Fix for CVE-2021-28861

2022-09-14 12:02:11 +02:00 · 2022-09-14 12:02:11 +02:00 · cd4147361f
commit cd4147361f
parent 1fa182b4cb
3 changed files with 155 additions and 1 deletions
--- a/python3.6.spec
+++ b/python3.6.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: Python


@ -497,6 +497,20 @@ Patch378: 00378-support-expat-2-4-5.patch
 # Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
 Patch382: 00382-cve-2015-20107.patch

+# 00386 # 0e4bced7d3cd0f94ebfbcc209e10dbf81607b073
+# CVE-2021-28861
+#
+# Fix an open redirection vulnerability in the `http.server` module when
+# an URI path starts with `//` that could produce a 301 Location header
+# with a misleading target.  Vulnerability discovered, and logic fix
+# proposed, by Hamza Avvan (@hamzaavvan).
+#
+# Test and comments authored by Gregory P. Smith [Google].
+#
+# Upstream: https://github.com/python/cpython/pull/93879
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2120642
+Patch386: 00386-cve-2021-28861.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1687,6 +1701,10 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Wed Sep 14 2022 Lumír Balhar <lbalhar@redhat.com> - 3.6.15-11
+- Fix for CVE-2021-28861
+Resolves: rhbz#2120785
+
 * Wed Jul 20 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-10
 - Fix test_tarfile on ppc64le
 Resolves: rhbz#2109120