diff --git a/backport-3.7-bpo-43124-Fix-smtplib-multiple-CRLF-injection-GH.patch b/backport-3.7-bpo-43124-Fix-smtplib-multiple-CRLF-injection-GH.patch new file mode 100644 index 0000000000000000000000000000000000000000..a04730ba7245d75d1a55c00ae56e7fbcd9fcf1ce --- /dev/null +++ b/backport-3.7-bpo-43124-Fix-smtplib-multiple-CRLF-injection-GH.patch @@ -0,0 +1,128 @@ +From d2cc04cd3024869101e894f73307944d98d187c8 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 30 Aug 2021 12:16:24 -0700 +Subject: [PATCH] [3.7] bpo-43124: Fix smtplib multiple CRLF injection + (GH-25987) (GH-28037) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com> + +Co-authored-by: Łukasz Langa +(cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019) +--- + Lib/smtplib.py | 11 +++-- + Lib/test/test_smtplib.py | 55 ++++++++++++++++++++++ + .../2021-05-08-11-50-46.bpo-43124.2CTM6M.rst | 2 + + 3 files changed, 65 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst + +diff --git a/Lib/smtplib.py b/Lib/smtplib.py +index 22d5097..345f03d 100755 +--- a/Lib/smtplib.py ++++ b/Lib/smtplib.py +@@ -361,10 +361,15 @@ def send(self, s): + def putcmd(self, cmd, args=""): + """Send a command to the server.""" + if args == "": +- str = '%s%s' % (cmd, CRLF) ++ s = cmd + else: +- str = '%s %s%s' % (cmd, args, CRLF) +- self.send(str) ++ s = f'{cmd} {args}' ++ if '\r' in s or '\n' in s: ++ s = s.replace('\n', '\\n').replace('\r', '\\r') ++ raise ValueError( ++ f'command and arguments contain prohibited newline characters: {s}' ++ ) ++ self.send(f'{s}{CRLF}') + + def getreply(self): + """Get a reply from the server. +diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py +index b4149d3..a8c7402 100644 +--- a/Lib/test/test_smtplib.py ++++ b/Lib/test/test_smtplib.py +@@ -282,6 +282,16 @@ def testEXPNNotImplemented(self): + self.assertEqual(smtp.getreply(), expected) + smtp.quit() + ++ def test_issue43124_putcmd_escapes_newline(self): ++ # see: https://bugs.python.org/issue43124 ++ smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', ++ timeout=10) # support.LOOPBACK_TIMEOUT in newer Pythons ++ self.addCleanup(smtp.close) ++ with self.assertRaises(ValueError) as exc: ++ smtp.putcmd('helo\nX-INJECTED') ++ self.assertIn("prohibited newline characters", str(exc.exception)) ++ smtp.quit() ++ + def testVRFY(self): + smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=3) + expected = (252, b'Cannot VRFY user, but will accept message ' + \ +@@ -351,6 +361,51 @@ def testSendNeedingDotQuote(self): + mexpect = '%s%s\n%s' % (MSG_BEGIN, m, MSG_END) + self.assertEqual(self.output.getvalue(), mexpect) + ++ def test_issue43124_escape_localhostname(self): ++ # see: https://bugs.python.org/issue43124 ++ # connect and send mail ++ m = 'wazzuuup\nlinetwo' ++ smtp = smtplib.SMTP(HOST, self.port, local_hostname='hi\nX-INJECTED', ++ timeout=10) # support.LOOPBACK_TIMEOUT in newer Pythons ++ self.addCleanup(smtp.close) ++ with self.assertRaises(ValueError) as exc: ++ smtp.sendmail("hi@me.com", "you@me.com", m) ++ self.assertIn( ++ "prohibited newline characters: ehlo hi\\nX-INJECTED", ++ str(exc.exception), ++ ) ++ # XXX (see comment in testSend) ++ time.sleep(0.01) ++ smtp.quit() ++ ++ debugout = smtpd.DEBUGSTREAM.getvalue() ++ self.assertNotIn("X-INJECTED", debugout) ++ ++ def test_issue43124_escape_options(self): ++ # see: https://bugs.python.org/issue43124 ++ # connect and send mail ++ m = 'wazzuuup\nlinetwo' ++ smtp = smtplib.SMTP( ++ HOST, self.port, local_hostname='localhost', ++ timeout=10) # support.LOOPBACK_TIMEOUT in newer Pythons ++ ++ self.addCleanup(smtp.close) ++ smtp.sendmail("hi@me.com", "you@me.com", m) ++ with self.assertRaises(ValueError) as exc: ++ smtp.mail("hi@me.com", ["X-OPTION\nX-INJECTED-1", "X-OPTION2\nX-INJECTED-2"]) ++ msg = str(exc.exception) ++ self.assertIn("prohibited newline characters", msg) ++ self.assertIn("X-OPTION\\nX-INJECTED-1 X-OPTION2\\nX-INJECTED-2", msg) ++ # XXX (see comment in testSend) ++ time.sleep(0.01) ++ smtp.quit() ++ ++ debugout = smtpd.DEBUGSTREAM.getvalue() ++ self.assertNotIn("X-OPTION", debugout) ++ self.assertNotIn("X-OPTION2", debugout) ++ self.assertNotIn("X-INJECTED-1", debugout) ++ self.assertNotIn("X-INJECTED-2", debugout) ++ + def testSendNullSender(self): + m = 'A test message' + smtp = smtplib.SMTP(HOST, self.port, local_hostname='localhost', timeout=3) +diff --git a/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst b/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst +new file mode 100644 +index 0000000..e897d6c +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-05-08-11-50-46.bpo-43124.2CTM6M.rst +@@ -0,0 +1,2 @@ ++Made the internal ``putcmd`` function in :mod:`smtplib` sanitize input for ++presence of ``\r`` and ``\n`` characters to avoid (unlikely) command injection. +-- +1.8.3.1 + diff --git a/backport-bpo-12800-tarfile-Restore-fix-from-011525ee9.patch b/backport-bpo-12800-tarfile-Restore-fix-from-011525ee9.patch new file mode 100644 index 0000000000000000000000000000000000000000..06d7a362b0665abd9a6510c79af592820f82dcef --- /dev/null +++ b/backport-bpo-12800-tarfile-Restore-fix-from-011525ee9.patch @@ -0,0 +1,59 @@ +From 4fedd7123eaf147edd55eabbbd72e0bcc8368e47 Mon Sep 17 00:00:00 2001 +From: Julien Palard +Date: Wed, 25 Nov 2020 10:23:17 +0100 +Subject: [PATCH] bpo-12800: tarfile: Restore fix from 011525ee9 (GH-21409) + +Restore fix from 011525ee92eb1c13ad1a62d28725a840e28f8160. +--- + Lib/tarfile.py | 3 +++ + Lib/test/test_tarfile.py | 6 +++--- + Misc/NEWS.d/next/Library/2020-07-09-11-32-28.bpo-12800.fNgWwx.rst | 4 ++++ + 3 files changed, 10 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2020-07-09-11-32-28.bpo-12800.fNgWwx.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 3be5188..6d743da 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -2201,6 +2201,9 @@ class TarFile(object): + try: + # For systems that support symbolic and hard links. + if tarinfo.issym(): ++ if os.path.lexists(targetpath): ++ # Avoid FileExistsError on following os.symlink. ++ os.unlink(targetpath) + os.symlink(tarinfo.linkname, targetpath) + else: + # See extract(). +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 9133d60..fe68c6f 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -1314,11 +1314,11 @@ class WriteTest(WriteTestBase, unittest.TestCase): + f.write('something\n') + os.symlink(source_file, target_file) + tar = tarfile.open(temparchive,'w') +- tar.add(source_file) +- tar.add(target_file) ++ tar.add(source_file, arcname="source") ++ tar.add(target_file, arcname="symlink") + tar.close() + # Let's extract it to the location which contains the symlink +- tar = tarfile.open(temparchive,'r') ++ tar = tarfile.open(temparchive,'r', errorlevel=2) + # this should not raise OSError: [Errno 17] File exists + try: + tar.extractall(path=tempdir) +diff --git a/Misc/NEWS.d/next/Library/2020-07-09-11-32-28.bpo-12800.fNgWwx.rst b/Misc/NEWS.d/next/Library/2020-07-09-11-32-28.bpo-12800.fNgWwx.rst +new file mode 100644 +index 0000000..fdd7c5e +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-07-09-11-32-28.bpo-12800.fNgWwx.rst +@@ -0,0 +1,4 @@ ++Extracting a symlink from a tarball should succeed and overwrite the symlink ++if it already exists. The fix is to remove the existing file or symlink ++before extraction. Based on patch by Chris AtLee, Jeffrey Kintscher, and ++Senthil Kumaran. +-- +1.8.3.1 + diff --git a/backport-bpo-41815-SQLite-segfault-if-backup-called-on-closed.patch b/backport-bpo-41815-SQLite-segfault-if-backup-called-on-closed.patch new file mode 100644 index 0000000000000000000000000000000000000000..9ecb12bbaa5f1c04224ee763d8074a141b8e6aa1 --- /dev/null +++ b/backport-bpo-41815-SQLite-segfault-if-backup-called-on-closed.patch @@ -0,0 +1,68 @@ +From bfee9fad84531a471fd7864e88947320669f68e2 Mon Sep 17 00:00:00 2001 +From: Peter McCormick +Date: Sat, 19 Sep 2020 23:40:46 -0400 +Subject: [PATCH] bpo-41815: SQLite: segfault if backup called on closed + database (GH-22322) + +# [bpo-41815](): SQLite: fix segfault if backup called on closed database + +Attempting to backup a closed database will trigger segfault: + +```python +import sqlite3 +target = sqlite3.connect(':memory:') +source = sqlite3.connect(':memory:') +source.close() +source.backup(target) +``` +--- + Lib/sqlite3/test/backup.py | 7 +++++++ + Misc/NEWS.d/next/Library/2020-09-19-23-14-54.bpo-41815.RNpuX3.rst | 2 ++ + Modules/_sqlite/connection.c | 4 ++++ + 3 files changed, 13 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2020-09-19-23-14-54.bpo-41815.RNpuX3.rst + +diff --git a/Lib/sqlite3/test/backup.py b/Lib/sqlite3/test/backup.py +index 903bacf..ad1da97 100644 +--- a/Lib/sqlite3/test/backup.py ++++ b/Lib/sqlite3/test/backup.py +@@ -36,6 +36,13 @@ class BackupTests(unittest.TestCase): + with self.assertRaises(sqlite.ProgrammingError): + self.cx.backup(bck) + ++ def test_bad_source_closed_connection(self): ++ bck = sqlite.connect(':memory:') ++ source = sqlite.connect(":memory:") ++ source.close() ++ with self.assertRaises(sqlite.ProgrammingError): ++ source.backup(bck) ++ + def test_bad_target_in_transaction(self): + bck = sqlite.connect(':memory:') + bck.execute('CREATE TABLE bar (key INTEGER)') +diff --git a/Misc/NEWS.d/next/Library/2020-09-19-23-14-54.bpo-41815.RNpuX3.rst b/Misc/NEWS.d/next/Library/2020-09-19-23-14-54.bpo-41815.RNpuX3.rst +new file mode 100644 +index 0000000..3560db9 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-09-19-23-14-54.bpo-41815.RNpuX3.rst +@@ -0,0 +1,2 @@ ++Fix SQLite3 segfault when backing up closed database. Patch contributed by ++Peter David McCormick. +diff --git a/Modules/_sqlite/connection.c b/Modules/_sqlite/connection.c +index 9eb61c1..2d2f4fd 100644 +--- a/Modules/_sqlite/connection.c ++++ b/Modules/_sqlite/connection.c +@@ -1489,6 +1489,10 @@ pysqlite_connection_backup(pysqlite_Connection *self, PyObject *args, PyObject * + sleep_ms = (int)ms; + } + ++ if (!pysqlite_check_thread(self) || !pysqlite_check_connection(self)) { ++ return NULL; ++ } ++ + if (!pysqlite_check_connection((pysqlite_Connection *)target)) { + return NULL; + } +-- +1.8.3.1 + diff --git a/backport-bpo-42183-Fix-a-stack-overflow-error-for-asyncio-Tas.patch b/backport-bpo-42183-Fix-a-stack-overflow-error-for-asyncio-Tas.patch new file mode 100644 index 0000000000000000000000000000000000000000..78d175d518912c661ee0288aa7d34952b3af0638 --- /dev/null +++ b/backport-bpo-42183-Fix-a-stack-overflow-error-for-asyncio-Tas.patch @@ -0,0 +1,105 @@ +From 42d873c63aa9d160c132be4a34599531574db12c Mon Sep 17 00:00:00 2001 +From: Andrew Svetlov +Date: Tue, 10 Nov 2020 15:58:31 +0200 +Subject: [PATCH] bpo-42183: Fix a stack overflow error for asyncio Task or + Future repr() (GH-23020) + +The overflow occurs under some circumstances when a task or future +recursively returns itself. + +Co-authored-by: Kyle Stanley +--- + Lib/asyncio/base_futures.py | 25 +++++++++++++++++++--- + Lib/test/test_asyncio/test_futures2.py | 18 ++++++++++++++++ + .../2020-10-29-11-17-35.bpo-42183.50ZcIi.rst | 4 ++++ + 3 files changed, 44 insertions(+), 3 deletions(-) + create mode 100644 Lib/test/test_asyncio/test_futures2.py + create mode 100644 Misc/NEWS.d/next/Library/2020-10-29-11-17-35.bpo-42183.50ZcIi.rst + +diff --git a/Lib/asyncio/base_futures.py b/Lib/asyncio/base_futures.py +index 5182884..2646fde 100644 +--- a/Lib/asyncio/base_futures.py ++++ b/Lib/asyncio/base_futures.py +@@ -2,6 +2,7 @@ __all__ = () + + import concurrent.futures._base + import reprlib ++from _thread import get_ident + + from . import format_helpers + +@@ -51,6 +52,16 @@ def _format_callbacks(cb): + return f'cb=[{cb}]' + + ++# bpo-42183: _repr_running is needed for repr protection ++# when a Future or Task result contains itself directly or indirectly. ++# The logic is borrowed from @reprlib.recursive_repr decorator. ++# Unfortunately, the direct decorator usage is impossible because of ++# AttributeError: '_asyncio.Task' object has no attribute '__module__' error. ++# ++# After fixing this thing we can return to the decorator based approach. ++_repr_running = set() ++ ++ + def _future_repr_info(future): + # (Future) -> str + """helper function for Future.__repr__""" +@@ -59,9 +70,17 @@ def _future_repr_info(future): + if future._exception is not None: + info.append(f'exception={future._exception!r}') + else: +- # use reprlib to limit the length of the output, especially +- # for very long strings +- result = reprlib.repr(future._result) ++ key = id(future), get_ident() ++ if key in _repr_running: ++ result = '...' ++ else: ++ _repr_running.add(key) ++ try: ++ # use reprlib to limit the length of the output, especially ++ # for very long strings ++ result = reprlib.repr(future._result) ++ finally: ++ _repr_running.discard(key) + info.append(f'result={result}') + if future._callbacks: + info.append(_format_callbacks(future._callbacks)) +diff --git a/Lib/test/test_asyncio/test_futures2.py b/Lib/test/test_asyncio/test_futures2.py +new file mode 100644 +index 0000000..c78b0cb +--- /dev/null ++++ b/Lib/test/test_asyncio/test_futures2.py +@@ -0,0 +1,18 @@ ++# IsolatedAsyncioTestCase based tests ++import asyncio ++import unittest ++ ++ ++class FutureTests(unittest.TestCase): ++ async def test_recursive_repr_for_pending_tasks(self): ++ # The call crashes if the guard for recursive call ++ # in base_futures:_future_repr_info is absent ++ # See Also: https://bugs.python.org/issue42183 ++ ++ async def func(): ++ return asyncio.all_tasks() ++ ++ # The repr() call should not raise RecursiveError at first. ++ # The check for returned string is not very reliable but ++ # exact comparison for the whole string is even weaker. ++ self.assertIn('...', repr(await asyncio.wait_for(func(), timeout=10))) +diff --git a/Misc/NEWS.d/next/Library/2020-10-29-11-17-35.bpo-42183.50ZcIi.rst b/Misc/NEWS.d/next/Library/2020-10-29-11-17-35.bpo-42183.50ZcIi.rst +new file mode 100644 +index 0000000..f6d7653 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-10-29-11-17-35.bpo-42183.50ZcIi.rst +@@ -0,0 +1,4 @@ ++Fix a stack overflow error for asyncio Task or Future repr(). ++ ++The overflow occurs under some circumstances when a Task or Future ++recursively returns itself. +-- +1.8.3.1 + diff --git a/backport-bpo-45001-Make-email-date-parsing-more-robust-agains.patch b/backport-bpo-45001-Make-email-date-parsing-more-robust-agains.patch new file mode 100644 index 0000000000000000000000000000000000000000..a30a2da55db78887a1fd3c632724d0564187c499 --- /dev/null +++ b/backport-bpo-45001-Make-email-date-parsing-more-robust-agains.patch @@ -0,0 +1,93 @@ +From e9b85afd7dc004460f6d914375ab67d617a8a7ff Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 30 Aug 2021 11:48:04 -0700 +Subject: [PATCH] bpo-45001: Make email date parsing more robust against + malformed input (GH-27946) (GH-27975) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Various date parsing utilities in the email module, such as +email.utils.parsedate(), are supposed to gracefully handle invalid +input, typically by raising an appropriate exception or by returning +None. + +The internal email._parseaddr._parsedate_tz() helper used by some of +these date parsing routines tries to be robust against malformed input, +but unfortunately it can still crash ungracefully when a non-empty but +whitespace-only input is passed. This manifests as an unexpected +IndexError. + +In practice, this can happen when parsing an email with only a newline +inside a ‘Date:’ header, which unfortunately happens occasionally in the +real world. + +Here's a minimal example: + + $ python + Python 3.9.6 (default, Jun 30 2021, 10:22:16) + [GCC 11.1.0] on linux + Type "help", "copyright", "credits" or "license" for more information. + >>> import email.utils + >>> email.utils.parsedate('foo') + >>> email.utils.parsedate(' ') + Traceback (most recent call last): + File "", line 1, in + File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate + t = parsedate_tz(data) + File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz + res = _parsedate_tz(data) + File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz + if data[0].endswith(',') or data[0].lower() in _daynames: + IndexError: list index out of range + +The fix is rather straight-forward: guard against empty lists, after +splitting on whitespace, but before accessing the first element. +(cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac) + +Co-authored-by: wouter bolsterlee +--- + Lib/email/_parseaddr.py | 2 ++ + Lib/test/test_email/test_email.py | 2 ++ + Misc/NEWS.d/next/Library/2021-08-26-16-25-48.bpo-45001.tn_dKp.rst | 2 ++ + 3 files changed, 6 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2021-08-26-16-25-48.bpo-45001.tn_dKp.rst + +diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py +index 41ff6f8..178329f 100644 +--- a/Lib/email/_parseaddr.py ++++ b/Lib/email/_parseaddr.py +@@ -67,6 +67,8 @@ def _parsedate_tz(data): + if not data: + return + data = data.split() ++ if not data: # This happens for whitespace-only input. ++ return None + # The FWS after the comma after the day-of-week is optional, so search and + # adjust for this. + if data[0].endswith(',') or data[0].lower() in _daynames: +diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py +index 9e5c6ad..64bcdcc 100644 +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py +@@ -2967,6 +2967,8 @@ def test_formatdate_usegmt(self): + def test_parsedate_returns_None_for_invalid_strings(self): + self.assertIsNone(utils.parsedate('')) + self.assertIsNone(utils.parsedate_tz('')) ++ self.assertIsNone(utils.parsedate(' ')) ++ self.assertIsNone(utils.parsedate_tz(' ')) + self.assertIsNone(utils.parsedate('0')) + self.assertIsNone(utils.parsedate_tz('0')) + self.assertIsNone(utils.parsedate('A Complete Waste of Time')) +diff --git a/Misc/NEWS.d/next/Library/2021-08-26-16-25-48.bpo-45001.tn_dKp.rst b/Misc/NEWS.d/next/Library/2021-08-26-16-25-48.bpo-45001.tn_dKp.rst +new file mode 100644 +index 0000000..55cc409 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2021-08-26-16-25-48.bpo-45001.tn_dKp.rst +@@ -0,0 +1,2 @@ ++Made email date parsing more robust against malformed input, namely a ++whitespace-only ``Date:`` header. Patch by Wouter Bolsterlee. +-- +1.8.3.1 + diff --git a/python3.spec b/python3.spec index 415d7e16bbff6608ae87a8eb6bf7770eedc97f9f..6639c1f28f8b6af0198138f7a2191b66122f172f 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.7.9 -Release: 19 +Release: 20 License: Python %global branchversion 3.7 @@ -154,6 +154,11 @@ Patch6043: backport-36356-Fix-memory-leak-in-_asynciomodule.c-GH-165.patch Patch6044: backport-36285-Fix-integer-overflow-in-the-array-module.patch Patch6045: backport-CVE-2021-4189.patch Patch6046: backport-CVE-2022-0391.patch +Patch6047: backport-bpo-12800-tarfile-Restore-fix-from-011525ee9.patch +Patch6048: backport-bpo-42183-Fix-a-stack-overflow-error-for-asyncio-Tas.patch +Patch6049: backport-bpo-41815-SQLite-segfault-if-backup-called-on-closed.patch +Patch6050: backport-bpo-45001-Make-email-date-parsing-more-robust-agains.patch +Patch6051: backport-3.7-bpo-43124-Fix-smtplib-multiple-CRLF-injection-GH.patch Recommends: %{name}-help = %{version}-%{release} Provides: python%{branchversion} = %{version}-%{release} @@ -294,6 +299,11 @@ rm Lib/ensurepip/_bundled/*.whl %patch6044 -p1 %patch6045 -p1 %patch6046 -p1 +%patch6047 -p1 +%patch6048 -p1 +%patch6049 -p1 +%patch6050 -p1 +%patch6051 -p1 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py rm configure pyconfig.h.in @@ -895,6 +905,16 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Sat Feb 19 2022 shixuantong - 3.7.9-20 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:bpo-43124: Fix smtplib multiple CRLF injection + bpo-12800: tarfile: Restore fix from 011525ee9 + bpo-41815: SQLite: segfault if backup called on closed database + bpo-42183: Fix a stack overflow error for asyncio Task or Future repr() + bpo-45001: Make email date parsing more robust against malformed input + * Thu Feb 17 2022 shixuantong - 3.7.9-19 - Type:CVE - CVE:CVE-2021-4189 CVE-2022-0391