begin quotation from Michael Gilbert (in <jMfPP-2tW-7@gated-at.bofh.it>): > On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: > > Ok, I just created one more fixed version of python2.6 for my own use. > > Whoever is interested can find it at [1] for the time being. If anybody has > > comments or improvements I am also interested. > > Would you mind attaching a debdiff so we can see what you did? If > your changes look reasonable, I may be willing to work with you to > sponsor a stable-proposed update: > http://www.debian.org/releases/proposed-updates Attached. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (aw@linux.de)
reverted:
--- python2.6-2.6.6/.pbuilderrc
+++ python2.6-2.6.6.orig/.pbuilderrc
@@ -1,163 +0,0 @@
-# Idea stolen at https://wiki.ubuntu.com/PbuilderHowto
-# Enhanced to support experimental, backports and oldstable.
-# Does not build with non-free by default anymore.
-
-unset CCACHEDIR
-
-# DIST NONFREE ARCH CUSTOM should be added to env_keep in your sudoers config.
-OLDSTABLE="lenny"
-OLDSTABLE_ARCHIVED="false"
-STABLE="squeeze"
-TESTING="wheezy"
-UNSTABLE="sid"
-
-# Codenames for Debian suites according to their alias. Update these when
-# needed.
-UNSTABLE_CODENAME="unstable"
-TESTING_CODENAME="testing"
-STABLE_CODENAME="stable"
-OLDSTABLE_CODENAME="oldstable"
-
-
-# List of Debian suites.
-DEBIAN_SUITES=($UNSTABLE_CODENAME $TESTING_CODENAME $STABLE_CODENAME $OLDSTABLE_CODENAME
- $UNSTABLE $TESTING $STABLE $OLDSTABLE experimental)
-
-# List of Ubuntu suites. Update these when needed.
-UBUNTU_SUITES=("jaunty" "intrepid" "hardy" "gutsy" "lucid" "maverick")
-
-# Mirrors to use. Update these to your preferred mirror.
-DEBIAN_MIRROR="ftp2.de.debian.org"
-UBUNTU_MIRROR="debian.netcologne.de"
-
-# Use Cowbuilder
-PDEBUILD_PBUILDER=cowbuilder
-
-# Optionally use the changelog of a package to determine the suite to use if
-# none set.
-if [ -z "${DIST}" ] && [ -r "debian/changelog" ]; then
- DIST=$(dpkg-parsechangelog | awk '/^Distribution: / {print $2}')
-fi
-
-# Optionally set a default distribution if none is used. Note that you can set
-# your own default (i.e. ${DIST:="unstable"}).
-: ${DIST:="stable"}
-
-# Optionally change Debian codenames in $DIST to their aliases.
-case "$DIST" in
- $UNSTABLE_CODENAME|UNRELEASED)
- DIST="$UNSTABLE"
- ;;
- $TESTING_CODENAME|$TESTING_CODENAME-proposed-updates|$TESTING_CODENAME-security)
- DIST="$TESTING"
- ;;
- $STABLE_CODENAME|$STABLE_CODENAME-proposed-updates|$STABLE_CODENAME-security)
- DIST="$STABLE"
- ;;
- $OLDSTABLE_CODENAME|$OLDSTABLE_CODENAME-proposed-updates|$OLDSTABLE_CODENAME-security)
- DIST="$OLDSTABLE"
-esac
-
-# Optionally set the architecture to the host architecture if none set. Note
-# that you can set your own default (i.e. ${ARCH:="i386"}).
