Replace whole repo with latest content from branch stream-2.7-rhel-8.8.0

Content corresponds with RHEL dist-git commit 55ee5eb

.gitignore

@@ -1,2 +1 @@
-SOURCES/Python-2.7.18-noexe.tar.xz
-/Python-2.7.18-noexe.tar.xz
+/*.tar.*

00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch

@@ -0,0 +1,41 @@
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -41,6 +41,10 @@
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+ 
++# The hmac module implicitly defaults to using MD5.
++# Support using a stronger algorithm for the challenge/response code:
++HMAC_DIGEST_NAME='sha256'
++
+ _mmap_counter = itertools.count()
+ 
+ default_family = 'AF_INET'
+@@ -700,12 +704,16 @@
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+ 
++def get_digestmod_for_hmac():
++    import hashlib
++    return getattr(hashlib, HMAC_DIGEST_NAME)
++
+ def deliver_challenge(connection, authkey):
+     import hmac
+     assert isinstance(authkey, bytes)
+     message = os.urandom(MESSAGE_LENGTH)
+     connection.send_bytes(CHALLENGE + message)
+-    digest = hmac.new(authkey, message).digest()
++    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     response = connection.recv_bytes(256)        # reject large message
+     if response == digest:
+         connection.send_bytes(WELCOME)
+@@ -719,7 +727,7 @@
+     message = connection.recv_bytes(256)         # reject large message
+     assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+     message = message[len(CHALLENGE):]
+-    digest = hmac.new(authkey, message).digest()
++    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     connection.send_bytes(digest)
+     response = connection.recv_bytes(256)        # reject large message
+     if response != WELCOME:

00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch

@@ -96,3 +96,23 @@ index 00000000000..5185fac2e29
 +length hostname involving bidirectional characters were decoded. Some protocols
 +such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
 +to supply such a name.
+diff -urNp a/Lib/encodings/idna.py b/Lib/encodings/idna.py
+--- a/Lib/encodings/idna.py	2023-02-16 08:58:06.884171667 +0100
++++ b/Lib/encodings/idna.py	2023-02-16 08:59:31.931296399 +0100
+@@ -101,6 +101,16 @@ def ToASCII(label):
+     raise UnicodeError("label empty or too long")
+ 
+ def ToUnicode(label):
++    if len(label) > 1024:
++        # Protection from https://github.com/python/cpython/issues/98433.
++        # https://datatracker.ietf.org/doc/html/rfc5894#section-6
++        # doesn't specify a label size limit prior to NAMEPREP. But having
++        # one makes practical sense.
++        # This leaves ample room for nameprep() to remove Nothing characters
++        # per https://www.rfc-editor.org/rfc/rfc3454#section-3.1 while still
++        # preventing us from wasting time decoding a big thing that'll just
++        # hit the actual <= 63 length limit in Step 6.
++        raise UnicodeError("label way too long")
+     # Step 1: Check for ASCII
+     if isinstance(label, str):
+         pure_ascii = True

python2.spec

@@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -2089,6 +2089,9 @@ fi
 # ======================================================
 
 %changelog
+* Thu Feb 16 2023 Josef Ridky <jridky@redhat.com> - 2.7.18-13
+- Add missing part of fix for CVE-2022-45061 (#2145071)
+
 * Wed Dec 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-12
 - Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
 Resolves: rhbz#2144072