Compare commits

...

No commits in common. 'c8-beta' and 'c9-beta' have entirely different histories.

@ -0,0 +1,17 @@
diff --git a/pymysql/converters.py b/pymysql/converters.py
index 1adac75..dbf97ca 100644
--- a/pymysql/converters.py
+++ b/pymysql/converters.py
@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
def escape_dict(val, charset, mapping=None):
- n = {}
- for k, v in val.items():
- quoted = escape_item(v, charset, mapping)
- n[k] = quoted
- return n
+ raise TypeError("dict can not be used as parameter")
def escape_sequence(val, charset, mapping=None):

@ -5,7 +5,7 @@
Name: python%{python3_pkgversion}-%{pypi_name}
Version: 1.1.0
Release: 2%{?dist}
Release: 3%{?dist}
Summary: Pure-Python MySQL client library
License: MIT
@ -13,6 +13,11 @@ URL: https://pypi.python.org/pypi/%{pypi_name}/
Source0: %pypi_source
Source1: setup.py
# Security fix for CVE-2024-36039: SQL injection if used with untrusted JSON input
# Resolved upstream: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2282821
Patch0: CVE-2024-36039.patch
BuildArch: noarch
BuildRequires: python%{python3_pkgversion}-devel
@ -35,7 +40,7 @@ and Jython.
%prep
%setup -qn %{pypi_name}-%{version}
%autosetup -n %{pypi_name}-%{version} -p1
rm -rf %{pypi_name}.egg-info
# Remove tests files so they are not installed globally.
rm -rf tests
@ -62,6 +67,10 @@ cp %{SOURCE1} .
%{python3_sitelib}/pymysql/
%changelog
* Fri May 31 2024 Charalampos Stratakis <cstratak@redhat.com> - 1.1.0-3
- Security fix for CVE-2024-36039
Resolves: RHEL-38371
* Tue Jan 23 2024 Miro Hrončok <mhroncok@redhat.com> - 1.1.0-2
- Rebuilt for timestamp .pyc invalidation mode

Loading…
Cancel
Save