From 45541dc9520c8255e029859286131826f726f44c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 02 2022 07:49:50 +0000 Subject: import python27-python-2.7.18-4.el7 --- diff --git a/SOURCES/00366-CVE-2021-3733.patch b/SOURCES/00366-CVE-2021-3733.patch new file mode 100644 index 0000000..beffdf0 --- /dev/null +++ b/SOURCES/00366-CVE-2021-3733.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Tue, 14 Sep 2021 11:34:43 +0200 +Subject: [PATCH] 00366-CVE-2021-3733.patch + +00366 # +CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler + +Fix Regular Expression Denial of Service (ReDoS) vulnerability in +urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex +has quadratic worst-case complexity and it allows cause a denial of +service when identifying crafted invalid RFCs. This ReDoS issue is on +the client side and needs remote attackers to control the HTTP server. + +Backported from Python 3 together with another backward-compatible +improvement of the regex from fix for CVE-2020-8492. + +Co-authored-by: Yeting Li +--- + Lib/urllib2.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib2.py b/Lib/urllib2.py +index fd19e1ae943..e286583ecba 100644 +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, diff --git a/SOURCES/00368-CVE-2021-3737.patch b/SOURCES/00368-CVE-2021-3737.patch new file mode 100644 index 0000000..667c049 --- /dev/null +++ b/SOURCES/00368-CVE-2021-3737.patch @@ -0,0 +1,89 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 17 Sep 2021 07:56:50 +0200 +Subject: [PATCH] 00368-CVE-2021-3737.patch + +00368 # +CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue + +Fixes http.client potential denial of service where it could get stuck reading +lines from a malicious server after a 100 Continue response. + +Backported from Python 3. + +Co-authored-by: Gregory P. Smith +Co-authored-by: Gen Xu +--- + Lib/httplib.py | 32 +++++++++++++++++++++++--------- + Lib/test/test_httplib.py | 8 ++++++++ + 2 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/Lib/httplib.py b/Lib/httplib.py +index a63677477d5..f9a27619e62 100644 +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -365,6 +365,25 @@ class HTTPMessage(mimetools.Message): + # It's not a header line; skip it and try the next line. + self.status = 'Non-header line where header expected' + ++ ++def _read_headers(fp): ++ """Reads potential header lines into a list from a file pointer. ++ Length of line is limited by _MAXLINE, and number of ++ headers is limited by _MAXHEADERS. ++ """ ++ headers = [] ++ while True: ++ line = fp.readline(_MAXLINE + 1) ++ if len(line) > _MAXLINE: ++ raise LineTooLong("header line") ++ headers.append(line) ++ if len(headers) > _MAXHEADERS: ++ raise HTTPException("got more than %d headers" % _MAXHEADERS) ++ if line in (b'\r\n', b'\n', b''): ++ break ++ return headers ++ ++ + class HTTPResponse: + + # strict: If true, raise BadStatusLine if the status line can't be +@@ -453,15 +472,10 @@ class HTTPResponse: + if status != CONTINUE: + break + # skip the header from the 100 response +- while True: +- skip = self.fp.readline(_MAXLINE + 1) +- if len(skip) > _MAXLINE: +- raise LineTooLong("header line") +- skip = skip.strip() +- if not skip: +- break +- if self.debuglevel > 0: +- print "header:", skip ++ skipped_headers = _read_headers(self.fp) ++ if self.debuglevel > 0: ++ print("headers:", skipped_headers) ++ del skipped_headers + + self.status = status + self.reason = reason.strip() +diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py +index b5fec9aa1ec..d05c0fc28d2 100644 +--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -700,6 +700,14 @@ class BasicTest(TestCase): + resp = httplib.HTTPResponse(FakeSocket(body)) + self.assertRaises(httplib.LineTooLong, resp.begin) + ++ def test_overflowing_header_limit_after_100(self): ++ body = ( ++ 'HTTP/1.1 100 OK\r\n' ++ 'r\n' * 32768 ++ ) ++ resp = httplib.HTTPResponse(FakeSocket(body)) ++ self.assertRaises(httplib.HTTPException, resp.begin) ++ + def test_overflowing_chunked_line(self): + body = ( + 'HTTP/1.1 200 OK\r\n' diff --git a/SOURCES/00372-CVE-2021-4189.patch b/SOURCES/00372-CVE-2021-4189.patch new file mode 100644 index 0000000..95f11a8 --- /dev/null +++ b/SOURCES/00372-CVE-2021-4189.patch @@ -0,0 +1,80 @@ +diff --git a/Lib/ftplib.py b/Lib/ftplib.py +index 6644554..0550f0a 100644 +--- a/Lib/ftplib.py ++++ b/Lib/ftplib.py +@@ -108,6 +108,8 @@ class FTP: + file = None + welcome = None + passiveserver = 1 ++ # Disables https://bugs.python.org/issue43285 security if set to True. ++ trust_server_pasv_ipv4_address = False + + # Initialization method (called