From cf658381d6b9733d80c6a14a21b7627636f33bf0 Mon Sep 17 00:00:00 2001
From: Tomas Orsava
Date: Fri, 8 Jul 2016 12:21:18 +0200
Subject: Fix CVE-2016-0772 and CVE-2016-5699 (rhbz#1348973, rhbz#1348982)

CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647) Raise an error when STARTTLS fails (upstream patch)
CVE-2016-5699 python: http protocol steam injection attack (rhbz#1303699) Disabled HTTP header injections in http.client (upstream patch)
---
 python34.spec | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

(limited to 'python34.spec')

diff --git a/python34.spec b/python34.spec
index 3136192..b78dc38 100644
--- a/python34.spec
+++ b/python34.spec
@@ -148,7 +148,7 @@ Summary: Version 3 of the Python programming language aka Python 3000
 
 Name: python%{pyshortver}
 Version: %{pybasever}.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Python
 Group: Development/Languages
 
@@ -738,6 +738,23 @@ Patch203: 00203-disable-threading-test-koji.patch
 # openssl requires DH keys to be > 768bits
 Patch204: 00204-increase-dh-keys-size.patch
 
+# 00237 #
+# CVE-2016-0772 python: smtplib StartTLS stripping attack
+# https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
+# Raise an error when STARTTLS fails
+# Resolves: rhbz#1348973
+Patch237: 00237-CVE-2016-0772-smtplib.patch
+
+# 00238 #
+# CVE-2016-5699 python: http protocol steam injection attack
+# https://bugzilla.redhat.com/show_bug.cgi?id=1303699
+# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9
+# Disabled HTTP header injections in http.client
+# Resolves: rhbz#1348982
+Patch238: 00238-CVE-2016-5699-http-client.patch
+
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
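Review bot: The `# 00238 #` comment block describes the issue as `# CVE-2016-5699 python: http protocol steam injection attack`; "steam" looks like a typo for "stream" carried over from the bug summary, so the line should read `# CVE-2016-5699 python: http protocol stream injection attack`, and the same wording recurs in the changelog entry of the last hunk. The `FIXED UPSTREAM` links are the right thing to record; naming the first upstream release that ships each fix next to them would let these two patches be dropped on the next rebase without re-checking the changesets. The release-bump hunk above needs nothing.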
@@ -1028,6 +1045,8 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch202 -p1
 %patch203 -p1
 %patch204 -p1
+%patch237 -p1
+%patch238 -p1
 
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
@@ -1977,6 +1996,13 @@ rm -fr %{buildroot}
 
 # ======================================================
 %changelog
+* Fri Jul 08 2016 Tomas Orsava - 3.4.3-5
+- Fix for CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
+ Raise an error when STARTTLS fails (upstream patch)
+- Fix for CVE-2016-5699 python: http protocol steam injection attack (rhbz#1303699)
+ Disabled HTTP header injections in http.client (upstream patch)
+Resolves: rhbz#1348973, rhbz#1348982
+
 * Mon Jan 25 2016 Orion Poplawski - 3.4.3-4
 - Make relocating Python by changing _prefix actually work
 - Disable test_gdb on aarch64 (rhbz#1196181), it joins all other non x86 arches
-- cgit
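Review bot: `%patch237 -p1` and `%patch238 -p1` apply the two security backports, but nothing in this hunk shows whether the patch files carry the test changes that accompany the upstream changesets; if the backports were trimmed to the library modules only, the new failure paths described in the commit ("raise an error when STARTTLS fails", "disabled HTTP header injections") are never exercised by the package's %check stage, which lives outside this hunk. Worth confirming the patch files include the corresponding Lib/test changes, or adding a short comment next to the `%patch` lines stating that the tests were intentionally left out and why. The %prep section these lines belong to starts and ends outside the hunk; the changelog hunk below is fine as it is.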