2 files changed, 2 insertions, 251 deletions
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
deleted file mode 100644
index e16b99bcb9..0000000000
--- a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Thu, 2 Apr 2020 02:52:20 +0200
-Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
- (GH-18284)
-Upstream-Status: Backport
-(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
-CVE: CVE-2020-8492
-The AbstractBasicAuthHandler class of the urllib.request module uses
-an inefficient regular expression which can be exploited by an
-attacker to cause a denial of service. Fix the regex to prevent the
-catastrophic backtracking. Vulnerability reported by Ben Caller
-and Matt Schwager.
-AbstractBasicAuthHandler of urllib.request now parses all
-WWW-Authenticate HTTP headers and accepts multiple challenges per
-header: use the realm of the first Basic challenge.
-Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
- Lib/test/test_urllib2.py                      | 90 ++++++++++++-------
- Lib/urllib/request.py                         | 69 ++++++++++----
- .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst  |  3 +
- .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst  |  5 ++
- 4 files changed, 115 insertions(+), 52 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
- create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 8abedaac98..e69ac3e213 100644
--- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
-         bypass = {'exclude_simple': True, 'exceptions': []}
-         self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
- 
-    def test_basic_auth(self, quote_char='"'):
-        opener = OpenerDirector()
-        password_manager = MockPasswordManager()
-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-        realm = "ACME Widget Store"
-        http_handler = MockHTTPHandler(
-            401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
-            (quote_char, realm, quote_char))
-        opener.add_handler(auth_handler)
-        opener.add_handler(http_handler)
-        self._test_basic_auth(opener, auth_handler, "Authorization",
-                              realm, http_handler, password_manager,
-                              "http://acme.example.com/protected",
-                              "http://acme.example.com/protected",
-                              )
-
-    def test_basic_auth_with_single_quoted_realm(self):
-        self.test_basic_auth(quote_char="'")
-
-    def test_basic_auth_with_unquoted_realm(self):
-        opener = OpenerDirector()
-        password_manager = MockPasswordManager()
-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-        realm = "ACME Widget Store"
-        http_handler = MockHTTPHandler(
-            401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
-        opener.add_handler(auth_handler)
-        opener.add_handler(http_handler)
-        with self.assertWarns(UserWarning):
-+    def check_basic_auth(self, headers, realm):
-+        with self.subTest(realm=realm, headers=headers):
-+            opener = OpenerDirector()
-+            password_manager = MockPasswordManager()
-+            auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-+            body = '\r\n'.join(headers) + '\r\n\r\n'
-+            http_handler = MockHTTPHandler(401, body)
-+            opener.add_handler(auth_handler)
-+            opener.add_handler(http_handler)
-             self._test_basic_auth(opener, auth_handler, "Authorization",
-                                realm, http_handler, password_manager,
-                                "http://acme.example.com/protected",
-                                "http://acme.example.com/protected",
-                                )
-+                                  realm, http_handler, password_manager,
-+                                  "http://acme.example.com/protected",
-+                                  "http://acme.example.com/protected")
-+
-+    def test_basic_auth(self):
-+        realm = "realm2@example.com"
-+        realm2 = "realm2@example.com"
-+        basic = f'Basic realm="{realm}"'
-+        basic2 = f'Basic realm="{realm2}"'
-+        other_no_realm = 'Otherscheme xxx'
-+        digest = (f'Digest realm="{realm2}", '
-+                  f'qop="auth, auth-int", '
-+                  f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
-+                  f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
-+        for realm_str in (
-+            # test "quote" and 'quote'
-+            f'Basic realm="{realm}"',
-+            f"Basic realm='{realm}'",
-+
-+            # charset is ignored
-+            f'Basic realm="{realm}", charset="UTF-8"',
-+
-+            # Multiple challenges per header
-+            f'{basic}, {basic2}',
-+            f'{basic}, {other_no_realm}',
-+            f'{other_no_realm}, {basic}',
-+            f'{basic}, {digest}',
-+            f'{digest}, {basic}',
-+        ):
-+            headers = [f'WWW-Authenticate: {realm_str}']
-+            self.check_basic_auth(headers, realm)
-+
-+        # no quote: expect a warning
-+        with support.check_warnings(("Basic Auth Realm was unquoted",
-+                                     UserWarning)):
-+            headers = [f'WWW-Authenticate: Basic realm={realm}']
-+            self.check_basic_auth(headers, realm)
-+
-+        # Multiple headers: one challenge per header.
