906ed044aa
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From ad4537a75c798341824ab18bd1dc622f8dc2bc3a Mon Sep 17 00:00:00 2001
|
|
From: Adam Duskett <aduskett@gmail.com>
|
|
Date: Fri, 20 Jul 2018 10:17:39 -0400
|
|
Subject: [PATCH] Fix cross compiling the uuid module
|
|
|
|
Python 3.7 has a new _uuid module, however, the include directory
|
|
search path for uuid.h is hardcoded to /usr/include/uuid, which should
|
|
not be used when cross-compiling.
|
|
|
|
To fix this, use the same solution as the one used by the NIS
|
|
detection: append "uuid" to each of the include directories in
|
|
"inc_dirs", instead of hardcoding /usr/include/uuid.
|
|
|
|
Signed-off-by: Adam Duskett <aduskett@gmail.com>
|
|
[Thomas: drop STAGING_DIR based solution, use a solution similar to
|
|
the one used for the NIS detection.]
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
---
|
|
setup.py | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/setup.py b/setup.py
|
|
index 1a7085c5c4..f33d0b57b8 100644
|
|
--- a/setup.py
|
|
+++ b/setup.py
|
|
@@ -1671,7 +1671,8 @@ class PyBuildExt(build_ext):
|
|
missing.append('_tkinter')
|
|
|
|
# Build the _uuid module if possible
|
|
- uuid_incs = find_file("uuid.h", inc_dirs, ["/usr/include/uuid"])
|
|
+ uuid_incs = find_file("uuid.h", inc_dirs,
|
|
+ [os.path.join(inc_dir, 'uuid') for inc_dir in inc_dirs])
|
|
if uuid_incs is not None:
|
|
if self.compiler.find_library_file(lib_dirs, 'uuid'):
|
|
uuid_libs = ['uuid']
|
|
--
|
|
2.14.4
|
|
|