Updates from Fedora 34:
- Backport security fixes from pip 21.1.1
- Resolve rpmlint warnings & fix changelog typos

Mainly to fix CVE-2021-3572.
Resolves: rhbz#1962856
This commit is contained in:
parent
9c5f9aa61e
commit
73f5d1f9c1
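--- /dev/null
+++ b/9760.patch
@@ -0,0 +1,111 @@
+From 960c01adce491de00ef7a8d02a32fea31b15a1dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Fri, 2 Apr 2021 02:39:11 +0200
+Subject: [PATCH] Update urllib3 to 1.26.4 to fix CVE-2021-28363
+
+---
+news/CVE-2021-28363.vendor.rst | 1 +
+src/pip/_vendor/urllib3/_version.py | 2 +-
+src/pip/_vendor/urllib3/connection.py | 8 ++++++--
+src/pip/_vendor/urllib3/exceptions.py | 12 +++++++++++-
+src/pip/_vendor/urllib3/util/retry.py | 1 +
+src/pip/_vendor/vendor.txt | 2 +-
+6 files changed, 21 insertions(+), 5 deletions(-)
+create mode 100644 news/CVE-2021-28363.vendor.rst
+
+diff --git a/news/CVE-2021-28363.vendor.rst b/news/CVE-2021-28363.vendor.rst
+new file mode 100644
+index 00000000000..29700ab7469
+--- /dev/null
++++ b/news/CVE-2021-28363.vendor.rst
+@@ -0,0 +1 @@
++Update urllib3 to 1.26.4 to fix CVE-2021-28363
+diff --git a/src/pip/_vendor/urllib3/_version.py b/src/pip/_vendor/urllib3/_version.py
+index 2dba29e3fbe..97c983300b0 100644
+--- a/src/pip/_vendor/urllib3/_version.py
++++ b/src/pip/_vendor/urllib3/_version.py
+@@ -1,2 +1,2 @@
+# This file is protected via CODEOWNERS
+-__version__ = "1.26.2"
++__version__ = "1.26.4"
+diff --git a/src/pip/_vendor/urllib3/connection.py b/src/pip/_vendor/urllib3/connection.py
+index 660d679c361..45580b7e1ea 100644
+--- a/src/pip/_vendor/urllib3/connection.py
++++ b/src/pip/_vendor/urllib3/connection.py
+@@ -67,7 +67,7 @@ class BrokenPipeError(Exception):
+
+# When it comes time to update this value as a part of regular maintenance
+# (ie test_recent_date is failing) update it to ~6 months before the current date.
+-RECENT_DATE = datetime.date(2019, 1, 1)
++RECENT_DATE = datetime.date(2020, 7, 1)
+
+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
+
+@@ -215,7 +215,7 @@ def putrequest(self, method, url, *args, **kwargs):
+
+def putheader(self, header, *values):
+""""""
+- if SKIP_HEADER not in values:
++ if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
+_HTTPConnection.putheader(self, header, *values)
+elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
+raise ValueError(
+@@ -490,6 +490,10 @@ def _connect_tls_proxy(self, hostname, conn):
+self.ca_cert_dir,
+self.ca_cert_data,
+)
++ # By default urllib3's SSLContext disables `check_hostname` and uses
++ # a custom check. For proxies we're good with relying on the default
++ # verification.
++ ssl_context.check_hostname = True
+
+# If no cert was provided, use only the default options for server
+# certificate validation
+diff --git a/src/pip/_vendor/urllib3/exceptions.py b/src/pip/_vendor/urllib3/exceptions.py
+index d69958d5dfc..cba6f3f560f 100644
+--- a/src/pip/_vendor/urllib3/exceptions.py
++++ b/src/pip/_vendor/urllib3/exceptions.py
+@@ -289,7 +289,17 @@ class ProxySchemeUnknown(AssertionError, URLSchemeUnknown):
+# TODO(t-8ch): Stop inheriting from AssertionError in v2.0.
+
+def __init__(self, scheme):
+- message = "Not supported proxy scheme %s" % scheme
++ # 'localhost' is here because our URL parser parses
++ # localhost:8080 -> scheme=localhost, remove if we fix this.
++ if scheme == "localhost":
++ scheme = None
++ if scheme is None:
++ message = "Proxy URL had no scheme, should start with http:// or https://"
++ else:
++ message = (
++ "Proxy URL had unsupported scheme %s, should use http:// or https://"
++ % scheme
++ )
+super(ProxySchemeUnknown, self).__init__(message)
+
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index ee51f922f84..d25a41b42ea 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
++++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -253,6 +253,7 @@ def __init__(
+"Using 'method_whitelist' with Retry is deprecated and "
+"will be removed in v2.0. Use 'allowed_methods' instead",
+DeprecationWarning,
++ stacklevel=2,
+)
+allowed_methods = method_whitelist
+if allowed_methods is _Default:
+diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
+index 51a5508479e..868baba6f01 100644
+--- a/src/pip/_vendor/vendor.txt
++++ b/src/pip/_vendor/vendor.txt
+@@ -13,7 +13,7 @@ requests==2.25.1
+certifi==2020.12.05
+chardet==4.0.0
+idna==2.10
+- urllib3==1.26.2
++ urllib3==1.26.4
+resolvelib==0.5.4
+retrying==1.3.3
+setuptools==44.0.0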
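--- /dev/null
+++ b/don-t-split-git-references-on-unicode-separators.patch
@@ -0,0 +1,33 @@
+From ca24e4bfa60cec8341ccf40000a41bc9592713df Mon Sep 17 00:00:00 2001
+From: Karolina Surma <ksurma@redhat.com>
+Date: Mon, 17 May 2021 11:34:30 +0200
+Subject: [PATCH] Don't split git references on unicode separators
+
+---
+src/pip/_internal/vcs/git.py | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index cc22cd7..308e857 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -147,9 +147,15 @@ class Git(VersionControl):
+on_returncode='ignore',
+)
+refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+try:
+- sha, ref = line.split()
++ sha, ref = line.split(" ", maxsplit=2)
+except ValueError:
+# Include the offending line to simplify troubleshooting if
+# this error ever occurs.
+--
+2.31.1
+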
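Review bot: `sha, ref = line.split(" ", maxsplit=2)` asks for up to three fields and then unpacks two, so a line containing two or more spaces raises ValueError from the unpack rather than from a deliberate check; since the loop expects `<sha> <ref>` pairs, `sha, ref = line.split(" ", maxsplit=1)` states that intent exactly and leaves the except branch for genuinely malformed show-ref output. The substance of the fix is sound: splitting only on `"\n"` and then stripping `"\r"` closes the `splitlines()` path, where a ref name carrying one of the other separators that str.splitlines() honours (\x0b, \x0c, \x1c-\x1e, \x85, \u2028, \u2029) could be turned into an extra forged `sha ref` line, which is the CVE-2021-3572 issue the commit message names. The added NOTE would help the next maintainer more if it listed those separators rather than saying "other unicode separators", e.g. `# NOTE: str.splitlines() also splits on \x0b \x0c \x1c-\x1e \x85 \u2028 \u2029; a ref name containing one of them could inject a fake "sha ref" line, so split on "\n" only.` The enclosing method starts and ends outside the hunk, so whether the ValueError raised in the except branch is caught by a caller cannot be seen here.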
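--- a/python-pip.spec
+++ b/python-pip.spec
@@ -22,7 +22,7 @@
 
 Name: python-%{srcname}
 Version: %{base_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A tool for installing and managing Python packages
 
 # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -93,6 +93,17 @@ Patch5: nowarn-pip._internal.main.patch
 # Upstream issue: https://github.com/pypa/packaging/issues/368
 Patch6: no-version-warning.patch
 
+# Update vendored urrlib3 to 1.26.4 to fix CVE-2021-28363
+# Security patch backported from pip 21.1
+Patch7: https://github.com/pypa/pip/pull/9760.patch
+
+# Don't split git references on unicode separators,
+# which could be maliciously used to install a different revision on the
+# repository.
+# Security patch backported from pip 21.1.1
+# Upstream PR: https://github.com/pypa/pip/pull/9827
+Patch8: don-t-split-git-references-on-unicode-separators.patch
+
 # Downstream only patch
 # Users might have local installations of pip from using
 # `pip install --user --upgrade pip` on older/newer versions.
@@ -149,7 +160,7 @@ Provides: bundled(python%{1}dist(retrying)) = 1.3.3
 Provides: bundled(python%{1}dist(setuptools)) = 44
 Provides: bundled(python%{1}dist(six)) = 1.15
 Provides: bundled(python%{1}dist(toml)) = 0.10.2
-Provides: bundled(python%{1}dist(urllib3)) = 1.26.2
+Provides: bundled(python%{1}dist(urllib3)) = 1.26.4
 Provides: bundled(python%{1}dist(webencodings)) = 0.5.1
 }
 
@@ -396,6 +407,9 @@ pytest_k='not completion and
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Mon May 17 2021 Karolina Surma <ksurma@redhat.com> - 21.0.1-4
+- Backport security fixes from pip 21.1.1
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com>
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
@@ -419,9 +433,6 @@ Resolves: rhbz#1922592
 - New resolver
 - Fixes: rhbz#1893470
 
-* Fri Dec 04 2020 Miro Hrončok <mhroncok@redhat.com> - 20.2.4-2
-- Disable tests and documentation in Fedora ELN (and RHEL)
-
 * Mon Oct 19 2020 Lumír Balhar <lbalhar@redhat.com> - 20.2.4-1
 - Update to 20.2.4 (#1889112)
 
@@ -535,7 +546,7 @@ Resolves: rhbz#1922592
 - Create python-pip-wheel package with the wheel
 
 * Tue Jul 31 2018 Miro Hrončok <mhroncok@redhat.com> - 18.0-2
-- Remove redundant "Unicode"" from License
+- Remove redundant "Unicode" from License
 
 * Mon Jul 23 2018 Marcel Plch <mplch@redhat.com> - 18.0-7
 - Update to 18.0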
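Review bot: `Patch7: https://github.com/pypa/pip/pull/9760.patch` names the pull request's live patch URL, which GitHub regenerates whenever the PR branch is rebased or amended, so the URL is not guaranteed to keep matching the `9760.patch` checked into dist-git; rpmbuild applies only the basename, but anyone refreshing the file from the URL gets whatever the PR holds at that moment. Pinning to the commit that the checked-in patch header itself records is stable, `Patch7: https://github.com/pypa/pip/commit/960c01adce491de00ef7a8d02a32fea31b15a1dc.patch`, or use a bare filename as Patch8 does. The comment above it misspells the library: `# Update vendored urllib3 to 1.26.4 to fix CVE-2021-28363`. Patch8's comment cites the upstream PR but not the tracker ID the commit message is about; adding `# CVE-2021-3572` next to `# Upstream PR: https://github.com/pypa/pip/pull/9827` keeps the spec greppable for it, the same way Patch7's comment already is for CVE-2021-28363.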