-+        # Use the first Basic realm.
-+        for challenges in (
-+            [basic,  basic2],
-+            [basic,  digest],
-+            [digest, basic],
-+        ):
-+            headers = [f'WWW-Authenticate: {challenge}'
-+                       for challenge in challenges]
-+            self.check_basic_auth(headers, realm)
- 
-     def test_proxy_basic_auth(self):
-         opener = OpenerDirector()
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 7fe50535da..2a3d71554f 100644
--- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
- 
-     # allow for double- and single-quoted realm values
-     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-                    'realm=(["\']?)([^"\']*)\\2', re.I)
-+    rx = re.compile('(?:^|,)'   # start of the string or ','
-+                    '[ \t]*'    # optional whitespaces
-+                    '([^ \t]+)' # scheme like "Basic"
-+                    '[ \t]+'    # mandatory whitespaces
-+                    # realm=xxx
-+                    # realm='xxx'
-+                    # realm="xxx"
-+                    'realm=(["\']?)([^"\']*)\\2',
-+                    re.I)
- 
-     # XXX could pre-emptively send auth info already accepted (RFC 2617,
-     # end of section 2, and section 1.2 immediately after "credentials"
-@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
-         self.passwd = password_mgr
-         self.add_password = self.passwd.add_password
- 
-+    def _parse_realm(self, header):
-+        # parse WWW-Authenticate header: accept multiple challenges per header
-+        found_challenge = False
-+        for mo in AbstractBasicAuthHandler.rx.finditer(header):
-+            scheme, quote, realm = mo.groups()
-+            if quote not in ['"', "'"]:
-+                warnings.warn("Basic Auth Realm was unquoted",
-+                              UserWarning, 3)
-+
-+            yield (scheme, realm)
-+
-+            found_challenge = True
-+
-+        if not found_challenge:
-+            if header:
-+                scheme = header.split()[0]
-+            else:
-+                scheme = ''
-+            yield (scheme, None)
-+
-     def http_error_auth_reqed(self, authreq, host, req, headers):
-         # host may be an authority (without userinfo) or a URL with an
-         # authority
-        # XXX could be multiple headers
-        authreq = headers.get(authreq, None)
-+        headers = headers.get_all(authreq)
-+        if not headers:
-+            # no header found
-+            return
- 
-        if authreq:
-            scheme = authreq.split()[0]
-            if scheme.lower() != 'basic':
-                raise ValueError("AbstractBasicAuthHandler does not"
-                                 " support the following scheme: '%s'" %
-                                 scheme)
-            else:
-                mo = AbstractBasicAuthHandler.rx.search(authreq)
-                if mo:
-                    scheme, quote, realm = mo.groups()
-                    if quote not in ['"',"'"]:
-                        warnings.warn("Basic Auth Realm was unquoted",
-                                      UserWarning, 2)
-                    if scheme.lower() == 'basic':
-                        return self.retry_http_basic_auth(host, req, realm)
-+        unsupported = None
-+        for header in headers:
-+            for scheme, realm in self._parse_realm(header):
-+                if scheme.lower() != 'basic':
-+                    unsupported = scheme
-+                    continue
-+
-+                if realm is not None:
-+                    # Use the first matching Basic challenge.
-+                    # Ignore following challenges even if they use the Basic
-+                    # scheme.
