import python3-3.6.8-41.el8
This commit is contained in:
parent
82f6e57718
commit
be68a5416f
|
@ -0,0 +1,40 @@
|
||||||
|
From 29c669440dddba61d18e1b7fdd57180cae9e4ae3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yeting Li <liyt@ios.ac.cn>
|
||||||
|
Date: Wed, 7 Apr 2021 19:27:41 +0800
|
||||||
|
Subject: [PATCH] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler
|
||||||
|
(GH-24391)
|
||||||
|
|
||||||
|
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
|
||||||
|
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
|
||||||
|
has quadratic worst-case complexity and it allows cause a denial of
|
||||||
|
service when identifying crafted invalid RFCs. This ReDoS issue is on
|
||||||
|
the client side and needs remote attackers to control the HTTP server.
|
||||||
|
(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
|
||||||
|
|
||||||
|
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
|
||||||
|
---
|
||||||
|
Lib/urllib/request.py | 2 +-
|
||||||
|
.../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 1 +
|
||||||
|
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
|
||||||
|
|
||||||
|
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
|
||||||
|
index 6624e04317ba2..56565405a7097 100644
|
||||||
|
--- a/Lib/urllib/request.py
|
||||||
|
+++ b/Lib/urllib/request.py
|
||||||
|
@@ -947,7 +947,7 @@ class AbstractBasicAuthHandler:
|
||||||
|
# (single quotes are a violation of the RFC, but appear in the wild)
|
||||||
|
rx = re.compile('(?:^|,)' # start of the string or ','
|
||||||
|
'[ \t]*' # optional whitespaces
|
||||||
|
- '([^ \t]+)' # scheme like "Basic"
|
||||||
|
+ '([^ \t,]+)' # scheme like "Basic"
|
||||||
|
'[ \t]+' # mandatory whitespaces
|
||||||
|
# realm=xxx
|
||||||
|
# realm='xxx'
|
||||||
|
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000..1c9f727e965fb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
|
|
@ -14,7 +14,7 @@ URL: https://www.python.org/
|
||||||
# WARNING When rebasing to a new Python version,
|
# WARNING When rebasing to a new Python version,
|
||||||
# remember to update the python3-docs package as well
|
# remember to update the python3-docs package as well
|
||||||
Version: %{pybasever}.8
|
Version: %{pybasever}.8
|
||||||
Release: 40%{?dist}
|
Release: 41%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
|
|
||||||
|
|
||||||
|
@ -610,6 +610,12 @@ Patch362: 00362-threading-enumerate-rlock.patch
|
||||||
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1972293
|
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1972293
|
||||||
Patch364: 00364-thread-exit.patch
|
Patch364: 00364-thread-exit.patch
|
||||||
|
|
||||||
|
# 00366 #
|
||||||
|
# CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
|
||||||
|
# Upstream: https://bugs.python.org/issue43075
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
|
||||||
|
Patch366: 00366-CVE-2021-3733.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
|
@ -943,6 +949,7 @@ git apply %{PATCH351}
|
||||||
%patch360 -p1
|
%patch360 -p1
|
||||||
%patch362 -p1
|
%patch362 -p1
|
||||||
%patch364 -p1
|
%patch364 -p1
|
||||||
|
%patch366 -p1
|
||||||
|
|
||||||
# Remove files that should be generated by the build
|
# Remove files that should be generated by the build
|
||||||
# (This is after patching, so that we can use patches directly from upstream)
|
# (This is after patching, so that we can use patches directly from upstream)
|
||||||
|
@ -1868,6 +1875,10 @@ fi
|
||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 09 2021 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-41
|
||||||
|
- Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
|
||||||
|
Resolves: rhbz#1995234
|
||||||
|
|
||||||
* Thu Jul 29 2021 Tomas Orsava <torsava@redhat.com> - 3.6.8-40
|
* Thu Jul 29 2021 Tomas Orsava <torsava@redhat.com> - 3.6.8-40
|
||||||
- Adjusted the postun scriptlets to enable upgrading to RHEL 9
|
- Adjusted the postun scriptlets to enable upgrading to RHEL 9
|
||||||
- Resolves: rhbz#1933055
|
- Resolves: rhbz#1933055
|
||||||
|
|
Loading…
Reference in New Issue