Security fix for CVE-2024-6923 (rhbz#2303161)
parent 1bb7fee2bb
commit 2cfab79d11
2 changed files with 414 additions and 1 deletions
@ -17,7 +17,7 @@ URL: https://www.python.org/
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 34%{?dist}
Release: 35%{?dist}
# Python is Python
# pip MIT is and bundles:
# appdirs: MIT
@ -715,6 +715,35 @@ Patch427: 00427-zipextfile-tell-and-seek-cve-2024-0450.patch
# Backported from 3.8.
Patch431: 00431-cve-2024-4032.patch

# 00435 # f80b87e6a67eebe0693b895261bad2e9a58a4825
# gh-121650: Encode newlines in headers, and verify
# headers are sound (GH-122233)
#
# Per RFC 2047:
#
# > [...] these encoding schemes allow the
# > encoding of arbitrary octet values, mail readers that implement this
# > decoding should also ensure that display of the decoded data on the
# > recipient's terminal will not cause unwanted side-effects
#
# It seems that the "quoted-word" scheme is a valid way to include
# a newline character in a header value, just like we already allow
# undecodable bytes or control characters.
# They do need to be properly quoted when serialized to text, though.
#
# This should fail for custom fold() implementations that aren't careful
# about newlines.
#
#
# This patch also contains modified commit cherry picked from
# c5bba853d5e7836f6d4340e18721d3fb3a6ee0f7.
#
# This commit was backported to simplify the backport of the other commit
# fixing CVE. The only modification is a removal of one test case which
# tests multiple changes in Python 3.7 and it wasn't working properly
# with Python 3.6 where we backported only one change.
Patch435: 00435-gh-121650-encode-newlines-in-headers-and-verify.patch

# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
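Review bot: the comment block above Patch435 never names the CVE it fixes, whereas the neighbouring entries carry it in the patch filename (00427-zipextfile-tell-and-seek-cve-2024-0450.patch, 00431-cve-2024-4032.patch); the commit subject and the changelog give CVE-2024-6923 (rhbz#2303161), so either add a line such as `# Security fix for CVE-2024-6923 (rhbz#2303161)` to the comment or put the CVE in the patch filename, so the mapping survives without consulting git history. The comment also says one test case was dropped from the cherry-picked c5bba853d5e7836f6d4340e18721d3fb3a6ee0f7 commit because it exercised several 3.7 changes, but does not say which test; naming it lets a later reviewer see exactly what coverage the 3.6 backport lacks and restore it if the remaining changes are ever backported. Minor style point: the two consecutive bare `#` lines before "This patch also contains" can collapse to one, matching the single separator lines used elsewhere in the block.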
@ -1984,6 +2013,9 @@ CheckPython optimized
# ======================================================

%changelog
* Fri Aug 16 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.6.15-35
- Security fix for CVE-2024-6923 (rhbz#2303161)

* Thu Aug 01 2024 Miro Hrončok <mhroncok@redhat.com> - 3.6.15-34
- Security fix for CVE-2024-6345 (in bundled setuptools wheel)
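Review bot: the new 3.6.15-35 changelog entry repeats the commit subject without naming the affected component, while the 3.6.15-34 entry directly below does ("in bundled setuptools wheel"); since Patch435 is the backport of gh-121650 ("Encode newlines in headers, and verify headers are sound"), a wording such as `- Security fix for CVE-2024-6923 in email header folding (rhbz#2303161)` would keep the entries consistent and tell a reader which code path changed. The version string 3.6.15-35 agrees with the Release bump from 34 to 35 in the first hunk, and Aug 16 2024 is indeed a Friday, so the entry is otherwise in order.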