Skip to content

2024.08 updates.#177

Merged
dumol merged 42 commits into
masterfrom
202407-updates
Nov 25, 2024
Merged

2024.08 updates.#177
dumol merged 42 commits into
masterfrom
202407-updates

Conversation

@dumol

@dumol dumol commented Jul 25, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

Scope

Patch Python and OpenSSL for as many security issues as feasibly possible. Fixes #176

Update libs and modules, if possible.

Changes

Python security hot patches applied on all platforms for: CVE-2017-18207, CVE-2021-4189, CVE-2022-45061, CVE-2022-48565, CVE-2024-7592.

Patched Python 2.7.18 sources on non-Windows platforms for: CVE-2022-48560, CVE-2022-48566, CVE-2023-40217, CVE-2024-0397.

Patched OpenSSL 1.1.1w sources for: CVE-2023-5678, CVE-2024-0727, CVE-2024-2511, CVE-2024-4741, CVE-2024-5535.

Patched our cryptography sources for CVE-2023-49083.

Lib updates:

  • libffi to 3.4.6
  • zlib to 1.3.1
  • sqlite to 3.46.0.

Python modules updates:

  • psutil to 5.9.6 on generic glibc-based Linux,
  • psutil to 6.0.0 on the other platforms.

Drive-by changes:

  • compat tests are now disabled as the branch for Python 2.7 tests is unmaintained
  • macOS package is now built on macOS 13.

How to try and test the changes

reviewers: @adiroiban

For a quick picture of the overall security situation per OS, check external_deps.fods in LibreOffice Calc.

To check other changes to our scripts and docs:

git diff master .github/ chevah_build  python-modules/chevah-python-test/ src/*/README

For the cryptography patch:

git diff master python-modules/cryptography*

For Python 2.7.18 patches:

git diff master src/python

For OpenSSL 1.1.1w patches:

git diff master src/openssl

@dumol dumol self-assigned this Jul 25, 2024
dumol added 13 commits July 25, 2024 10:14
@dumol
Updated zlib sources to 1.3.1.
25e41b2
@dumol
Updated zlib version to build to 1.3.1.
4da1782
@dumol
Security updates for OpenSSL 1.1.1w from Ubuntu 20.04.
66fccb9
@dumol
Updated SQLite sources and DLLs to 3.46.0.
97458f6
@dumol
Updated SQLite version to build/use to 3.46.0.
0fd1549
@dumol
Python hot patches for some CVE issues on all platforms.
077d6ec
@dumol
Adjusted hot fixes to cleanly apply on Windows.
deaf977
@dumol
Patched Python sources for CVE-2022-48560, CVE-2022-48566, CVE-2023-4…
a118e7a 
…0217.
@dumol
Document today's patching.
133bafe
@dumol
Patched our cryptography sources for CVE-2023-49083. Other safety iss…
8b3196a 
…ues not relevant for our old versions.
@dumol
Patched our cryptography sources for CVE-2023-49083, take two.
1909628
@dumol
Ignore one more safety id for requests: 71064.
5c55344
@dumol
Ignore safety id for one more of its deps: idna.
7c690ac
@dumol

dumol commented Jul 31, 2024

Copy link
Copy Markdown
Contributor Author

Getting closer with this, but compat tests no longer run because pyflakes 3.2.0 is not actually compatible with python 2.7.18, AFAICT from https://github.com/chevah/python-package/actions/runs/10180457358/job/28158367575?pr=177:

Collecting pyflakes>=1.5.0
  Downloading https://bin.chevah.com:20443/pypi/simple/pyflakes/pyflakes-3.2.0-py2.py3-none-any.whl (62 kB)
ERROR: Package 'pyflakes' requires a different Python: 2.7.18 not in '>=3.8'

Any ideas, @adiroiban?

@adiroiban

adiroiban commented Jul 31, 2024
edited
Loading

Copy link
Copy Markdown
Member

I think that we can just release this and then we will see how it goes in chevah/server series-4 branch

chevah/compat trunk branch no longer supports python 2.7

if you want to run chevah/compat tests, they should be executed based on this commit

chevah/compat@d4a3dfc

this should be for version 1.0.9 which should still support python 2.7

unfortunately, I did a bad job tracking the versions for chevah/compat and we don't have any tags for that.

@dumol

dumol commented Aug 1, 2024

Copy link
Copy Markdown
Contributor Author

We were using this branch: https://github.com/chevah/compat/tree/py2-support. That's why I was surprised to see an error about Python 3 being required.

When checking out chevah/compat@d4a3dfc, there are other errors:

Looking in indexes: https://bin.chevah.com:20443/pypi/simple
Processing /home/runner/work/python-package/python-package/python-package/build/compat
    ERROR: Command errored out with exit status 1:
     command: /home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-req-build-A7ErlR/setup.py'"'"'; __file__='"'"'/tmp/pip-req-build-A7ErlR/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-HK3uj0
         cwd: /tmp/pip-req-build-A7ErlR/
    Complete output (19 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-req-build-A7ErlR/setup.py", line 8, in <module>
        setup()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/__init__.py", line 161, in setup
        _install_setup_requires(attrs)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/__init__.py", line 154, in _install_setup_requires
        dist.parse_config_files(ignore_option_errors=True)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 703, in parse_config_files
        self._finalize_requires()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 506, in _finalize_requires
        self._convert_extras_requirements()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 520, in _convert_extras_requirements
        for r in pkg_resources.parse_requirements(v):
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3094, in parse_requirements
        yield Requirement(line)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3103, in __init__
        raise RequirementParseError(str(e))
    pkg_resources.RequirementParseError: Invalid requirement, parse error at "'; Requir'"
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
WARNING: You are using pip version 20.3.4chevah1; however, version 20.3.4 is available.
You should consider upgrading via the '/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/bin/python -m pip install --upgrade pip' command.
Failed to run:
pip install --trusted-host pypi.chevah.com --trusted-host deag.chevah.com:10042 --index-url=https://bin.chevah.com:20443/pypi/simple --build /home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/pip-build .[dev]
PWD : /home/runner/work/python-package/python-package/python-package/build/compat
Fail: ./brink.sh deps

From https://github.com/chevah/python-package/actions/runs/10196943648/job/28208745488?pr=177

@dumol

dumol commented Aug 1, 2024

Copy link
Copy Markdown
Contributor Author

@adiroiban: I've disabled compat tests for now to produce packages to test with server 4.x.x. They are currently available at https://bin.chevah.com:20443/testing/2.7.18.4a3120a/

@dumol dumol requested a review from adiroiban August 16, 2024 10:15
@dumol dumol changed the title 2024.07 updates. 2024.08 updates. Aug 16, 2024
@dumol dumol merged commit a67ce7f into master Nov 25, 2024
@dumol dumol deleted the 202407-updates branch November 25, 2024 12:22
@dumol

dumol commented Nov 25, 2024

Copy link
Copy Markdown
Contributor Author

No new commits at https://github.com/ActiveState/cpython/commits/2.7/. I'm merging this while still relevant to the upstream patches.

If needed, more changes can be added in another branch/PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adiroiban adiroiban Awaiting requested review from adiroiban

Assignees

@dumol dumol

Labels

needs-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Fix CVE-2022-45061.

3 participants

@dumol @adiroiban @chevah-robot