2024.08 updates.

[dumol]

Scope

Patch Python and OpenSSL for as many security issues as feasibly possible. Fixes #176

Update libs and modules, if possible.

Changes

Python security hot patches applied on all platforms for: CVE-2017-18207, CVE-2021-4189, CVE-2022-45061, CVE-2022-48565, CVE-2024-7592.

Patched Python 2.7.18 sources on non-Windows platforms for: CVE-2022-48560, CVE-2022-48566, CVE-2023-40217, CVE-2024-0397.

Patched OpenSSL 1.1.1w sources for: CVE-2023-5678, CVE-2024-0727, CVE-2024-2511, CVE-2024-4741, CVE-2024-5535.

Patched our cryptography sources for CVE-2023-49083.

Lib updates:

• libffi to 3.4.6
• zlib to 1.3.1
• sqlite to 3.46.0.

Python modules updates:

• psutil to 5.9.6 on generic glibc-based Linux,
• psutil to 6.0.0 on the other platforms.

Drive-by changes:

• compat tests are now disabled as the branch for Python 2.7 tests is unmaintained
• macOS package is now built on macOS 13.

How to try and test the changes

reviewers: @adiroiban

For a quick picture of the overall security situation per OS, check external_deps.fods in LibreOffice Calc.

To check other changes to our scripts and docs:

git diff master .github/ chevah_build  python-modules/chevah-python-test/ src/*/README

For the cryptography patch:

git diff master python-modules/cryptography*

For Python 2.7.18 patches:

git diff master src/python

For OpenSSL 1.1.1w patches:

git diff master src/openssl

[dumol]

Getting closer with this, but compat tests no longer run because pyflakes 3.2.0 is not actually compatible with python 2.7.18, AFAICT from https://github.com/chevah/python-package/actions/runs/10180457358/job/28158367575?pr=177:

Collecting pyflakes>=1.5.0
  Downloading https://bin.chevah.com:20443/pypi/simple/pyflakes/pyflakes-3.2.0-py2.py3-none-any.whl (62 kB)
ERROR: Package 'pyflakes' requires a different Python: 2.7.18 not in '>=3.8'

Any ideas, @adiroiban?

[adiroiban]

I think that we can just release this and then we will see how it goes in chevah/server series-4 branch

chevah/compat trunk branch no longer supports python 2.7

if you want to run chevah/compat tests, they should be executed based on this commit

chevah/compat@d4a3dfc

this should be for version 1.0.9 which should still support python 2.7

unfortunately, I did a bad job tracking the versions for chevah/compat and we don't have any tags for that.

[dumol]

We were using this branch: https://github.com/chevah/compat/tree/py2-support. That's why I was surprised to see an error about Python 3 being required.

When checking out chevah/compat@d4a3dfc, there are other errors:

Looking in indexes: https://bin.chevah.com:20443/pypi/simple
Processing /home/runner/work/python-package/python-package/python-package/build/compat
    ERROR: Command errored out with exit status 1:
     command: /home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-req-build-A7ErlR/setup.py'"'"'; __file__='"'"'/tmp/pip-req-build-A7ErlR/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-HK3uj0
         cwd: /tmp/pip-req-build-A7ErlR/
    Complete output (19 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-req-build-A7ErlR/setup.py", line 8, in <module>
        setup()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/__init__.py", line 161, in setup
        _install_setup_requires(attrs)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/__init__.py", line 154, in _install_setup_requires
        dist.parse_config_files(ignore_option_errors=True)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 703, in parse_config_files
        self._finalize_requires()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 506, in _finalize_requires
        self._convert_extras_requirements()
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/setuptools/dist.py", line 520, in _convert_extras_requirements
        for r in pkg_resources.parse_requirements(v):
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3094, in parse_requirements
        yield Requirement(line)
      File "/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3103, in __init__
        raise RequirementParseError(str(e))
    pkg_resources.RequirementParseError: Invalid requirement, parse error at "'; Requir'"
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
WARNING: You are using pip version 20.3.4chevah1; however, version 20.3.4 is available.
You should consider upgrading via the '/home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/bin/python -m pip install --upgrade pip' command.
Failed to run:
pip install --trusted-host pypi.chevah.com --trusted-host deag.chevah.com:10042 --index-url=https://bin.chevah.com:20443/pypi/simple --build /home/runner/work/python-package/python-package/python-package/build/compat/build-python-package/pip-build .[dev]
PWD : /home/runner/work/python-package/python-package/python-package/build/compat
Fail: ./brink.sh deps

From https://github.com/chevah/python-package/actions/runs/10196943648/job/28208745488?pr=177

[dumol]

@adiroiban: I've disabled compat tests for now to produce packages to test with server 4.x.x. They are currently available at https://bin.chevah.com:20443/testing/2.7.18.4a3120a/

[dumol]

No new commits at https://github.com/ActiveState/cpython/commits/2.7/. I'm merging this while still relevant to the upstream patches.

If needed, more changes can be added in another branch/PR.