2024.08 updates. #177

Merged
merged 42 commits into from
Nov 25, 2024

Conversation

dumol (Contributor) commented Jul 25, 2024

Scope

Patch Python and OpenSSL for as many security issues as feasibly possible. Fixes #176

Update libs and modules, if possible.

Changes

Python security hot patches applied on all platforms for: CVE-2017-18207, CVE-2021-4189, CVE-2022-45061, CVE-2022-48565, CVE-2024-7592.

Patched Python 2.7.18 sources on non-Windows platforms for: CVE-2022-48560, CVE-2022-48566, CVE-2023-40217, CVE-2024-0397.

Patched OpenSSL 1.1.1w sources for: CVE-2023-5678, CVE-2024-0727, CVE-2024-2511, CVE-2024-4741, CVE-2024-5535.

Patched our cryptography sources for CVE-2023-49083.

Lib updates:

  • libffi to 3.4.6
  • zlib to 1.3.1
  • sqlite to 3.46.0.

Python modules updates:

  • psutil to 5.9.6 on generic glibc-based Linux,
  • psutil to 6.0.0 on the other platforms.

Drive-by changes:

  • compat tests are now disabled as the branch for Python 2.7 tests is unmaintained
  • macOS package is now built on macOS 13.

How to try and test the changes

reviewers: @adiroiban

For a quick picture of the overall security situation per OS, check external_deps.fods in LibreOffice Calc.

To check other changes to our scripts and docs:

git diff master .github/ chevah_build  python-modules/chevah-python-test/ src/*/README

For the cryptography patch:

git diff master python-modules/cryptography*

For Python 2.7.18 patches:

git diff master src/python

For OpenSSL 1.1.1w patches:

git diff master src/openssl

@dumol dumol self-assigned this Jul 25, 2024
dumol (Contributor, Author) commented Jul 31, 2024

Getting closer with this, but compat tests no longer run because pyflakes 3.2.0 is not actually compatible with python 2.7.18, AFAICT from https://github.com/chevah/python-package/actions/runs/10180457358/job/28158367575?pr=177:

Collecting pyflakes>=1.5.0
  Downloading https://bin.chevah.com:20443/pypi/simple/pyflakes/pyflakes-3.2.0-py2.py3-none-any.whl (62 kB)
ERROR: Package 'pyflakes' requires a different Python: 2.7.18 not in '>=3.8'

Any ideas, @adiroiban?

adiroiban (Member) commented Jul 31, 2024

I think that we can just release this and then we will see how it goes in the chevah/server series-4 branch.

The chevah/compat trunk branch no longer supports Python 2.7.

If you want to run chevah/compat tests, they should be executed based on this commit:

chevah/compat@d4a3dfc

This should be for version 1.0.9, which should still support Python 2.7.

Unfortunately, I did a bad job tracking the versions for chevah/compat and we don't have any tags for that.

dumol (Contributor, Author) commented Aug 1, 2024

We were using this branch: https://github.com/chevah/compat/tree/py2-support. That's why I was surprised to see an error about Python 3 being required.

When checking out chevah/compat@d4a3dfc, there are other errors:

Looking in indexes: https://bin.chevah.com:20443/pypi/simple
Processing /home/runner/work/python-package/python-package/python-package/build/compat
    ERROR: Command errored out with exit status 1:
     command: /home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-req-build-A7ErlR/setup.py'"'"'; __file__='"'"'/tmp/pip-req-build-A7ErlR/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-HK3uj0
         cwd: /tmp/pip-req-build-A7ErlR/
    Complete output (19 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-req-build-A7ErlR/setup.py", line 8, in <module>
        setup()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/__init__.py", line 161, in setup
        _install_setup_requires(attrs)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/__init__.py", line 154, in _install_setup_requires
        dist.parse_config_files(ignore_option_errors=True)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 703, in parse_config_files
        self._finalize_requires()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 506, in _finalize_requires
        self._convert_extras_requirements()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 520, in _convert_extras_requirements
        for r in pkg_resources.parse_requirements(v):
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3094, in parse_requirements
        yield Requirement(line)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3103, in __init__
        raise RequirementParseError(str(e))
    pkg_resources.RequirementParseError: Invalid requirement, parse error at "'; Requir'"
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
WARNING: You are using pip version 20.3.4chevah1; however, version 20.3.4 is available.
You should consider upgrading via the '/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/bin/python -m pip install --upgrade pip' command.
Failed to run:
pip install --trusted-host pypi.chevah.com --trusted-host deag.chevah.com:10042 --index-url=https://bin.chevah.com:20443/pypi/simple --build /home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/pip-build .[dev]
PWD : /home/runner/work/python-package/python-package/python-package/build/compat
Fail: ./brink.sh deps

From https://github.com/chevah/python-package/actions/runs/10196943648/job/28208745488?pr=177

dumol (Contributor, Author) commented Aug 1, 2024

@adiroiban: I've disabled compat tests for now to produce packages to test with server 4.x.x. They are currently available at https://bin.chevah.com:20443/testing/2.7.18.4a3120a/

@dumol dumol requested a review from adiroiban August 16, 2024 10:15
@dumol dumol changed the title 2024.07 updates. 2024.08 updates. Aug 16, 2024
@dumol dumol merged commit a67ce7f into master Nov 25, 2024
9 checks passed
@dumol dumol deleted the 202407-updates branch November 25, 2024 12:22
dumol (Contributor, Author) commented Nov 25, 2024

No new commits at https://github.com/ActiveState/cpython/commits/2.7/. I'm merging this while still relevant to the upstream patches.

If needed, more changes can be added in another branch/PR.

Development

Successfully merging this pull request may close these issues.

Fix CVE-2022-45061.