Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2021-08-28 22:28:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Sat Aug 28 22:28:52 2021 rev:156 rq:914454 version:2.7.18 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2021-08-18 08:55:36.714994695 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.1899/python-base.changes 2021-08-28 22:29:03.529971023 +0200 @@ -1,0 +2,18 @@ +Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <[email protected]> + +- Renamed patch for assigned CVE: + * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch -> + CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch + (boo#1189241, CVE-2021-3737) + +------------------------------------------------------------------- +Mon Aug 23 11:16:24 UTC 2021 - Fusion Future <[email protected]> + +- Renamed patch for assigned CVE: + * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch + (boo#1189287, CVE-2021-3733) +- Fix python-doc build (bpo#35293): + * sphinx-update-removed-function.patch +- Update documentation formatting for Sphinx 3.0 (bpo#40204). + +------------------------------------------------------------------- python-doc.changes: same change python.changes: same change Old: ---- bpo43075-fix-ReDoS-in-request.patch bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch New: ---- CVE-2021-3733-fix-ReDoS-in-request.patch CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch sphinx-update-removed-function.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.CwCqKl/_old 2021-08-28 22:29:05.129972682 +0200 +++ /var/tmp/diff_new_pack.CwCqKl/_new 2021-08-28 22:29:05.133972686 +0200 
@@ -103,10 +103,12 @@
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ [email protected]
 # this patch makes things totally awesome
 Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
-# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
-Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
-# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
-Patch64: bpo43075-fix-ReDoS-in-request.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
+Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3733-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
+# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
+Patch65: sphinx-update-removed-function.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -236,6 +238,7 @@
 %patch62 -p1
 %patch63 -p1
 %patch64 -p1
+%patch65 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.CwCqKl/_old 2021-08-28 22:29:05.161972715 +0200
+++ /var/tmp/diff_new_pack.CwCqKl/_new 2021-08-28 22:29:05.165972719 +0200
@@ -105,15 +105,17 @@
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ [email protected]
 # this patch makes things totally awesome
 Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
-# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
-Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
-# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
-Patch64: bpo43075-fix-ReDoS-in-request.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
+Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3733-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
+# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
+Patch65: sphinx-update-removed-function.patch
 # COMMON-PATCH-END
-Provides: pyth_doc
-Provides: pyth_ps
-Obsoletes: pyth_doc
-Obsoletes: pyth_ps
+Provides: pyth_doc = %{version}
+Provides: pyth_ps = %{version}
+Obsoletes: pyth_doc < %{version}
+Obsoletes: pyth_ps < %{version}
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
 Enhances: python = %{version}
@@ -127,8 +129,8 @@
 %package pdf
 Summary: Python PDF Documentation
 Group: Development/Languages/Python
-Provides: pyth_pdf
-Obsoletes: pyth_pdf
+Provides: pyth_pdf = %{version}
+Obsoletes: pyth_pdf < %{version}
 Provides: python2-doc-pdf = %{version}
 %description pdf
@@ -180,9 +182,16 @@
 %patch62 -p1
 %patch63 -p1
 %patch64 -p1
+%patch65 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
+
+# Update documentation formatting for Sphinx 3.0 (bpo#40204)
+for i in `find Doc/ -type f -name "*.rst"`
+do
+ sed -i 's/:c:type:/:c:expr:/g' $i
+done
 # COMMON-PREP-END
 %build
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.CwCqKl/_old 2021-08-28 22:29:05.189972744 +0200
+++ /var/tmp/diff_new_pack.CwCqKl/_new 2021-08-28 22:29:05.193972749 +0200
@@ -105,10 +105,12 @@
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ [email protected]
 # this patch makes things totally awesome
 Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
-# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
-Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
-# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
-Patch64: bpo43075-fix-ReDoS-in-request.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
+Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3733-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
+# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
+Patch65: sphinx-update-removed-function.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -294,6 +296,7 @@
 %patch62 -p1
 %patch63 -p1
 %patch64 -p1
+%patch65 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ CVE-2021-3733-fix-ReDoS-in-request.patch ++++++
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
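Review bot: The new `for i in \`find Doc/ -type f -name "*.rst"\`` loop word-splits find's output and passes `$i` to sed unquoted, so any .rst path containing whitespace or a glob character would be mangled or skipped; letting find invoke sed directly avoids both problems and the per-file process spawn, `find Doc/ -type f -name '*.rst' -exec sed -i 's/:c:type:/:c:expr:/g' {} +`. The blanket substitution also rewrites every `:c:type:` role in Doc/, not only the ones used in expression context; that is presumably enough to get the build through, but if any genuine type cross-references relied on `:c:type:`, their link targets may change, so the doc build log is worth checking for new Sphinx warnings after this lands. The %prep section this hunk sits in begins outside the hunk.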
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
 # allow for double- and single-quoted realm values
 # (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
 'realm=(["\']?)([^"\']*)\\2', re.I)
 # XXX could pre-emptively send auth info already accepted (RFC 2617,
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -0,0 +1 @@
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
++++++ CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ++++++
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -449,6 +449,7 @@ class HTTPResponse:
 if status != CONTINUE:
 break
 # skip the header from the 100 response
+ header_count = 0
 while True:
 skip = self.fp.readline(_MAXLINE + 1)
 if len(skip) > _MAXLINE:
@@ -458,6 +459,10 @@ class HTTPResponse:
 break
 if self.debuglevel > 0:
 print "header:", skip
+ # CVE-2021-3737: Fix infinitely reading potential HTTP headers on a 100 Continue status response from the server
+ header_count += 1
+ if header_count > _MAXHEADERS:
+ raise HTTPException("got more than %d headers" % _MAXHEADERS)
 self.status = status
 self.reason = reason.strip()
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
@@ -0,0 +1,2 @@
+mod:`http.client` now avoids infinitely reading potential HTTP headers after a
+``100 Continue`` status response from the server.
++++++ sphinx-update-removed-function.patch ++++++
--- a/Doc/tools/extensions/pyspecific.py
+++ b/Doc/tools/extensions/pyspecific.py
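Review bot: The regex change in `rx` carries no comment saying why a comma is now excluded from the first capture group, so the next maintainer may "simplify" `[^ \t,]+` back to `[^ \t]+`; a line above it such as `# the token before realm= must not span a ',' or it overlaps the (?:[^,]*,)* prefix and backtracking goes quadratic (CVE-2021-3733)` would pin the reason, which the NEWS entry in this patch only states in the abstract. The backport also ships only the regex change plus the NEWS file; no regression test feeding a crafted `WWW-Authenticate` value through the handler is visible here, so if gh#python/cpython#24391 (cited in the spec) includes one, carrying it too would catch a reintroduction. AbstractBasicAuthHandler's body continues outside the hunk.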
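Review bot: `header_count = 0` is set inside the loop that surrounds `if status != CONTINUE: break` (that loop begins outside the hunk), so the `_MAXHEADERS` bound applies per interim response and a server that keeps repeating `100 Continue` status lines with empty header blocks still keeps the client reading indefinitely. That is presumably accepted as no worse than an unbounded response body, but the added comment implies header reading is now fully bounded; rewording it to `# CVE-2021-3737: bound the headers skipped per 100 Continue response (the number of 100 responses itself is not bounded)` makes the residual behaviour explicit. The same comment line is also far over the file's line width and would read better split in two. HTTPResponse.begin() continues outside the hunk.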
@@ -103,7 +103,11 @@ class ImplementationDetail(Directive):
 # Support for documenting decorators
 from sphinx import addnodes
-from sphinx.domains.python import PyModulelevel, PyClassmember
+try:
+ from sphinx.domains.python import PyFunction, PyMethod
+except ImportError:
+ from sphinx.domains.python import PyClassmember as PyMethod
+ from sphinx.domains.python import PyModulelevel as PyFunction
 class PyDecoratorMixin(object):
 def handle_signature(self, sig, signode):
@@ -114,16 +118,16 @@ class PyDecoratorMixin(object):
 def needs_arglist(self):
 return False
-class PyDecoratorFunction(PyDecoratorMixin, PyModulelevel):
+class PyDecoratorFunction(PyDecoratorMixin, PyFunction):
 def run(self):
 # a decorator function is a function after all
 self.name = 'py:function'
- return PyModulelevel.run(self)
+ return PyFunction.run(self)
-class PyDecoratorMethod(PyDecoratorMixin, PyClassmember):
+class PyDecoratorMethod(PyDecoratorMixin, PyMethod):
 def run(self):
 self.name = 'py:method'
- return PyClassmember.run(self)
+ return PyMethod.run(self)
 # Support for building "topic help" for pydoc
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2020-09-12-17-37-13.bpo-35293._cOwPD.rst
@@ -0,0 +1 @@
+Fix RemovedInSphinx40Warning when building the documentation. Patch by Dong-hee Na.
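Review bot: The new `try:`/`except ImportError:` import block has no comment saying which Sphinx versions each branch serves, so a reader cannot tell when the fallback can be dropped; a line above `try:` such as `# Sphinx 4.0 removed PyModulelevel/PyClassmember (RemovedInSphinx40Warning); keep the old names as a fallback for older Sphinx` would record the intent, and the NEWS entry in the same patch already establishes the 4.0 removal. Since both new names are imported in one statement, the fallback is taken as soon as either is missing, which is fine as long as they always ship together; the comment could note that assumption too.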
