Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package trytond for openSUSE:Factory checked in at 2021-02-15 23:19:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/trytond (Old) and /work/SRC/openSUSE:Factory/.trytond.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trytond" Mon Feb 15 23:19:15 2021 rev:55 rq:872368 version:5.0.33 Changes: -------- --- /work/SRC/openSUSE:Factory/trytond/trytond.changes 2021-02-09 21:17:12.726838472 +0100 +++ /work/SRC/openSUSE:Factory/.trytond.new.28504/trytond.changes 2021-02-15 23:21:22.851851099 +0100 @@ -1,0 +2,10 @@ +Mon Feb 15 11:44:23 UTC 2021 - Axel Braun <axel.br...@gmx.de> + +- fix_werkzeug.patch adjusted + +------------------------------------------------------------------- +Fri Feb 12 18:10:08 UTC 2021 - Axel Braun <axel.br...@gmx.de> + +- Version 5.0.33 - Security fix for https://bugs.tryton.org/issue10068 + +------------------------------------------------------------------- Old: ---- trytond-5.0.32.tar.gz New: ---- trytond-5.0.33.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trytond.spec ++++++ --- /var/tmp/diff_new_pack.Mp0l3E/_old 2021-02-15 23:21:23.515852090 +0100 +++ /var/tmp/diff_new_pack.Mp0l3E/_new 2021-02-15 23:21:23.519852096 +0100 @@ -20,7 +20,7 @@ %define majorver 5.0 %define base_name tryton Name: trytond -Version: %{majorver}.32 +Version: %{majorver}.33 Release: 0 Summary: An Enterprise Resource Planning (ERP) system License: GPL-3.0-or-later ++++++ fix_werkzeug.patch ++++++ --- /var/tmp/diff_new_pack.Mp0l3E/_old 2021-02-15 23:21:23.563852162 +0100 +++ /var/tmp/diff_new_pack.Mp0l3E/_new 2021-02-15 23:21:23.563852162 +0100 @@ -1,13 +1,11 @@ -Index: trytond-5.0.18/trytond/wsgi.py -=================================================================== ---- trytond-5.0.18.orig/trytond/wsgi.py -+++ trytond-5.0.18/trytond/wsgi.py -@@ -9,8 +9,19 @@ import traceback +diff -U 3 -dHrN -- a/trytond/wsgi.py b/trytond/wsgi.py +--- a/trytond/wsgi.py 2021-02-12 10:14:41.000000000 +0100 ++++ b/trytond/wsgi.py 2021-02-15 12:37:50.432511576 +0100 +@@ -10,13 +10,23 @@ from werkzeug.wrappers import Response from werkzeug.routing import Map, Rule from werkzeug.exceptions import abort, HTTPException, InternalServerError -from werkzeug.contrib.fixers import ProxyFix --from werkzeug.wsgi import SharedDataMiddleware +try: + from werkzeug.middleware.proxy_fix import ProxyFix + @@ -17,6 +15,12 @@ + x_port=num_proxies, x_prefix=num_proxies) +except ImportError: + from werkzeug.contrib.fixers import ProxyFix as NumProxyFix + try: + from werkzeug.security import safe_join + except ImportError: + safe_join = posixpath.join +- +-from werkzeug.wsgi import SharedDataMiddleware +try: + from werkzeug.middleware.shared_data import SharedDataMiddleware +except ImportError: @@ -24,7 +28,7 @@ import wrapt -@@ -150,6 +161,6 @@ if config.get('web', 'root'): +@@ -157,6 +167,6 @@ app.wsgi_app = SharedDataMiddlewareIndex(app.wsgi_app, static_files) num_proxies = config.getint('web', 'num_proxies') if num_proxies: ++++++ trytond-5.0.32.tar.gz -> trytond-5.0.33.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trytond-5.0.32/.hgtags new/trytond-5.0.33/.hgtags --- old/trytond-5.0.32/.hgtags 2021-02-01 22:50:57.000000000 +0100 +++ new/trytond-5.0.33/.hgtags 2021-02-12 10:14:44.000000000 +0100 @@ -51,3 +51,4 @@ 0b23f3ed8c1c099bdf64733bafd29e873b801a5a 5.0.30 bc3e5508144ab909a7980010ce21f9cc17be29f7 5.0.31 c485f522f9aa8c544e0857795c540c1b95c0407e 5.0.32 +268cdae7d36eb3730bc9b722518fa26bd778cdf3 5.0.33 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trytond-5.0.32/CHANGELOG new/trytond-5.0.33/CHANGELOG --- old/trytond-5.0.32/CHANGELOG 2021-02-01 22:50:56.000000000 +0100 +++ new/trytond-5.0.33/CHANGELOG 2021-02-12 10:14:44.000000000 +0100 @@ -1,3 +1,7 @@ +Version 5.0.33 - 2021-02-12 +* Bug fixes (see mercurial logs for details) +* Use safe_join in SharedDataMiddlewareIndex (issue10068) + Version 5.0.32 - 2021-02-01 * Bug fixes (see mercurial logs for details) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trytond-5.0.32/PKG-INFO new/trytond-5.0.33/PKG-INFO --- old/trytond-5.0.32/PKG-INFO 2021-02-01 22:50:59.296959200 +0100 +++ new/trytond-5.0.33/PKG-INFO 2021-02-12 10:14:46.511693200 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: trytond -Version: 5.0.32 +Version: 5.0.33 Summary: Tryton server Home-page: http://www.tryton.org/ Author: Tryton diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trytond-5.0.32/trytond/__init__.py new/trytond-5.0.33/trytond/__init__.py --- old/trytond-5.0.32/trytond/__init__.py 2021-01-01 16:10:47.000000000 +0100 +++ new/trytond-5.0.33/trytond/__init__.py 2021-02-01 22:51:13.000000000 +0100 @@ -5,7 +5,7 @@ import warnings from email import charset -__version__ = "5.0.32" +__version__ = "5.0.33" os.environ['TZ'] = 'UTC' if hasattr(time, 'tzset'): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trytond-5.0.32/trytond/wsgi.py new/trytond-5.0.33/trytond/wsgi.py --- old/trytond-5.0.32/trytond/wsgi.py 2019-08-11 19:34:43.000000000 +0200 +++ new/trytond-5.0.33/trytond/wsgi.py 2021-02-12 10:14:41.000000000 +0100 @@ -3,6 +3,7 @@ import http.client import logging import os +import posixpath import sys import traceback @@ -10,6 +11,11 @@ from werkzeug.routing import Map, Rule from werkzeug.exceptions import abort, HTTPException, InternalServerError from werkzeug.contrib.fixers import ProxyFix +try: + from werkzeug.security import safe_join +except ImportError: + safe_join = posixpath.join + from werkzeug.wsgi import SharedDataMiddleware import wrapt @@ -131,13 +137,14 @@ def get_directory_loader(self, directory): def loader(path): if path is not None: - path = os.path.join(directory, path) + path = safe_join(directory, path) else: path = directory - if os.path.isdir(path): - path = os.path.join(path, 'index.html') - if os.path.isfile(path): - return os.path.basename(path), self._opener(path) + if path is not None: + if os.path.isdir(path): + path = posixpath.join(path, 'index.html') + if os.path.isfile(path): + return os.path.basename(path), self._opener(path) return None, None return loader diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trytond-5.0.32/trytond.egg-info/PKG-INFO new/trytond-5.0.33/trytond.egg-info/PKG-INFO --- old/trytond-5.0.32/trytond.egg-info/PKG-INFO 2021-02-01 22:50:58.000000000 +0100 +++ new/trytond-5.0.33/trytond.egg-info/PKG-INFO 2021-02-12 10:14:45.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: trytond -Version: 5.0.32 +Version: 5.0.33 Summary: Tryton server Home-page: http://www.tryton.org/ Author: Tryton