Commit f88be98b authored by Matthias Klose's avatar Matthias Klose

- checkin patches for 2.7.15-6 - 2.7.15-9

parent b0beb352
python2.7 (2.7.15-9) unstable; urgency=medium
* Update to 20190216 from the 2.7 branch.
- Backport of TLS 1.3 related fixes from 3.7.
* Drop the local TLS 1.3 backports.
-- Matthias Klose <doko@debian.org> Sat, 16 Feb 2019 11:39:20 +0100
python2.7 (2.7.15-8) unstable; urgency=medium
* Fix typo in autopkg test.
-- Matthias Klose <doko@debian.org> Sun, 03 Feb 2019 14:13:16 +0100
python2.7 (2.7.15-7) unstable; urgency=medium
* Expect the test_site test failing as in 3.7.
-- Matthias Klose <doko@debian.org> Sun, 03 Feb 2019 12:51:14 +0100
python2.7 (2.7.15-6) unstable; urgency=medium
* Update to 20190201 from the 2.7 branch.
- CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
- CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
Closes: #921039.
- CVE-2019-5010: DsO vulnerability exists in the X509 certificate parser.
Closes: #921040.
* Bump standards version.
* Update symbols file.
-- Matthias Klose <doko@debian.org> Fri, 01 Feb 2019 08:18:31 +0100
python2.7 (2.7.15-5) unstable; urgency=medium
* Update to 20181127 from the 2.7 branch.
......
......@@ -21,7 +21,7 @@ Build-Conflicts: tcl8.4-dev, tk8.4-dev,
python2.7-xml, python-xml,
autoconf2.13, python-cxx-dev,
hardening-wrapper
Standards-Version: 4.2.1
Standards-Version: 4.3.0
Vcs-Browser: https://salsa.debian.org/cpython-team/python2
Vcs-Git: https://salsa.debian.org/cpython-team/python2.git
XS-Testsuite: autopkgtest
......
......@@ -21,7 +21,7 @@ Build-Conflicts: tcl8.4-dev, tk8.4-dev,
@PVER@-xml, python-xml,
autoconf2.13, python-cxx-dev,
hardening-wrapper
Standards-Version: 4.2.1
Standards-Version: 4.3.0
Vcs-Browser: https://salsa.debian.org/cpython-team/python2
Vcs-Git: https://salsa.debian.org/cpython-team/python2.git
XS-Testsuite: autopkgtest
......
......@@ -1256,6 +1256,7 @@
(optional)_Py_expm1@Base @VER@
_Py_findlabel@Base @VER@
(arch=i386 lpia m68k)_Py_force_double@Base @VER@
_Py_freegrammar@Base @VER@
(arch=amd64 i386 lpia)_Py_get_387controlword@Base @VER@
_Py_gitidentifier@Base 2.7.1
_Py_gitversion@Base 2.7.1
......
From 9e32244ea7d2621030f040b0f4e5af89480ecc0f Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 15 Aug 2018 09:07:28 +0200
Subject: [PATCH] [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
(GH-8760)
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.
Also update multissltests to test with latest OpenSSL.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
Co-authored-by: Christian Heimes <christian@python.org>
---
Doc/library/ssl.rst | 8 ++--
Lib/test/test_ssl.py | 37 +++++++++++--------
.../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
3 files changed, 27 insertions(+), 21 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 042103177230..7c7c85b833a8 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -294,11 +294,6 @@ purposes.
3DES was dropped from the default cipher string.
- .. versionchanged:: 2.7.15
-
- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
-
.. function:: _https_verify_certificates(enable=True)
Specifies whether or not server certificates are verified when creating
@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
give the currently selected cipher.
+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
+
.. method:: SSLContext.set_alpn_protocols(protocols)
Specify which protocols the socket should advertise during the SSL/TLS
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 7d06dc57c8e1..2746a81ce080 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2772,19 +2772,24 @@ def test_do_handshake_enotconn(self):
sock.do_handshake()
self.assertEqual(cm.exception.errno, errno.ENOTCONN)
- def test_default_ciphers(self):
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- try:
- # Force a set of weak ciphers on our client context
- context.set_ciphers("DES")
- except ssl.SSLError:
- self.skipTest("no DES cipher available")
- with ThreadedEchoServer(CERTFILE,
- ssl_version=ssl.PROTOCOL_SSLv23,
- chatty=False) as server:
- with closing(context.wrap_socket(socket.socket())) as s:
- with self.assertRaises(ssl.SSLError):
- s.connect((HOST, server.port))
+ def test_no_shared_ciphers(self):
+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ client_context.verify_mode = ssl.CERT_REQUIRED
+ client_context.check_hostname = True
+
+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
+ client_context.options |= ssl.OP_NO_TLSv1_3
+ # Force different suites on client and master
+ client_context.set_ciphers("AES128")
+ server_context.set_ciphers("AES256")
+ with ThreadedEchoServer(context=server_context) as server:
+ s = client_context.wrap_socket(
+ socket.socket(),
+ server_hostname="localhost")
+ with self.assertRaises(ssl.SSLError):
+ s.connect((HOST, server.port))
self.assertIn("no shared cipher", str(server.conn_errors[0]))
def test_version_basic(self):
@@ -2815,9 +2820,9 @@ def test_tls1_3(self):
with context.wrap_socket(socket.socket()) as s:
s.connect((HOST, server.port))
self.assertIn(s.cipher()[0], [
- 'TLS13-AES-256-GCM-SHA384',
- 'TLS13-CHACHA20-POLY1305-SHA256',
- 'TLS13-AES-128-GCM-SHA256',
+ 'TLS_AES_256_GCM_SHA384',
+ 'TLS_CHACHA20_POLY1305_SHA256',
+ 'TLS_AES_128_GCM_SHA256',
])
@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
new file mode 100644
index 000000000000..bd719a47e8f8
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
@@ -0,0 +1,3 @@
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
From 41ff2b42613e2b21c71f8cc85c38b41044f41c29 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 28 Sep 2018 14:15:52 +0100
Subject: [PATCH] bpo-34818: Add missing closing() wrapper in test_tls1_3.
Python 2.7 socket classes do not implement context manager protocol,
hence closing() is required around it. Resolves testcase error
traceback.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
https://bugs.python.org/issue34818
---
Lib/test/test_ssl.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index dc14e22ad121..a5ba49b321ef 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2812,7 +2812,7 @@ def test_tls1_3(self):
ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
)
with ThreadedEchoServer(context=context) as server:
- with context.wrap_socket(socket.socket()) as s:
+ with closing(context.wrap_socket(socket.socket())) as s:
s.connect((HOST, server.port))
self.assertIn(s.cipher()[0], [
'TLS13-AES-256-GCM-SHA384',
From 4fa35e8b1ebb2a8e88ba7c4c9cd2a17b35638ee6 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 28 Sep 2018 16:34:16 +0100
Subject: [PATCH] bpo-34834: Fix test_ssl.test_options to account for
OP_ENABLE_MIDDLEBOX_COMPAT.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
https://bugs.python.org/issue34834
---
Lib/test/test_ssl.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index dc14e22ad121..03a76ee6aba2 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -777,6 +777,11 @@ def test_options(self):
default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
default |= ssl.OP_NO_COMPRESSION
+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
+ # define MIDDLEBOX constant, as python2.7 does not know about it
+ # but it is used by default.
+ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
+ default |= OP_ENABLE_MIDDLEBOX_COMPAT
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
From 65e10ca6815f1471e49bf7ad34d6652f079d31c8 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 28 Sep 2018 17:30:19 +0100
Subject: [PATCH] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
https://bugs.python.org/issue34836
---
Lib/test/test_ssl.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index dc14e22ad121..bc3be9d0b132 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -2826,6 +2826,9 @@ def test_default_ecdh_curve(self):
# should be enabled by default on SSL contexts.
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_cert_chain(CERTFILE)
+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
+ # cipher name.
+ context.options |= ssl.OP_NO_TLSv1_3
# Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
# explicitly using the 'ECCdraft' cipher alias. Otherwise,
# our default cipher list should prefer ECDH-based ciphers
......@@ -2,8 +2,6 @@
# DP: - installs into $prefix/dist-packages instead of $prefix/site-packages.
# DP: - doesn't encode the python version into the egg name.
Index: b/Doc/install/index.rst
===================================================================
--- a/Doc/install/index.rst
+++ b/Doc/install/index.rst
@@ -255,6 +255,8 @@ is pure Python or contains extensions ("
......@@ -64,8 +62,6 @@ Index: b/Doc/install/index.rst
The most convenient way is to add a path configuration file to a directory
that's already on Python's path, usually to the :file:`.../site-packages/`
directory. Path configuration files have an extension of :file:`.pth`, and each
Index: b/Lib/distutils/command/install.py
===================================================================
--- a/Lib/distutils/command/install.py
+++ b/Lib/distutils/command/install.py
@@ -47,6 +47,20 @@ INSTALL_SCHEMES = {
......@@ -150,8 +146,6 @@ Index: b/Lib/distutils/command/install.py
# finalize_unix ()
Index: b/Lib/distutils/command/install_egg_info.py
===================================================================
--- a/Lib/distutils/command/install_egg_info.py
+++ b/Lib/distutils/command/install_egg_info.py
@@ -14,18 +14,37 @@ class install_egg_info(Command):
......@@ -197,8 +191,6 @@ Index: b/Lib/distutils/command/install_egg_info.py
self.target = os.path.join(self.install_dir, basename)
self.outputs = [self.target]
Index: b/Lib/distutils/sysconfig.py
===================================================================
--- a/Lib/distutils/sysconfig.py
+++ b/Lib/distutils/sysconfig.py
@@ -115,6 +115,7 @@ def get_python_lib(plat_specific=0, stan
......@@ -218,8 +210,6 @@ Index: b/Lib/distutils/sysconfig.py
else:
return os.path.join(libpython, "site-packages")
Index: b/Lib/site.py
===================================================================
--- a/Lib/site.py
+++ b/Lib/site.py
@@ -273,6 +273,13 @@ def addusersitepackages(known_paths):
......@@ -236,8 +226,6 @@ Index: b/Lib/site.py
return known_paths
def getsitepackages():
Index: b/Lib/sysconfig.py
===================================================================
--- a/Lib/sysconfig.py
+++ b/Lib/sysconfig.py
@@ -16,6 +16,26 @@ _INSTALL_SCHEMES = {
......@@ -308,8 +296,6 @@ Index: b/Lib/sysconfig.py
return os.path.join(inc_dir, 'pyconfig.h')
def get_scheme_names():
Index: b/Lib/test/test_import.py
===================================================================
--- a/Lib/test/test_import.py
+++ b/Lib/test/test_import.py
@@ -301,7 +301,7 @@ class ImportTests(unittest.TestCase):
......@@ -321,11 +307,9 @@ Index: b/Lib/test/test_import.py
def test_import_by_filename(self):
path = os.path.abspath(TESTFN)
Index: b/Lib/test/test_site.py
===================================================================
--- a/Lib/test/test_site.py
+++ b/Lib/test/test_site.py
@@ -253,10 +253,13 @@ class HelperFunctionsTests(unittest.Test
@@ -255,10 +255,13 @@ class HelperFunctionsTests(unittest.Test
elif os.sep == '/':
# OS X, Linux, FreeBSD, etc
self.assertEqual(len(dirs), 2)
......@@ -342,8 +326,6 @@ Index: b/Lib/test/test_site.py
self.assertEqual(dirs[1], wanted)
else:
# other platforms
Index: b/Lib/test/test_sysconfig.py
===================================================================
--- a/Lib/test/test_sysconfig.py
+++ b/Lib/test/test_sysconfig.py
@@ -239,8 +239,8 @@ class TestSysConfig(unittest.TestCase):
......@@ -357,8 +339,6 @@ Index: b/Lib/test/test_sysconfig.py
self.assertEqual(get_scheme_names(), wanted)
@unittest.skipIf(sys.platform.startswith('win'),
Index: b/Lib/distutils/tests/test_install.py
===================================================================
--- a/Lib/distutils/tests/test_install.py
+++ b/Lib/distutils/tests/test_install.py
@@ -194,7 +194,7 @@ class InstallTestCase(support.TempdirMan
......@@ -379,21 +359,17 @@ Index: b/Lib/distutils/tests/test_install.py
self.assertEqual(found, expected)
def test_debug_mode(self):
Index: b/Lib/distutils/tests/test_bdist_dumb.py
===================================================================
--- a/Lib/distutils/tests/test_bdist_dumb.py
+++ b/Lib/distutils/tests/test_bdist_dumb.py
@@ -87,7 +87,7 @@ class BuildDumbTestCase(support.TempdirM
fp.close()
contents = sorted(os.path.basename(fn) for fn in contents)
contents = sorted(filter(None, map(os.path.basename, contents)))
- wanted = ['foo-0.1-py%s.%s.egg-info' % sys.version_info[:2], 'foo.py']
+ wanted = ['foo-0.1.egg-info', 'foo.py']
if not sys.dont_write_bytecode:
wanted.append('foo.pyc')
self.assertEqual(contents, sorted(wanted))
Index: b/Lib/pydoc.py
===================================================================
--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
@@ -392,6 +392,7 @@ class Doc:
......
This source diff could not be displayed because it is too large. You can view the blob instead.
# DP: Use /etc/lsb-release to identify the platform.
Index: b/Lib/platform.py
===================================================================
--- a/Lib/platform.py
+++ b/Lib/platform.py
@@ -290,7 +290,7 @@ _release_version = re.compile(r'([^0-9]+
@@ -293,7 +293,7 @@ _release_version = re.compile(r'([^0-9]+
_supported_dists = (
'SuSE', 'debian', 'fedora', 'redhat', 'centos',
'mandrake', 'mandriva', 'rocks', 'slackware', 'yellowdog', 'gentoo',
......@@ -13,7 +11,7 @@ Index: b/Lib/platform.py
def _parse_release_file(firstline):
@@ -319,6 +319,10 @@ def _parse_release_file(firstline):
@@ -322,6 +322,10 @@ def _parse_release_file(firstline):
id = l[1]
return '', version, id
......@@ -24,7 +22,7 @@ Index: b/Lib/platform.py
def linux_distribution(distname='', version='', id='',
supported_dists=_supported_dists,
@@ -343,6 +347,25 @@ def linux_distribution(distname='', vers
@@ -346,6 +350,25 @@ def linux_distribution(distname='', vers
args given as parameters.
"""
......
......@@ -70,8 +70,4 @@ issue27239.diff
rename-md5-init.diff
local-doc-references.diff
m-i-p-s-r6.diff
bpo-33570.diff
bpo-34818.diff
bpo-34834.diff
bpo-34836.diff
multiarch-libc.diff
......@@ -72,6 +72,9 @@ case "$vendor" in Debian)
TESTEXCLUSIONS="$TESTEXCLUSIONS test_ftplib test_ssl"
esac
# test_site: site-/dist-packages mismatches
TESTEXCLUSIONS="$TESTEXCLUSIONS test_site"
if [ "$su_user" = nobody ]; then
log=/dev/null
else
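Review bot: The added `TESTEXCLUSIONS="$TESTEXCLUSIONS test_site"` excludes the whole test_site module, and it appears to sit after the `esac`, so it would apply to every vendor and every run rather than only where the site-/dist-packages layout differs. That removes autopkgtest coverage of how site.py assembles sys.path, which the distutils-install-layout patch refreshed in this same commit modifies. I would at least tie the exclusion to its reason and make it easy to revert, e.g. `# test_site: site-/dist-packages mismatches (expected failure, see changelog 2.7.15-7); narrow to the failing test once identified`. The same three lines are added in the hunks at -70,6, -77,6 and -67,6 below, and the `if`/`else` that follows continues outside this hunk. The context line above shows test_ssl already excluded in one `case` branch; if that branch is the one taken on Debian, the move from the local TLS 1.3 backports to the upstream ones is not exercised by these runs either.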
......
......@@ -70,6 +70,9 @@ case "$vendor" in Debian)
TESTEXCLUSIONS="$TESTEXCLUSIONS test_ftplib test_ssl"
esac
# test_site: site-/dist-packages mismatches
TESTEXCLUSIONS="$TESTEXCLUSIONS test_site"
# TODO: test_ctypes fails on arm64 on the debug build
echo "uname: $(uname -a)"
case "$(uname -m)" in armv8*|aarch64*)
......
......@@ -77,6 +77,9 @@ case "$vendor" in Debian)
TESTEXCLUSIONS="$TESTEXCLUSIONS test_ftplib test_ssl"
esac
# test_site: site-/dist-packages mismatches
TESTEXCLUSIONS="$TESTEXCLUSIONS test_site"
if [ "$su_user" = nobody ]; then
log=/dev/null
else
......
......@@ -67,6 +67,9 @@ case "$vendor" in Debian)
TESTEXCLUSIONS="$TESTEXCLUSIONS test_ftplib test_ssl"
esac
# test_site: site-/dist-packages mismatches
TESTEXCLUSIONS="$TESTEXCLUSIONS test_site"
# TODO: test_ctypes fails on arm64 on the debug build
echo "uname: $(uname -a)"
case "$(uname -m)" in armv8*|aarch64*)
......