- Update to 3.8.17:
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329
(bsc#1208471).
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details (fixing
CVE-2007-4559, bsc#1203750).
- Remove upstreamed patches:
- CVE-2023-24329-blank-URL-bypass.patch
- CVE-2007-4559-filter-tarfile_extractall.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=130
This commit is contained in:
Git OBS Bridge
parent
bb69159320
commit
6037f4f429
File diff suppressed because it is too large
Load Diff
@ -1,55 +0,0 @@
|
||||
From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
|
||||
Date: Sat, 12 Nov 2022 15:43:33 -0500
|
||||
Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
|
||||
schemes that don't begin with an alphabetical ASCII character.
|
||||
|
||||
---
|
||||
Lib/test/test_urlparse.py | 18 ++++++++++
|
||||
Lib/urllib/parse.py | 2 -
|
||||
Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 +
|
||||
3 files changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/Lib/test/test_urlparse.py
|
||||
+++ b/Lib/test/test_urlparse.py
|
||||
@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase
|
||||
with self.assertRaises(ValueError):
|
||||
p.port
|
||||
|
||||
+ def test_attributes_bad_scheme(self):
|
||||
+ """Check handling of invalid schemes."""
|
||||
+ for bytes in (False, True):
|
||||
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
|
||||
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
|
||||
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
|
||||
+ url = scheme + "://www.example.net"
|
||||
+ if bytes:
|
||||
+ if url.isascii():
|
||||
+ url = url.encode("ascii")
|
||||
+ else:
|
||||
+ continue
|
||||
+ p = parse(url)
|
||||
+ if bytes:
|
||||
+ self.assertEqual(p.scheme, b"")
|
||||
+ else:
|
||||
+ self.assertEqual(p.scheme, "")
|
||||
+
|
||||
def test_attributes_without_netloc(self):
|
||||
# This example is straight from RFC 3261. It looks like it
|
||||
# should allow the username, hostname, and port to be filled
|
||||
--- a/Lib/urllib/parse.py
|
||||
+++ b/Lib/urllib/parse.py
|
||||
@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragm
|
||||
clear_cache()
|
||||
netloc = query = fragment = ''
|
||||
i = url.find(':')
|
||||
- if i > 0:
|
||||
+ if i > 0 and url[0].isascii() and url[0].isalpha():
|
||||
if url[:i] == 'http': # optimize the common case
|
||||
url = url[i+1:]
|
||||
if url[:2] == '//':
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
|
||||
@@ -0,0 +1,2 @@
|
||||
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
|
||||
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
|
||||
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d85dbb3774132473d8081dcb158f34a10ccad7a90b96c7e50ea4bb61f5ce4562
|
||||
size 19046724
|
||||
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPlyYACgkQsmmV4xAl
|
||||
BWhZ3RAAhtzObFVyAJIjaNHSnYClAq39NFOvAA2oFmTbNorF/sHAbV///9Zmm2we
|
||||
prT8gWUJJtPeX1+J3lj0GokthB/YggLIF6MjTL9klamXUWZrdsv8jM00T+nXMHU3
|
||||
Y4pgi0zXX4fhb5iOWeLli99T40+a/8AgbqVC0cv5d6Yk+CncYY2XsNoBuNC4dOoL
|
||||
FaSQMZUsTYf4CoZyHbAN3hs5kshaZRufAJ/LGDlZU3+luuy1PU4uNzqSSY6XMw4L
|
||||
Ar+tukCXwqIOu4baq2BYUF5VjfZrgviC7NxHZBeKuGQ3v7X0HmOWOxG59s1cmJkA
|
||||
CbyK3z/LRVmA33YyhU60QaqfUYHXhNZaMgEku2m3XTRaRkjF+Wg/LAtu01usOrYG
|
||||
BYivpD7yhVqXXvwWV3Y+lpcu8DhZTtXM3hTrN6XErLiYnN1G7sduSNabnOke6Td/
|
||||
p0Ki1UE4Ts+P8yN85/uHiGbjDejU2SRlAuWeSmeIKIyTUNPJoM5OSK9K6FgqxZef
|
||||
OYFDWVZg0Dll5bLU+f/Lw8mXVwF7dX2OUPeXauPm3LhKRHIYpfeuQ+PkP9KeIJn5
|
||||
DwfdvcKw3jVttopWgTS/pT6vu8zgOAZ6kuzhf/s+q8mB3cQRjfn7BMq/PFcNNZJG
|
||||
iLzJ2C5Q7tNn/5elUaV8TOPa2JwmiPViitE4OHqB+sH591JIh+g=
|
||||
=DwHA
|
||||
-----END PGP SIGNATURE-----
|
||||
3
Python-3.8.17.tar.xz
Normal file
3
Python-3.8.17.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2e54b0c68191f16552f6de2e97a2396540572a219f6bbb28591a137cecc490a9
