diff --git a/SOURCES/00305-CVE-2016-2183.patch b/SOURCES/00305-CVE-2016-2183.patch
new file mode 100644
index 0000000..a846cb5
--- /dev/null
+++ b/SOURCES/00305-CVE-2016-2183.patch
@@ -0,0 +1,53 @@
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+index 038daa4..5311321 100644
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -143,38 +143,36 @@ if _ssl.HAS_TLS_UNIQUE:
+ else:
+ CHANNEL_BINDING_TYPES = []
++
+ # Disable weak or insecure ciphers by default
+ # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
+ # Enable a better set of ciphers by default
+ # This list has been explicitly chosen to:
+ # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+ # * Prefer ECDHE over DHE for better performance
+-# * Prefer any AES-GCM over any AES-CBC for better performance and security
++# * Prefer AEAD over CBC for better performance and security
+ # * Then Use HIGH cipher suites as a fallback
+-# * Then Use 3DES as fallback which is secure but slow
+ # * Finally use RC4 as a fallback which is problematic but needed for
+ # compatibility some times.
+-# * Disable NULL authentication, NULL encryption, and MD5 MACs for security
+-# reasons
++# * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs
++# for security reasons
+ _DEFAULT_CIPHERS = (
+ 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+- 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:'
+- 'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5'
++ 'DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:ECDH+RC4:DH+RC4:RSA+RC4:!aNULL:!eNULL:'
++ '!MD5:!3DES'
+ )
+
+ # Restricted and more secure ciphers for the server side
+ # This list has been explicitly chosen to:
+ # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
+ # * Prefer ECDHE over DHE for better performance
+-# * Prefer any AES-GCM over any AES-CBC for better performance and security
++# * Prefer AEAD over CBC for better performance and security
+ # * Then Use HIGH cipher suites as a fallback
+-# * Then Use 3DES as fallback which is secure but slow
+-# * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, and RC4 for
+-# security reasons
++# * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, and
++# 3DES for security reasons
+ _RESTRICTED_SERVER_CIPHERS = (
+ 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
+- 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
+- '!eNULL:!MD5:!DSS:!RC4'
++ 'DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES'
+ )
+
+
diff --git a/SPECS/python.spec b/SPECS/python.spec
index c70c0da..2af363e 100644
--- a/SPECS/python.spec
+++ b/SPECS/python.spec
@@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.5
-Release: 68%{?dist}
+Release: 69%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -1228,6 +1228,12 @@ Patch295: 00295-fix-https-behind-proxy.patch
 # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1546351
 Patch296: 00296-Readd-the-private-_set_hostport-api-to-httplib.patch
 
+# 00305 #
+# Remove 3DES from the cipher list to mitigate CVE-2016-2183 (sweet32).
+# FIXED UPSTREAM: https://bugs.python.org/issue27850
+# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1584545
+Patch305: 00305-CVE-2016-2183.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
@@ -1652,6 +1658,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 %patch287 -p1
 %patch295 -p1
 %patch296 -p1
+%patch305 -p1
 
 
 # This shouldn't be necesarry, but is right now (2.2a3)
@@ -2525,6 +2532,10 @@ rm -fr %{buildroot}
 # ======================================================
 %changelog
+* Wed May 30 2018 Charalampos Stratakis - 2.7.5-70
+- Remove 3DS cipher to mitigate CVE-2016-2183 (sweet32).
+Resolves: rhbz#1584545
+
 * Mon Feb 19 2018 Tomas Orsava - 2.7.5-68
+- Add Conflicts tag with old virtualenv versions due to new behaviour of httplib (patch 295)
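Review bot: The rewritten `_DEFAULT_CIPHERS` line still ends with `ECDH+RC4:DH+RC4:RSA+RC4`, so after this patch the client default keeps the RC4 fallback that its own comment calls problematic while `_RESTRICTED_SERVER_CIPHERS` excludes it with `!RC4`; that is outside CVE-2016-2183, but the backport should state the choice, e.g. in the spec comment `# RC4 fallback is intentionally kept in _DEFAULT_CIPHERS for compatibility; only 3DES is removed`. The patch carries no test, and Python 2.7's `SSLContext` has no `get_ciphers()`, so confirming that `!3DES` is effective under the build's OpenSSL needs a loopback handshake against a server context set to `DES-CBC3-SHA` that is expected to raise `SSLError`, which the spec's `%check` section (not visible in this diff) could exercise. The trailing `!3DES` is a permanent exclusion, so it also drops the 3DES suites that `ECDH+HIGH`, `DH+HIGH` and `RSA+HIGH` can still match on OpenSSL releases that rank 3DES as HIGH; a comment on that line, `# !3DES is last so it also strips 3DES suites matched by the HIGH aliases`, would make the intent explicit.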
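Review bot: The `%changelog` entry added by the last hunk of this file is tagged `2.7.5-70`, but the `Release:` hunk above only moves 68 to 69, so the changelog version disagrees with the package release; rpmlint reports this as an incoherent changelog version, and the entry should read `* Wed May 30 2018 Charalampos Stratakis - 2.7.5-69`. The same entry writes `3DS cipher` where the `Patch305:` comment in this hunk says 3DES; `- Remove 3DES cipher to mitigate CVE-2016-2183 (sweet32).` would match. The `Patch305:` comment block and the `%patch305 -p1` application are otherwise consistent with the patch file they reference.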