Hello community,

here is the log from the commit of package python-bugzilla.1823 for 
openSUSE:12.2:Update checked in at 2013-07-06 09:55:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/python-bugzilla.1823 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.python-bugzilla.1823.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-bugzilla.1823"

Changes:
--------
New Changes file:

--- /dev/null   2013-07-02 09:26:14.908030755 +0200
+++ 
/work/SRC/openSUSE:12.2:Update/.python-bugzilla.1823.new/python-bugzilla.changes
    2013-07-06 09:55:07.000000000 +0200
@@ -0,0 +1,61 @@
+-------------------------------------------------------------------
+Fri Jun 28 11:25:24 UTC 2013 - [email protected]
+
+- CVE-2013-2191 (bnc#825876) - validate SSL certificates and hostnames
+
+-------------------------------------------------------------------
+Tue Jan 31 17:07:33 UTC 2012 - [email protected]
+
+- remove basic auth credentials from backtraces
+- Novell Bugzilla is the default when using bugzilla command line tool
+
+-------------------------------------------------------------------
+Fri Jan 27 17:53:03 UTC 2012 - [email protected]
+
+- update to openSUSE-1 tag from openSUSE's git branch
+  * better handling of NovellBugzilla instances
+  * using HTTP basic auth instead of IChain
+
+-------------------------------------------------------------------
+Fri Jul 29 09:04:07 UTC 2011 - [email protected]
+
+- update to 0.6.2, rebased all patches
+  * backport --outputformat feature from git
+
+-------------------------------------------------------------------
+Fri Jul 29 08:50:47 UTC 2011 - [email protected]
+
+- add 0005-Add-Bugzilla34._query.patch fixing query command
+- add 0020-allow-various-bnc-instances-in-NovellBugzilla.patch
+
+-------------------------------------------------------------------
+Mon May 23 12:36:47 UTC 2011 - [email protected]
+
+- update to 0.6.1
+  * many new parameters for bugzilla command-line tool like --target_milestone,
+  --private, --status, --assignee, et all
+  * add support for Bugzilla 36
+  * Unicode related fixes
+- SUSE specific fixes
+  * novell bugzilla support in getBugzillaClassForURL
+  * obfuscated password support in oscrc
+  * move novell bugzilla to 3.4
+  * xmlrpclib changes done in python 2.7 from master [bug#685842]
+- create suse branch for stashing SUSE specific changes
+  https://gitorious.org/opensuse/python-bugzilla/commits/suse
+
+-------------------------------------------------------------------
+Thu Jun 17 15:55:51 CEST 2010 - [email protected]
+
+- recognize Novell bugzilla in default constructor
+
+-------------------------------------------------------------------
+Wed Aug 26 09:18:54 UTC 2009 - [email protected]
+
+- Added a patch with support of obfuscated passwords introduced in osc-0.121 
+
+-------------------------------------------------------------------
+Wed Jul 22 08:52:01 CEST 2009 - [email protected]
+
+- Initial packaging of python-bugzilla 0.5 with Novell Bugzilla patches
+
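Review bot: the CVE-2013-2191 entry should also record the user-visible interface change that comes with it: a new `sslverify` constructor argument (default True) and a `--nosslverify` switch on the bugzilla command-line tool, so that users of the 12.2 update know verification is now enforced and where the opt-out lives.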

New:
----
  python-bugzilla-0.6.2-CVE-2013-2191-ssl-validate.patch
  python-bugzilla-0.6.2-backtraces.patch
  python-bugzilla-0.6.2-novell-default.patch
  python-bugzilla-0.6.2-openSUSE-1.tar.bz2
  python-bugzilla.changes
  python-bugzilla.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-bugzilla.spec ++++++
#
# spec file for package python-bugzilla
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           python-bugzilla
Version:        0.6.2
Release:        0
Summary:        Python library for bugzilla
License:        GPL-2.0+
Group:          Development/Libraries/Python
Url:            https://fedorahosted.org/python-bugzilla/
#Source:         https://fedorahosted.org/releases/p/y/python-bugzilla/%{name}-%{version}.tar.bz2
Source:         %{name}-%{version}-openSUSE-1.tar.bz2
# https://gitorious.org/opensuse/python-bugzilla
Patch0:         %{name}-0.6.2-novell-default.patch
Patch1:         %{name}-0.6.2-backtraces.patch
Patch2:         %{name}-0.6.2-CVE-2013-2191-ssl-validate.patch

BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  python
BuildArch:      noarch
%{py_requires}

%description
This is a python module that provides a nice, python-ish interface to Bugzilla
over XMLRPC.

It was originally written specifically for Red Hat's Bugzilla instance, but now
supports the Web Services provided by upstream Bugzilla 3.0 and 3.2 also.

It also includes a 'bugzilla' commandline client which can be used for quick,
ad-hoc bugzilla jiggery-pokery. I guess you could use it in shell scripts too,
but gosh - why not just write something in Python instead?

%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1

%build
export CFLAGS="%{optflags}"
%{__python} setup.py build

%install
%{__python} setup.py install \
    --root=%{buildroot} \
    --prefix=%{_prefix} \
    --record-rpm=INSTALLED_FILES
sed -i 's#%{_mandir}/man1/bugzilla.1#%{_mandir}/man1/bugzilla.1.gz#' INSTALLED_FILES

%clean
rm -rf %{buildroot}

%files -f INSTALLED_FILES
%defattr(-,root,root,0755)

%changelog
++++++ python-bugzilla-0.6.2-CVE-2013-2191-ssl-validate.patch ++++++
Index: python-bugzilla-0.6.2/bugzilla/base.py
===================================================================
--- python-bugzilla-0.6.2.orig/bugzilla/base.py 2013-06-28 12:36:49.861947869 
+0200
+++ python-bugzilla-0.6.2/bugzilla/base.py      2013-06-28 13:18:08.508875654 
+0200
@@ -10,6 +10,7 @@
 # the full text of the license.
 
 import xmlrpclib, urllib2
+import httplib, socket, ssl
 try:
        import cookielib
 except ImportError:
@@ -102,7 +103,8 @@
         cookies persistently.
     '''
     def __init__(self, url=None, user=None, password=None,
-            cookiefile=os.path.expanduser('~/.bugzillacookies')):
+            cookiefile=os.path.expanduser('~/.bugzillacookies'),
+            sslverify=True):
         # Settings the user might want to tweak
         self.user       = user or ''
         self.password   = password or ''
@@ -115,6 +117,7 @@
         else:
             self._cookiefile = True
         self.cookiefile = cookiefile
+        self._sslverify = bool(sslverify)
 
         self.user_agent = user_agent
         self.logged_in  = False
@@ -253,6 +256,11 @@
         If 'user' and 'password' are both set, we'll run login(). Otherwise
         you'll have to login() yourself before some methods will work.
         '''
+
+        # init ssl verification
+        if self._sslverify:
+            httplib.HTTPSConnection = VerifiedHTTPSConnection
+
         # Set up the transport
         if url.startswith('https'):
             self._transport = SafeCookieTransport()
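Review bot: assigning `httplib.HTTPSConnection = VerifiedHTTPSConnection` inside connect() replaces the class for the whole process, not for this client: every later HTTPS connection made by any module in the interpreter goes through the verifying class, and a Bugzilla object created with sslverify=False after a verifying one still verifies because the assignment is never undone. It also runs before the `url.startswith('https')` check, so a plain-http client patches httplib as well. Keep the choice per transport instead, e.g. have SafeCookieTransport.make_connection() return a VerifiedHTTPSConnection when verification is requested, and leave httplib untouched.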
@@ -1050,6 +1058,44 @@
     else:
         request = request_with_cookies # python 2.6 and earlier
 
+
+class SSLVerifyError(Exception):
+    pass
+
+class VerifiedHTTPSConnection(httplib.HTTPSConnection):
+
+    def _get_valid_hosts(self, cert):
+        if 'subjectAltName' in cert:
+            return [x[1] for x in cert['subjectAltName']
+                         if x[0].lower() == 'dns']
+        else:
+            return [x[0][1] for x in cert['subject']
+                            if x[0][0].lower() == 'commonname']
+
+    def validate_hosts(self):
+        cert = self.sock.getpeercert()
+        hosts = self._get_valid_hosts(cert)
+        import re
+        for host in hosts:
+            host_re = host.replace('.', '\.').replace('*', '[^.]*')
+            if re.search('^%s$' % (host_re,), self.host, re.I):
+                return
+        raise SSLVerifyError("hostnames in certificate don't match request")
+
+    def connect(self):
+        # overrides the version in httplib so that we do
+        #    certificate verification
+        sock = socket.create_connection((self.host, self.port),
+                                        self.timeout)
+        if self._tunnel_host:
+            self.sock = sock
+            self._tunnel()
+        # wrap the socket using verification with the root
+        #    certs in trusted_root_certs
+        self.sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, 
ca_certs='/etc/ssl/certs')
+        self.validate_hosts()
+
+
 class BasicAuthTransport(xmlrpclib.SafeTransport):
     """A subclass of xmlrpclib.SafeTransport that allows setting HTTP Basic 
Auth
     without exposing it as part of URL in backtraces."""
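Review bot: `ca_certs='/etc/ssl/certs'` names a directory, but stock CPython's ssl.wrap_socket() hands ca_certs to SSL_CTX_load_verify_locations as the single-file argument, so unless the interpreter on 12.2 carries a patch that accepts directories, every verified connection fails with an SSLError before any certificate is examined (it fails closed, but the tool becomes unusable with the default). Point it at a PEM bundle file. In validate_hosts(), `host.replace('.', '\.')` escapes only dots: build the pattern from re.escape(host) and then substitute the escaped wildcard, so other regex metacharacters in a certificate name cannot alter the match, and note that '*' is currently expanded wherever it appears in a name rather than only as the whole leftmost label. Finally, the `import re` belongs with the module imports added in the first hunk.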
Index: python-bugzilla-0.6.2/bin/bugzilla
===================================================================
--- python-bugzilla-0.6.2.orig/bin/bugzilla     2013-06-28 12:36:49.839947240 
+0200
+++ python-bugzilla-0.6.2/bin/bugzilla  2013-06-28 13:16:52.103689280 +0200
@@ -55,6 +55,8 @@
     p.add_option('--bztype',default='auto',
             help="Bugzilla type. Autodetected if not set. "
                  "Available types: %s" % " ".join(bugzilla.classlist))
+    p.add_option('--nosslverify', dest='sslverify', action='store_false', 
default=True,
+            help="don't error on invalid bugzilla SSL certificate")
     p.add_option('--user',
             help="username")
     p.add_option('--password',
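Review bot: the help string "don't error on invalid bugzilla SSL certificate" understates the effect; with sslverify=False neither the chain nor the hostname is checked, so the option turns off TLS server authentication entirely, not just error reporting. Say so in the help text (for example "disable SSL certificate and hostname verification") so users understand what they give up.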
@@ -363,7 +365,7 @@
         bzclass = getattr(bugzilla,global_opt.bztype)
     else:
         parser.error("bztype must be one of: %s" % str(bugzilla.classlist))
-    bz=bzclass(url=global_opt.bugzilla)
+    bz=bzclass(url=global_opt.bugzilla, sslverify=global_opt.sslverify)
 
     # Handle 'login' action
     if action == 'login':
++++++ python-bugzilla-0.6.2-backtraces.patch ++++++
diff --git a/bugzilla/base.py b/bugzilla/base.py
index cfaea45..96a05d7 100644
--- a/bugzilla/base.py
+++ b/bugzilla/base.py
@@ -1050,7 +1050,22 @@ class CookieTransport(xmlrpclib.Transport):
     else:
         request = request_with_cookies # python 2.6 and earlier
 
-class SafeCookieTransport(xmlrpclib.SafeTransport,CookieTransport):
+class BasicAuthTransport(xmlrpclib.SafeTransport):
+    """A subclass of xmlrpclib.SafeTransport that allows setting HTTP Basic 
Auth
+    without exposing it as part of URL in backtraces."""
+    auth_params = None
+
+    def get_host_info(self, host):
+        host, extra_headers, x509 = xmlrpclib.Transport.get_host_info(self, 
host)
+        if isinstance(self.auth_params, tuple):
+            import base64
+            auth = base64.encodestring("%s:%s" % self.auth_params).strip()
+            if extra_headers is None:
+                extra_headers = []
+            extra_headers.append(("Authorization", "Basic " + auth))
+        return host, extra_headers, x509
+
+class SafeCookieTransport(BasicAuthTransport,CookieTransport):
     '''SafeTransport subclass that supports cookies.'''
     scheme = 'https'
     # Override the appropriate request method
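Review bot: `base64.encodestring()` inserts a newline after every 76 output characters and strip() only removes the trailing one, so a user:password string longer than 57 bytes produces an Authorization header with an embedded newline, which either breaks the request or yields a malformed header. Use `base64.b64encode("%s:%s" % self.auth_params)`, which never wraps. Extending get_host_info() is otherwise the right place for this: the credentials stay out of the URL, which is the stated goal.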
diff --git a/bugzilla/nvlbugzilla.py b/bugzilla/nvlbugzilla.py
index 7e2ec32..5804de4 100644
--- a/bugzilla/nvlbugzilla.py
+++ b/bugzilla/nvlbugzilla.py
@@ -39,8 +39,8 @@ class NovellBugzilla(Bugzilla34):
         super(NovellBugzilla, self).__init__(**kwargs)
 
     def _login(self, user, password):
-        # using basic auth, so login happens implicitly at connect
-        pass
+        # set up data for basic auth transport
+        self._transport.auth_params = (self.user, self.password)
 
     def _logout(self):
         # using basic auth, no logout
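Review bot: `_login(self, user, password)` ignores its `user` and `password` arguments and reads `self.user`/`self.password` instead. Unless Bugzilla.login() assigns those attributes before calling _login(), credentials passed explicitly to login() are never sent; use the arguments, e.g. `self._transport.auth_params = (user, password)`, or confirm the base class sets them first. Note also that the tuple stays on the transport for every later request, so _logout() should clear it if a logged-out client is expected to stop sending the header.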
@@ -57,17 +57,9 @@ class NovellBugzilla(Bugzilla34):
         if not hostname.startswith('api'):
             hostname = 'api'+hostname
 
-        self.readconfig()
-        # set up basic auth url
-        if self.user and self.password:
-            hostname = self.user + ':' + self.password + '@' + hostname
-
         # force https scheme (because of the basic auth)
         url = urlparse.urlunsplit(('https', hostname, path, spliturl.query, 
spliturl.fragment))
-        ret = super(NovellBugzilla, self).connect(url)
-        # prevent our username+pass url from showing up in __repr__
-        self.url = origurl
-        return ret
+        return super(NovellBugzilla, self).connect(url)
 
     @classmethod
     def _read_osc_password(cls, c):
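Review bot: the removed `self.readconfig()` call is not re-added anywhere in this hunk, so unless readconfig() is now invoked from __init__ or login(), credentials stored in oscrc (which this package documents as supported) are no longer loaded before the basic-auth transport needs them; confirm where that call moved. Also check whether `origurl` is still used after dropping `self.url = origurl`, or it has become an unused assignment.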
++++++ python-bugzilla-0.6.2-novell-default.patch ++++++
Index: python-bugzilla-0.6.2/bin/bugzilla
===================================================================
--- python-bugzilla-0.6.2.orig/bin/bugzilla
+++ python-bugzilla-0.6.2/bin/bugzilla
@@ -22,7 +22,7 @@ import xmlrpclib
 from tempfile import NamedTemporaryFile
 
 version = '0.6.2'
-default_bz = 'https://bugzilla.redhat.com/xmlrpc.cgi'
+default_bz = 'https://bugzilla.novell.com/xmlrpc.cgi'
 
 # Initial simple logging stuff
 logging.basicConfig()