|
||||
size 20696584
|
||||
16
Python-3.8.17.tar.xz.asc
Normal file
16
Python-3.8.17.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmR/P90ACgkQsmmV4xAl
|
||||
BWgSZhAAkO3g9Wo9y6hK22U7RvEoe/t8hmsAjXCGRnHDywQWd/utJoROjbwE7C7M
|
||||
hACiYdBrEoBLV0UDtTkvkMiBwD32kKgjBYh8zUIpQt52ysbC4nZmvlRF2p9IfTVq
|
||||
x1MmlW4JwKCqc4Oj3me5sD3Z8JRuN9EuIYybnSRXhLLV6d7kn5MMJMbQ7L16Jc5I
|
||||
ORXUTzt9Oq49qZ6gIJxbtdvEuVNcpTYc0BYo/8eJtcVualPZ47hnHjQUnRfEd9Mq
|
||||
P3AEW4KCeuosOdjDxf/qXl6UvH79gpesSG1tzlDt7egmDk0DYwyod5cKntE2RIaU
|
||||
OcSvBG8QlzfOg2Yj1/zL5wcL90jVP5z2j/532tQeiycIMU1fEpBGPJm/q10IGZtg
|
||||
wa9Z84Z0FRU3FKBOLem89wtzQCUWBFWO0u7cRHyUYWyScmGCIJ2OaV7YQAfBwPYl
|
||||
sjnlFw2R9VvubdZK8uwYAWhjztRq40X0iutO3xTnOU6wX/doU02kfRzQltGXasKH
|
||||
kb+trWjCWVVK2HvxJUgj6cvPrpl7R+fIUMJMNfYirrzntqQM63AB291opisnIT+G
|
||||
OxZbSmDR5/LYG5HCEtMgZN0knMoiLbdB9LxI0p0x7W+yuk5Yn+E3W/7IwlfihvTz
|
||||
wlbFGFr4WVLH6065BOc0CYn0bMrU7mo8RFt2m1wrkOq0tzHcfXk=
|
||||
=m6a1
|
||||
-----END PGP SIGNATURE-----
|
||||
@ -1,3 +1,34 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
- Update to 3.8.17:
|
||||
- gh-103142: The version of OpenSSL used in Windows and
|
||||
Mac installers has been upgraded to 1.1.1u to address
|
||||
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
|
||||
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
|
||||
fixed previously in 1.1.1t (gh-101727).
|
||||
- gh-102153: urllib.parse.urlsplit() now strips leading C0
|
||||
control and space characters following the specification for
|
||||
URLs defined by WHATWG in response to CVE-2023-24329
|
||||
(bsc#1208471).
|
||||
- gh-99889: Fixed a security in flaw in uu.decode() that could
|
||||
allow for directory traversal based on the input if no
|
||||
out_file was specified.
|
||||
- gh-104049: Do not expose the local on-disk
|
||||
location in directory indexes produced by
|
||||
http.client.SimpleHTTPRequestHandler.
|
||||
- gh-103935: trace.__main__ now uses io.open_code() for files
|
||||
to be executed instead of raw open().
|
||||
- gh-102953: The extraction methods in tarfile, and
|
||||
shutil.unpack_archive(), have a new filter argument that
|
||||
allows limiting tar features than may be surprising or
|
||||
dangerous, such as creating files outside the destination
|
||||
directory. See Extraction filters for details (fixing
|
||||
CVE-2007-4559, bsc#1203750).
|
||||
- Remove upstreamed patches:
|
||||
- CVE-2023-24329-blank-URL-bypass.patch
|
||||
- CVE-2007-4559-filter-tarfile_extractall.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat May 6 17:31:35 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@
|
||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||
%bcond_without profileopt
|
||||
Name: %{python_pkg_name}%{psuffix}
|
||||
Version: 3.8.16
|
||||
Version: 3.8.17
|
||||
Release: 0
|
||||
Summary: Python 3 Interpreter
|
||||
License: Python-2.0
|
||||
@ -176,13 +176,6 @@ Patch37: platlibdir-in-sys.patch
|
||||
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
|
||||
# this patch makes things totally awesome
|
||||
Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
|
||||
# blocklist bypass via the urllib.parse component when supplying
|
||||
# a URL that starts with blank characters
|
||||
Patch39: CVE-2023-24329-blank-URL-bypass.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 mcepl@suse.com
|
||||
# Implement PEP-706 to filter outcome of the tarball extracing
|
||||
Patch40: CVE-2007-4559-filter-tarfile_extractall.patch
|
||||
# PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com
|
||||
# Patch for gh#python/cpython#98086
|
||||
Patch41: 99366-patch.dict-can-decorate-async.patch
|
||||
@ -458,8 +451,6 @@ other applications.
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
|
||||
Loading…
Reference in New Issue
Block a user