-+                    return self.retry_http_basic_auth(host, req, realm)
-+
-+        if unsupported is not None:
-+            raise ValueError("AbstractBasicAuthHandler does not "
-+                             "support the following scheme: %r"
-+                             % (scheme,))
- 
-     def retry_http_basic_auth(self, host, req, realm):
-         user, pw = self.passwd.find_user_password(realm, host)
-diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-new file mode 100644
-index 0000000000..be80ce79d9
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-@@ -0,0 +1,3 @@
-+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
-+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
-+per header: use the realm of the first Basic challenge.
-diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-new file mode 100644
-index 0000000000..9f2800581c
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-@@ -0,0 +1,5 @@
-+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
-+:mod:`urllib.request` module uses an inefficient regular expression which can
-+be exploited by an attacker to cause a denial of service. Fix the regex to
-+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
-+and Matt Schwager.
-- 
-2.24.1
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.3.bb
index 072ce97472..3aa8980e13 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.3.bb
@@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-configure.ac-fix-LIBPL.patch \
           file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
           file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
-           file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
           file://CVE-2019-20907.patch \
           file://CVE-2020-14422.patch \
           file://CVE-2020-26116.patch \
@@ -47,8 +46,8 @@ SRC_URI_append_class-native = " \
           file://0001-Don-t-search-system-for-headers-libraries.patch \
           "
-SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"
+SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78"
-SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"
+SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"

diff --git a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch deleted file mode 100644 index e16b99bcb9..0000000000 --- a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch +++ /dev/null
@@ -1,248 +0,0 @@
1	From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
2	From: Victor Stinner <vstinner@python.org>
3	Date: Thu, 2 Apr 2020 02:52:20 +0200
4	Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
5	(GH-18284)
6
7	Upstream-Status: Backport
8	(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
9
10	CVE: CVE-2020-8492
11
12	The AbstractBasicAuthHandler class of the urllib.request module uses
13	an inefficient regular expression which can be exploited by an
14	attacker to cause a denial of service. Fix the regex to prevent the
15	catastrophic backtracking. Vulnerability reported by Ben Caller
16	and Matt Schwager.
17
18	AbstractBasicAuthHandler of urllib.request now parses all
19	WWW-Authenticate HTTP headers and accepts multiple challenges per
20	header: use the realm of the first Basic challenge.
21
22	Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
23	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
24	---
25	Lib/test/test_urllib2.py \| 90 ++++++++++++-------
26	Lib/urllib/request.py \| 69 ++++++++++----
27	.../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst \| 3 +
28	.../2020-01-30-16-15-29.bpo-39503.B299Yq.rst \| 5 ++
29	4 files changed, 115 insertions(+), 52 deletions(-)
30	create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
31	create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
32
33	diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
34	index 8abedaac98..e69ac3e213 100644
35	--- a/Lib/test/test_urllib2.py
36	+++ b/Lib/test/test_urllib2.py
37	@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
38	bypass = {'exclude_simple': True, 'exceptions': []}
39	self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
40
41	- def test_basic_auth(self, quote_char='"'):
42	- opener = OpenerDirector()
43	- password_manager = MockPasswordManager()
44	- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
45	- realm = "ACME Widget Store"
46	- http_handler = MockHTTPHandler(
47	- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
