Reapply the patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=276
This commit is contained in:
Git OBS Bridge
parent
c010d2e825
commit
f814036fff
@ -10,16 +10,21 @@ catastrophic backtracking.
|
||||
|
||||
Vulnerability reported by Matt Schwager.
|
||||
---
|
||||
Lib/urllib/request.py | 2 +-
|
||||
.../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++
|
||||
Lib/urllib2.py | 2 +-
|
||||
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
|
||||
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
|
||||
index a6d350a97a452..72de8b2206885 100644
|
||||
--- a/Lib/urllib/request.py
|
||||
+++ b/Lib/urllib/request.py
|
||||
@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler:
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
@@ -0,0 +1,4 @@
|
||||
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
|
||||
+:mod:`urllib.request` module uses an inefficient regular expression which can
|
||||
+be exploited by an attacker to cause a denial of service. Fix the regex to
|
||||
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
|
||||
--- a/Lib/urllib2.py
|
||||
+++ b/Lib/urllib2.py
|
||||
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
|
||||
|
||||
# allow for double- and single-quoted realm values
|
||||
# (single quotes are a violation of the RFC, but appear in the wild)
|
||||
@ -28,33 +33,3 @@ index a6d350a97a452..72de8b2206885 100644
|
||||
'realm=(["\']?)([^"\']*)\\2', re.I)
|
||||
|
||||
# XXX could pre-emptively send auth info already accepted (RFC 2617,
|
||||
diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
new file mode 100644
|
||||
index 0000000000000..2c2622f4e8d54
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
@@ -0,0 +1,4 @@
|
||||
+The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
|
||||
+:mod:`urllib.request` module uses an inefficient regular expression which can
|
||||
+be exploited by an attacker to cause a denial of service. Fix the regex to
|
||||
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
|
||||
|
||||
From 7c4bae4e611cf8c03601ecca93cf6482226c52aa Mon Sep 17 00:00:00 2001
|
||||
From: Victor Stinner <vstinner@python.org>
|
||||
Date: Thu, 30 Jan 2020 23:12:18 +0100
|
||||
Subject: [PATCH 2/2] Add CVE-2020-8492 to the NEWS entry
|
||||
|
||||
---
|
||||
.../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
index 2c2622f4e8d54..92f186dcb1e49 100644
|
||||
--- a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
||||
@@ -1,4 +1,4 @@
|
||||
-The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
|
||||
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
|
||||
:mod:`urllib.request` module uses an inefficient regular expression which can
|
||||
be exploited by an attacker to cause a denial of service. Fix the regex to
|
||||
prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user