%global _empty_manifest_terminate_build 0
Name:		python-Products.PloneHotfix20210518
Version:	1.6
Release:	1
Summary:	Various Plone hotfixes, 2021-05-18
License:	GPL
URL:		https://plone.org/security/hotfix/20210518
Source0:	https://mirrors.aliyun.com/pypi/web/packages/84/82/4cbd7bab685000b7a4df20745886f752cbece8bb2dcc5ceede9ba2a0ef62/Products.PloneHotfix20210518-1.6.tar.gz
BuildArch:	noarch

Requires:	python3-setuptools

%description
This hotfix fixes several security issues:

- Remote Code Execution via traversal in expressions via aliases.
  Reported by David Miller.
- Remote Code Execution via traversal in expressions (no aliases).
  Reported by Calum Hutton.
- Remote Code Execution via traversal in expressions via string formatter.
  Reported by David Miller.
- Writing arbitrary files via docutils and Python Script.
  Reported by Calum Hutton.
- Stored XSS from file upload (svg, html).
  Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- XSS vulnerability in CMFDiffTool.
  Reported by Igor Margitich.
- Reflected XSS in various spots.
  Reported by Calum Hutton.
- Various information disclosures: GS, QI, all_users.
  Reported by Calum Hutton.
- Stored XSS from user fullname.
  Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL.
  Reported by Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL.
  Reported by MisakiKata and David Miller.
- Server Side Request Forgery via lxml parser.
  Reported by MisakiKata and David Miller.
- XSS in folder contents on Plone 5.0 and higher.
  Reported by Matt Moreschi.
  Only included since version 1.5 of the hotfix.
- Remote Code Execution via Python Script.
  Reported by Calum Hutton.
  Only Plone 5.2 on Python 3 is vulnerable.
  Only included since version 1.6 of the hotfix.

%package -n python3-Products.PloneHotfix20210518
Summary:	Various Plone hotfixes, 2021-05-18
Provides:	python-Products.PloneHotfix20210518
BuildRequires:	python3-devel
BuildRequires:	python3-setuptools
BuildRequires:	python3-pip
%description -n python3-Products.PloneHotfix20210518
This hotfix fixes several security issues:

- Remote Code Execution via traversal in expressions via aliases.
  Reported by David Miller.
- Remote Code Execution via traversal in expressions (no aliases).
  Reported by Calum Hutton.
- Remote Code Execution via traversal in expressions via string formatter.
  Reported by David Miller.
- Writing arbitrary files via docutils and Python Script.
  Reported by Calum Hutton.
- Stored XSS from file upload (svg, html).
  Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- XSS vulnerability in CMFDiffTool.
  Reported by Igor Margitich.
- Reflected XSS in various spots.
  Reported by Calum Hutton.
- Various information disclosures: GS, QI, all_users.
  Reported by Calum Hutton.
- Stored XSS from user fullname.
  Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL.
  Reported by Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL.
  Reported by MisakiKata and David Miller.
- Server Side Request Forgery via lxml parser.
  Reported by MisakiKata and David Miller.
- XSS in folder contents on Plone 5.0 and higher.
  Reported by Matt Moreschi.
  Only included since version 1.5 of the hotfix.
- Remote Code Execution via Python Script.
  Reported by Calum Hutton.
  Only Plone 5.2 on Python 3 is vulnerable.
  Only included since version 1.6 of the hotfix.

%package help
Summary:	Development documents and examples for Products.PloneHotfix20210518
Provides:	python3-Products.PloneHotfix20210518-doc
%description help
This hotfix fixes several security issues:

- Remote Code Execution via traversal in expressions via aliases.
  Reported by David Miller.
- Remote Code Execution via traversal in expressions (no aliases).
  Reported by Calum Hutton.
- Remote Code Execution via traversal in expressions via string formatter.
  Reported by David Miller.
- Writing arbitrary files via docutils and Python Script.
  Reported by Calum Hutton.
- Stored XSS from file upload (svg, html).
  Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
- XSS vulnerability in CMFDiffTool.
  Reported by Igor Margitich.
- Reflected XSS in various spots.
  Reported by Calum Hutton.
- Various information disclosures: GS, QI, all_users.
  Reported by Calum Hutton.
- Stored XSS from user fullname.
  Reported by Tino Kautschke.
- Blind SSRF via feedparser accessing an internal URL.
  Reported by Subodh Kumar Shree.
- Server Side Request Forgery via event ical URL.
  Reported by MisakiKata and David Miller.
- Server Side Request Forgery via lxml parser.
  Reported by MisakiKata and David Miller.
- XSS in folder contents on Plone 5.0 and higher.
  Reported by Matt Moreschi.
  Only included since version 1.5 of the hotfix.
- Remote Code Execution via Python Script.
  Reported by Calum Hutton.
  Only Plone 5.2 on Python 3 is vulnerable.
  Only included since version 1.6 of the hotfix.

%prep
%autosetup -n Products.PloneHotfix20210518-1.6

%build
%py3_build

%install
%py3_install
install -d -m755 %{buildroot}/%{_pkgdocdir}
if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
pushd %{buildroot}
if [ -d usr/lib ]; then
	find usr/lib -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/lib64 ]; then
	find usr/lib64 -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/bin ]; then
	find usr/bin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
if [ -d usr/sbin ]; then
	find usr/sbin -type f -printf "\"/%h/%f\"\n" >> filelist.lst
fi
touch doclist.lst
if [ -d usr/share/man ]; then
	find usr/share/man -type f -printf "\"/%h/%f.gz\"\n" >> doclist.lst
fi
popd
mv %{buildroot}/filelist.lst .
mv %{buildroot}/doclist.lst .

%files -n python3-Products.PloneHotfix20210518 -f filelist.lst
%dir %{python3_sitelib}/*

%files help -f doclist.lst
%{_docdir}/*

%changelog
* Fri Jun 09 2023 Python_Bot - 1.6-1
- Package Spec generated
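The spec above fetches the hotfix sdist from a PyPI mirror and unpacks it in %prep without checking what it downloaded. One check worth running before %autosetup is to compare the tarball against the digest PyPI already encodes in its download path: files on files.pythonhosted.org live under packages/<d[0:2]>/<d[2:4]>/<d[4:]>/<filename>, where d is the hex BLAKE2b-256 digest of the file, and a mirror that keeps PyPI's layout (assumed here for the Source0 mirror) reuses that path. The script below is an added example, not code from the spec or from the Plone hotfix: it extracts the digest from the spec's Source0 URL, then verifies a file against a digest pinned separately from the URL. The sample tarball it verifies is constructed inline so the check runs offline; the real hotfix is not fetched.

```python
"""Pin and verify a PyPI sdist by the BLAKE2b-256 digest PyPI embeds in its path.

Added example (not part of the spec or of Products.PloneHotfix20210518).
Assumption: the mirror in Source0 preserves PyPI's packages/<2>/<2>/<60>/<name>
layout, where the three path components concatenate to the file's BLAKE2b-256 hex digest.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Source0 exactly as written in the spec.
SPEC_SOURCE0 = (
    "https://mirrors.aliyun.com/pypi/web/packages/84/82/"
    "4cbd7bab685000b7a4df20745886f752cbece8bb2dcc5ceede9ba2a0ef62/"
    "Products.PloneHotfix20210518-1.6.tar.gz"
)

_PATH_RE = re.compile(r"/packages/([0-9a-f]{2})/([0-9a-f]{2})/([0-9a-f]{60})/([^/]+)$")


def expected_digest(source_url: str) -> tuple:
    """Return (blake2b_256_hex, filename) encoded in a PyPI-style download URL.

    Use this once, when writing the spec, to obtain a digest to pin; do not
    re-derive it from the URL at build time, since whoever controls Source0
    then controls both the file and the digest it is compared against.
    """
    m = _PATH_RE.search(urlparse(source_url).path)
    if not m:
        raise ValueError(f"not a PyPI-style package path: {source_url}")
    a, b, rest, filename = m.groups()
    return a + b + rest, filename


def blake2b_256_of(path: Path) -> str:
    """Hex BLAKE2b digest with a 32-byte output, streamed so large sdists fit in memory."""
    h = hashlib.blake2b(digest_size=32)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sdist(path: Path, pinned_digest: str, expected_name: str) -> bool:
    """True only if the file name and BLAKE2b-256 digest both match the pinned values."""
    if path.name != expected_name:
        return False
    return blake2b_256_of(path) == pinned_digest.lower()


def demo() -> dict:
    """Constructed scenario: a stand-in tarball is verified intact, then after a
    one-byte change. The bytes are made up here; they are not the real hotfix."""
    with tempfile.TemporaryDirectory() as d:
        name = "Products.PloneHotfix20210518-1.6.tar.gz"
        p = Path(d) / name
        p.write_bytes(b"constructed sample, not the real hotfix\n")
        # Pin the digest of the known-good file, as a spec author would do once.
        pinned = blake2b_256_of(p)
        # Build the URL a PyPI-layout mirror would serve this file from and
        # confirm the digest we would read back from it matches the pin.
        url = (
            "https://mirrors.aliyun.com/pypi/web/packages/"
            f"{pinned[:2]}/{pinned[2:4]}/{pinned[4:]}/{name}"
        )
        url_digest, url_name = expected_digest(url)
        intact = verify_sdist(p, pinned, name) and url_digest == pinned and url_name == name
        # Tamper with the file: a single appended byte must fail verification.
        p.write_bytes(b"constructed sample, not the real hotfix!\n")
        tampered = verify_sdist(p, pinned, name)
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    digest, name = expected_digest(SPEC_SOURCE0)
    print(f"pin for {name}: blake2b-256 {digest}")
    print(demo())
```

In a spec this would sit at the top of %prep as a one-line check (for example `b2sum -l 256 %{SOURCE0} | grep -q <pinned digest> || exit 1`) with the digest pinned as a literal in the spec, not parsed back out of Source0 at build time; the URL-derived value only tells you what PyPI served under that path, so it is a starting point for the pin, not a substitute for one.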