48	- (quote_char, realm, quote_char))
49	- opener.add_handler(auth_handler)
50	- opener.add_handler(http_handler)
51	- self._test_basic_auth(opener, auth_handler, "Authorization",
52	- realm, http_handler, password_manager,
53	- "http://acme.example.com/protected",
54	- "http://acme.example.com/protected",
55	- )
56	-
57	- def test_basic_auth_with_single_quoted_realm(self):
58	- self.test_basic_auth(quote_char="'")
59	-
60	- def test_basic_auth_with_unquoted_realm(self):
61	- opener = OpenerDirector()
62	- password_manager = MockPasswordManager()
63	- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
64	- realm = "ACME Widget Store"
65	- http_handler = MockHTTPHandler(
66	- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
67	- opener.add_handler(auth_handler)
68	- opener.add_handler(http_handler)
69	- with self.assertWarns(UserWarning):
70	+ def check_basic_auth(self, headers, realm):
71	+ with self.subTest(realm=realm, headers=headers):
72	+ opener = OpenerDirector()
73	+ password_manager = MockPasswordManager()
74	+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
75	+ body = '\r\n'.join(headers) + '\r\n\r\n'
76	+ http_handler = MockHTTPHandler(401, body)
77	+ opener.add_handler(auth_handler)
78	+ opener.add_handler(http_handler)
79	self._test_basic_auth(opener, auth_handler, "Authorization",
80	- realm, http_handler, password_manager,
81	- "http://acme.example.com/protected",
82	- "http://acme.example.com/protected",
83	- )
84	+ realm, http_handler, password_manager,
85	+ "http://acme.example.com/protected",
86	+ "http://acme.example.com/protected")
87	+
88	+ def test_basic_auth(self):
89	+ realm = "realm2@example.com"
90	+ realm2 = "realm2@example.com"
91	+ basic = f'Basic realm="{realm}"'
92	+ basic2 = f'Basic realm="{realm2}"'
93	+ other_no_realm = 'Otherscheme xxx'
94	+ digest = (f'Digest realm="{realm2}", '
95	+ f'qop="auth, auth-int", '
96	+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
97	+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
98	+ for realm_str in (
99	+ # test "quote" and 'quote'
100	+ f'Basic realm="{realm}"',
101	+ f"Basic realm='{realm}'",
102	+
103	+ # charset is ignored
104	+ f'Basic realm="{realm}", charset="UTF-8"',
105	+
106	+ # Multiple challenges per header
107	+ f'{basic}, {basic2}',
108	+ f'{basic}, {other_no_realm}',
109	+ f'{other_no_realm}, {basic}',
110	+ f'{basic}, {digest}',
111	+ f'{digest}, {basic}',
112	+ ):
113	+ headers = [f'WWW-Authenticate: {realm_str}']
114	+ self.check_basic_auth(headers, realm)
115	+
116	+ # no quote: expect a warning
117	+ with support.check_warnings(("Basic Auth Realm was unquoted",
118	+ UserWarning)):
119	+ headers = [f'WWW-Authenticate: Basic realm={realm}']
120	+ self.check_basic_auth(headers, realm)
121	+
122	+ # Multiple headers: one challenge per header.
123	+ # Use the first Basic realm.
124	+ for challenges in (
125	+ [basic, basic2],
126	+ [basic, digest],
127	+ [digest, basic],
128	+ ):
129	+ headers = [f'WWW-Authenticate: {challenge}'
130	+ for challenge in challenges]
131	+ self.check_basic_auth(headers, realm)
132
133	def test_proxy_basic_auth(self):
134	opener = OpenerDirector()
135	diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
136	index 7fe50535da..2a3d71554f 100644
137	--- a/Lib/urllib/request.py
138	+++ b/Lib/urllib/request.py
139	@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
140
141	# allow for double- and single-quoted realm values
142	# (single quotes are a violation of the RFC, but appear in the wild)
143	- rx = re.compile('(?:.,)[ \t]*([^ \t]+)[ \t]+'
144	- 'realm=(["\']?)([^"\']*)\\2', re.I)
145	+ rx = re.compile('(?:^\|,)' # start of the string or ','
146	+ '[ \t]*' # optional whitespaces
147	+ '([^ \t]+)' # scheme like "Basic"
148	+ '[ \t]+' # mandatory whitespaces
149	+ # realm=xxx
150	+ # realm='xxx'
151	+ # realm="xxx"
152	+ 'realm=(["\']?)([^"\']*)\\2',
153	+ re.I)
154
155	# XXX could pre-emptively send auth info already accepted (RFC 2617,
156	# end of section 2, and section 1.2 immediately after "credentials"
157	@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
158	self.passwd = password_mgr
159	self.add_password = self.passwd.add_password
160
161	+ def _parse_realm(self, header):
162	+ # parse WWW-Authenticate header: accept multiple challenges per header
163	+ found_challenge = False
164	+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
