPPuP1oiN4rb4EttkmFtJ45BOsfsksXDF9IIDKwonOSxDbeTekW8Z
-RGg2FKXFsnOSpH+NcEkPizY5vsYB7DUH7NB992ovZmUUmUuAS6n0wNyiUqwtQN60
-sFbdz+EXOO6KTcQx0y3z
-=tcoa
------END PGP SIGNATURE-----
diff --git a/Python-2.7.8.tar.xz b/Python-2.7.8.tar.xz
new file mode 100644
index 0000000..79714b8
--- /dev/null
+++ b/Python-2.7.8.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:edde10a0cb7d14e2735e682882d5b287028d1485c456758154c19573db68075a
+size 10525244
diff --git a/Python-2.7.8.tar.xz.asc b/Python-2.7.8.tar.xz.asc
new file mode 100644
index 0000000..52c6b46
--- /dev/null
+++ b/Python-2.7.8.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQIcBAABAgAGBQJTsMzVAAoJEATDZ8IYrdT/CxkQAIfecKxGpMHg9ID5QuwHcYJE
+GjF9JnassnCdrpHWDqe8+iYJhEPpmbLsVP34ZKeYkvvEh6eBJSUeAw2tL/ok7mIJ
+yELB4bSYuztLQdh5T5CRSRq409AmDTDauuWDoaXmm9Qg5ydsEEY1YZwWEZwHO2Kb
+Se8IKfMv0/AYQ9HwHAhaeIABBG9G1oCJUc1gkQTYjxz9+JwruJVrRIKwD4vWysVF
+FkTshos6QEV0HajAdcJisQ7BcgRyzgw4AKLiMdFFax/2NwaH6E0lqno4vb3E64Od
+wk6HPJ1qm63bfbxNje4TqCRzO2VJiVxM7KHTr/OUjFJlJLxNIYxMPl0CWMNauWVQ
+LqpTp12raMWb+OasvBPguEpbg8JSGhFw677+VkI/Vq67kojFRVuR55KHZqtd6RDC
+V6mGVgl+Z/Pfz9JzWr8qHCuFrfydE2eOHUh5MH2ylcDk5f69WDKxLZeeRzbrPzHj
+/GCILORil4gWuXFivk3Uk09uiO56ceYcsBYAYuFrT+K45tHsAboPZ8Yt526+lP8Q
+eVBWApElC/GI5ksp6vbGJfXo3z3xORLSrS2UDuHap7/mBS91E7Hc13BNjt+gjNDO
+dXxeJWYDk0iVC+HP2igbQPFVGy39BMDD7rDQ2SnoPWbJlJrEeJQULUoRPpk17kTw
+X9vqhK54dxLgaLR+2MOS
+=LDrl
+-----END PGP SIGNATURE-----
diff --git a/python-2.7.7-docs-html.tar.bz2 b/python-2.7.7-docs-html.tar.bz2
deleted file mode 100644
index 22f3ffa..0000000
--- a/python-2.7.7-docs-html.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0086dea3641d7b311425339357c52dd2ba5694f0d4d2c9ae1782e898707a8bd6
-size 4494590
diff --git a/python-2.7.7-docs-pdf-a4.tar.bz2 b/python-2.7.7-docs-pdf-a4.tar.bz2
deleted file mode 100644
index 2f39d8b..0000000
--- a/python-2.7.7-docs-pdf-a4.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6fc5eef11803c9b84aaab30c09c20ffd492f105089fe918e93ec1d65b6b87a6a
-size 10728634
diff --git a/python-2.7.7-docs-pdf-letter.tar.bz2 b/python-2.7.7-docs-pdf-letter.tar.bz2
deleted file mode 100644
index 73af103..0000000
--- a/python-2.7.7-docs-pdf-letter.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fdc09f1a41744ac664d86241072f9525d2c6edb46919b0c197da0eb3e1ffff7d
-size 10779787
diff --git a/python-2.7.8-docs-html.tar.bz2 b/python-2.7.8-docs-html.tar.bz2
new file mode 100644
index 0000000..b437920
--- /dev/null
+++ b/python-2.7.8-docs-html.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1b969be6dab30a1820320340579f6cc5b23c25acdd3e7de0d212574439978bf
+size 4487849
diff --git a/python-2.7.8-docs-pdf-a4.tar.bz2 b/python-2.7.8-docs-pdf-a4.tar.bz2
new file mode 100644
index 0000000..ba81d23
--- /dev/null
+++ b/python-2.7.8-docs-pdf-a4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a217af2067e4deda02cbc83a169aa2399dcb4e72465c352ed4e98b9c1a94a18
+size 10907347
diff --git a/python-2.7.8-docs-pdf-letter.tar.bz2 b/python-2.7.8-docs-pdf-letter.tar.bz2
new file mode 100644
index 0000000..4b248cc
--- /dev/null
+++ b/python-2.7.8-docs-pdf-letter.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3aebf5c70d2e6561093a33ce8c0481dd025e0ac553971579ee5a3a033b78593f
+size 10961584
diff --git a/python-base.changes b/python-base.changes
index e8074bb..b025853 100644
--- a/python-base.changes
+++ b/python-base.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Sep 30 15:06:15 UTC 2014 - jmatejek@suse.com
+
+- update to 2.7.8
+ * bugfix-only release, dozens of bugs fixed
+ * fixes CVE-2014-4650 directory traversal in CGIHTTPServer
+ * fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
+- dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch
+
 -------------------------------------------------------------------
 Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com
diff --git a/python-base.spec b/python-base.spec
index e7a4ad5..cd44309 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -17,7 +17,7 @@ Name: python-base
-Version: 2.7.7
+Version: 2.7.8
 Release: 0
 Summary: Python Interpreter base package
 License: Python-2.0
@@ -57,8 +57,6 @@ Patch26: xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
-# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
-Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
 # remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
 Patch31: python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
@@ -153,7 +151,6 @@ other applications.
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
 %patch31 -p1
 # drop Autoconf version requirement
diff --git a/python-doc.changes b/python-doc.changes
index 79a03ed..07464c0 100644
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Sep 30 15:32:07 UTC 2014 - jmatejek@suse.com
+
+- update to 2.7.8
+
 -------------------------------------------------------------------
 Fri Jun 20 13:46:40 UTC 2014 - jmatejek@suse.com
diff --git a/python-doc.spec b/python-doc.spec
index 67c4668..e3840aa 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -16,7 +16,7 @@
 #
 Name: python-doc
-Version: 2.7.7
+Version: 2.7.8
 Release: 0
 Summary: Additional Package Documentation for Python
 License: Python-2.0
@@ -60,8 +60,6 @@ Patch26: xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
-# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
-Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
 # remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
 Patch31: python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
@@ -110,7 +108,6 @@ Python, and Macintosh Module Reference in PDF format.
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
 %patch31 -p1
 # drop Autoconf version requirement
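Review bot: Patch30 is dropped from this hunk as already contained in 2.7.8, but the adjacent CVE-2013-1752 backports (Patch28 `smtplib_maxline-2.7.patch`, Patch29 `python-2.7.6-poplib.patch`) stay applied with a comment that still says "missing in 2.7.6", and nothing in the commit shows they were re-checked against the new tarball; if the bugfix-only release absorbed any of them, `%patch28 -p1`/`%patch29 -p1` would fail on the new base or, if the hunks still fit, apply a divergent variant over the upstream fix. I can't tell from the hunk which is the case, so the result should be confirmed and recorded in the comment, e.g. `# CVE-2013-1752 patches still missing in 2.7.8: smtplib, poplib`. The same COMMON-PATCH block is changed identically in python-doc.spec (hunk @@ -60,8) and python.spec (hunk @@ -61,8), so whatever is decided applies to all three. Two smaller documentation mismatches: `Patch31: python-2.7.7-mhlib-linkcount.patch` still carries the old version in its file name although it is now applied to 2.7.8, and the python-base.changes entry spells the dropped file `CVE-2014-4650-CGIHTTPserver-traversal.patch` while the file actually removed is `CVE-2014-4650-CGIHTTPServer-traversal.patch`.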
diff --git a/python.changes b/python.changes
index 2051f51..6b071d3 100644
--- a/python.changes
+++ b/python.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 30 15:27:40 UTC 2014 - jmatejek@suse.com
+
+- update to 2.7.8
+ * bugfix-only release, dozens of bugs fixed
+
 -------------------------------------------------------------------
 Fri Jun 20 13:46:22 UTC 2014 - jmatejek@suse.com
diff --git a/python.spec b/python.spec
index 9e6797b..33d5418 100644
--- a/python.spec
+++ b/python.spec
@@ -16,7 +16,7 @@
 #
 Name: python
-Version: 2.7.7
+Version: 2.7.8
 Release: 0
 Summary: Python Interpreter
 License: Python-2.0
@@ -61,8 +61,6 @@ Patch26: xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
-# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
-Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
 # remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
 Patch31: python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
@@ -187,7 +185,6 @@ implementation of the standard Unix DBM databases.
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
 %patch31 -p1
 # drop Autoconf version requirement