by class instantiation). + # Initialize host to localhost, port to standard ftp port +@@ -310,8 +312,13 @@ class FTP: + return sock + + def makepasv(self): ++ """Internal: Does the PASV or EPSV handshake -> (address, port)""" + if self.af == socket.AF_INET: +- host, port = parse227(self.sendcmd('PASV')) ++ untrusted_host, port = parse227(self.sendcmd('PASV')) ++ if self.trust_server_pasv_ipv4_address: ++ host = untrusted_host ++ else: ++ host = self.sock.getpeername()[0] + else: + host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername()) + return host, port +diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py +index 8a3eb06..62a3f5e 100644 +--- a/Lib/test/test_ftplib.py ++++ b/Lib/test/test_ftplib.py +@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_chat): + self.rest = None + self.next_retr_data = RETR_DATA + self.push('220 welcome') ++ # We use this as the string IPv4 address to direct the client ++ # to in response to a PASV command. To test security behavior. ++ # https://bugs.python.org/issue43285/. ++ self.fake_pasv_server_ip = '252.253.254.255' + + def collect_incoming_data(self, data): + self.in_buffer.append(data) +@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_chat): + sock.bind((self.socket.getsockname()[0], 0)) + sock.listen(5) + sock.settimeout(10) +- ip, port = sock.getsockname()[:2] ++ port = sock.getsockname()[1] ++ ip = self.fake_pasv_server_ip + ip = ip.replace('.', ',') + p1, p2 = divmod(port, 256) + self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2)) +@@ -577,6 +582,26 @@ class TestFTPClass(TestCase): + # IPv4 is in use, just make sure send_epsv has not been used + self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv') + ++ def test_makepasv_issue43285_security_disabled(self): ++ """Test the opt-in to the old vulnerable behavior.""" ++ self.client.trust_server_pasv_ipv4_address = True ++ bad_host, port = self.client.makepasv() ++ self.assertEqual( ++ bad_host, self.server.handler_instance.fake_pasv_server_ip) ++ # Opening and closing a connection keeps the dummy server happy ++ # instead of timing out on accept. ++ socket.create_connection((self.client.sock.getpeername()[0], port), ++ timeout=TIMEOUT).close() ++ ++ def test_makepasv_issue43285_security_enabled_default(self): ++ self.assertFalse(self.client.trust_server_pasv_ipv4_address) ++ trusted_host, port = self.client.makepasv() ++ self.assertNotEqual( ++ trusted_host, self.server.handler_instance.fake_pasv_server_ip) ++ # Opening and closing a connection keeps the dummy server happy ++ # instead of timing out on accept. ++ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close() ++ + def test_line_too_long(self): + self.assertRaises(ftplib.Error, self.client.sendcmd, + 'x' * self.client.maxline * 2) diff --git a/SOURCES/00377-CVE-2022-0391.patch b/SOURCES/00377-CVE-2022-0391.patch new file mode 100644 index 0000000..655d54e --- /dev/null +++ b/SOURCES/00377-CVE-2022-0391.patch @@ -0,0 +1,127 @@ +diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst +index 97d1119257c..c08c3dc8e8f 100644 +--- a/Doc/library/urlparse.rst ++++ b/Doc/library/urlparse.rst +@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the following functions: + decomposed before parsing, or is not a Unicode string, no error will be + raised. + ++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline ++ ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL. ++ + .. versionchanged:: 2.5 + Added attributes to return value. + +@@ -321,6 +324,10 @@ The :mod:`urlparse` module defines the following functions: + + .. seealso:: + ++ `WHATWG`_ - URL Living standard ++ Working Group for the URL Standard that defines URLs, domains, IP addresses, the ++ application/x-www-form-urlencoded format, and their API. ++ + :rfc:`3986` - Uniform Resource Identifiers + This is the current standard (STD66). Any changes to urlparse module + should conform to this. Certain deviations could be observed, which are +@@ -345,6 +352,7 @@ The :mod:`urlparse` module defines the following functions: + :rfc:`1738` - Uniform Resource Locators (URL) + This specifies the formal syntax and semantics of absolute URLs. + ++.. _WHATWG: https://url.spec.whatwg.org/ + + .. _urlparse-result-object: + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 21875bb2991..16eefed56f6 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -618,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase): + self.assertEqual(p1.path, '863-1234') + self.assertEqual(p1.params, 'phone-context=+1-914-555') + ++ def test_urlsplit_remove_unsafe_bytes(self): ++ # Remove ASCII