rpms/python-pip
7
0
Fork 0
Code Issues Pull Requests Releases Activity

updating to pip 1.4.1 and removing old CVE patch that's not needed anymore

Browse Source
This commit is contained in:
Tim Flink 2013-10-14 15:13:50 -06:00
parent 6064dd1ddb
commit 42d5421d50
3 changed files with 7 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch
View File

@ -1,36 +0,0 @@
From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi <toshio@fedoraproject.org>
Date: Mon, 15 Jul 2013 10:58:20 -0700
Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported
from the python3 stdlib
---
pip/backwardcompat/ssl_match_hostname.py | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py
index 5707649..a6fadf4 100644
--- a/pip/backwardcompat/ssl_match_hostname.py
+++ b/pip/backwardcompat/ssl_match_hostname.py
@@ -7,9 +7,17 @@ __version__ = '3.2a3'
class CertificateError(ValueError):
pass
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
pats = []
for frag in dn.split(r'.'):
+ if frag.count('*') > max_wildcards:
+ # Issue #17980: avoid denials of service by refusing more
+ # than one wildcard per fragment. A survery of established
+ # policy among SSL implementations showed it to be a
+ # reasonable choice.
+ raise CertificateError(
+ "too many wildcards in certificate DNS name: " + repr(dn))
+
if frag == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.
--
1.7.11.7

11
python-pip.spec
View File

@ -8,16 +8,14 @@
%global srcname pip %global srcname pip
Name: python-%{srcname} Name: python-%{srcname}
Version: 1.3.1 Version: 1.4.1
Release: 5%{?dist} Release: 1%{?dist}
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages
Group: Development/Libraries Group: Development/Libraries
License: MIT License: MIT
URL: http://www.pip-installer.org URL: http://www.pip-installer.org
Source0: http://pypi.python.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz Source0: http://pypi.python.org/packages/source/p/pip/%{srcname}-%{version}.tar.gz
# Sent to dstufft (upstream)
Patch0: 0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch BuildArch: noarch
@ -50,7 +48,6 @@ easy_installable should be pip-installable as well.
%prep %prep
%setup -q -n %{srcname}-%{version} %setup -q -n %{srcname}-%{version}
%patch0 -p1
%{__sed} -i '1d' pip/__init__.py %{__sed} -i '1d' pip/__init__.py
@ -136,6 +133,10 @@ popd
%endif # with_python3 %endif # with_python3
%changelog %changelog
* Mon Oct 14 2013 Tim Flink <tflink@fedoraproject.org> - 1.4.1-1
- Removed patch for CVE 2013-2099 as it has been included in the upstream 1.4.1 release
- Updated version to 1.4.1
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-5 * Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

1
sources
View File

@ -1 +1,2 @@
6afbb46aeb48abac658d4df742bff714 pip-1.4.1.tar.gz
cbb27a191cebc58997c4da8513863153 pip-1.3.1.tar.gz cbb27a191cebc58997c4da8513863153 pip-1.3.1.tar.gz