165	+ scheme, quote, realm = mo.groups()
166	+ if quote not in ['"', "'"]:
167	+ warnings.warn("Basic Auth Realm was unquoted",
168	+ UserWarning, 3)
169	+
170	+ yield (scheme, realm)
171	+
172	+ found_challenge = True
173	+
174	+ if not found_challenge:
175	+ if header:
176	+ scheme = header.split()[0]
177	+ else:
178	+ scheme = ''
179	+ yield (scheme, None)
180	+
181	def http_error_auth_reqed(self, authreq, host, req, headers):
182	# host may be an authority (without userinfo) or a URL with an
183	# authority
184	- # XXX could be multiple headers
185	- authreq = headers.get(authreq, None)
186	+ headers = headers.get_all(authreq)
187	+ if not headers:
188	+ # no header found
189	+ return
190
191	- if authreq:
192	- scheme = authreq.split()[0]
193	- if scheme.lower() != 'basic':
194	- raise ValueError("AbstractBasicAuthHandler does not"
195	- " support the following scheme: '%s'" %
196	- scheme)
197	- else:
198	- mo = AbstractBasicAuthHandler.rx.search(authreq)
199	- if mo:
200	- scheme, quote, realm = mo.groups()
201	- if quote not in ['"',"'"]:
202	- warnings.warn("Basic Auth Realm was unquoted",
203	- UserWarning, 2)
204	- if scheme.lower() == 'basic':
205	- return self.retry_http_basic_auth(host, req, realm)
206	+ unsupported = None
207	+ for header in headers:
208	+ for scheme, realm in self._parse_realm(header):
209	+ if scheme.lower() != 'basic':
210	+ unsupported = scheme
211	+ continue
212	+
213	+ if realm is not None:
214	+ # Use the first matching Basic challenge.
215	+ # Ignore following challenges even if they use the Basic
216	+ # scheme.
217	+ return self.retry_http_basic_auth(host, req, realm)
218	+
219	+ if unsupported is not None:
220	+ raise ValueError("AbstractBasicAuthHandler does not "
221	+ "support the following scheme: %r"
222	+ % (scheme,))
223
224	def retry_http_basic_auth(self, host, req, realm):
225	user, pw = self.passwd.find_user_password(realm, host)
226	diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
227	new file mode 100644
228	index 0000000000..be80ce79d9
229	--- /dev/null
230	+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
231	@@ -0,0 +1,3 @@
232	+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
233	+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
234	+per header: use the realm of the first Basic challenge.
235	diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
236	new file mode 100644
237	index 0000000000..9f2800581c
238	--- /dev/null
239	+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
240	@@ -0,0 +1,5 @@
241	+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
242	+:mod:`urllib.request` module uses an inefficient regular expression which can
243	+be exploited by an attacker to cause a denial of service. Fix the regex to
244	+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
245	+and Matt Schwager.
246	--
247	2.24.1
248


diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.3.bb index 072ce97472..3aa8980e13 100644 --- a/meta/recipes-devtools/python/python3_3.8.2.bb +++ b/meta/recipes-devtools/python/python3_3.8.3.bb
@@ -33,7 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
33	file://0001-configure.ac-fix-LIBPL.patch \	33	file://0001-configure.ac-fix-LIBPL.patch \
34	file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \	34	file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
35	file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \	35	file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
36	file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
37	file://CVE-2019-20907.patch \	36	file://CVE-2019-20907.patch \
38	file://CVE-2020-14422.patch \	37	file://CVE-2020-14422.patch \
39	file://CVE-2020-26116.patch \	38	file://CVE-2020-26116.patch \
@@ -47,8 +46,8 @@ SRC_URI_append_class-native = " \
47	file://0001-Don-t-search-system-for-headers-libraries.patch \	46	file://0001-Don-t-search-system-for-headers-libraries.patch \
48	"	47	"
49		48
50	SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"	49	SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78"
51	SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"	50	SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864"
52		51
53	# exclude pre-releases for both python 2.x and 3.x	52	# exclude pre-releases for both python 2.x and 3.x
54	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	53	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"