Update to newer upstream release that has our patch to the unittests

- Fix for http://bugs.python.org/issue17997#msg194950 which affects us since
  setuptools copies that code. Changed to use
  python-backports-ssl_match_hostname so that future issues can be fixed in
  that package.

.gitignore

@@ -12,3 +12,4 @@ distribute-0.6.14.tar.gz
 /setuptools-0.9.5.tar.gz
 /setuptools-0.9.6.tar.gz
 /setuptools-1.1.6.tar.gz
+/setuptools-1.1.7.tar.gz

0001-Import-socket.error-so-the-code-throws-the-correct-e.patch

@@ -0,0 +1,24 @@
+From 78a4d637f1db446d06f68929d76e76acd7121628 Mon Sep 17 00:00:00 2001
+From: Toshio Kuratomi <toshio@fedoraproject.org>
+Date: Mon, 28 Oct 2013 10:54:34 -0700
+Subject: [PATCH] Import socket.error so the code throws the correct exception
+
+---
+ setuptools/ssl_support.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/setuptools/ssl_support.py b/setuptools/ssl_support.py
+index 2aec655..479b0d2 100644
+--- a/setuptools/ssl_support.py
++++ b/setuptools/ssl_support.py
+@@ -44,6 +44,7 @@ is_available = ssl is not None and object not in (HTTPSHandler, HTTPSConnection)
+ try:
+     from socket import create_connection
+ except ImportError:
++    from socket import error
+     _GLOBAL_DEFAULT_TIMEOUT = getattr(socket, '_GLOBAL_DEFAULT_TIMEOUT', object())
+     def create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,
+                           source_address=None):
+-- 
+1.8.3.1
+

python-setuptools.spec

@@ -7,7 +7,7 @@
 %global srcname setuptools
 
 Name:           python-setuptools
-Version:        1.1.6
+Version:        1.1.7
 Release:        1%{?dist}
 Summary:        Easily build and distribute Python packages
 
@@ -17,13 +17,19 @@ URL:            http://pypi.python.org/pypi/%{srcname}
 Source0:        http://pypi.python.org/packages/source/s/%{srcname}/%{srcname}-%{version}.tar.gz
 Source1:        psfl.txt
 Source2:        zpl.txt
-# Submitted upstream
-# https://bitbucket.org/tarek/distribute/issue/363/skip-test_sdist_with_utf8_encoded_filename
-Patch0: distribute-skip-sdist_with_utf8_encoded_filename.patch
+# https://github.com/jaraco/setuptools/pull/2
+# Fixes security issue: http://bugs.python.org/issue17997#msg194950
+Patch0: setuptools-ssl-match_hostname-wildcard.patch
+# https://github.com/jaraco/setuptools/pull/3
+# Shouldn't actually affect us as it's compat for 2.5 or earlier
+Patch1: 0001-Import-socket.error-so-the-code-throws-the-correct-e.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
+# Require this so that we use a system copy of the match_hostname() function
+Requires: python-backports-ssl_match_hostname
+BuildRequires: python-backports-ssl_match_hostname
 BuildRequires:  python2-devel
 %if 0%{?with_python3}
 BuildRequires:  python3-devel
@@ -53,6 +59,10 @@ execute the software that requires pkg_resources.py.
 Summary:        Easily build and distribute Python 3 packages
 Group:          Applications/System
 
+# Note: Do not need to Require python3-backports-ssl_match_hostname because it
+# has been present since python3-3.2.  We do not ship python3-3.0 or
+# python3-3.1 anywhere
+
 %description -n python3-setuptools
 Setuptools is a collection of enhancements to the Python 3 distutils that allow
 you to more easily build and distribute Python 3 packages, especially ones that
@@ -67,6 +77,7 @@ execute the software that requires pkg_resources.py.
 %setup -q -n %{srcname}-%{version}
 
 %patch0 -p1
+%patch1 -p1
 
 find -name '*.txt' -exec chmod -x \{\} \;
 find . -name '*.orig' -exec rm \{\} \;
@@ -150,6 +161,13 @@ rm -rf %{buildroot}
 %endif # with_python3
 
 %changelog
+* Mon Oct 28 2013 Toshio Kuratomi <toshio@fedoraproject.org> - 1.1.7-1
+- Update to newer upstream release that has our patch to the unittests
+- Fix for http://bugs.python.org/issue17997#msg194950 which affects us since
+  setuptools copies that code. Changed to use
+  python-backports-ssl_match_hostname so that future issues can be fixed in
+  that package.
+
 * Sat Oct 26 2013 Toshio Kuratomi <toshio@fedoraproject.org> - 1.1.6-1
 - Update to newer upstream release.  Some minor incompatibilities listed but
   they should affect few, if any consumers.
@@ -269,10 +287,10 @@ rm -rf %{buildroot}
 * Thu Feb 04 2010 Toshio Kuratomi <toshio@fedoraproject.org> - 0.6.10-3
 - First build with python3 support enabled.
   