tabs and newlines from input, for http common case scenario. ++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.scheme, "http") ++ self.assertEqual(p.netloc, "www.python.org") ++ self.assertEqual(p.path, "/javascript:alert('msg')/") ++ self.assertEqual(p.query, "query=something") ++ self.assertEqual(p.fragment, "fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, "www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario. ++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.scheme, b"http") ++ self.assertEqual(p.netloc, b"www.python.org") ++ self.assertEqual(p.path, b"/javascript:alert('msg')/") ++ self.assertEqual(p.query, b"query=something") ++ self.assertEqual(p.fragment, b"fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, b"www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # any scheme ++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, any scheme. ++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urlparse.urlsplit(url) ++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Unsafe bytes is not returned from urlparse cache. ++ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme ++ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ scheme = "htt\nps" ++ for _ in range(2): ++ p = urlparse.urlsplit(url, scheme=scheme) ++ self.assertEqual(p.scheme, "https") ++ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ + + def test_attributes_bad_port(self): + """Check handling of non-integer ports.""" +diff --git a/Lib/urlparse.py b/Lib/urlparse.py +index 69504d8fd93..6cc40a8d2fb 100644 +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -63,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz' + '0123456789' + '+-.') + ++# Unsafe bytes to be removed per WHATWG spec ++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] ++ + MAX_CACHE_SIZE = 20 + _parse_cache = {} + +@@ -185,12 +188,19 @@ def _checknetloc(netloc): + "under NFKC normalization" + % netloc) + ++def _remove_unsafe_bytes_from_url(url): ++ for b in _UNSAFE_URL_BYTES_TO_REMOVE: ++ url = url.replace(b, "") ++ return url ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# + Return a 5-tuple: (scheme, netloc, path, query, fragment). + Note that we don't break the components up in smaller bits + (e.g. netloc is a single string) and we don't expand % escapes.""" ++ url = _remove_unsafe_bytes_from_url(url) ++ scheme = _remove_unsafe_bytes_from_url(scheme) + allow_fragments = bool(allow_fragments) + key = url, scheme, allow_fragments, type(url), type(scheme) + cached = _parse_cache.get(key, None) diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch new file mode 100644 index 0000000..d5036d5 --- /dev/null +++ b/SOURCES/00378-support-expat-2-4-5.patch @@ -0,0 +1,94 @@ +From 8df8ec5c8e5078ca0e09aa5cf76b4e1802357588 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 21 Feb 2022 15:48:32 +0100 +Subject: [PATCH] 00378-support-expat-2-4-5.patch + +00378 # +Support expat 2.4.5 + +Curly brackets were never allowed in namespace URIs +according to RFC 3986, and so-called namespace-validating +XML parsers have the right to reject them a invalid URIs. + +libexpat >=2.4.5 has become strcter in that regard due to +related security issues; with ET.XML instantiating a +namespace-aware parser under the hood, this test has no +future in CPython. + +References: +- https://datatracker.ietf.org/doc/html/rfc3968 +- https://www.w3.org/TR/xml-names/ + +Also, test_minidom.py: Support Expat >=2.4.5 + +Upstream: https://bugs.python.org/issue46811 + +Backported from Python 3. + +Co-authored-by: Sebastian Pipping +--- + Lib/test/test_minidom.py | 8 ++++++-- + Lib/test/test_xml_etree.py | 6 ------ + .../next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 + + 3 files changed, 7 insertions(+), 8 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst + +diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py +index 2eb6423..2c9a7a3 100644 +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -6,12 +6,14 @@ from StringIO import StringIO + from test import support + import unittest + ++import pyexpat + import xml.dom + import xml.dom.minidom + import xml.parsers.expat + + from xml.dom.minidom import parse, Node, Document, parseString + from xml.dom.minidom import getDOMImplementation ++from xml.parsers.expat import ExpatError + + + tstfile = support.findfile("test.xml", subdir="xmltestdata") +@@ -1051,8 +1053,10 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- self.assertRaises(UnicodeDecodeError, parseString, +- 'Comment \xe7a va ? Tr\xe8s bien ?') ++ self.assertRaises(ExpatError, parseString, ++ '') ++ self.assertRaises(ExpatError, parseString, ++ 'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() + +diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py +index c75d55f..0855bc0 100644 +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1482,12 +1482,6 @@ class BugsTest(unittest.TestCase): + b"\n" + b'tãg') + +- def test_issue3151(self): +- e = ET.XML('') +- self.assertEqual(e.tag, '{${stuff}}localname') +- t = ET.ElementTree(e) +- self.assertEqual(ET.tostring(e), b'') +- + def test_issue6565(self): + elem = ET.XML("") + self.assertEqual(summarize_list(elem), ['tag']) +diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst +new file mode 100644 +index 0000000..6969bd1 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst +@@ -0,0 +1 @@ ++Make test suite support Expat >=2.4.5 +-- +2.35.1 + diff --git a/SPECS/python.spec b/SPECS/python.spec index 891e14a..0d02a5f 100644 --- a/SPECS/python.spec +++ b/SPECS/python.spec @@ -122,7 +122,7 @@ Summary: An interpreted, interactive, object-oriented programming language Name: %{?scl_prefix}%{python} # Remember to also rebase python-docs when changing this: Version: 2.7.18 -Release: 3%{?dist} +Release: 4%{?dist} License: Python Group: Development/Languages %{?scl:Requires: %{scl}-runtime} @@ -733,6 +733,74 @@ Patch357: 00357-CVE-2021-3177.patch # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 Patch359: 00359-CVE-2021-23336.patch +# 00366 # +# CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler +# +# Fix Regular Expression Denial of Service (ReDoS) vulnerability in +# urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex +# has quadratic worst-case complexity and it allows cause a denial of +# service when identifying crafted invalid RFCs. This ReDoS issue is on +# the client side and needs remote attackers to control the HTTP server. +# +# Backported from Python 3 together with another backward-compatible +# improvement of the regex from fix for CVE-2020-8492. +# +# Upstream: https://bugs.python.org/issue43075 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234 +Patch366: 00366-CVE-2021-3733.patch + +# 00368 # +# CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue +# +# Fixes http.client potential denial of service where it could get stuck reading +# lines from a malicious server after a 100 Continue response. +# +# Backported from Python 3. +# +# Upstream: https://bugs.python.org/issue44022 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995162 +Patch368: 00368-CVE-2021-3737.patch + +# 00372 # +# CVE-2021-4189: ftplib should not use the host from the PASV response +# Upstream: https://bugs.python.org/issue43285 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020 +Patch372: 00372-CVE-2021-4189.patch + +# 00377 # +# CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs +# +# ASCII newline and tab characters are stripped from the URL. +# +# Backported from Python 3. +# +# Upstream: https://bugs.python.org/issue43882 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2047376 +Patch377: 00377-CVE-2022-0391.patch + +# 00378 # 32b7f6200303fb36d104ac8d2afa3afba1789c1b +# Support expat 2.4.5 +# +# Curly brackets were never allowed in namespace URIs +# according to RFC 3986, and so-called namespace-validating +# XML parsers have the right to reject them a invalid URIs. +# +# libexpat >=2.4.5 has become strcter in that regard due to +# related security issues; with ET.XML instantiating a +# namespace-aware parser under the hood, this test has no +# future in CPython. +# +# References: +# - https://datatracker.ietf.org/doc/html/rfc3968 +# - https://www.w3.org/TR/xml-names/ +# +# Also, test_minidom.py: Support Expat >=2.4.5 +# +# Upstream: https://bugs.python.org/issue46811 +# +# Backported from Python 3. +Patch378: 00378-support-expat-2-4-5.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora 17 onwards, @@ -1074,6 +1142,11 @@ git apply %{PATCH351} %patch355 -p1 %patch357 -p1 %patch359 -p1 +%patch366 -p1 +%patch368 -p1 +%patch372 -p1 +%patch377 -p1 +%patch378 -p1 # This shouldn't be necesarry, but is right now (2.2a3) find -name "*~" |xargs rm -f @@ -1945,6 +2018,11 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Wed Mar 16 2022 Charalampos Stratakis - 2.7.18-4 +- Security fixes for CVE-2021-3733, CVE-2021-3737, CVE-2021-4189 and CVE-2022-0391 +- Fix test suite issues with the latest expat security update +Resolves: rhbz#1995234, rhbz#1995162, rhbz#2036020, rhbz#2047376 + * Wed Jul 21 2021 Charalampos Stratakis - 2.7.18-3 - Security fixes for CVE-2021-3177, CVE-2021-23336 and CVE-2020-27619 Resolves: rhbz#1918168, rhbz#1928904, rhbz#1889886