From 2c04be55bdb4d1d22f3af9c82332881ae08f6f843b4c8f4163b54aa9063f7e10 Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Thu, 8 Dec 2022 10:47:18 +0000 Subject: [PATCH] =?UTF-8?q?-=20Update=20to=203.9.16:=20=20=20-=20python=20?= =?UTF-8?q?-m=20http.server=20no=20longer=20allows=20terminal=20control=20?= =?UTF-8?q?=20=20=20=20characters=20sent=20within=20a=20garbage=20request?= =?UTF-8?q?=20to=20be=20printed=20to=20the=20=20=20=20=20stderr=20server?= =?UTF-8?q?=20log.=20=20=20=20=20This=20is=20done=20by=20changing=20the=20?= =?UTF-8?q?http.server=20=20=20=20=20BaseHTTPRequestHandler=20.log=5Fmessa?= =?UTF-8?q?ge=20method=20to=20replace=20control=20=20=20=20=20characters?= =?UTF-8?q?=20with=20a=20\xHH=20hex=20escape=20before=20printing.=20=20=20?= =?UTF-8?q?-=20Avoid=20publishing=20list=20of=20active=20per-interpreter?= =?UTF-8?q?=20audit=20hooks=20=20=20=20=20via=20the=20gc=20module=20=20=20?= =?UTF-8?q?-=20The=20IDNA=20codec=20decoder=20used=20on=20DNS=20hostnames?= =?UTF-8?q?=20by=20socket=20or=20=20=20=20=20asyncio=20related=20name=20re?= =?UTF-8?q?solution=20functions=20no=20longer=20involves=20=20=20=20=20a?= =?UTF-8?q?=20quadratic=20algorithm.=20This=20prevents=20a=20potential=20C?= =?UTF-8?q?PU=20denial=20=20=20=20=20of=20service=20if=20an=20out-of-spec?= =?UTF-8?q?=20excessive=20length=20hostname=20=20=20=20=20involving=20bidi?= =?UTF-8?q?rectional=20characters=20were=20decoded.=20Some=20=20=20=20=20p?= =?UTF-8?q?rotocols=20such=20as=20urllib=20http=203xx=20redirects=20potent?= =?UTF-8?q?ially=20allow=20=20=20=20=20for=20an=20attacker=20to=20supply?= =?UTF-8?q?=20such=20a=20name=20(CVE-2015-20107).=20=20=20-=20Update=20bun?= =?UTF-8?q?dled=20libexpat=20to=202.5.0=20=20=20-=20Port=20XKCP=E2=80=99s?= =?UTF-8?q?=20fix=20for=20the=20buffer=20overflows=20in=20SHA-3=20=20=20?= =?UTF-8?q?=20=20(CVE-2022-37454).=20=20=20-=20On=20Linux=20the=20multipro?= =?UTF-8?q?cessing=20module=20returns=20to=20using=20=20=20=20=20filesyste?= =?UTF-8?q?m=20backed=20unix=20domain=20sockets=20for=20communication=20wi?= 
=?UTF-8?q?th=20=20=20=20=20the=20forkserver=20process=20instead=20of=20th?= =?UTF-8?q?e=20Linux=20abstract=20socket=20=20=20=20=20namespace.=20Only?= =?UTF-8?q?=20code=20that=20chooses=20to=20use=20the=20=E2=80=9Cforkserver?= =?UTF-8?q?=E2=80=9D=20=20=20=20=20start=20method=20is=20affected.=20=20?= =?UTF-8?q?=20=20=20Abstract=20sockets=20have=20no=20permissions=20and=20c?= =?UTF-8?q?ould=20allow=20any=20=20=20=20=20user=20on=20the=20system=20in?= =?UTF-8?q?=20the=20same=20network=20namespace=20(often=20=20=20=20=20the?= =?UTF-8?q?=20whole=20system)=20to=20inject=20code=20into=20the=20multipro?= =?UTF-8?q?cessing=20=20=20=20=20forkserver=20process.=20This=20was=20a=20?= =?UTF-8?q?potential=20privilege=20=20=20=20=20escalation.=20Filesystem=20?= =?UTF-8?q?based=20socket=20permissions=20restrict=20this=20=20=20=20=20to?= =?UTF-8?q?=20the=20forkserver=20process=20user=20as=20was=20the=20default?= =?UTF-8?q?=20in=20Python?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=126 --- ...nx.locale._-as-gettext-in-pyspecific.patch | 4 +- CVE-2015-20107-mailcap-unsafe-filenames.patch | 136 ------------------ ...022-42919-loc-priv-mulitproc-forksrv.patch | 59 -------- Python-3.9.15.tar.xz | 3 - Python-3.9.15.tar.xz.asc | 16 --- Python-3.9.16.tar.xz | 3 + Python-3.9.16.tar.xz.asc | 16 +++ python39.changes | 44 ++++++ python39.spec | 14 +- 9 files changed, 66 insertions(+), 229 deletions(-) delete mode 100644 CVE-2015-20107-mailcap-unsafe-filenames.patch delete mode 100644 CVE-2022-42919-loc-priv-mulitproc-forksrv.patch delete mode 100644 Python-3.9.15.tar.xz delete mode 100644 Python-3.9.15.tar.xz.asc create mode 100644 Python-3.9.16.tar.xz create mode 100644 Python-3.9.16.tar.xz.asc diff --git a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch b/98437-sphinx.locale._-as-gettext-in-pyspecific.patch index 46454d4..826428c 100644 
--- a/98437-sphinx.locale._-as-gettext-in-pyspecific.patch +++ b/98437-sphinx.locale._-as-gettext-in-pyspecific.patch @@ -30,7 +30,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for content = self.content add_text = nodes.strong(label, label) if self.arguments: -@@ -266,7 +266,7 @@ class AuditEvent(Directive): +@@ -179,7 +179,7 @@ class AuditEvent(Directive): else: args = [] @@ -39,7 +39,7 @@ Subject: [PATCH 1/2] fix(doc-tools): use sphinx.locale._ as gettext() for text = label.format(name="``{}``".format(name), args=", ".join("``{}``".format(a) for a in args if a)) -@@ -445,7 +445,7 @@ class DeprecatedRemoved(Directive): +@@ -358,7 +358,7 @@ class DeprecatedRemoved(Directive): else: label = self._removed_label diff --git a/CVE-2015-20107-mailcap-unsafe-filenames.patch b/CVE-2015-20107-mailcap-unsafe-filenames.patch deleted file mode 100644 index d3dfb86..0000000 --- a/CVE-2015-20107-mailcap-unsafe-filenames.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Wed, 27 Apr 2022 18:17:33 +0200 -Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe - filenames/types/params - ---- - Doc/library/mailcap.rst | 12 ++++ - Lib/mailcap.py | 26 +++++++++- - Lib/test/test_mailcap.py | 8 ++- - Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 + - 4 files changed, 46 insertions(+), 4 deletions(-) - ---- a/Doc/library/mailcap.rst -+++ b/Doc/library/mailcap.rst -@@ -60,6 +60,18 @@ standard. However, mailcap files are su - use) to determine whether or not the mailcap line applies. :func:`findmatch` - will automatically check such conditions and skip the entry if the check fails. - -+ .. versionchanged:: 3.11 -+ -+ To prevent security issues with shell metacharacters (symbols that have -+ special effects in a shell command line), ``findmatch`` will refuse -+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` -+ into the returned command line. -+ -+ If a disallowed character appears in *filename*, ``findmatch`` will always -+ return ``(None, None)`` as if no entry was found. -+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), -+ ``findmatch`` will ignore all mailcap entries which use that value. -+ A :mod:`warning ` will be raised in either case. - - .. function:: getcaps() - ---- a/Lib/mailcap.py -+++ b/Lib/mailcap.py -@@ -2,6 +2,7 @@ - - import os - import warnings -+import re - - __all__ = ["getcaps","findmatch"] - -@@ -13,6 +14,11 @@ def lineno_sort_key(entry): - else: - return 1, 0 - -+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search -+ -+class UnsafeMailcapInput(Warning): -+ """Warning raised when refusing unsafe input""" -+ - - # Part 1: top-level interface. - -@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view' - entry to use. 
- - """ -+ if _find_unsafe(filename): -+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None, None - entries = lookup(caps, MIMEtype, key) - # XXX This code should somehow check for the needsterminal flag. - for e in entries: - if 'test' in e: - test = subst(e['test'], filename, plist) -+ if test is None: -+ continue - if test and os.system(test) != 0: - continue - command = subst(e[key], MIMEtype, filename, plist) -- return command, e -+ if command is not None: -+ return command, e - return None, None - - def lookup(caps, MIMEtype, key=None): -@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli - elif c == 's': - res = res + filename - elif c == 't': -+ if _find_unsafe(MIMEtype): -+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None - res = res + MIMEtype - elif c == '{': - start = i -@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli - i = i+1 - name = field[start:i] - i = i+1 -- res = res + findparam(name, plist) -+ param = findparam(name, plist) -+ if _find_unsafe(param): -+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None -+ res = res + param - # XXX To do: - # %n == number of parts if type is multipart/* - # %F == list of alternating type and filename for parts ---- a/Lib/test/test_mailcap.py -+++ b/Lib/test/test_mailcap.py -@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCa - (["", "audio/*", "foo.txt"], ""), - (["echo foo", "audio/*", "foo.txt"], "echo foo"), - (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), -- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), -+ (["echo %t", "audio/*", "foo.txt"], None), -+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), - (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), - (["echo foo", "audio/*", 
"foo.txt", plist], "echo foo"), - (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") -@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase): - ('"An audio fragment"', audio_basic_entry)), - ([c, "audio/*"], - {"filename": fname}, -- ("/usr/local/bin/showaudio audio/*", audio_entry)), -+ (None, None)), -+ ([c, "audio/wav"], -+ {"filename": fname}, -+ ("/usr/local/bin/showaudio audio/wav", audio_entry)), - ([c, "message/external-body"], - {"plist": plist}, - ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst -@@ -0,0 +1,4 @@ -+The deprecated mailcap module now refuses to inject unsafe text (filenames, -+MIME types, parameters) into shell commands. Instead of using such text, it -+will warn and act as if a match was not found (or for test commands, as if -+the test failed). diff --git a/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch b/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch deleted file mode 100644 index e616e48..0000000 --- a/CVE-2022-42919-loc-priv-mulitproc-forksrv.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001 -From: "Gregory P. Smith" -Date: Thu, 20 Oct 2022 15:30:09 -0700 -Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for - multiprocessing (GH-98501) - -Linux abstract sockets are insecure as they lack any form of filesystem -permissions so their use allows anyone on the system to inject code into -the process. - -This removes the default preference for abstract sockets in -multiprocessing introduced in Python 3.9+ via -https://github.com/python/cpython/pull/18866 while fixing -https://github.com/python/cpython/issues/84031. - -Explicit use of an abstract socket by a user now generates a -RuntimeWarning. If we choose to keep this warning, it should be -backported to the 3.7 and 3.8 branches. -(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) - -Co-authored-by: Gregory P. Smith ---- - Lib/multiprocessing/connection.py | 5 --- - Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 ++++++++++ - 2 files changed, 15 insertions(+), 5 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst - ---- a/Lib/multiprocessing/connection.py -+++ b/Lib/multiprocessing/connection.py -@@ -73,11 +73,6 @@ def arbitrary_address(family): - if family == 'AF_INET': - return ('localhost', 0) - elif family == 'AF_UNIX': -- # Prefer abstract sockets if possible to avoid problems with the address -- # size. When coding portable applications, some implementations have -- # sun_path as short as 92 bytes in the sockaddr_un struct. 
-- if util.abstract_sockets_supported: -- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}" - return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir()) - elif family == 'AF_PIPE': - return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' % ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst -@@ -0,0 +1,15 @@ -+On Linux the :mod:`multiprocessing` module returns to using filesystem backed -+unix domain sockets for communication with the *forkserver* process instead of -+the Linux abstract socket namespace. Only code that chooses to use the -+:ref:`"forkserver" start method ` is affected. -+ -+Abstract sockets have no permissions and could allow any user on the system in -+the same `network namespace -+`_ (often the -+whole system) to inject code into the multiprocessing *forkserver* process. -+This was a potential privilege escalation. Filesystem based socket permissions -+restrict this to the *forkserver* process user as was the default in Python 3.8 -+and earlier. -+ -+This prevents Linux `CVE-2022-42919 -+`_. diff --git a/Python-3.9.15.tar.xz b/Python-3.9.15.tar.xz deleted file mode 100644 index c3f4517..0000000 --- a/Python-3.9.15.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:12daff6809528d9f6154216950423c9e30f0e47336cb57c6aa0b4387dd5eb4b2 -size 19712208 diff --git a/Python-3.9.15.tar.xz.asc b/Python-3.9.15.tar.xz.asc deleted file mode 100644 index 8895f7d..0000000 --- a/Python-3.9.15.tar.xz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFhjEACgkQsmmV4xAl -BWhJRA/9H5hksRFz3av1uOB/HDVlglMwxIPJOzk57z6aknzc/ItxVz54UXK46XL7 -t9kSmb2zFo+TVfusE/By17ozf+j1WK8uTr8LrO2uvUC+Sck22U4WIwTkqj95/6sP -Fmzrqsx1OyyCc6zJAMO6yo2hpxGmDcpxqVrn+lJ+INpuvf54bKerbFwV3+z6MxSe -s48b2YGuLK1ttjFEOrrsGxf8sS7SNByckBMQDHf++5g95zUczlZ4j5UH15GZ+wHn -NDW3/kccFGHjBHGGsNjZCIwmFN0+yA6BtbTEsX/nAyfcD45u7w5TQEmVp+knTtU8 -G3Z3C6aCATxBG4UKpO5DxL+UqcC5IvFT1mcKN+TgFluX5X7ENo3QPMGiww906NGr -/6KztH7kURjUfI0cNQIxkJcnjNXGAbIumgokKOjcyIlWzxnb0I6cQsaj0yg0zUQG -zIwugTjwoA00JZiV+WZxsFfkrOpxOWCLXFLdA2ph5BM1W0nqBFH21ZIBns77uoHe -1wM0A1meu6AFFgQZREGV6twyqAnsGGgf+x2Y4a/s9MTLYphoMSEIUOvnbwAzsBbL -+FThjD2o1bsm8E1V9d18hvw/jhsOCievKt4a3Fqnl2wPMjvoRaEYevyv3QNBjg1i -bLAhT0QpnE68h6doi7FgKd5sdp6OGQT5wUOUseQSAINO9k8R7RQ= -=Qc71 ------END PGP SIGNATURE----- diff --git a/Python-3.9.16.tar.xz b/Python-3.9.16.tar.xz new file mode 100644 index 0000000..05262ef --- /dev/null +++ b/Python-3.9.16.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:22dddc099246dd2760665561e8adb7394ea0cc43a72684c6480f9380f7786439 +size 19738796 diff --git a/Python-3.9.16.tar.xz.asc b/Python-3.9.16.tar.xz.asc new file mode 100644 index 0000000..1fd2df0 --- /dev/null +++ b/Python-3.9.16.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl +BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD +rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL +257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV +si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr +fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO +HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3 +4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi +TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC +GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5 +JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2 +U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E= +=dXB5 +-----END PGP SIGNATURE----- diff --git a/python39.changes b/python39.changes index 85172cb..9876b51 100644 --- a/python39.changes +++ b/python39.changes 
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Thu Dec 8 10:43:43 UTC 2022 - Matej Cepl + +- Update to 3.9.16: + - python -m http.server no longer allows terminal control + characters sent within a garbage request to be printed to the + stderr server log. + This is done by changing the http.server + BaseHTTPRequestHandler .log_message method to replace control + characters with a \xHH hex escape before printing. + - Avoid publishing list of active per-interpreter audit hooks + via the gc module + - The IDNA codec decoder used on DNS hostnames by socket or + asyncio related name resolution functions no longer involves + a quadratic algorithm. This prevents a potential CPU denial + of service if an out-of-spec excessive length hostname + involving bidirectional characters were decoded. Some + protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name (CVE-2015-20107). + - Update bundled libexpat to 2.5.0 + - Port XKCP’s fix for the buffer overflows in SHA-3 + (CVE-2022-37454). + - On Linux the multiprocessing module returns to using + filesystem backed unix domain sockets for communication with + the forkserver process instead of the Linux abstract socket + namespace. Only code that chooses to use the “forkserver” + start method is affected. + Abstract sockets have no permissions and could allow any + user on the system in the same network namespace (often + the whole system) to inject code into the multiprocessing + forkserver process. This was a potential privilege + escalation. Filesystem based socket permissions restrict this + to the forkserver process user as was the default in Python + 3.8 and earlier. + This prevents Linux CVE-2022-42919. + - The deprecated mailcap module now refuses to inject unsafe + text (filenames, MIME types, parameters) into shell + commands. 
Instead of using such text, it will warn and act + as if a match was not found (or for test commands, as if the + test failed). +- Removed upstreamed patches: + - CVE-2015-20107-mailcap-unsafe-filenames.patch + - CVE-2022-42919-loc-priv-mulitproc-forksrv.patch + ------------------------------------------------------------------- Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl diff --git a/python39.spec b/python39.spec index 8fad38a..66fbfed 100644 --- a/python39.spec +++ b/python39.spec @@ -93,7 +93,7 @@ %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.9.15 +Version: 3.9.16 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -158,18 +158,9 @@ Patch34: skip-test_pyobject_freed_is_freed.patch # PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com # Makes Python resilient to changes of API of libexpat Patch35: support-expat-CVE-2022-25236-patched.patch -# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com -# avoid the command injection in the mailcap module. -Patch36: CVE-2015-20107-mailcap-unsafe-filenames.patch # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com # this patch makes things totally awesome Patch37: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch -# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch bsc#1204886 mcepl@suse.com -# Avoid Linux specific local privilege escalation via the multiprocessing forkserver start method -Patch38: CVE-2022-42919-loc-priv-mulitproc-forksrv.patch -# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com -# Avoid DoS by decoding IDNA for too long domain names -Patch39: CVE-2022-45061-DoS-by-IDNA-decode.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes 
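Review bot: Patch39 (`CVE-2022-45061-DoS-by-IDNA-decode.patch`) is dropped in this hunk, and its `%patch39 -p1` line is dropped in the %prep hunk that follows, but the commit's diffstat deletes only the mailcap and forkserver patch files and the "Removed upstreamed patches" list in python39.changes names only those two. If the IDNA patch file is still in the package it is now an unreferenced source, so it should be deleted in the same change (unless another commit already does so) and recorded with a third list entry, `- CVE-2022-45061-DoS-by-IDNA-decode.patch`. The same changes entry, and the commit subject, tag the IDNA decoder fix with CVE-2015-20107, which the removed Patch36 comment ties to the mailcap command injection. Going by the patch file names, the IDNA bullet should read `(CVE-2022-45061)` and CVE-2015-20107 belongs on the mailcap bullet, which matters to anyone who tracks fixed CVEs from the changelog.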
@@ -428,10 +419,7 @@ other applications. %patch05 -p1 %endif %patch35 -p1 -%patch36 -p1 %patch37 -p1 -%patch38 -p1 -%patch39 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac