From 8135f900415b09b39130b3a9d97bfc01fb28bb396492ddfdf53d5ec07a145b4b Mon Sep 17 00:00:00 2001 From: Daniel Garcia Date: Tue, 9 Jul 2024 06:49:18 +0000 Subject: [PATCH 1/3] - Update to 2024.7.4 (CVE-2024-39689, bsc#1227519): Removed certs: * Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH - 2024.06.02 Added certs: * Subject: CN=FIRMAPROFESIONAL CA ROOT-A WEB O=Firmaprofesional SA - 2024.02.02 Added certs: * Subject: CN=Telekom Security TLS ECC Root 2020 O=Deutsche Telekom Security GmbH * Subject: CN=Telekom Security TLS RSA Root 2023 O=Deutsche Telekom Security GmbH Removed certs: * Subject: O=SECOM Trust.net OU=Security Communication RootCA1 * Fix leaking certificate issue OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-certifi?expand=0&rev=72 --- certifi-2023.11.17.tar.gz | 3 --- certifi-2024.7.4.tar.gz | 3 +++ python-certifi.changes | 20 ++++++++++++++++++++ python-certifi.spec | 5 ++--- 4 files changed, 25 insertions(+), 6 deletions(-) delete mode 100644 certifi-2023.11.17.tar.gz create mode 100644 certifi-2024.7.4.tar.gz diff --git a/certifi-2023.11.17.tar.gz b/certifi-2023.11.17.tar.gz deleted file mode 100644 index d2286aa..0000000 --- a/certifi-2023.11.17.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9b469f3a900bf28dc19b8cfbf8019bf47f7fdd1a65a1d4ffb98fc14166beb4d1 -size 163637 diff --git a/certifi-2024.7.4.tar.gz b/certifi-2024.7.4.tar.gz new file mode 100644 index 0000000..effdf42 --- /dev/null +++ b/certifi-2024.7.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b +size 164065 diff --git a/python-certifi.changes b/python-certifi.changes index 5d48c36..706b91a 100644 --- a/python-certifi.changes +++ b/python-certifi.changes 
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Tue Jul 9 06:36:13 UTC 2024 - Daniel Garcia + +- Update to 2024.7.4 (CVE-2024-39689, bsc#1227519): + Removed certs: + * Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH + +- 2024.06.02 + Added certs: + * Subject: CN=FIRMAPROFESIONAL CA ROOT-A WEB O=Firmaprofesional SA + +- 2024.02.02 + Added certs: + * Subject: CN=Telekom Security TLS ECC Root 2020 O=Deutsche Telekom Security GmbH + * Subject: CN=Telekom Security TLS RSA Root 2023 O=Deutsche Telekom Security GmbH + Removed certs: + * Subject: O=SECOM Trust.net OU=Security Communication RootCA1 + + * Fix leaking certificate issue + ------------------------------------------------------------------- Tue Nov 28 09:10:25 UTC 2023 - Dirk Müller diff --git a/python-certifi.spec b/python-certifi.spec index bed12b7..ea79c37 100644 --- a/python-certifi.spec +++ b/python-certifi.spec @@ -1,7 +1,7 @@ # # spec file for package python-certifi # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,10 +16,9 @@ # -%{?!python_module:%define python_module() python-%{**} python3-%{**}} %{?sle15_python_module_pythons} Name: python-certifi -Version: 2023.11.17 +Version: 2024.7.4 Release: 0 Summary: Python package for providing Mozilla's CA Bundle License: MPL-2.0 From 221cccf0a46ce451c9f9b54d418ab9e874e0400917a44eda0fe5c82fd99a5e5c Mon Sep 17 00:00:00 2001 From: Daniel Garcia Date: Tue, 9 Jul 2024 07:12:42 +0000 Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-certifi?expand=0&rev=73 --- ...on-certifi-shipped-requests-cabundle.patch | 40 +++++++++++-------- python-certifi.spec | 3 +- two-basic-unit-tests.patch | 30 +++++++++----- 3 files changed, 44 insertions(+), 29 deletions(-) 
diff --git a/python-certifi-shipped-requests-cabundle.patch b/python-certifi-shipped-requests-cabundle.patch index e4f0800..8f7e172 100644 --- a/python-certifi-shipped-requests-cabundle.patch +++ b/python-certifi-shipped-requests-cabundle.patch @@ -1,21 +1,28 @@ -diff -Nru certifi-2022.9.24.orig/certifi/core.py certifi-2022.9.24/certifi/core.py ---- certifi-2022.9.24.orig/certifi/core.py 2022-09-13 22:15:32.000000000 +0200 -+++ certifi-2022.9.24/certifi/core.py 2022-11-15 12:56:32.415823730 +0100 -@@ -3,106 +3,18 @@ +Index: certifi-2024.7.4/certifi/core.py +=================================================================== +--- certifi-2024.7.4.orig/certifi/core.py ++++ certifi-2024.7.4/certifi/core.py +@@ -3,112 +3,19 @@ certifi.py ~~~~~~~~~~ This module returns the installation location of cacert.pem or its contents. --""" --import sys -- - --if sys.version_info >= (3, 11): +Patched by openSUSE: return the system bundle -+""" - -- from importlib.resources import as_file, files + """ +-import sys +-import atexit +import io +-def exit_cacert_ctx() -> None: +- _CACERT_CTX.__exit__(None, None, None) # type: ignore[union-attr] + ++def read_text(_module=None, _path=None, encoding="ascii"): ++ with io.open(where(), "r", encoding=encoding) as data: ++ return data.read() + +-if sys.version_info >= (3, 11): + +- from importlib.resources import as_file, files +- - _CACERT_CTX = None - _CACERT_PATH = None - @@ -40,6 +47,7 @@ diff -Nru certifi-2022.9.24.orig/certifi/core.py certifi-2022.9.24/certifi/core. - # we will also store that at the global level as well. - _CACERT_CTX = as_file(files("certifi").joinpath("cacert.pem")) - _CACERT_PATH = str(_CACERT_CTX.__enter__()) +- atexit.register(exit_cacert_ctx) - - return _CACERT_PATH - 
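Review bot: `read_text()` in the refreshed core.py decodes whatever file `where()` returns with `encoding="ascii"`, and the later `@@ -106,14 +115,11 @@` hunk pins `where()` to `/etc/ssl/ca-bundle.pem`, a file this package does not generate. Upstream could assume ASCII because it read its own `cacert.pem`; if the system bundle ever carries a non-ASCII comment or label line, the read raises `UnicodeDecodeError`, and callers of `contents()` would presumably fail too (its body is outside the hunk). Consider a comment above the `open` such as `# system bundle is maintained outside this package: it may be absent or contain non-ASCII comment lines`, and decoding as `encoding="utf-8"` where the caller does not need strict ASCII. `where()` also returns the path without checking that it exists, and the spec removes the bundled `cacert.pem`, so the package should declare the dependency that provides the system bundle if it does not already (not visible in this series).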
@@ -75,6 +83,7 @@ diff -Nru certifi-2022.9.24.orig/certifi/core.py certifi-2022.9.24/certifi/core. - # we will also store that at the global level as well. - _CACERT_CTX = get_path("certifi", "cacert.pem") - _CACERT_PATH = str(_CACERT_CTX.__enter__()) +- atexit.register(exit_cacert_ctx) - - return _CACERT_PATH - @@ -106,14 +115,11 @@ diff -Nru certifi-2022.9.24.orig/certifi/core.py certifi-2022.9.24/certifi/core. - # of assuming we're on the filesystem and munge the path directly. - def where() -> str: - f = os.path.dirname(__file__) -+def read_text(_module=None, _path=None, encoding="ascii"): -+ with io.open(where(), "r", encoding=encoding) as data: -+ return data.read() - -- return os.path.join(f, "cacert.pem") +def where(): + return "/etc/ssl/ca-bundle.pem" +- return os.path.join(f, "cacert.pem") + - def contents() -> str: - return read_text("certifi", "cacert.pem", encoding="ascii") +def contents() -> str: diff --git a/python-certifi.spec b/python-certifi.spec index ea79c37..4f46d2f 100644 --- a/python-certifi.spec +++ b/python-certifi.spec @@ -56,8 +56,7 @@ Note that on SUSE packages the used CA bundle is actually the system bundle %install %python_install -%{python_expand chmod +x %{buildroot}%{$python_sitelib}/certifi/core.py - sed -i "s|#!%{_bindir}/env python|#!%__$python|" %{buildroot}/%{$python_sitelib}/certifi/core.py +%{python_expand # rm %{buildroot}%{$python_sitelib}/certifi/cacert.pem } diff --git a/two-basic-unit-tests.patch b/two-basic-unit-tests.patch index b39bc06..3e33f60 100644 --- a/two-basic-unit-tests.patch +++ b/two-basic-unit-tests.patch @@ -11,14 +11,18 @@ Subject: [PATCH 1/2] add 2 basic unit tests create mode 100644 certifi/tests/__init__.py create mode 100755 certifi/tests/test_certifi.py +Index: certifi-2024.7.4/certifi/tests/__init__.py +=================================================================== --- /dev/null -+++ b/certifi/tests/__init__.py ++++ certifi-2024.7.4/certifi/tests/__init__.py 
@@ -0,0 +1,2 @@ +# certifi.tests module + +Index: certifi-2024.7.4/certifi/tests/test_certifi.py +=================================================================== --- /dev/null -+++ b/certifi/tests/test_certifi.py -@@ -0,0 +1,19 @@ ++++ certifi-2024.7.4/certifi/tests/test_certifi.py +@@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- +""" +unit tests to make sure everything behaves as expected @@ -31,15 +35,21 @@ Subject: [PATCH 1/2] add 2 basic unit tests + + +class TestCertifi(unittest.TestCase): -+ def test_cabundle_exists(self): -+ """Check that the reported bundle exists""" -+ self.assertTrue(os.path.exists(certifi.where())) ++ def test_cabundle_exists(self) -> None: ++ assert os.path.exists(certifi.where()) + -+ def test_read_contents(self): -+ """Check that the returned contents contain a certificate""" -+ self.assertIn("-----BEGIN CERTIFICATE-----", certifi.contents()) ++ def test_read_contents(self) -> None: ++ content = certifi.contents() ++ assert "-----BEGIN CERTIFICATE-----" in content ++ ++ def test_py_typed_exists(self) -> None: ++ assert os.path.exists( ++ os.path.join(os.path.dirname(certifi.__file__), 'py.typed') ++ ) +Index: certifi-2024.7.4/.github/workflows/python-package.yml +=================================================================== --- /dev/null -+++ b/.github/workflows/python-package.yml ++++ certifi-2024.7.4/.github/workflows/python-package.yml @@ -0,0 +1,40 @@ +# This workflow will install Python dependencies, run tests and lint with a variety of Python versions +# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions From e80402201fb3c31138bc37dd248287e74685815bd8a72e02b9f7a2e950525e79 Mon Sep 17 00:00:00 2001 
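Review bot: The refreshed tests in `test_certifi.py` replace `self.assertTrue`/`self.assertIn` with bare `assert` statements and drop the one-line docstrings, so a failure reports no message and the checks are compiled out if the suite is ever run under `python -O`. These tests are the only visible check that the patched `where()` resolves to a usable system bundle, so I would keep them unconditional, e.g. `self.assertTrue(os.path.isfile(certifi.where()))` and `self.assertIn("-----BEGIN CERTIFICATE-----", certifi.contents())`, with the docstrings restored. `os.path.exists` also accepts a directory, which `isfile` rules out. How `%check` invokes the suite is not visible in this series.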
From: Daniel Garcia Date: Tue, 9 Jul 2024 07:13:56 +0000 Subject: [PATCH 3/3] - Refresh patches python-certifi-shipped-requests-cabundle.patch and two-basic-unit-tests.patch - Remove executable bit from core.py file OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-certifi?expand=0&rev=74 --- python-certifi.changes | 3 +++ 1 file changed, 3 insertions(+) diff --git a/python-certifi.changes b/python-certifi.changes index 706b91a..c578d6c 100644 --- a/python-certifi.changes +++ b/python-certifi.changes @@ -1,6 +1,9 @@ ------------------------------------------------------------------- Tue Jul 9 06:36:13 UTC 2024 - Daniel Garcia +- Refresh patches python-certifi-shipped-requests-cabundle.patch and + two-basic-unit-tests.patch +- Remove executable bit from core.py file - Update to 2024.7.4 (CVE-2024-39689, bsc#1227519): Removed certs: * Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH