Update to 3.9.14

Security fixes for CVE-2020-10735 and CVE-2021-28861 Removed upstreamed part of the FIPS patch Resolves: rhbz#2120642, rhbz#1834423, rhbz#2128249
2022-09-21 14:24:44 +02:00 · 2022-09-21 14:24:44 +02:00 · c7e52cdf75
commit c7e52cdf75
parent 2ccf414f48
3 changed files with 38 additions and 81 deletions
--- a/00329-fips.patch
+++ b/00329-fips.patch
@ -1,55 +1,4 @@
-From 3ccbf41ad18431fcb7e6e83cb4b6bf13c6c22f3e Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 27 Jul 2022 09:19:49 +0200
-Subject: [PATCH] gh-95280: Fix test_get_ciphers on systems without RSA key
- exchange (GH-95282) (cherry picked from commit
- 565403038b75eb64ea483b2757ba30769246d853)
-
-Co-authored-by: Christian Heimes <christian@python.org>
---
- Lib/test/test_ssl.py                             | 16 ++++++++++++++--
- ...2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst |  2 ++
- 2 files changed, 16 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index 9f364fa4bbb6d..f97227b11bcde 100644
--- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -1177,8 +1177,20 @@ def test_get_ciphers(self):
-         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-         ctx.set_ciphers('AESGCM')
-         names = set(d['name'] for d in ctx.get_ciphers())
-        self.assertIn('AES256-GCM-SHA384', names)
-        self.assertIn('AES128-GCM-SHA256', names)
-+        expected = {
-+            'AES128-GCM-SHA256',
-+            'ECDHE-ECDSA-AES128-GCM-SHA256',
-+            'ECDHE-RSA-AES128-GCM-SHA256',
-+            'DHE-RSA-AES128-GCM-SHA256',
-+            'AES256-GCM-SHA384',
-+            'ECDHE-ECDSA-AES256-GCM-SHA384',
-+            'ECDHE-RSA-AES256-GCM-SHA384',
-+            'DHE-RSA-AES256-GCM-SHA384',
-+        }
-+        intersection = names.intersection(expected)
-+        self.assertGreaterEqual(
-+            len(intersection), 2, f"\ngot: {sorted(names)}\nexpected: {sorted(expected)}"
-+        )
- 
-     def test_options(self):
-         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-diff --git a/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst
-new file mode 100644
-index 0000000000000..523d9d5f2f8bf
--- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2022-07-26-15-22-19.gh-issue-95280.h8HvbP.rst
-@@ -0,0 +1,2 @@
-+Fix problem with ``test_ssl`` ``test_get_ciphers`` on systems that require
-+perfect forward secrecy (PFS) ciphers.
-
-
-From 37aa11f4c57e08bd3859c0de1c22f1d5296b6fdc Mon Sep 17 00:00:00 2001
+From a350f1e323977baffc6d709c0dc877c7f3faba73 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 11 Aug 2021 16:51:03 +0200
 Subject: [PATCH 01/10] Backport PyModule_AddObjectRef as
@ -122,10 +71,10 @@ index 13482c6..fca1083 100644
 PyModule_AddIntConstant(PyObject *m, const char *name, long value)
 {
 -- 
-2.35.3
+2.37.3


-From 3fc28233b7244bb891499a974c3f3cda42454760 Mon Sep 17 00:00:00 2001
+From 500314edea579965f5641d8ebdce8c8899fe2838 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Fri, 13 Aug 2021 13:16:43 +0200
 Subject: [PATCH 02/10] _hashopenssl: Uncomment and use initialization function
@ -195,10 +144,10 @@ index 4db058c..56dfff9 100644
 
     return m;
 -- 
-2.35.3
+2.37.3


-From 309e06621a9a8b8220c8f83d588cc76e1fa2380d Mon Sep 17 00:00:00 2001
+From 76402d145bb24912f92d4013b8464e87b1493b45 Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Sat, 27 Mar 2021 14:55:03 +0100
 Subject: [PATCH 03/10] bpo-40645: use C implementation of HMAC (GH-24920,
@ -978,10 +927,10 @@ index 68aa765..4466ec4 100644
 -/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
 -- 
-2.35.3
+2.37.3


-From 2656f4998c17d8a63b5b45462a2dae5b1b3d520f Mon Sep 17 00:00:00 2001
+From 668a5b57d6454ff1a0e5c4db80002321e38cadfd Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
 Subject: [PATCH 04/10] Expose blake2b and blake2s hashes from OpenSSL
@ -1188,10 +1137,10 @@ index 4466ec4..54c22b2 100644
 -/*[clinic end generated code: output=7ff9aad0bd53e7ce input=a9049054013a1b77]*/
 +/*[clinic end generated code: output=fab05055e982f112 input=a9049054013a1b77]*/
 -- 
-2.35.3
+2.37.3


-From 652264a57ab6564bfe775d88502776df95cd897d Mon Sep 17 00:00:00 2001
+From 1613c11b882e192456592a6adb63f73351f82829 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 1 Aug 2019 17:57:05 +0200
 Subject: [PATCH 05/10] Use a stronger hash in multiprocessing handshake
@ -1236,10 +1185,10 @@ index 510e4b5..b68f2fb 100644
     response = connection.recv_bytes(256)        # reject large message
     if response != WELCOME:
 -- 
-2.35.3
+2.37.3


-From 4a8637f114196b1ab19435ea64c19c7acf77776c Mon Sep 17 00:00:00 2001
+From c0413586c6fb26bd4b7c4d5c40094ceeffb74612 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
 Subject: [PATCH 06/10] Disable Python's hash implementations in FIPS mode,
@ -1497,10 +1446,10 @@ index 0bec170..479f4b5 100644
             ))
 
 -- 
-2.35.3
+2.37.3


-From 165bcd0377075dbac9fa3f988ed5189668597ab6 Mon Sep 17 00:00:00 2001
+From 205bd746c16c7f8ac09251316c62bf78d6c31611 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
 Subject: [PATCH 07/10] Use python's fall back crypto implementations only if
@ -1664,10 +1613,10 @@ index fa4a8d7..ec6c883 100644
     def test_pbkdf2_hmac_py(self):
         self._test_pbkdf2_hmac(builtin_hashlib.pbkdf2_hmac, builtin_hashes)
 -- 
-2.35.3
+2.37.3


-From f4383a6e0be8b75db2380fdcf0174b09709b613f Mon Sep 17 00:00:00 2001
+From 016e7dbfd92bd24b5f7cb613786fb99456ca6069 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
 Subject: [PATCH 08/10] Test equivalence of hashes for the various digests with
@ -1823,10 +1772,10 @@ index ec6c883..0fd036f 100644
 class KDFTests(unittest.TestCase):
 
 -- 
-2.35.3
+2.37.3


-From 5ecf11d53225bbe04e35970a834bcc90cd944391 Mon Sep 17 00:00:00 2001
+From 7c7a3260746d06d5f319944dc40d51f7642d92dc Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
 Subject: [PATCH 09/10] Guard against Python HMAC in FIPS mode
@ -1940,10 +1889,10 @@ index adf52ad..41e6a14 100644
     def test_realcopy_old(self):
         # Testing if the copy method created a real copy.
 -- 
-2.35.3
+2.37.3


-From 532ce8649bf743c029aa5ddb25d74604d9798da9 Mon Sep 17 00:00:00 2001
+From 0db6e1bad3663006fe9352819bbbb53bfc5637be Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Wed, 25 Aug 2021 16:44:43 +0200
 Subject: [PATCH 10/10] Disable hash-based PYCs in FIPS mode
@ -1986,15 +1935,13 @@ index bba3642..02db901 100644
         return PycInvalidationMode.CHECKED_HASH
     else:
 diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
-index 86ac8f0..dc042f7 100644
+index 6dc0813..b9d5f9a 100644
 --- a/Lib/test/support/__init__.py
 +++ b/Lib/test/support/__init__.py
-@@ -3294,3 +3294,17 @@ def clear_ignored_deprecations(*tokens: object) -> None:
-     if warnings.filters != new_filters:
-         warnings.filters[:] = new_filters
+@@ -3296,6 +3296,20 @@ def clear_ignored_deprecations(*tokens: object) -> None:
         warnings._filters_mutated()
-+
-+
+ 
+ 
 +def fails_in_fips_mode(expected_error):
 +    import _hashlib
 +    if _hashlib.get_fips_mode():
@ -2007,6 +1954,11 @@ index 86ac8f0..dc042f7 100644
 +        def _decorator(func):
 +            return func
 +    return _decorator
+
+
+ @contextlib.contextmanager
+ def adjust_int_max_str_digits(max_digits):
+     """Temporarily change the integer string conversion length limit."""
 diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
 index 7cb1370..61df232 100644
 --- a/Lib/test/test_cmd_line_script.py
@ -2222,5 +2174,5 @@ index 8358d70..1b7fb85 100644
         uint64_t x;
         char data[sizeof(uint64_t)];
 -- 
-2.35.3
+2.37.3

--- a/python3.9.spec
+++ b/python3.9.spec
@ -13,11 +13,11 @@ URL: https://www.python.org/

 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.13
+%global general_version %{pybasever}.14
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: Python


@ -1810,6 +1810,11 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Wed Sep 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.14-1
+- Update to 3.9.14
+- Security fixes for CVE-2020-10735 and CVE-2021-28861
+Resolves: rhbz#2120642, rhbz#1834423, rhbz#2128249
+
 * Mon Jul 25 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.13-3
 - Fix test_get_ciphers in test_ssl.py for FIPS mode
 Resolves: rhbz#2058233
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (Python-3.9.13.tar.xz) = e9664e7f908092df11236b22465d217531d6f0378e88d889108d19fe77f28f46ffb629b8733f84b41409e255367321893a2b1bd64518930d9d8cae5d1b774d23
-SHA512 (Python-3.9.13.tar.xz.asc) = 9367afe8ec32195adbb64fa32eb9e3881cfdbbb38efcb5e0804a15486232aecbc81ed20a8ffed652f06a881744f3efd2c2df3cc652d70671c94d6668a17a391e
+SHA512 (Python-3.9.14.tar.xz) = 691a7814cf6c7bee96d8dbb7c5c85cb11f2e999101e20491b99435cdec07c3bbd5ce43ad3d9c64f695383b79197884caa1965c4346e4525e23b09c686271e4ab
+SHA512 (Python-3.9.14.tar.xz.asc) = 7cffff00ecc94d32a61e763b4ebd73caf83994e3a24b682d45453f34631e4feabcffbaae5e511952656ab6e64945bc2a3d1fb440f788352f262ffa00ec3d2203