From 9f86e564dadb556c59bdc3794760d162ddf6f91894d353037efb5b50b2e53ec8 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Wed, 1 Mar 2023 22:01:21 +0000
Subject: [PATCH] - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=344
---
 python-doc.changes | 12 ++++++++++++
 python-doc.spec | 5 +++++
 python.changes | 7 +++++++
 python.spec | 5 +++++
 4 files changed, 29 insertions(+)
diff --git a/python-doc.changes b/python-doc.changes
index 6bba928..8c408a2 100644
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+ bsc#1208471) blocklists bypass via the urllib.parse component
+ when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
+Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk
+
+- Disable NIS for new products, it's deprecated and gets removed
+
 -------------------------------------------------------------------
 Thu Jan 19 07:14:09 UTC 2023 - Matej Cepl
diff --git a/python-doc.spec b/python-doc.spec
index 99b593a..190eee9 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -141,6 +141,10 @@ Patch73: CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74: skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75: CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 Provides: pyth_doc = %{version}
 Provides: pyth_ps = %{version}
@@ -224,6 +228,7 @@ Python, and Macintosh Module Reference in PDF format.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
diff --git a/python.changes b/python.changes
index f5173f6..8c408a2 100644
--- a/python.changes
+++ b/python.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+ bsc#1208471) blocklists bypass via the urllib.parse component
+ when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk
diff --git a/python.spec b/python.spec
index f5621a0..f2202ba 100644
--- a/python.spec
+++ b/python.spec
@@ -141,6 +141,10 @@ Patch73: CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74: skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75: CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
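Review bot: `Patch75: CVE-2023-24329-blank-URL-bypass.patch` is declared in this python-doc.spec hunk and in the matching python.spec hunk, and both `%prep` hunks apply it with `%patch75 -p1`, but the diffstat lists only the two .changes and the two .spec files, so the patch file itself is not part of this commit. It presumably enters the package sources through another revision; that should be confirmed, because a missing source fails the build at `%prep` while the changelog already records the CVE as handled. The entry sits inside the block closed by `# COMMON-PATCH-END`, so if another spec file of this package carries the same block and is the one that actually builds the patched library module, it needs the identical `Patch75` and `%patch75 -p1` lines. For auditability I would also put the upstream reference next to the bug number, e.g. `# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 gh#python/cpython#<UPSTREAM-ISSUE> mcepl@suse.com`. Since the patch body is not visible here, this commit alone does not show whether a regression test for URLs with leading blank characters is included.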
@@ -342,6 +346,7 @@ that rely on earlier non-verification behavior.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar