Zlib inflate security fix. (#171)

* Updated zlib sources to 1.2.13.

* Use zlib 1.2.13 to fix CVE-2022-37434.

* Updated OpenSSL 1.1.1 sources to version 1.1.1s.

* Use OpenSSL 1.1.1s.

* Updated safety and its exceptions.

* Use safety 1.9.0.

* Updated psutil to 5.9.3.

* Use safety 1.8.7.

* Updated OpenSSL 1.1.1 version to check for.

* Updated libffi sources to version 3.4.4.

* Use libffi version 3.4.4.

* Updated SQLite sources to version 3.39.4.

* Updated SQLite DLLs.

* Use SQLite version 3.39.4.

* Updated external deps sheets.

* Try latest psutil on CentOS 5.

* Revert "Try latest psutil on CentOS 5."

This reverts commit 1958e27.

* Try latest psutil working on CentOS 5.

* Updated external deps sheets.

Author: dumol

chevah_build

@@ -13,20 +13,20 @@ set -o errtrace   # trap errors in functions as well
 set -o pipefail   # don't ignore exit codes when piping output
 
 PYTHON_BUILD_VERSION="2.7.18"
-LIBFFI_VERSION="3.4.2"
-ZLIB_VERSION="1.2.12"
+LIBFFI_VERSION="3.4.4"
+ZLIB_VERSION="1.2.13"
 BZIP2_VERSION="1.0.8"
 # We statically build the BSD libedit on selected platforms to get the
 # readline module available without linking to the GPL-only readline libs.
 LIBEDIT_VERSION="20170329-3.1"
-OPENSSL_VERSION="1.1.1q"
-SQLITE_VERSION="3.37.2"
+OPENSSL_VERSION="1.1.1s"
+SQLITE_VERSION="3.39.4"
 
 # Python modules versions to be used everywhere possible.
 PYSQLITE_VERSION="2.8.3"
 CFFI_VERSION="1.15.1"
 SCANDIR_VERSION="1.10.0"
-PSUTIL_VERSION="5.9.2"
+PSUTIL_VERSION="5.9.3"
 SUBPROCESS32_VERSION="3.5.4"
 
 # Versions no longer upgradable because of Python 2 deprecation.
@@ -35,8 +35,8 @@ PYOPENSSL_VERSION="21.0.0"
 # Backported fix for https://github.com/pypa/pip/issues/9827
 # at https://github.com/chevah/pip/tree/20.3.4chevah.
 PIP_VERSION="20.3.4chevah1"
-# For pip <21.1, click <8.0.0, dparse <0.5.2.
-SAFETY_IGNORED_OPTS="-i 40291 -i 47833 -i 50571"
+# For pip <21.1, click <8.0.0, dparse <0.5.2, wheel <0.38.0, safety <2.2.0.
+SAFETY_IGNORED_OPTS="-i 40291 -i 47833 -i 50571 -i 51499 -i 51358"
 # setuptools 44.x is the last series to support Python 2.7.
 # More at https://github.com/pypa/setuptools/pull/1955.
 SETUPTOOLS_VERSION="44.1.1"
@@ -295,14 +295,15 @@ case $OS in
         export PATH="/usr/local/bin:$PATH"
         # In particular, Perl's Test::Simple and its deps are required.
         execute perl -MTest::Simple -e 1
-        # Version 5.9.2 of psutil not working properly on CentOS 5.
+        # Version 5.9.2/5.9.3 of psutil not working properly on CentOS 5.
+        # More at https://github.com/giampaolo/psutil/issues/2164.
         PIP_LIBRARIES="\
             cryptography==${CRYPTOGRAPHY_VERSION} \
             pyOpenSSL==${PYOPENSSL_VERSION} \
             scandir==${SCANDIR_VERSION} \
             subprocess32==${SUBPROCESS32_VERSION} \
             bcrypt==${BCRYPT_VERSION} \
-            psutil=="5.9.0" \
+            psutil=="5.9.1" \
             setproctitle==${SETPROCTITLE_VERSION}
             "
         ;;
@@ -696,6 +697,7 @@ command_test() {
     execute $PYTHON_BIN -m pip list --outdated --format=columns
     # Safety needs PyYAML, which needs Cython, which needs to be built on AIX.
     aix_ld_hack init
+    # This is the newest version that still works with Python 2.7.x.
     execute $PYTHON_BIN -m pip install $PIP_ARGS safety==1.8.7
     execute $PYTHON_BIN -m safety check --full-report \
         ${SAFETY_FALSE_POSITIVES_OPTS-} ${SAFETY_IGNORED_OPTS:-}

external_deps.csv

@@ -2,27 +2,27 @@ OS,AIX,,,Amazon,Alpine,Debian,FreeBSD,,HP-UX,macOS,OS X,RHEL,,,SLES,Solaris,,,,U
 OS Version,5.3³,6.1³,7.1+¹,2+¹,3.12+¹,5.0+²,11.4³,12.2+³,11.31³,10.13+¹,10.8³,5.11-7.x¹,8.x¹,9.x¹,11SP4+²,10u8+³,11.0/11.1³,11.2³,11.4³,14.04/16.04¹,18.04¹,20.04¹,22.04¹,"XP, 2003, 2008³","2012r2, 2016, 2019, 2022¹"
 OpenSSL⁶,"1.0.2v-chevah2 (statically linked with stdlib “ssl”)
 1.0.2v-chevah2 (statically linked with cryptography)",1.0.2k (from AIX Web Download Pack Programs),"1.0.2v-chevah4 (statically linked with stdlib “ssl”)
-1.0.2v-chevah4 (statically linked with cryptography)","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
-1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)","1.1.1cFIPS /
-1.1.1k FIPS","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,"
-1.0.2o","1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)",1.1.0g,1.1.1f,"1.1.1q (statically linked with stdlib “ssl”)
-1.1.1q (statically linked with cryptography)","1.0.2t (bundled with upstream Python 2.7.18)
+1.0.2v-chevah4 (statically linked with cryptography)","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)",1.0.1u,1.0.2s,1.0.2h,"1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)","1.1.1g (statically built for stdlib “ssl”)
+1.1.1g (bundled with upstream cryptography 2.9.1)","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)","1.1.1cFIPS /
+1.1.1k FIPS","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)",1.0.2n (from upstream Oracle patches),1.0.0x,1.0.1h,"
+1.0.2o","1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)",1.1.0g,1.1.1f,"1.1.1s (statically linked with stdlib “ssl”)
+1.1.1s (statically linked with cryptography)","1.0.2t (bundled with upstream Python 2.7.18)
 1.1.1g (bundled with upstream cryptography 2.9.1)","1.0.2t⁹ (bundled with upstream Python 2.7.18)
-1.1.1q (built from upstream sources for cryptography)"
+1.1.1s (built from upstream sources for cryptography)"
 Python,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.8⁴,2.7.18¹¹,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18+patches,2.7.18¹¹,2.7.18¹³
-SQLite,3.34.1,3.34.1,3.37.2,3.37.2,3.37.2,3.37.2,3.30.1,3.34.1,3.34.1,3.37.2,3.30.1,3.37.2,3.37.2,3.37.2,3.37.2,3.34.1,3.30.1,3.34.1,3.34.1,3.37.2,3.37.2,3.37.2,3.37.2,3.30.1 (we overwrite version from upstream Python at build time),3.37.2 (we overwrite version from upstream Python at build time)
+SQLite,3.34.1,3.34.1,3.39.4,3.39.4,3.39.4,3.39.4,3.30.1,3.34.1,3.34.1,3.39.4,3.30.1,3.39.4,3.39.4,3.39.4,3.39.4,3.34.1,3.30.1,3.34.1,3.34.1,3.39.4,3.39.4,3.39.4,3.39.4,3.30.1 (we overwrite version from upstream Python at build time),3.39.4 (we overwrite version from upstream Python at build time)
 Expat,2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.1.0⁵ (bundled with Python 2.7.8),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python),2.2.8 (bundled with Python)
-zlib,1.2.12,p/o,1.2.12,1.2.12,p/o,1.2.12,p/o,p/o,1.2.12,p/o,p/o,1.2.12,p/o,1.2.12,1.2.12,p/o,p/o,p/o,p/o,1.2.12,p/o,p/o,1.2.12,1.2.11⁸ (bundled with Python),1.2.11⁸ (bundled with Python)
+zlib,1.2.12,p/o,1.2.13,1.2.13,p/o,1.2.13,p/o,p/o,1.2.12,p/o,p/o,1.2.13,p/o,1.2.13,1.2.13,p/o,p/o,p/o,p/o,1.2.13,p/o,p/o,1.2.13,1.2.11⁸ (bundled with Python),1.2.11⁸ (bundled with Python)
 bzip2,1.0.8,1.0.8,1.0.8,1.0.8,1.0.8,1.0.8,p/o,p/o,1.0.8,p/o,p/o,1.0.8,1.0.8,1.0.8,1.0.8,p/o,p/o,p/o,p/o,1.0.8,1.0.8,1.0.8,1.0.8,1.0.6 (bundled with Python),1.0.6 (bundled with Python)
-libffi,3.4.2,3.4.2,3.4.2,p/o,3.4.2,3.4.2,3.4.2,3.4.2,3.4.2,p/o,p/o,3.4.2,p/o,3.4.2,3.4.2,n/a,n/a,3.4.2,3.4.2,p/o,p/o,p/o,p/o,n/a,n/a
+libffi,3.4.4,3.4.2,3.4.4,p/o,3.4.4,3.4.4,3.4.2,3.4.2,3.4.2,p/o,p/o,3.4.4,p/o,3.4.4,3.4.4,n/a,n/a,3.4.2,3.4.2,p/o,p/o,p/o,p/o,n/a,n/a
 libedit,n/a,n/a,n/a,n/a,20170329-3.1,n/a,20170329-3.1,20170329-3.1,n/a,20170329-3.1,20170329-3.1,n/a,20170329-3.1,n/a,n/a,n/a,20170329-3.1,20170329-3.1,20170329-3.1,n/a,20170329-3.1,20170329-3.1,n/a,n/a,n/a
 pysqlite,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,2.8.3,"n/a, upstream sqlite3 is used","n/a, upstream sqlite3 is used"
 pip,20.3.4¹⁴,9.0.3¹⁴,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,9.0.3¹⁴,20.3.4chevah1,20.3.4¹⁴,20.3.4chevah1,9.0.3¹⁴,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4¹⁴,9.0.3¹⁴,20.3.4¹⁴,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4chevah1,20.3.4¹⁴,20.3.4chevah1
@@ -39,7 +39,7 @@ enum34,1.1.10,1.1.6,1.1.10,1.1.10,1.1.10,1.1.10,1.1.6,1.1.10,n/a,1.1.10,1.1.6,1.
 idna,n/a,2.6,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,2.6,n/a,n/a,n/a,n/a,n/a,n/a,2.6,n/a
 pyOpenSSL,19.1.0,19.1.0,19.1.0,21.0.0,21.0.0,21.0.0,19.1.0,21.0.0,0.13.1⁷,21.0.0,19.1.0,21.0.0,21.0.0,21.0.0,21.0.0,0.13.1⁷,0.13.1⁷,0.13.1⁷,19.1.0,21.0.0,21.0.0,21.0.0,21.0.0,19.1.0,21.0.0
 scandir,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0,1.10.0
-psutil,n/a,5.6.5,5.9.2,5.9.0,5.9.0,5.9.0,n/a,5.9.2,n/a,5.9.2,5.6.5,5.9.0,5.9.2,5.9.0,5.9.0,n/a,n/a,n/a,5.9.2,5.9.0,5.9.2,5.9.2,5.9.0,n/a,5.9.2
+psutil,n/a,5.6.5,5.9.3,5.9.1,5.9.3,5.9.1,n/a,5.9.2,n/a,5.9.3,5.6.5,5.9.1,5.9.3,5.9.1,5.9.1,n/a,n/a,n/a,5.9.2,5.9.1,5.9.3,5.9.3,5.9.1,n/a,1.10.0
 subprocess32,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4,3.5.4
 bcrypt,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,n/a,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7,3.1.7
 pywin32,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,n/a,,n/a,227,228
@@ -52,7 +52,7 @@ Colour codes:,DARKGREY: Tier 2 platforms and their problematic dependencies,,,,,
 ,"BLUE: possible vulnerabilities found upstream, but no released version has them yet",,,,,,,,,,,5. https://github.com/libexpat/libexpat/blob/master/expat/Changes,,,,,,,,,,,,,
 ,ORANGE: minor vulnerabilities found,,,,,,,,,,,"6. Unless specified otherwise, OpenSSL libs are linked against dynamically",,,,,,,,,,,,,
 ,RED: major vulnerabilities found,,,,,,,,,,,"7. pyOpenSSL 0.14 and newer is a major rewrite, so it's not clear to what extent their vulnerabilities do apply",,,,,,,,,,,,,
-,MAGENTA: vulnerability status could not be established,,,,,,,,,,,8. https://cve.report/CVE-2018-25032,,,,,,,,,,,,,
+,MAGENTA: vulnerability status could not be established,,,,,,,,,,,8. https://cve.report/CVE-2018-25032 and https://cve.report/CVE-2022-37434 ,,,,,,,,,,,,,
 ,DEFAULT COLOUR: maintained upstream or not applicable,,,,,,,,,,,9. https://www.openssl.org/news/openssl-1.0.2-notes.html,,,,,,,,,,,,,
 ,,,,,,,,,,,,10. https://www.openssl.org/news/openssl-1.1.1-notes.html,,,,,,,,,,,,,
 ,,,,,,,,,,,,11. https://github.com/ActiveState/cpython/tags,,,,,,,,,,,,,