-* Thu Jan 29 2010 Toshio Kuratomi <toshio@fedoraproject.org> - 0.6.10-2
+* Fri Jan 29 2010 Toshio Kuratomi <toshio@fedoraproject.org> - 0.6.10-2
 - Really disable the python3 portion
 
-* Thu Jan 29 2010 Toshio Kuratomi <toshio@fedoraproject.org> - 0.6.10-1
+* Fri Jan 29 2010 Toshio Kuratomi <toshio@fedoraproject.org> - 0.6.10-1
 - Update the python3 portions but disable for now.
 - Update to 0.6.10
 - Remove %%pre scriptlet as the file has a different name than the old
@@ -283,7 +301,7 @@ rm -rf %{buildroot}
 - Don't need python3-tools since the library is now in the python3 package
 - Few other changes to cleanup style
 
-* Thu Jan 22 2010 David Malcolm <dmalcolm@redhat.com> - 0.6.9-2
+* Fri Jan 22 2010 David Malcolm <dmalcolm@redhat.com> - 0.6.9-2
 - add python3 subpackage
 
 * Mon Dec 14 2009 Toshio Kuratomi <toshio@fedoraproject.org> - 0.6.9-1

setuptools-ssl-match_hostname-wildcard.patch

@@ -0,0 +1,110 @@
+diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py
+--- b/setuptools/ssl_support.py
++++ b/setuptools/ssl_support.py
+@@ -85,26 +85,75 @@
+ try:
+     from ssl import CertificateError, match_hostname
+ except ImportError:
++    try:
++        from backports.ssl_match_hostname import CertificateError
++        from backports.ssl_match_hostname import match_hostname
++    except ImportError:
++        CertificateError = None
++        match_hostname = None
++
++if not CertificateError:
+     class CertificateError(ValueError):
+         pass
+ 
+-    def _dnsname_to_pat(dn):
++if not match_hostname:
++    def _dnsname_match(dn, hostname, max_wildcards=1):
++        """Matching according to RFC 6125, section 6.4.3
++
++        http://tools.ietf.org/html/rfc6125#section-6.4.3
++        """
+         pats = []
+-        for frag in dn.split(r'.'):
+-            if frag == '*':
+-                # When '*' is a fragment by itself, it matches a non-empty dotless
+-                # fragment.
+-                pats.append('[^.]+')
+-            else:
+-                # Otherwise, '*' matches any dotless fragment.
+-                frag = re.escape(frag)
+-                pats.append(frag.replace(r'\*', '[^.]*'))
+-        return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
++        if not dn:
++            return False
++
++        # Ported from python3-syntax:
++        # leftmost, *remainder = dn.split(r'.')
++        parts = dn.split(r'.')
++        leftmost = parts[0]
++        remainder = parts[1:]
++
++        wildcards = leftmost.count('*')
++        if wildcards > max_wildcards:
++            # Issue #17980: avoid denials of service by refusing more
++            # than one wildcard per fragment.  A survey of established
++            # policy among SSL implementations showed it to be a
++            # reasonable choice.
++            raise CertificateError(
++                "too many wildcards in certificate DNS name: " + repr(dn))
++
++        # speed up common case w/o wildcards
++        if not wildcards:
++            return dn.lower() == hostname.lower()
++
++        # RFC 6125, section 6.4.3, subitem 1.
++        # The client SHOULD NOT attempt to match a presented identifier in which
++        # the wildcard character comprises a label other than the left-most label.
++        if leftmost == '*':
++            # When '*' is a fragment by itself, it matches a non-empty dotless
++            # fragment.
++            pats.append('[^.]+')
++        elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
++            # RFC 6125, section 6.4.3, subitem 3.
++            # The client SHOULD NOT attempt to match a presented identifier
++            # where the wildcard character is embedded within an A-label or
++            # U-label of an internationalized domain name.
++            pats.append(re.escape(leftmost))
++        else:
++            # Otherwise, '*' matches any dotless string, e.g. www*
++            pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
++
++        # add the remaining fragments, ignore any wildcards
++        for frag in remainder:
++            pats.append(re.escape(frag))
++
++        pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
++        return pat.match(hostname)
++
+ 
+     def match_hostname(cert, hostname):
+         """Verify that *cert* (in decoded format as returned by
+-        SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 rules
+-        are mostly followed, but IP addresses are not accepted for *hostname*.
++        SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
++        rules are followed, but IP addresses are not accepted for *hostname*.
+ 
+         CertificateError is raised on failure. On success, the function
+         returns nothing.
+@@ -115,7 +164,7 @@
+         san = cert.get('subjectAltName', ())
+         for key, value in san:
+             if key == 'DNS':
+-                if _dnsname_to_pat(value).match(hostname):
++                if _dnsname_match(value, hostname):
+                     return
+                 dnsnames.append(value)
+         if not dnsnames:
+@@ -126,7 +175,7 @@
+                     # XXX according to RFC 2818, the most specific Common Name
+                     # must be used.
+                     if key == 'commonName':
+-                        if _dnsname_to_pat(value).match(hostname):
++                        if _dnsname_match(value, hostname):
+                             return
+                         dnsnames.append(value)
+         if len(dnsnames) > 1:

sources

@@ -1 +1 @@
-ee82ea53def4480191061997409d2996  setuptools-1.1.6.tar.gz
+1f33594d25d574a1640ffb84667c6759  setuptools-1.1.7.tar.gz