-: ${ARCH:="$(dpkg --print-architecture)"}
-
-DEBOOTSTRAPOPTS=(
- '--variant=buildd'
-)
-
-
-NAME="$DIST"
-if [ -n "${ARCH}" ]; then
- NAME="$NAME-$ARCH"
- DEBOOTSTRAPOPTS=("--arch" "$ARCH" "${DEBOOTSTRAPOPTS[@]}")
-fi
-if [ -n "${NONFREE}" ]; then
- NAME="$NAME-nonfree"
-fi
-
-#CUSTOM allows to create chroots per customer, or for whatever you need it
-if [ -n "${CUSTOM}" ]; then
- NAME="$NAME-$CUSTOM"
-fi
-
-BASETGZ="/var/cache/pbuilder/$NAME-base.tgz"
-BASEPATH="/var/cache/pbuilder/$NAME-base.cow"
-BUILDRESULT="/tmp/"
-BUILDPLACE="/var/cache/pbuilder/build/"
-
-if $(echo ${DEBIAN_SUITES[@]} | grep -q ${DIST%-backports}); then
- COMPONENTS="main"
- if [ -n "${NONFREE}" ]; then
- COMPONENTS="$COMPONENTS contrib non-free"
- fi
- DEBOOTSTRAPOPTS=(
- '--keyring' '/usr/share/keyrings/debian-archive-keyring.gpg'
- ${DEBOOTSTRAPOPTS[@]}
- )
-
- case "$DIST" in
- $OLDSTABLE)
- if [ "$OLDSTABLE_ARCHIVED" = "true" ]; then
- MIRRORSITE="http://archive.debian.org/debian/";
- else
- MIRRORSITE="http://$DEBIAN_MIRROR/debian/";
- fi
- ;;
- experimental)
- if [ -z "$OTHERMIRROR" ]; then
- OTHERMIRROR="deb http://$DEBIAN_MIRROR/debian experimental $COMPONENTS"
- else
- OTHERMIRROR="deb http://$DEBIAN_MIRROR/debian experimental $COMPONENTS | ${OTHERMIRROR}"
- fi
- ;;
- *-backports)
- if [ -z "$OTHERMIRROR" ]; then
- OTHERMIRROR="deb http://debian.netcologne.de/debian-backports/ $DIST $COMPONENTS"
- else
- OTHERMIRROR="deb http://debian.netcologne.de/debian-backports/ $DIST $COMPONENTS | ${OTHERMIRROR}"
- fi
- EXTRAPACKAGES="$EXTRAPACKAGES debian-backports-keyring"
- ;;
- esac
-
-elif $(echo ${UBUNTU_SUITES[@]} | grep -q ${DIST%-backports}); then
- # Ubuntu configuration
- MIRRORSITE="http://$UBUNTU_MIRROR/ubuntu/";
- COMPONENTS="main universe"
- if [ -n "${NONFREE}" ]; then
- COMPONENTS="$COMPONENTS multiverse"
- fi
-
- if [ -r /usr/share/keyrings/ubuntu-archive-keyring.gpg ]; then
- DEBOOTSTRAPOPTS=(
- '--keyring' '/usr/share/keyrings/ubuntu-archive-keyring.gpg'
- ${DEBOOTSTRAPOPTS[@]}
- )
- fi
-
- case "$DIST" in
- *-backports)
- OTHERMIRROR="deb $MIRRORSITE $DIST $COMPONENTS"
- ;;
- esac
-else
- echo "Unknown distribution: $DIST"
- exit 1
-fi
-
-case "$0" in
- */pdebuild)
- : do nothing
- ;;
- *)
- DIST=${DIST%-backports}
- DIST=${DIST/experimental/$UNSTABLE}
- DISTRIBUTION=$DIST
- ;;
-esac
-
-# : ${HOOKDIR:="$HOME/.pbuilder/hooks.d"}
-
-DEBOOTSTRAP="debootstrap"
-PKGNAME_LOGFILE="yes"
diff -u python2.6-2.6.6/debian/changelog python2.6-2.6.6/debian/changelog
--- python2.6-2.6.6/debian/changelog
+++ python2.6-2.6.6/debian/changelog
@@ -1,17 +1,3 @@
-python2.6 (2.6.6-8.aw2) stable; urgency=low
-
- * Non-maintainer upload.
- * CVE-2011-3389. Closes: #684511
-
- -- Arne Wichmann <aw@linux.de> Fri, 21 Sep 2012 14:51:07 +0200
-
-python2.6 (2.6.6-8.aw1) stable; urgency=low
-
- * Non-maintainer upload.
- * CVE-2011-1521. Closes: #628455
-
- -- Arne Wichmann <aw@linux.de> Fri, 21 Sep 2012 14:48:32 +0200
-
python2.6 (2.6.6-8) unstable; urgency=low
* Disable the profiled builds on m68k and sparc. Closes: #606091.
reverted:
--- python2.6-2.6.6/debian/patches/9a4131ada792.diff
+++ python2.6-2.6.6.orig/debian/patches/9a4131ada792.diff
@@ -1,34 +0,0 @@
-# HG changeset patch
-# User Antoine Pitrou <solipsis@pitrou.net>
-# Date 1327653765 -3600
-# Node ID 9a4131ada792123aa4dded51bf67f583fc515db2
-# Parent 62fa61f2ee7d6a7861eccebc8f727d5cf6996065
-Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
-
-diff --git a/Misc/NEWS b/Misc/NEWS
---- a/Misc/NEWS
-+++ b/Misc/NEWS
-@@ -13,6 +13,9 @@ Core and Builtins
- Library
- -------
-
-+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
-+ IV attack countermeasure.
-+
-
- What's New in Python 2.6.7?
- ===========================
-diff --git a/Modules/_ssl.c b/Modules/_ssl.c
---- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -357,7 +357,8 @@ newPySSLObject(PySocketSockObject *Sock,
- }
-
- /* ssl compatibility */
-- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
-+ SSL_CTX_set_options(self->ctx,
-+ SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
-
- verification_mode = SSL_VERIFY_NONE;
- if (certreq == PY_SSL_CERT_OPTIONAL)
-
diff -u python2.6-2.6.6/debian/patches/series.in python2.6-2.6.6/debian/patches/series.in
--- python2.6-2.6.6/debian/patches/series.in
+++ python2.6-2.6.6/debian/patches/series.in
@@ -1,5 +1,3 @@
-9a4131ada792.diff
-9eeda8e3a13f.diff
// svn-updates.diff
deb-setup.diff
deb-locations.diff
reverted:
--- python2.6-2.6.6/debian/patches/9eeda8e3a13f.diff
+++ python2.6-2.6.6.orig/debian/patches/9eeda8e3a13f.diff
@@ -1,103 +0,0 @@
-# HG changeset patch
-# User Guido van Rossum <guido@python.org>
-# AW: removed NEWS from patch
-Merge issue 11662 from 2.5.
-
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -162,6 +162,20 @@ Content-Type: text/html; charset=iso-885
- finally:
- self.unfakehttp()
-
-+ def test_invalid_redirect(self):
-+ # urlopen() should raise IOError for many error codes.
-+ self.fakehttp("""HTTP/1.1 302 Found
-+Date: Wed, 02 Jan 2008 03:03:54 GMT
-+Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
-+Location: file:README
-+Connection: close
-+Content-Type: text/html; charset=iso-8859-1
-+""")
-+ try:
-+ self.assertRaises(IOError, urllib.urlopen, "http://python.org/";)
-+ finally:
-+ self.unfakehttp()
-+
- def test_empty_socket(self):
- # urlopen() raises IOError if the underlying socket does not send any
- # data. (#1680230)
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -942,6 +942,27 @@ class HandlerTests(unittest.TestCase):
- self.assertEqual(count,
- urllib2.HTTPRedirectHandler.max_redirections)
-
-+ def test_invalid_redirect(self):
-+ from_url = "http://example.com/a.html";
-+ valid_schemes = ['http', 'https', 'ftp']
-+ invalid_schemes = ['file', 'imap', 'ldap']
-+ schemeless_url = "example.com/b.html"
-+ h = urllib2.HTTPRedirectHandler()
-+ o = h.parent = MockOpener()
-+ req = Request(from_url)
-+
-+ for scheme in invalid_schemes:
-+ invalid_url = scheme + '://' + schemeless_url
-+ self.assertRaises(urllib2.HTTPError, h.http_error_302,
-+ req, MockFile(), 302, "Security Loophole",
-+ MockHeaders({"location": invalid_url}))
-+
-+ for scheme in valid_schemes:
-+ valid_url = scheme + '://' + schemeless_url
-+ h.http_error_302(req, MockFile(), 302, "That's fine",
-+ MockHeaders({"location": valid_url}))
-+ self.assertEqual(o.req.get_full_url(), valid_url)
-+
- def test_cookie_redirect(self):
- # cookies shouldn't leak into redirected requests
- from cookielib import CookieJar
-diff --git a/Lib/urllib.py b/Lib/urllib.py
---- a/Lib/urllib.py
-+++ b/Lib/urllib.py
-@@ -652,6 +652,18 @@ class FancyURLopener(URLopener):
- fp.close()
- # In case the server sent a relative URL, join with original:
- newurl = basejoin(self.type + ":" + url, newurl)
-+
-+ # For security reasons we do not allow redirects to protocols
-+ # other than HTTP, HTTPS or FTP.
-+ newurl_lower = newurl.lower()
-+ if not (newurl_lower.startswith('http://') or
-+ newurl_lower.startswith('https://') or
-+ newurl_lower.startswith('ftp://')):
-+ raise IOError('redirect error', errcode,
-+ errmsg + " - Redirection to url '%s' is not allowed" %
-+ newurl,
-+ headers)
-+
- return self.open(newurl)
-
- def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
-diff --git a/Lib/urllib2.py b/Lib/urllib2.py
---- a/Lib/urllib2.py
-+++ b/Lib/urllib2.py
-@@ -578,6 +578,17 @@ class HTTPRedirectHandler(BaseHandler):
-
- newurl = urlparse.urljoin(req.get_full_url(), newurl)
-
-+ # For security reasons we do not allow redirects to protocols
-+ # other than HTTP, HTTPS or FTP.
-+ newurl_lower = newurl.lower()
-+ if not (newurl_lower.startswith('http://') or
-+ newurl_lower.startswith('https://') or
-+ newurl_lower.startswith('ftp://')):
-+ raise HTTPError(newurl, code,
-+ msg + " - Redirection to url '%s' is not allowed" %
-+ newurl,
-+ headers, fp)
-+
- # XXX Probably want to forget about the state of the current
- # request, although that might interact poorly with other
- # handlers that also use handler-specific request attributes
Attachment:
signature.asc
Description: Digital signature