Matej Cepl 2019-11-12 14:04:49 +00:00 committed by Git OBS Bridge
parent 00800c2a14
commit 9abff58a55
6 changed files with 180 additions and 163 deletions

22
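--- a/CVE-2017-18207.patch
+++ b/CVE-2017-18207.patch
@@ -0,0 +1,22 @@
+From ae0ed14794ced2c51c822fc6f0d3ca92064619dd Mon Sep 17 00:00:00 2001
+From: BT123 <abcdyzhang@163.com>
+Date: Fri, 17 Nov 2017 16:45:45 +0800
+Subject: [PATCH] bug in wave.py
+---
+Lib/wave.py | 2 ++
+1 file changed, 2 insertions(+)
+Index: Python-2.7.13/Lib/wave.py
+===================================================================
+--- Python-2.7.13.orig/Lib/wave.py 2018-06-07 17:00:25.370728844 +0000
++++ Python-2.7.13/Lib/wave.py 2018-06-07 17:02:51.768202800 +0000
+@@ -272,6 +272,8 @@ class Wave_read:
+self._sampwidth = (sampwidth + 7) // 8
+else:
+raise Error, 'unknown format: %r' % (wFormatTag,)
++ if self._nchannels == 0:
++ raise Error, "The audio file in wav format should have at least one channel!"
+self._framesize = self._nchannels * self._sampwidth
+self._comptype = 'NONE'
+self._compname = 'not compressed'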
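Review bot: The added guard rejects only `self._nchannels == 0`, but `self._sampwidth` is computed just above it as `(sampwidth + 7) // 8`, which is 0 when the header's bits-per-sample field is 0, so `self._framesize` on the following line can still be zero. If the divide-by-zero described for CVE-2017-18207 comes from dividing by `_framesize` (that code is outside the hunk), such a file would still end in an uncaught ZeroDivisionError rather than `wave.Error`. I would add a second check beside the new one: `if self._sampwidth == 0:` followed by `raise Error, 'bad sample width'`. The enclosing method of `Wave_read` starts and ends outside the hunk, so confirm where `_framesize` is consumed before merging.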


@ -1,10 +1,8 @@
# legacy macros. commented but kept for the sake of possible recovery of their values # legacy macros. commented but kept for the sake of possible recovery of their values
#%py_ver %(python -c "import sys; v=sys.version_info[:2]; print '%%d.%%d'%%v" 2>/dev/null || echo PYTHON-NOT-FOUND) %py_prefix %(python -c "import sys; print sys.prefix" 2>/dev/null || echo PYTHON-NOT-FOUND)
#%py_prefix %(python -c "import sys; print sys.prefix" 2>/dev/null || echo PYTHON-NOT-FOUND) %py_libdir %{py_prefix}/%{_lib}/python%{py_ver}
#%py_libdir %{py_prefix}/%{_lib}/python%{py_ver} %py_incdir %{py_prefix}/include/python%{py_ver}
#%py_incdir %{py_prefix}/include/python%{py_ver} %py_sitedir %{py_libdir}/site-packages
#%py_sitedir %{py_libdir}/site-packages
#%__python2 /usr/bin/python2
# these might be still in use somewhere # these might be still in use somewhere
%py_compile(O) \ %py_compile(O) \


@ -1,11 +1,5 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 5 04:24:05 UTC 2019 - Steve Kowalik <steven.kowalik@suse.com> Tue Nov 12 14:11:27 CET 2019 - Matej Cepl <mcepl@suse.com>
- Add adapted-from-F00251-change-user-install-location.patch fixing
pip/distutils to install into /usr/local.
-------------------------------------------------------------------
Thu Oct 24 14:40:39 CEST 2019 - Matej Cepl <mcepl@suse.com>
- Update to 2.7.17: - Update to 2.7.17:
- a bug fix release in the Python 2.7.x series. It is expected - a bug fix release in the Python 2.7.x series. It is expected
@ -17,6 +11,15 @@ Thu Oct 24 14:40:39 CEST 2019 - Matej Cepl <mcepl@suse.com>
- CVE-2019-9947-no-ctrl-char-http.patch - CVE-2019-9947-no-ctrl-char-http.patch
- CVE-2019-9948-avoid_local-file.patch - CVE-2019-9948-avoid_local-file.patch
- Readjusted CVE-2017-18207.patch (for its description, see
below).
-------------------------------------------------------------------
Tue Nov 5 04:24:05 UTC 2019 - Steve Kowalik <steven.kowalik@suse.com>
- Add adapted-from-F00251-change-user-install-location.patch fixing
pip/distutils to install into /usr/local.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 8 19:46:52 CEST 2019 - Matej Cepl <mcepl@suse.com> Tue Oct 8 19:46:52 CEST 2019 - Matej Cepl <mcepl@suse.com>
@ -30,7 +33,14 @@ Wed Sep 25 13:25:33 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>
- Add bpo36302-sort-module-sources.patch (boo#1041090) - Add bpo36302-sort-module-sources.patch (boo#1041090)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jul 19 13:28:16 CEST 2019 - Matej Cepl <mcepl@suse.com> Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl <mcepl@suse.com>
- Add CVE-2019-16056-email-parse-addr.patch fixing the email
module wrongly parses email addresses [bsc#1149955,
CVE-2019-16056]
-------------------------------------------------------------------
Thu Jul 25 19:31:47 CEST 2019 - Matej Cepl <mcepl@suse.com>
- boo#1141853 (CVE-2018-20852) add - boo#1141853 (CVE-2018-20852) add
CVE-2018-20852-cookie-domain-check.patch fixing CVE-2018-20852-cookie-domain-check.patch fixing
@ -39,68 +49,49 @@ Fri Jul 19 13:28:16 CEST 2019 - Matej Cepl <mcepl@suse.com>
cookies to the wrong server. cookies to the wrong server.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jul 19 11:19:42 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> Wed Jul 3 21:02:00 CEST 2019 - Matej Cepl <mcepl@suse.com>
- Skip test_urllib2_localnet that randomly fails in OBS - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
which fixes regression introduced by the previous patch.
(CVE-2019-10160)
Upstream gh#python/cpython#13812
------------------------------------------------------------------- -------------------------------------------------------------------
Wed May 29 08:58:16 UTC 2019 - Martin Liška <mliska@suse.cz> Tue Apr 9 00:47:11 CEST 2019 - Matej Cepl <mcepl@suse.com>
- Set _lto_cflags to nil as it will prevent to propage LTO
for Python modules that are built in a separate package.
-------------------------------------------------------------------
Thu May 2 08:40:33 CEST 2019 - Matej Cepl <mcepl@suse.com>
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
Address the issue by disallowing URL paths with embedded
whitespace or control characters through into the underlying
http client request. Such potentially malicious header
injection URLs now cause a ValueError to be raised.
-------------------------------------------------------------------
Mon Apr 8 22:40:01 CEST 2019 - Matej Cepl <mcepl@suse.com>
- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch - bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch
removing unnecessary (and potentially harmful) URL scheme removing unnecessary (and potentially harmful) URL scheme
local-file://. local-file://.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Apr 8 21:13:48 CEST 2019 - Matej Cepl <mcepl@suse.com> Tue Apr 9 00:46:36 CEST 2019 - Matej Cepl <mcepl@suse.com>
- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch - bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
Characters in the netloc attribute that decompose under NFKC Characters in the netloc attribute that decompose under NFKC
normalization (as used by the IDNA encoding) into any of ``/``, normalization (as used by the IDNA encoding) into any of ``/``,
``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
URL is decomposed before parsing, or is not a Unicode string, URL is decomposed before parsing, or is not a Unicode string,
no error will be raised. no error will be raised (CVE-2019-9636).
Upstream commits e37ef41 and 507bd8c. Upstream commits e37ef41 and 507bd8c.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Apr 4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com> Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
- Update to 2.7.16: - bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
* bugfix-only release: complete list of changes on fixing bpo-34623.
https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst
* Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch -------------------------------------------------------------------
which are fully included in the tarball. Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
* Updated patches to apply cleanly:
CVE-2019-5010-null-defer-x509-cert-DOS.patch - bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch
bpo36160-init-sysconfig_vars.patch PyWeakref_NewProxy@Objects/weakrefobject.c creates new isntance
do-not-use-non-ascii-in-test_ssl.patch of PyWeakReference struct and does not intialize wr_prev and
openssl-111-middlebox-compat.patch wr_next of new isntance. These pointers can have garbage and
openssl-111-ssl_options.patch point to random memory locations.
python-2.5.1-sqlite.patch Python should not crash while destroying the isntance created
python-2.6-gettext-plurals.patch in the same interpreter function. As per my understanding, both
python-2.7-dirs.patch wr_prev and wr_next of PyWeakReference instance should be
python-2.7.2-fix_date_time_compiler.patch initialized to NULL to avoid segfault.
python-2.7.4-canonicalize2.patch
python-2.7.5-multilib.patch
python-2.7.9-ssl_ca_path.patch
python-bsddb6.diff
remove-static-libpython.diff
* Update python-2.7.5-multilib.patch to pass with new platlib
regime.
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
@ -114,17 +105,6 @@ Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
initiate or accept TLS connections using crafted certificates initiate or accept TLS connections using crafted certificates
to trigger this vulnerability. to trigger this vulnerability.
-------------------------------------------------------------------
Wed Dec 19 19:29:44 UTC 2018 - Todd R <toddrme2178@gmail.com>
- Use upstream-recommended %{_rpmconfigdir}/macros.d directory
for the rpm macros.
-------------------------------------------------------------------
Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Add patch openssl-111.patch to work with openssl-1.1.1
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com> Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>
@ -133,88 +113,65 @@ Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>
distutils.spawn. [bsc#1109663, CVE-2018-1000802] distutils.spawn. [bsc#1109663, CVE-2018-1000802]
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 21 18:41:43 UTC 2018 - michael@stroeder.com Fri Jun 29 10:24:27 UTC 2018 - mcepl@suse.com
- update to 2.7.15 - Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
* dozens of bugfixes, see NEWS for details low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
- removed obsolete patches: (CVE-2018-1061). Prior to this patch mail server's timestamp was
* python-ncurses-6.0-accessors.patch susceptible to catastrophic backtracking on long evil response from
* python-fix-shebang.patch the server. Also, it was susceptible to catastrophic backtracking,
* gcc8-miscompilation-fix.patch which was a potential DOS vector.
- add patch from upstream: [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]
* do-not-use-non-ascii-in-test_ssl.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Apr 6 10:11:22 UTC 2018 - mliska@suse.cz Thu Jun 7 17:04:40 UTC 2018 - psimons@suse.com
- Add gcc8-miscompilation-fix.patch (boo#1084650). - Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that
verifies that at least one channel is provided. Prior to this
check, attackers could cause a denial of service (divide-by-zero
error and application crash) via a crafted wav format audio file.
[bsc#1083507, CVE-2017-18207]
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 20 13:14:27 UTC 2018 - bwiedemann@suse.com Tue May 29 12:42:22 UTC 2018 - mcepl@suse.com
- Add python-sorted_tar.patch (boo#1081750) - Apply "python-sorted_tar.patch" (bsc#1086001)
sort tarfile output directory listing
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 5 16:01:59 UTC 2018 - normand@linux.vnet.ibm.com Tue Mar 13 15:22:47 UTC 2018 - psimons@suse.com
- exclude test_socket & test_subprocess for PowerPC boo#1078485 - Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer
(same ref as previous change) overflows in PyString_DecodeEscape that could have resulted in
heap-based buffer overflow attacks and possible arbitrary code
execution. [bsc#1068664, CVE-2017-1000158]
- Apply "python-2.7.14-CVE-2018-1000030-1.patch" and
"python-2.7.14-CVE-2018-1000030-2.patch" to remedy a bug that
would crash the Python interpreter when multiple threads used the
same I/O stream concurrently. This issue is not classified as a
security vulnerability due to the fact that an attacker must be
able to run code, however in some situations -- such as function
as a service -- this vulnerability can potentially be used by an
attacker to violate a trust boundary. [bsc#1079300,
CVE-2018-1000030]
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 2 09:21:24 UTC 2018 - normand@linux.vnet.ibm.com Tue Feb 28 16:16:40 UTC 2017 - jmatejek@suse.com
- Add python-skip_random_failing_tests.patch bypass boo#1078485 - SLE package update (bsc#1027282)
and exclude many tests for PowerPC - refresh python-2.7.5-multilib.patch
- dropped upstreamed patches:
------------------------------------------------------------------- python-fix-short-dh.patch
Tue Jan 30 16:08:33 UTC 2018 - tchvatal@suse.com python-2.7.7-mhlib-linkcount.patch
python-2.7-urllib2-localnet-ssl.patch
- Add patch python-fix-shebang.patch to fix bsc#1078326 CVE-2016-0772-smtplib-starttls.patch
CVE-2016-5699-http-header-injection.patch
------------------------------------------------------------------- CVE-2016-5636-zipimporter-overflow.patch
Fri Dec 22 16:49:38 UTC 2017 - jmatejek@suse.com python-2.7-httpoxy.patch
- Add python-ncurses-6.0-accessors.patch: Fix build with
- exclude test_regrtest for s390, where it does not segfault as it should NCurses 6.0 and OPAQUE_WINDOW set to 1.
(fixes bsc#1073269) (dimstar@opensuse.org)
- fix segfault while creating weakref - bsc#1073748, bpo#29347
(this is actually fixed by the 2.7.14 update; mentioning this for purposes
of bugfix tracking)
-------------------------------------------------------------------
Mon Nov 20 16:11:48 UTC 2017 - jmatejek@suse.com
- update to 2.7.14
* dozens of bugfixes, see NEWS for details
* fixed possible integer overflow in PyString_DecodeEscape (CVE-2017-1000158, bsc#1068664)
* fixed segfaults with dict mutated during search
* fixed possible free-after-use problems with buffer objects with custom indexing
* fixed urllib.splithost to correctly parse fragments (bpo-30500)
- drop upstreamed python-2.7.13-overflow_check.patch
- drop unneeded python-2.7.12-makeopcode.patch
- drop upstreamed 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch
-------------------------------------------------------------------
Thu Nov 2 16:53:42 UTC 2017 - mpluskal@suse.com
- Call python2 instead of python in macros
-------------------------------------------------------------------
Thu Aug 17 08:58:02 CEST 2017 - kukuk@suse.de
- Add libnsl-devel build requires for glibc obsoleting libnsl
-------------------------------------------------------------------
Mon May 15 14:03:01 UTC 2017 - jmatejek@suse.com
- obsolete/provide python-argparse and provide python2-argparse,
because the argparse module is available from python 2.7 up
-------------------------------------------------------------------
Fri Feb 24 17:08:25 UTC 2017 - bwiedemann@suse.com
- Add reproducible.patch to allow reproducible builds of various
python packages like python-amqp
Upstream: https://github.com/python/cpython/pull/296
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 3 16:59:24 UTC 2017 - jmatejek@suse.com Tue Jan 3 16:59:24 UTC 2017 - jmatejek@suse.com
@ -224,8 +181,8 @@ Tue Jan 3 16:59:24 UTC 2017 - jmatejek@suse.com
* updated cipher lists for openssl wrapper, support openssl >= 1.1.0 * updated cipher lists for openssl wrapper, support openssl >= 1.1.0
* properly fix HTTPoxy (CVE-2016-1000110) * properly fix HTTPoxy (CVE-2016-1000110)
* profile-opt build now applies PGO to modules as well * profile-opt build now applies PGO to modules as well
- update python-2.7.10-overflow_check.patch - add python-2.7.13-overflow_check.patch, incorporating upstream changes
with python-2.7.13-overflow_check.patch, incorporating upstream changes (bnc#964182)
- add "-fwrapv" to optflags explicitly because upstream code still - add "-fwrapv" to optflags explicitly because upstream code still
relies on it in many places relies on it in many places
@ -257,34 +214,40 @@ Thu Jun 30 09:23:05 UTC 2016 - jmatejek@suse.com
- modify shebang-fixing scriptlet to ignore makeopcodetargets.py - modify shebang-fixing scriptlet to ignore makeopcodetargets.py
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jan 29 13:03:40 UTC 2016 - rguenther@suse.com Fri Jun 17 12:33:23 UTC 2016 - jmatejek@suse.com
- Add python-2.7.10-overflow_check.patch to fix broken overflow checks. - CVE-2016-0772-smtplib-starttls.patch:
[bnc#964182] smtplib vulnerability opens startTLS stripping attack
(CVE-2016-0772, bsc#984751)
- CVE-2016-5636-zipimporter-overflow.patch:
heap overflow when importing malformed zip files
(CVE-2016-5636, bsc#985177)
- CVE-2016-5699-http-header-injection.patch:
incorrect validation of HTTP headers allow header injection
(CVE-2016-5699, bsc#985348)
- python-2.7-httpoxy.patch:
HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY
when REQUEST_METHOD is also set
(CVE-2016-1000110, bsc#989523)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Sep 14 15:04:43 UTC 2015 - jmatejek@suse.com Mon Sep 14 13:45:03 UTC 2015 - jmatejek@suse.com
- copy strict-tls-checks subpackage from SLE to retain future compatibility - exclude tsl_check files from python-base to prevent file conflict
(not built in openSUSE) with python-strict-tls-checks package (bnc#945401)
- do this properly to fix bnc#945401 - update SLE check to exclude Leap which also has version 1315,
just to be sure
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 9 12:19:01 UTC 2015 - dimstar@opensuse.org Mon Jun 29 08:32:44 UTC 2015 - meissner@suse.com
- Add python-ncurses-6.0-accessors.patch: Fix build with - python-fix-short-dh.patch: Bump DH parameters to 2048 bit
NCurses 6.0 and OPAQUE_WINDOW set to 1. to fix logjam security issue. bsc#935856
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jun 10 11:19:58 UTC 2015 - dmueller@suse.com Wed Jun 10 11:19:58 UTC 2015 - dmueller@suse.com
- add __python2 compatibility macro (used by Fedora) - add __python2 compatibility macro (used by Fedora) (fate#318838)
-------------------------------------------------------------------
Sun May 24 14:36:37 UTC 2015 - michael@stroeder.com
- update to 2.7.10
- removed obsolete python-2.7-urllib2-localnet-ssl.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 19 11:18:12 UTC 2015 - schwab@suse.de Tue May 19 11:18:12 UTC 2015 - schwab@suse.de
@ -324,13 +287,21 @@ Wed Oct 22 13:30:24 UTC 2014 - dmueller@suse.com
- skip test_thread in qemu_linux_user mode - skip test_thread in qemu_linux_user mode
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 30 15:06:15 UTC 2014 - jmatejek@suse.com Wed Oct 1 13:00:59 UTC 2014 - jmatejek@suse.com
- update to 2.7.8 - update to 2.7.8
* bugfix-only release, dozens of bugs fixed * bugfix-only release, dozens of bugs fixed
* fixes CVE-2014-4650 directory traversal in CGIHTTPServer * fixes CVE-2014-4650 directory traversal in CGIHTTPServer
* fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer() * fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
- dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch - dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch
- dropped upstreamed CVE-2014-7185-buffer-wraparound.patch
-------------------------------------------------------------------
Wed Oct 1 13:00:59 UTC 2014 - jmatejek@suse.com
- CVE-2014-7185-buffer-wraparound.patch: potential wraparound/overflow
in buffer()
(CVE-2014-7185, bnc#898572)
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com


@ -66,13 +66,16 @@ Patch47: openssl-111-middlebox-compat.patch
# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
Patch48: openssl-111-ssl_options.patch Patch48: openssl-111-ssl_options.patch
# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com
# https://github.com/python/cpython/pull/11569 # gh#python/cpython#11569
# Fix segfault in ssl's cert parser # Fix segfault in ssl's cert parser
Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
# Initialize sysconfig variables in test_site. # Initialize sysconfig variables in test_site.
Patch50: bpo36160-init-sysconfig_vars.patch Patch50: bpo36160-init-sysconfig_vars.patch
# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341 # PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com
# Add check for channels of wav file in Lib/wave.py
Patch51: CVE-2017-18207.patch
# PATCH-FIX-UPSTREAM gh#python/cpython#12341
Patch55: bpo36302-sort-module-sources.patch Patch55: bpo36302-sort-module-sources.patch
# Fix installation in /usr/local (boo#1071941), adapted from Fedora # Fix installation in /usr/local (boo#1071941), adapted from Fedora
# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch # https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch
@ -191,6 +194,7 @@ other applications.
%patch48 -p1 %patch48 -p1
%patch49 -p1 %patch49 -p1
%patch50 -p1 %patch50 -p1
%patch51 -p1
%patch55 -p1 %patch55 -p1
%patch56 -p1 %patch56 -p1


@ -66,14 +66,23 @@ Patch47: openssl-111-middlebox-compat.patch
# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
Patch48: openssl-111-ssl_options.patch Patch48: openssl-111-ssl_options.patch
# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com
# https://github.com/python/cpython/pull/11569 # gh#python/cpython#11569
# Fix segfault in ssl's cert parser # Fix segfault in ssl's cert parser
Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
# Initialize sysconfig variables in test_site. # Initialize sysconfig variables in test_site.
Patch50: bpo36160-init-sysconfig_vars.patch Patch50: bpo36160-init-sysconfig_vars.patch
# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341 # PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com
# Add check for channels of wav file in Lib/wave.py
Patch51: CVE-2017-18207.patch
# PATCH-FIX-UPSTREAM gh#python/cpython#12341
Patch55: bpo36302-sort-module-sources.patch Patch55: bpo36302-sort-module-sources.patch
# Fix installation in /usr/local (boo#1071941), adapted from Fedora
# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch
# Set values of prefix and exec_prefix in distutils install command
# to /usr/local if executable is /usr/bin/python* and RPM build
# is not detected to make pip and distutils install into separate location
Patch56: adapted-from-F00251-change-user-install-location.patch
# COMMON-PATCH-END # COMMON-PATCH-END
Provides: pyth_doc Provides: pyth_doc
Provides: pyth_ps Provides: pyth_ps
@ -131,7 +140,9 @@ Python, and Macintosh Module Reference in PDF format.
%patch48 -p1 %patch48 -p1
%patch49 -p1 %patch49 -p1
%patch50 -p1 %patch50 -p1
%patch51 -p1
%patch55 -p1 %patch55 -p1
%patch56 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac


@ -71,14 +71,23 @@ Patch47: openssl-111-middlebox-compat.patch
# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
Patch48: openssl-111-ssl_options.patch Patch48: openssl-111-ssl_options.patch
# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com
# https://github.com/python/cpython/pull/11569 # gh#python/cpython#11569
# Fix segfault in ssl's cert parser # Fix segfault in ssl's cert parser
Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch
# PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com # PATCH-FIX-UPSTREAM bpo36160-init-sysconfig_vars.patch gh#python/cpython#12131 mcepl@suse.com
# Initialize sysconfig variables in test_site. # Initialize sysconfig variables in test_site.
Patch50: bpo36160-init-sysconfig_vars.patch Patch50: bpo36160-init-sysconfig_vars.patch
# PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341 # PATCH-FIX-UPSTREAM CVE-2017-18207.patch gh#python/cpython#4437 psimons@suse.com
# Add check for channels of wav file in Lib/wave.py
Patch51: CVE-2017-18207.patch
# PATCH-FIX-UPSTREAM gh#python/cpython#12341
Patch55: bpo36302-sort-module-sources.patch Patch55: bpo36302-sort-module-sources.patch
# Fix installation in /usr/local (boo#1071941), adapted from Fedora
# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch
# Set values of prefix and exec_prefix in distutils install command
# to /usr/local if executable is /usr/bin/python* and RPM build
# is not detected to make pip and distutils install into separate location
Patch56: adapted-from-F00251-change-user-install-location.patch
# COMMON-PATCH-END # COMMON-PATCH-END
BuildRequires: automake BuildRequires: automake
BuildRequires: db-devel BuildRequires: db-devel
@ -236,7 +245,9 @@ that rely on earlier non-verification behavior.
%patch48 -p1 %patch48 -p1
%patch49 -p1 %patch49 -p1
%patch50 -p1 %patch50 -p1
%patch51 -p1
%patch55 -p1 %patch55 -p1
%patch56 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac