Matej Cepl
8a27bf7896
- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
request (bpo#43075, boo#1189287).
- Add missing security announcement to
bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
old: devel:languages:python:Factory/python
new: home:fusionfuture:branches:devel:languages:python:Factory/python rev None
Index: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
===================================================================
--- bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 296)
+++ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 3)
@@ -19,3 +19,8 @@
self.status = status
self.reason = reason.strip()
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
+@@ -0,0 +1,2 @@
++mod:`http.client` now avoids infinitely reading potential HTTP headers after a
++``100 Continue`` status response from the server.
Index: python-base.changes
===================================================================
--- python-base.changes (revision 296)
+++ python-base.changes (revision 3)
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+ request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python-base.spec
===================================================================
--- python-base.spec (revision 296)
+++ python-base.spec (revision 3)
@@ -105,6 +105,8 @@
Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: bpo43075-fix-ReDoS-in-request.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@@ -233,6 +235,7 @@
%patch61 -p1
%patch62 -p1
%patch63 -p1
+%patch64 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
Index: python-doc.changes
===================================================================
--- python-doc.changes (revision 296)
+++ python-doc.changes (revision 3)
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+ request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python-doc.spec
===================================================================
--- python-doc.spec (revision 296)
+++ python-doc.spec (revision 3)
@@ -107,6 +107,8 @@
Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: bpo43075-fix-ReDoS-in-request.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps
@@ -177,6 +179,7 @@
%patch61 -p1
%patch62 -p1
%patch63 -p1
+%patch64 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
Index: python.changes
===================================================================
--- python.changes (revision 296)
+++ python.changes (revision 3)
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+ request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python.spec
===================================================================
--- python.spec (revision 296)
+++ python.spec (revision 3)
@@ -107,6 +107,8 @@
Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: bpo43075-fix-ReDoS-in-request.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@@ -291,6 +293,7 @@
%patch61 -p1
%patch62 -p1
%patch63 -p1
+%patch64 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
Index: bpo43075-fix-ReDoS-in-request.patch
===================================================================
--- bpo43075-fix-ReDoS-in-request.patch (added)
+++ bpo43075-fix-ReDoS-in-request.patch (revision 3)
@@ -0,0 +1,15 @@
+--- a/Lib/urllib2.py
++++ b/Lib/urllib2.py
+@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
+
+ # allow for double- and single-quoted realm values
+ # (single quotes are a violation of the RFC, but appear in the wild)
+- rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
+ 'realm=(["\']?)([^"\']*)\\2', re.I)
+
+ # XXX could pre-emptively send auth info already accepted (RFC 2617,
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+@@ -0,0 +1 @@
++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
OBS-URL: https://build.opensuse.org/request/show/911251
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=297
Python in SUSE
==============
* Documentation *
You can find documentation in seprarate packages: python-doc and
python-doc-pdf. These contan following documents:
Tutorial, What's New in Python, Global Module Index, Library Reference,
Macintosh Module Reference, Installing Python Modules, Distributing Python
Modules, Language Reference, Extending and Embedding, Python/C API,
Documenting Python
The python-doc package constains many text files from source tarball.
* Interactive mode *
Interactive mode is by default enhanced with of history and command completion.
If you don't like these features, you can unset PYTHONSTARTUP variable in your
.profile or disable it system wide in /etc/profile.d/python.sh.