diff --git a/.gitignore b/.gitignore
index ca62443..5db1717 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@
 /3.2.1.tar.gz
 /3.2.2.tar.gz
 /3.3.0.tar.gz
+/3.4.0.tar.gz
diff --git a/0001-Serverless-test-suite-workaround.patch b/0001-Serverless-test-suite-workaround.patch
deleted file mode 100644
index 5481571..0000000
--- a/0001-Serverless-test-suite-workaround.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From bc392400e5d53c8f65b7adb1bc1dd2e88a4d510b Mon Sep 17 00:00:00 2001
-From: Haikel Guemar
-Date: Thu, 1 Oct 2015 11:26:44 +0200
-Subject: [PATCH 1/2] Serverless test suite workaround
-
----
- test/__init__.py | 10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/test/__init__.py b/test/__init__.py
-index 62e6bdf..d06120d 100644
---- a/test/__init__.py
-+++ b/test/__init__.py
-@@ -366,12 +366,6 @@ def setup():
-
- def teardown():
- c = client_context.client
-- c.drop_database("pymongo-pooling-tests")
-- c.drop_database("pymongo_test")
-- c.drop_database("pymongo_test1")
-- c.drop_database("pymongo_test2")
-- c.drop_database("pymongo_test_mike")
-- c.drop_database("pymongo_test_bernie")
- if client_context.auth_enabled and not client_context.user_provided:
- c.admin.remove_user(db_user)
-
-@@ -386,8 +380,10 @@ class PymongoTestRunner(unittest.TextTestRunner):
- return result
-
-
--def test_cases(suite):
-+def test_cases(suite=None):
- """Iterator over all TestCases within a TestSuite."""
-+ if suite is None:
-+ return
- for suite_or_case in suite._tests:
- if isinstance(suite_or_case, unittest.TestCase):
- # unittest.TestCase
---
-2.5.0
-
diff --git a/0001-Use-ssl.match_hostname-from-the-Python-stdlib.patch b/0001-Use-ssl.match_hostname-from-the-Python-stdlib.patch
new file mode 100644
index 0000000..1a3e546
--- /dev/null
+++ b/0001-Use-ssl.match_hostname-from-the-Python-stdlib.patch
@@ -0,0 +1,50 @@
+From 2ceb8396c6bb3c5ef486a971f2a091f8d702fc15 Mon Sep 17 00:00:00 2001
+From: Randy Barlow
+Date: Sun, 18 Dec 2016 17:37:39 -0500
+Subject: [PATCH] Use ssl_match_hostname from Python's stdlib.
+
+The patch removes the usage of the bundled ssl.match_hostname library as it was
+vulnerable to CVE-2013-7440 and CVE-2013-2099, and wasn't needed
+anyway since Fedora >= 22 has the needed module in the Python
+standard library. It adjusts imports so that they exclusively
+use the code from Python.
+
+Fixes CVE-2013-2099 and CVE-2013-7440.
+---
+ pymongo/errors.py | 5 +----
+ pymongo/pool.py | 3 +--
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/pymongo/errors.py b/pymongo/errors.py
+index fb4c9e48..e8e6350b 100644
+--- a/pymongo/errors.py
++++ b/pymongo/errors.py
+@@ -16,10 +16,7 @@
+
+ from bson.errors import *
+
+-try:
+- from ssl import CertificateError
+-except ImportError:
+- from pymongo.ssl_match_hostname import CertificateError
++from ssl import CertificateError
+
+
+ class PyMongoError(Exception):
+diff --git a/pymongo/pool.py b/pymongo/pool.py
+index d6c5b773..5ca82c2d 100644
+--- a/pymongo/pool.py
++++ b/pymongo/pool.py
+@@ -49,8 +49,7 @@ from pymongo.network import (command,
+ from pymongo.read_concern import DEFAULT_READ_CONCERN
+ from pymongo.read_preferences import ReadPreference
+ from pymongo.server_type import SERVER_TYPE
+-# Always use our backport so we always have support for IP address matching
+-from pymongo.ssl_match_hostname import match_hostname, CertificateError
++from ssl import match_hostname, CertificateError
+
+ # For SNI support. According to RFC6066, section 3, IPv4 and IPv6 literals are
+ # not permitted for SNI hostname.
+--
+2.11.0
+
diff --git a/0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch b/0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch
deleted file mode 100644
index 1d9540e..0000000
--- a/0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch
+++ /dev/null
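Review bot: The pool.py hunk inside this new patch drops upstream's comment `# Always use our backport so we always have support for IP address matching` without recording whether the stdlib `ssl.match_hostname` of every interpreter the package is built for matches IP-address subjectAltName entries. If one of them does not, TLS connections made to an IP literal would presumably fail certificate verification (fail closed) rather than be accepted, so this is a compatibility risk rather than a verification bypass. The patch description should state that, for example `IP address SAN matching now depends on the Python version in use.` A test that connects by IP literal against a certificate carrying an IP SAN, run under both the python2 and python3 builds, would confirm the behaviour.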
@@ -1,159 +0,0 @@
-From e6adec8cae7c4a7840fb012c6479856caaf18aba Mon Sep 17 00:00:00 2001
-From: Randy Barlow
-Date: Fri, 15 Jul 2016 10:12:16 -0400
-Subject: [PATCH] Use ssl.match_hostname from the Python stdlib.
-
-This patch removes the bundled ssl.match_hostname library as it was
-vulnerable to CVE-2013-7440 and CVE-2013-2099, and wasn't needed
-anyway since Fedora >= 22 has the needed module in the Python
-standard library. It also adjusts imports so that they exclusively
-use the code from Python.
----
- pymongo/errors.py | 5 +--
- pymongo/pool.py | 6 +--
- pymongo/ssl_match_hostname.py | 100 ------------------------------------------
- 3 files changed, 2 insertions(+), 109 deletions(-)
- delete mode 100644 pymongo/ssl_match_hostname.py
-
-diff --git a/pymongo/errors.py b/pymongo/errors.py
-index fb4c9e4..e8e6350 100644
---- a/pymongo/errors.py
-+++ b/pymongo/errors.py
-@@ -16,10 +16,7 @@
-
- from bson.errors import *
-
--try:
-- from ssl import CertificateError
--except ImportError:
-- from pymongo.ssl_match_hostname import CertificateError
-+from ssl import CertificateError
-
-
- class PyMongoError(Exception):
-diff --git a/pymongo/pool.py b/pymongo/pool.py
-index 6e9cc75..41bef83 100644
---- a/pymongo/pool.py
-+++ b/pymongo/pool.py
-@@ -44,11 +44,7 @@ from pymongo.server_type import SERVER_TYPE
- # main thread, to avoid the deadlock. See PYTHON-607.
- u'foo'.encode('idna')
-
--try:
-- from ssl import match_hostname, CertificateError
--except ImportError:
-- # These don't require the ssl module
-- from pymongo.ssl_match_hostname import match_hostname, CertificateError
-+from ssl import match_hostname, CertificateError
-
-
- def _raise_connection_failure(address, error):
-diff --git a/pymongo/ssl_match_hostname.py b/pymongo/ssl_match_hostname.py
-deleted file mode 100644
-index f74df15..0000000
---- a/pymongo/ssl_match_hostname.py
-+++ /dev/null
-@@ -1,100 +0,0 @@
--# Backport of the match_hostname logic introduced in python 3.2
--# http://hg.python.org/releasing/3.3.5/file/993955b807b3/Lib/ssl.py
--
--import re
--
--
--class CertificateError(ValueError):
-- pass
--
--
--def _dnsname_match(dn, hostname, max_wildcards=1):
-- """Matching according to RFC 6125, section 6.4.3
--
-- http://tools.ietf.org/html/rfc6125#section-6.4.3
-- """
-- pats = []
-- if not dn:
-- return False
--
-- parts = dn.split(r'.')
-- leftmost = parts[0]
-- remainder = parts[1:]
--
-- wildcards = leftmost.count('*')
-- if wildcards > max_wildcards:
-- # Issue #17980: avoid denials of service by refusing more
-- # than one wildcard per fragment. A survey of established
-- # policy among SSL implementations showed it to be a
-- # reasonable choice.
-- raise CertificateError(
-- "too many wildcards in certificate DNS name: " + repr(dn))
--
-- # speed up common case w/o wildcards
-- if not wildcards:
-- return dn.lower() == hostname.lower()
--
-- # RFC 6125, section 6.4.3, subitem 1.
-- # The client SHOULD NOT attempt to match a presented identifier in which
-- # the wildcard character comprises a label other than the left-most label.
-- if leftmost == '*':
-- # When '*' is a fragment by itself, it matches a non-empty dotless
-- # fragment.
-- pats.append('[^.]+')
-- elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
-- # RFC 6125, section 6.4.3, subitem 3.
-- # The client SHOULD NOT attempt to match a presented identifier
-- # where the wildcard character is embedded within an A-label or
-- # U-label of an internationalized domain name.
-- pats.append(re.escape(leftmost))
-- else:
-- # Otherwise, '*' matches any dotless string, e.g. www*
-- pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
--
-- # add the remaining fragments, ignore any wildcards
-- for frag in remainder:
-- pats.append(re.escape(frag))
--
-- pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
-- return pat.match(hostname)
--
--
--def match_hostname(cert, hostname):
-- """Verify that *cert* (in decoded format as returned by
-- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
-- rules are followed, but IP addresses are not accepted for *hostname*.
--
-- CertificateError is raised on failure. On success, the function
-- returns nothing.
-- """
-- if not cert:
-- raise ValueError("empty or no certificate")
-- dnsnames = []
-- san = cert.get('subjectAltName', ())
-- for key, value in san:
-- if key == 'DNS':
-- if _dnsname_match(value, hostname):
-- return
-- dnsnames.append(value)
-- if not dnsnames:
-- # The subject is only checked when there is no dNSName entry
-- # in subjectAltName
-- for sub in cert.get('subject', ()):
-- for key, value in sub:
-- # XXX according to RFC 2818, the most specific Common Name
-- # must be used.
-- if key == 'commonName':
-- if _dnsname_match(value, hostname):
-- return
-- dnsnames.append(value)
-- if len(dnsnames) > 1:
-- raise CertificateError("hostname %r "
-- "doesn't match either of %s"
-- % (hostname, ', '.join(map(repr, dnsnames))))
-- elif len(dnsnames) == 1:
-- raise CertificateError("hostname %r "
-- "doesn't match %r"
-- % (hostname, dnsnames[0]))
-- else:
-- raise CertificateError("no appropriate commonName or "
-- "subjectAltName fields were found")
---
-2.9.0
-
diff --git a/python-pymongo.spec b/python-pymongo.spec
index 78631fc..fcfd299 100644
--- a/python-pymongo.spec +++ b/python-pymongo.spec @@ -5,19 +5,18 @@ } Name: python-pymongo -Version: 3.3.0 -Release: 6%{?dist} +Version: 3.4.0 +Release: 1%{?dist} # All code is ASL 2.0 except bson/time64*.{c,h} which is MIT License: ASL 2.0 and MIT Summary: Python driver for MongoDB URL: http://api.mongodb.org/python Source0: https://github.com/mongodb/mongo-python-driver/archive/%{version}.tar.gz -Patch01: 0001-Serverless-test-suite-workaround.patch # This patch removes the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440 # and CVE-2013-2099, and wasn't needed anyway since Fedora >= 22 has the needed module in the Python # standard library. It also adjusts imports so that they exclusively use the code from Python. -Patch02: 0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch +Patch01: 0001-Use-ssl.match_hostname-from-the-Python-stdlib.patch %ifnarch armv7hl ppc64 s390 s390x # These are needed for tests, and the tests don't work on armv7hl. @@ -26,7 +25,6 @@ BuildRequires: mongodb-server BuildRequires: net-tools BuildRequires: procps-ng %endif -BuildRequires: python-nose BuildRequires: python-tools BuildRequires: python2-devel BuildRequires: python2-setuptools @@ -74,7 +72,7 @@ contains the python3 version of this module. %package -n python2-pymongo Summary: Python driver for MongoDB -Requires: python2-bson = %{version}-%{release} +Requires: python2-bson%{?_isa} = %{version}-%{release} Provides: pymongo = %{version}-%{release} Obsoletes: pymongo <= 2.1.1-4 %{?python_provide:%python_provide python2-pymongo} @@ -87,7 +85,7 @@ this module. %package -n python3-pymongo Summary: Python driver for MongoDB -Requires: python3-bson = %{version}-%{release} +Requires: python3-bson%{?_isa} = %{version}-%{release} %{?python_provide:%python_provide python3-pymongo} 
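Review bot: The comment kept above the renumbered `Patch01:` line in the first spec hunk still says `This patch removes the bundled ssl.match_hostname library`, which no longer matches the patch it describes. The new 0001 patch's diffstat lists only pymongo/errors.py and pymongo/pool.py, and the deletion now happens through `rm pymongo/ssl_match_hostname.py` in %prep. Reword the comment to what the patch does now, for example `# This patch adjusts imports so that pymongo uses only ssl.match_hostname from the Python standard library; the bundled copy is deleted in %prep.`, so a later maintainer does not drop the `rm` believing the patch already covers it.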
@@ -121,8 +119,12 @@ contains the python3 version of this module. %prep %setup -q -n mongo-python-driver-%{version} -%patch01 -p1 -b .test -%patch02 -p1 -b .ssl +%patch01 -p1 -b .ssl + +# Remove the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440 +# and CVE-2013-2099, and isn't needed anyway since Fedora >= 22 has the needed module in the Python +# standard library. +rm pymongo/ssl_match_hostname.py rm -rf %{py3dir} cp -a . %{py3dir} @@ -141,13 +143,13 @@ popd %install -%{__python2} setup.py install --skip-build --root $RPM_BUILD_ROOT +%py2_install # Fix permissions chmod 755 %{buildroot}%{python2_sitearch}/bson/*.so chmod 755 %{buildroot}%{python2_sitearch}/pymongo/*.so pushd %{py3dir} -%{__python3} setup.py install --skip-build --root $RPM_BUILD_ROOT +%py3_install # Fix permissions chmod 755 %{buildroot}%{python3_sitearch}/bson/*.so chmod 755 %{buildroot}%{python3_sitearch}/pymongo/*.so @@ -222,6 +224,12 @@ pkill mongod %changelog +* Sun Dec 18 2016 Randy Barlow - 3.4.0-1 +- Update to 3.4.0 (#1400227). +- Use new install macros. +- Drop unneeded BuildRequires on python-nose. +- pymongo now requires bson by arch as it should. + * Fri Dec 09 2016 Charalampos Stratakis - 3.3.0-6 - Rebuild for Python 3.6 diff --git a/sources b/sources index 4407799..ce28164 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1de42b3e27ff20406c23fae2b99d1afa 3.3.0.tar.gz +SHA512 (3.4.0.tar.gz) = 0a8c86ec6f1821fe405ca28a645103c85b5256dd76a201dfeb89bca0c90eb911139f584d784936add7f355f1b80ad6689b2c76dedd162b49496542402b55ccdf
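Review bot: Nothing after the added `rm pymongo/ssl_match_hostname.py` in the %prep hunk verifies that no module still imports the deleted file. The patch rewrites imports only in pymongo/errors.py and pymongo/pool.py, so a reference introduced elsewhere by a later upstream release would surface as an ImportError at runtime rather than at build time. A guard directly after the `rm`, such as `if grep -rq --include='*.py' ssl_match_hostname pymongo/; then exit 1; fi`, would fail the build instead; the `--include` filter keeps the `.ssl` backups written by `%patch01 -b .ssl` out of the search. The test-suite BuildRequires sit inside `%ifnarch armv7hl ppc64 s390 s390x`, so the tests presumably cannot be relied on to catch this on those architectures.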