download.lst
| 4
external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
| 59 ++++++++++
external/python3/UnpackedTarball_python3.mk
| 1
3 files changed, 62 insertions(+), 2 deletions(-)
New commits:
commit a57dd8eba9c0799dd42eb547a37622bce8fdb0b3
Author: Michael Stahl <michael.st...@cib.de>
AuthorDate: Mon Jan 14 17:33:37 2019 +0100
Commit: Michael Stahl <michael.st...@cib.de>
CommitDate: Tue Jan 15 10:36:11 2019 +0100
python3: add patch bpo-17239: Disable external entities in SAX parser
Change-Id: I44e969d8d3a8fe6b6426d61a1cbe83154c8518dd
Reviewed-on: https://gerrit.libreoffice.org/66329
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@cib.de>
diff --git
a/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
new file mode 100644
index 000000000000..489e5d0e89ee
--- /dev/null
+++
b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
@@ -0,0 +1,59 @@
+From 582d188e6e3487180891f1fc457a80dec8be26a8 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christ...@python.org>
+Date: Mon, 24 Sep 2018 14:38:31 +0200
+Subject: [PATCH] [3.6] bpo-17239: Disable external entities in SAX parser
+ (GH-9217) (GH-9512)
+
+The SAX parser no longer processes general external entities by default
+to increase security. Before, the parser created network connections
+to fetch remote files or loaded local files from the file system for DTD
+and entities.
+
+Signed-off-by: Christian Heimes <christ...@python.org>
+
+https://bugs.python.org/issue17239.
+(cherry picked from commit 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45)
+
+Co-authored-by: Christian Heimes <christ...@python.org>
+
+
+
+https://bugs.python.org/issue17239
+---
+ Doc/library/xml.dom.pulldom.rst | 14 +++++
+ Doc/library/xml.rst | 6 +-
+ Doc/library/xml.sax.rst | 8 +++
+ Doc/whatsnew/3.6.rst | 18 +++++-
+ Lib/test/test_pulldom.py | 7 +++
+ Lib/test/test_sax.py | 60 ++++++++++++++++++-
+ Lib/test/test_xml_etree.py | 13 ++++
+ Lib/xml/sax/expatreader.py | 2 +-
+ .../2018-09-11-18-30-55.bpo-17239.kOpwK2.rst | 3 +
+ 9 files changed, 125 insertions(+), 6 deletions(-)
+ create mode 100644
Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+
+diff --git a/Lib/xml/sax/expatreader.py b/Lib/xml/sax/expatreader.py
+index 421358fa5b..5066ffc2fa 100644
+--- a/Lib/xml/sax/expatreader.py
++++ b/Lib/xml/sax/expatreader.py
+@@ -95,7 +95,7 @@ class ExpatParser(xmlreader.IncrementalParser,
xmlreader.Locator):
+ self._lex_handler_prop = None
+ self._parsing = 0
+ self._entity_stack = []
+- self._external_ges = 1
++ self._external_ges = 0
+ self._interning = None
+
+ # XMLReader methods
+diff --git
a/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+new file mode 100644
+index 0000000000..8dd0fe8c1b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+@@ -0,0 +1,3 @@
++The xml.sax and xml.dom.minidom parsers no longer processes external
++entities by default. External DTD and ENTITY declarations no longer
++load files or create network connections.
+--
+2.20.1
+
diff --git a/external/python3/UnpackedTarball_python3.mk
b/external/python3/UnpackedTarball_python3.mk
index ea5e160c3536..09bd9fa2edf6 100644
--- a/external/python3/UnpackedTarball_python3.mk
+++ b/external/python3/UnpackedTarball_python3.mk
@@ -27,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,python3,\
external/python3/ubsan.patch.0 \
external/python3/python-3.5.tweak.strip.soabi.patch \
external/python3/darwin.patch.0 \
+
external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
\
))
ifneq ($(filter DRAGONFLY FREEBSD LINUX NETBSD OPENBSD SOLARIS,$(OS)),)
commit 5e96a5c664aea950111199e56bda412512a849b0
Author: Michael Stahl <michael.st...@cib.de>
AuthorDate: Mon Jan 14 16:19:58 2019 +0100
Commit: Michael Stahl <michael.st...@cib.de>
CommitDate: Tue Jan 15 10:36:00 2019 +0100
curl: upgrade to release 7.63.0
fixes CVE-2018-16840
Change-Id: Ica995a28a71eb5d5277d045d57fee9ba0f88883f
Reviewed-on: https://gerrit.libreoffice.org/66328
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@cib.de>
diff --git a/download.lst b/download.lst
index 0ce01b38bf6a..e93847c57e59 100644
--- a/download.lst
+++ b/download.lst
@@ -29,8 +29,8 @@ export CPPUNIT_SHA256SUM :=
3d569869d27b48860210c758c4f313082103a5e58219a7669b52
export CPPUNIT_TARBALL := cppunit-1.14.0.tar.gz
export CT2N_SHA256SUM :=
71b238efd2734be9800af07566daea8d6685aeed28db5eb5fa0e6453f4d85de3
export CT2N_TARBALL :=
1f467e5bb703f12cbbb09d5cf67ecf4a-converttexttonumber-1-5-0.oxt
-export CURL_SHA256SUM :=
eaa812e9a871ea10dbe8e1d3f8f12a64a8e3e62aeab18cb23742e2f1727458ae
-export CURL_TARBALL := curl-7.61.1.tar.gz
+export CURL_SHA256SUM :=
d483b89062832e211c887d7cf1b65c902d591b48c11fe7d174af781681580b41
+export CURL_TARBALL := curl-7.63.0.tar.gz
export EBOOK_SHA256SUM :=
7e8d8ff34f27831aca3bc6f9cc532c2f90d2057c778963b884ff3d1e34dfe1f9
export EBOOK_TARBALL := libe-book-0.1.3.tar.xz
export EPOXY_SHA256SUM :=
a9562386519eb3fd7f03209f279f697a8cba520d3c155d6e253c3e138beca7d8
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
