- Add patch CVE-2021-28861-double-slash-path.patch:

* BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. (bsc#1202624, CVE-2021-28861) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=330
2022-09-07 04:48:27 +00:00
parent 9a59733bbe
commit de85457a6c
7 changed files with 109 additions and 0 deletions
--- a/python.spec
+++ b/python.spec
@@ -129,6 +129,9 @@ Patch69:        CVE-2022-0391-urllib_parse-newline-parsing.patch
 # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
 # avoid the command injection in the mailcap module.
 Patch70:        CVE-2015-20107-mailcap-unsafe-filenames.patch
+# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624
+# Coerce // to / in Lib/BaseHTTPServer.py
+Patch71:        CVE-2021-28861-double-slash-path.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -319,6 +322,7 @@ that rely on earlier non-verification behavior.
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
+%patch71 -p1

 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar