Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2021-08-18 08:55:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Wed Aug 18 08:55:20 2021 rev:155 rq:911255 version:2.7.18 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2021-03-05 13:44:44.159592725 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.1899/python-base.changes 2021-08-18 08:55:36.714994695 +0200 @@ -1,0 +2,15 @@ +Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <[email protected]> + +- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in + request (bpo#43075, boo#1189287). +- Add missing security announcement to + bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. + +------------------------------------------------------------------- +Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <[email protected]> + +- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch + which fixes http client infinite line reading (DoS) after a http + 100 (bpo#44022, boo#1189241). + +------------------------------------------------------------------- python-doc.changes: same change python.changes: same change New: ---- bpo43075-fix-ReDoS-in-request.patch bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.CpcX88/_old 2021-08-18 08:55:38.274992944 +0200 +++ /var/tmp/diff_new_pack.CpcX88/_new 2021-08-18 08:55:38.278992940 +0200 @@ -103,6 +103,10 @@ # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ [email protected] # this patch makes things totally awesome Patch62: CVE-2021-23336-only-amp-as-query-sep.patch +# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916 +Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: bpo43075-fix-ReDoS-in-request.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -230,6 +234,8 @@ %patch60 -p1 %patch61 -p1 %patch62 -p1 +%patch63 -p1 +%patch64 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.CpcX88/_old 2021-08-18 08:55:38.310992904 +0200 +++ /var/tmp/diff_new_pack.CpcX88/_new 2021-08-18 08:55:38.314992899 +0200 @@ -105,6 +105,10 @@ # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ [email protected] # this patch makes things totally awesome Patch62: CVE-2021-23336-only-amp-as-query-sep.patch +# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916 +Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: bpo43075-fix-ReDoS-in-request.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -174,6 +178,8 @@ %patch60 -p1 %patch61 -p1 %patch62 -p1 +%patch63 -p1 +%patch64 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.CpcX88/_old 2021-08-18 08:55:38.338992873 +0200 +++ /var/tmp/diff_new_pack.CpcX88/_new 2021-08-18 08:55:38.342992868 +0200 @@ -105,6 +105,10 @@ # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ [email protected] # this patch makes things totally awesome Patch62: CVE-2021-23336-only-amp-as-query-sep.patch +# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916 +Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: bpo43075-fix-ReDoS-in-request.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -288,6 +292,8 @@ %patch60 -p1 %patch61 -p1 %patch62 -p1 +%patch63 -p1 +%patch64 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ bpo43075-fix-ReDoS-in-request.patch ++++++ --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: # allow for double- and single-quoted realm values # (single quotes are a violation of the RFC, but appear in the wild) - rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' + rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+' 'realm=(["\']?)([^"\']*)\\2', re.I) # XXX could pre-emptively send auth info already accepted (RFC 2617, --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst @@ -0,0 +1 @@ +Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. ++++++ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ++++++ --- a/Lib/httplib.py +++ b/Lib/httplib.py @@ -449,6 +449,7 @@ class HTTPResponse: if status != CONTINUE: break # skip the header from the 100 response + header_count = 0 while True: skip = self.fp.readline(_MAXLINE + 1) if len(skip) > _MAXLINE: @@ -458,6 +459,10 @@ class HTTPResponse: break if self.debuglevel > 0: print "header:", skip + # bpo-44022: Fix http client infinite line reading (DoS) after a http 100 + header_count += 1 + if header_count > _MAXHEADERS: + raise HTTPException("got more than %d headers" % _MAXHEADERS) self.status = status self.reason = reason.strip() --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst @@ -0,0 +1,2 @@ +mod:`http.client` now avoids infinitely reading potential HTTP headers after a +``100 Continue`` status response from the server.
