Fix CVE-2016-0772 and CVE-2016-5699 (rhbz#1348973, rhbz#1348982)

CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
  Raise an error when STARTTLS fails (upstream patch)
CVE-2016-5699 python: http protocol steam injection attack (rhbz#1303699)
  Disabled HTTP header injections in http.client (upstream patch)

1 files changed, 34 insertions, 0 deletions

diff --git a/00237-CVE-2016-0772-smtplib.patch b/00237-CVE-2016-0772-smtplib.patch
new file mode 100644
index 0000000..d3213bd
--- /dev/null
+++ b/00237-CVE-2016-0772-smtplib.patch
@@ -0,0 +1,34 @@
+From 5b67aca6fb4246e84981d6361ba218bd52e73ac2 Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Tue, 21 Jun 2016 15:52:03 +0200
+Subject: [PATCH] Raise an error when STARTTLS fails
+
+CVE-2016-0772 python: smtplib StartTLS stripping attack
+rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+
+Based on an upstream change by Benjamin Peterson <benjamin@python.org>
+- in changeset 101887:d590114c2394 3.4
+- https://hg.python.org/cpython/rev/d590114c2394
+---
+ Lib/smtplib.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/Lib/smtplib.py b/Lib/smtplib.py
+index dc16ef6..8bc806b 100755
+--- a/Lib/smtplib.py
++++ b/Lib/smtplib.py
+@@ -655,6 +655,11 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
++        else:
++            # RFC 3207:
++            # 501 Syntax error (no parameters allowed)
++            # 454 TLS not available due to temporary reason
++            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+-- 
+2.5.5
+