Security fix for CVE-2023-24329

Resolves: rhbz#2174016
2023-05-26 02:15:16 +02:00 · 2023-05-26 02:15:16 +02:00 · 7e0a7b5bdb
commit 7e0a7b5bdb
parent 3afb626968
2 changed files with 246 additions and 1 deletions
--- a/python3.9.spec
+++ b/python3.9.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python


@ -387,6 +387,18 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

+# 00399 # c32eff86eb80f6a6bdcbf4b1b6535fbc627b51a2
+# CVE-2023-24329
+#
+# * gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
+#
+# `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
+#
+# This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%%20any%%20leading%%20and%%20trailing%%20C0%%20control%%20or%%20space%%20from%%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
+#
+# ---------
+Patch399: 00399-cve-2023-24329.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1802,6 +1814,10 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Mon May 29 2023 Lumír Balhar <lbalhar@redhat.com> - 3.9.16-2
+- Security fix for CVE-2023-24329
+- Resolves: rhbz#2174016
+
 * Wed Dec 07 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.16-1
 - Update to 3.9.16