From 238c94258511bddd31a0c63610fb2a3024472ca5 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys
Date: Dec 29 2013 00:16:56 +0000
Subject: import python-backports-ssl_match_hostname-3.4.0.2-4.el7.src.rpm
---
diff --git a/.python-backports-ssl_match_hostname.metadata b/.python-backports-ssl_match_hostname.metadata
index f56591a..6ea0657 100644
--- a/.python-backports-ssl_match_hostname.metadata
+++ b/.python-backports-ssl_match_hostname.metadata
@@ -1 +1 @@
-6b6abbe957cdca15050f9b026f313032f9f583c2 SOURCES/backports.ssl_match_hostname-3.2a3.tar.gz
+da4e41f3b110279d2382df47ac1e4f10c63cf954 SOURCES/backports.ssl_match_hostname-3.4.0.2.tar.gz
diff --git a/SOURCES/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch b/SOURCES/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
deleted file mode 100644
index 7b58dc2..0000000
--- a/SOURCES/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-# HG changeset patch
-# User Antoine Pitrou
-# Date 1368892602 -7200
-# Node ID c627638753e2d25a98950585b259104a025937a9
-# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d
-Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
-
-Index: backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
-===================================================================
---- backports.ssl_match_hostname-3.2a3.orig/src/backports/ssl_match_hostname/__init__.py
-+++ backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
-@@ -7,9 +7,16 @@ __version__ = '3.2.2'
- class CertificateError(ValueError):
- pass
-
--def _dnsname_to_pat(dn):
-+def _dnsname_to_pat(dn, max_wildcards=1):
- pats = []
- for frag in dn.split(r'.'):
-+ if frag.count('*') > max_wildcards:
-+ # Issue #17980: avoid denials of service by refusing more
-+ # than one wildcard per fragment. A survery of established
-+ # policy among SSL implementations showed it to be a
-+ # reasonable choice.
-+ raise CertificateError(
-+ "too many wildcards in certificate DNS name: " + repr(dn))
- if frag == '*':
- # When '*' is a fragment by itself, it matches a non-empty dotless
- # fragment.
diff --git a/SOURCES/ssl_match_hostname-issue12000.patch b/SOURCES/ssl_match_hostname-issue12000.patch
deleted file mode 100644
index 86c18c3..0000000
--- a/SOURCES/ssl_match_hostname-issue12000.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py.orig backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
---- backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py.orig 2010-10-15 17:40:13.000000000 -0500
-+++ backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py 2013-02-05 17:24:13.706427017 -0600
-@@ -2,7 +2,7 @@
-
- import re
-
--__version__ = '3.2a3'
-+__version__ = '3.2.2'
-
- class CertificateError(ValueError):
- pass
-@@ -37,8 +37,9 @@ def match_hostname(cert, hostname):
- if _dnsname_to_pat(value).match(hostname):
- return
- dnsnames.append(value)
-- if not san:
-- # The subject is only checked when subjectAltName is empty
-+ if not dnsnames:
-+ # The subject is only checked when there is no dNSName entry
-+ # in subjectAltName
- for sub in cert.get('subject', ()):
- for key, value in sub:
- # XXX according to RFC 2818, the most specific Common Name
diff --git a/SPECS/python-backports-ssl_match_hostname.spec b/SPECS/python-backports-ssl_match_hostname.spec
index e248399..6a24626 100644
--- a/SPECS/python-backports-ssl_match_hostname.spec
+++ b/SPECS/python-backports-ssl_match_hostname.spec
@@ -1,25 +1,18 @@ %global module_name backports.ssl_match_hostname -%global alphatag a3 -%global fullversion %{version}%{alphatag} Name: python-backports-ssl_match_hostname -Version: 3.2 -Release: 0.3.%{alphatag}%{?dist} -Summary: The ssl.match_hostname() function from Python 3.2 +Version: 3.4.0.2 +Release: 4%{?dist} +Summary: The ssl.match_hostname() function from Python 3 -# Webpages claim MIT but the code is cut-and-paste from Python source code License: Python URL: https://bitbucket.org/brandon/backports.ssl_match_hostname -Source0: http://pypi.python.org/packages/source/b/backports.ssl_match_hostname/backports.ssl_match_hostname-%{fullversion}.tar.gz -# From the upstream scm -Patch0: ssl_match_hostname-issue12000.patch -# Slightly modified version of patch against python3.2+ -# http://bugs.python.org/issue17980#msg189525 -Patch1: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch +Source0: http://pypi.python.org/packages/source/b/%{module_name}/%{module_name}-%{version}.tar.gz BuildArch: noarch BuildRequires: python2-devel BuildRequires: python-setuptools +Requires: python-backports %description The Secure Sockets layer is only actually secure if you check the hostname in @@ -36,10 +29,9 @@ The actual code inside comes verbatim from Python 3.2. %prep -%setup -qn %{module_name}-%{fullversion} -%patch0 -p1 -%patch1 -p1 +%setup -qn %{module_name}-%{version} mv src/backports/ssl_match_hostname/README.txt ./ +mv src/backports/ssl_match_hostname/LICENSE.txt ./ %build 
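Review bot: Removing `Patch0: ssl_match_hostname-issue12000.patch` and `Patch1: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch` leaves nothing in the spec recording that the 3.4.0.2 tarball is expected to carry both fixes (the per-fragment wildcard limit in `_dnsname_to_pat` and the `if not dnsnames:` subject fallback). Once that is confirmed against the unpacked source, I would add a comment above `Source0` such as `# Patch0 (issue12000) and Patch1 (CVE-2013-2099) dropped: fixes are included in the upstream tarball`. The new `Source0` line still uses `http://`, so the tarball's integrity rests only on the SHA-1 recorded in `.python-backports-ssl_match_hostname.metadata`; switching the scheme to `https://` is a cheap extra safeguard for anyone re-fetching the source by hand. The `%description` text visible as context in the second hunk still says the code comes verbatim from Python 3.2 while the Summary now says Python 3, so it should be updated to match.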
@@ -48,14 +40,37 @@ python setup.py build %install python setup.py install --skip-build --root %{buildroot} +rm %{buildroot}%{python_sitelib}/backports/__init__.py* %files -%doc README.txt +%doc README.txt LICENSE.txt %{python_sitelib}/* %changelog +* Fri Dec 27 2013 Daniel Mach - 3.4.0.2-4 +- Mass rebuild 2013-12-27 + +* Thu Dec 19 2013 Endi S. Dewata - 3.4.0.2-3 +- Restore python-backports dependency on RHEL + +* Mon Dec 09 2013 Endi S. Dewata - 3.4.0.2-2 +- Drop python-backports dependency on RHEL + +* Sun Oct 27 2013 Toshio Kuratomi - 3.4.0.2-1 +- Update to upstream 3.4.0.2 for a security fix +- http://bugs.python.org/issue17997 + +* Mon Sep 02 2013 Ian Weller - 3.4.0.1-1 +- Update to upstream 3.4.0.1 + +* Mon Aug 19 2013 Ian Weller - 3.2-0.5.a3 +- Use python-backports instead of providing backports/__init__.py + +* Sun Aug 04 2013 Fedora Release Engineering - 3.2-0.4.a3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + * Mon May 20 2013 Toshio Kuratomi - 3.2-0.3.a3 - Add patch for CVE 2013-2099 https://bugzilla.redhat.com/show_bug.cgi?id=963260
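Review bot: The added `rm %{buildroot}%{python_sitelib}/backports/__init__.py*` in %install makes this package importable only when another package supplies the `backports` namespace, which ties it to the `Requires: python-backports` line added in the first spec hunk. The changelog shows that dependency being dropped in 3.4.0.2-2 and restored in -3, so a comment on the `rm` line would keep the two from drifting apart again, e.g. `# backports/__init__.py is owned by python-backports (see Requires)`. The 3.4.0.2-1 entry cites issue17997 for the security fix but does not say that the CVE-2013-2099 patch added in 3.2-0.3.a3 was removed. If upstream does contain that fix, a line such as `- Drop patches merged upstream` would let someone auditing CVE coverage from the changelog see that the fix was not lost.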