- http.server: Fix an open redirection vulnerability in the HTTP server

when an URI path starts with //. (bsc#1202624, CVE-2021-28861) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=113
2022-09-01 03:50:33 +00:00
parent f343483635
commit a2b82842e5
3 changed files with 137 additions and 0 deletions
--- a/python39.spec
+++ b/python39.spec
@@ -161,6 +161,9 @@ Patch35:        support-expat-CVE-2022-25236-patched.patch
 # PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
 # avoid the command injection in the mailcap module.
 Patch36:        CVE-2015-20107-mailcap-unsafe-filenames.patch
+# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94093
+# Coerce // to / in Lib/http/server.py
+Patch37:        CVE-2021-28861-double-slash-path.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -420,6 +423,7 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac