Merge branch 'aw.sr.2019.08.06' into 'master'

Misc package bumps for Maintainer: A. Wilcox, 2019-08-06

See merge request adelie/packages!312

9 files changed, 32 insertions, 401 deletions

diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD
index 0bb9db2a2..f14f72b1c 100644
--- a/system/python3/APKBUILD
+++ b/system/python3/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Kiyoshi Aman <kiyoshi.aman@gmail.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=python3
-pkgver=3.6.8
+pkgver=3.6.9
 _basever="${pkgver%.*}"
 pkgrel=0
 pkgdesc="A high-level scripting language"
@@ -40,19 +40,23 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
 source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
 	musl-find_library.patch
 	fix-xattrs-glibc.patch
-	CVE-2019-9636.patch
-	CVE-2019-9740-and-9947.patch
-	test-fix-selfsign-cert.patch
 	"
 builddir="$srcdir/Python-$pkgver"
 
 # secfixes: python
+#   3.6.5-r0:
+#     - CVE-2018-1060
+#     - CVE-2018-1061
 #   3.6.8-r0:
 #     - CVE-2018-14647
 #     - CVE-2018-20406
 #     - CVE-2019-9636
 #     - CVE-2019-9740
 #     - CVE-2019-9947
+#   3.6.9-r0:
+#     - CVE-2018-20852
+#     - CVE-2019-5010
+#     - CVE-2019-9948
 
 prepare() {
 	default_prepare
@@ -172,9 +176,6 @@ wininst() {
 		"$subpkgdir"/usr/lib/python$_basever/distutils/command
 }
 
-sha512sums="b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a  Python-3.6.8.tar.xz
+sha512sums="05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819  Python-3.6.9.tar.xz
 ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2  musl-find_library.patch
-37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad  fix-xattrs-glibc.patch
-bf2ec0bdba63b714f99aa9783a31ab935b234cabe4dc482769462a55bd572c74e03f192fbc5e8a7e2b9a887a5eef7dc0c3819fb464b656f73b500d1b65b591ad  CVE-2019-9636.patch
-daae79c8d914f0afe3c09ef15fa2838958e3d9a45e37bb7ebf84ce431b3635f48744011c640e0f6696922db76da199a55befb3754e335660b6d25f3dad2a8c4e  CVE-2019-9740-and-9947.patch
-34bb7353e93f74a0f70d9b44f9bb9a6561c47a6d2169e08390818113bcb8b25c6660dfab2c2ef2aba6c08805e71719227baf01285da7f8276c61fba422a1bad2  test-fix-selfsign-cert.patch"
+37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad  fix-xattrs-glibc.patch"
diff --git a/system/python3/CVE-2019-9636.patch b/system/python3/CVE-2019-9636.patch
deleted file mode 100644
index 45a2c8e97..000000000
--- a/system/python3/CVE-2019-9636.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 23fc0416454c4ad5b9b23d520fbe6d89be3efc24 Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@microsoft.com>
-Date: Mon, 11 Mar 2019 21:34:03 -0700
-Subject: [PATCH] [3.6] bpo-36216: Add check for characters in netloc that
- normalize to separators (GH-12201) (GH-12215)
-
----
- Doc/library/urllib.parse.rst                  | 18 +++++++++++++++
- Lib/test/test_urlparse.py                     | 23 +++++++++++++++++++
- Lib/urllib/parse.py                           | 17 ++++++++++++++
- .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
- 4 files changed, 61 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-
-diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
-index d991254d5ca1..647af613a315 100644
---- a/Doc/library/urllib.parse.rst
-+++ b/Doc/library/urllib.parse.rst
-@@ -121,6 +121,11 @@ or on combining URL components into a URL string.
-    Unmatched square brackets in the :attr:`netloc` attribute will raise a
-    :exc:`ValueError`.
- 
-+   Characters in the :attr:`netloc` attribute that decompose under NFKC
-+   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+   decomposed before parsing, no error will be raised.
-+
-    .. versionchanged:: 3.2
-       Added IPv6 URL parsing capabilities.
- 
-@@ -133,6 +138,10 @@ or on combining URL components into a URL string.
-       Out-of-range port numbers now raise :exc:`ValueError`, instead of
-       returning :const:`None`.
- 
-+   .. versionchanged:: 3.6.9
-+      Characters that affect netloc parsing under NFKC normalization will
-+      now raise :exc:`ValueError`.
-+
- 
- .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
- 
-@@ -256,10 +265,19 @@ or on combining URL components into a URL string.
-    Unmatched square brackets in the :attr:`netloc` attribute will raise a
-    :exc:`ValueError`.
- 
-+   Characters in the :attr:`netloc` attribute that decompose under NFKC
-+   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+   decomposed before parsing, no error will be raised.
-+
-    .. versionchanged:: 3.6
-       Out-of-range port numbers now raise :exc:`ValueError`, instead of
-       returning :const:`None`.
- 
-+   .. versionchanged:: 3.6.9
-+      Characters that affect netloc parsing under NFKC normalization will
-+      now raise :exc:`ValueError`.
-+
- 
- .. function:: urlunsplit(parts)
- 
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index be50b47603aa..e6638aee2244 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1,3 +1,5 @@
-+import sys
-+import unicodedata
- import unittest
- import urllib.parse
- 
-@@ -984,6 +986,27 @@ def test_all(self):
-                 expected.append(name)
-         self.assertCountEqual(urllib.parse.__all__, expected)
- 
-+    def test_urlsplit_normalization(self):
-+        # Certain characters should never occur in the netloc,
-+        # including under normalization.
-+        # Ensure that ALL of them are detected and cause an error
-+        illegal_chars = '/:#?@'
-+        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
-+        denorm_chars = [
-+            c for c in map(chr, range(128, sys.maxunicode))
-+            if (hex_chars & set(unicodedata.decomposition(c).split()))
-+            and c not in illegal_chars
-+        ]
-+        # Sanity check that we found at least one such character
-+        self.assertIn('\u2100', denorm_chars)
-+        self.assertIn('\uFF03', denorm_chars)
-+
-+        for scheme in ["http", "https", "ftp"]:
-+            for c in denorm_chars:
-+                url = "{}://netloc{}false.netloc/path".format(scheme, c)
-+                with self.subTest(url=url, char='{:04X}'.format(ord(c))):
-+                    with self.assertRaises(ValueError):
-+                        urllib.parse.urlsplit(url)
- 
- class Utility_Tests(unittest.TestCase):
-     """Testcase to test the various utility functions in the urllib."""
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 85e68c8b42c7..7b06f4d71d67 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
-             delim = min(delim, wdelim)     # use earliest delim position
-     return url[start:delim], url[delim:]   # return (domain, rest)
- 
-+def _checknetloc(netloc):
-+    if not netloc or not any(ord(c) > 127 for c in netloc):
-+        return
-+    # looking for characters like \u2100 that expand to 'a/c'
-+    # IDNA uses NFKC equivalence, so normalize for this check
-+    import unicodedata
-+    netloc2 = unicodedata.normalize('NFKC', netloc)
-+    if netloc == netloc2:
-+        return
-+    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-+    for c in '/?#@:':
-+        if c in netloc2:
-+            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+                             "characters under NFKC normalization")
-+
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
-     <scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -420,6 +435,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-                 url, fragment = url.split('#', 1)
-             if '?' in url:
-                 url, query = url.split('?', 1)
-+            _checknetloc(netloc)
-             v = SplitResult(scheme, netloc, url, query, fragment)
-             _parse_cache[key] = v
-             return _coerce_result(v)
-@@ -443,6 +459,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-         url, query = url.split('?', 1)
-+    _checknetloc(netloc)
-     v = SplitResult(scheme, netloc, url, query, fragment)
-     _parse_cache[key] = v
-     return _coerce_result(v)
-diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-new file mode 100644
-index 000000000000..5546394157f9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-@@ -0,0 +1,3 @@
-+Changes urlsplit() to raise ValueError when the URL contains characters that
-+decompose under IDNA encoding (NFKC-normalization) into characters that
-+affect how the URL is parsed.
diff --git a/system/python3/CVE-2019-9740-and-9947.patch b/system/python3/CVE-2019-9740-and-9947.patch
deleted file mode 100644
index d387dd599..000000000
--- a/system/python3/CVE-2019-9740-and-9947.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From c50d437e942d4c4c45c8cd76329b05340c02eb31 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
-Date: Wed, 8 May 2019 18:33:24 +0200
-Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
- (GH-13155)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Disallow control chars in http URLs in urllib.urlopen.  This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
-
-Disable https related urllib tests on a build without ssl (GH-13032)
-These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
-
-Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
-
-Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
----
- Lib/http/client.py                            | 15 ++++++
- Lib/test/test_urllib.py                       | 53 +++++++++++++++++++
- Lib/test/test_xmlrpc.py                       |  7 ++-
- .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst  |  1 +
- 4 files changed, 75 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index baabfeb2ea8c..1a6bd8ac42eb 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -141,6 +141,16 @@
- _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
- _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
- 
-+# These characters are not allowed within HTTP URL paths.
-+#  See https://tools.ietf.org/html/rfc3986#section-3.3 and the
-+#  https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
-+# Prevents CVE-2019-9740.  Includes control characters such as \r\n.
-+# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
-+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
-+# Arguably only these _should_ allowed:
-+#  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
-+# We are more lenient for assumed real world compatibility purposes.
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -1111,6 +1121,11 @@ def putrequest(self, method, url, skip_host=False,
-         self._method = method
-         if not url:
-             url = '/'
-+        # Prevent CVE-2019-9740.
-+        match = _contains_disallowed_url_pchar_re.search(url)
-+        if match:
-+            raise InvalidURL(f"URL can't contain control characters. {url!r} "
-+                             f"(found at least {match.group()!r})")
-         request = '%s %s %s' % (method, url, self._http_vsn_str)
- 
-         # Non-ASCII characters should have been eliminated earlier
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index fa3757cc94be..649a5b81575b 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -329,6 +329,59 @@ def test_willclose(self):
-         finally:
-             self.unfakehttp()
- 
-+    @unittest.skipUnless(ssl, "ssl module required")
-+    def test_url_with_control_char_rejected(self):
-+        for char_no in list(range(0, 0x21)) + [0x7f]:
-+            char = chr(char_no)
-+            schemeless_url = f"//localhost:7777/test{char}/"
-+            self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+            try:
-+                # We explicitly test urllib.request.urlopen() instead of the top
-+                # level 'def urlopen()' function defined in this... (quite ugly)
-+                # test suite.  They use different url opening codepaths.  Plain
-+                # urlopen uses FancyURLOpener which goes via a codepath that
-+                # calls urllib.parse.quote() on the URL which makes all of the
-+                # above attempts at injection within the url _path_ safe.
-+                escaped_char_repr = repr(char).replace('\\', r'\\')
-+                InvalidURL = http.client.InvalidURL
-+                with self.assertRaisesRegex(
-+                    InvalidURL, f"contain control.*{escaped_char_repr}"):
-+                    urllib.request.urlopen(f"http:{schemeless_url}")
-+                with self.assertRaisesRegex(
-+                    InvalidURL, f"contain control.*{escaped_char_repr}"):
-+                    urllib.request.urlopen(f"https:{schemeless_url}")
-+                # This code path quotes the URL so there is no injection.
-+                resp = urlopen(f"http:{schemeless_url}")
-+                self.assertNotIn(char, resp.geturl())
-+            finally:
-+                self.unfakehttp()
-+
-+    @unittest.skipUnless(ssl, "ssl module required")
-+    def test_url_with_newline_header_injection_rejected(self):
-+        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
-+        schemeless_url = "//" + host + ":8080/test/?test=a"
-+        try:
-+            # We explicitly test urllib.request.urlopen() instead of the top
-+            # level 'def urlopen()' function defined in this... (quite ugly)
-+            # test suite.  They use different url opening codepaths.  Plain
-+            # urlopen uses FancyURLOpener which goes via a codepath that
-+            # calls urllib.parse.quote() on the URL which makes all of the
-+            # above attempts at injection within the url _path_ safe.
-+            InvalidURL = http.client.InvalidURL
-+            with self.assertRaisesRegex(
-+                InvalidURL, r"contain control.*\\r.*(found at least . .)"):
-+                urllib.request.urlopen(f"http:{schemeless_url}")
-+            with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
-+                urllib.request.urlopen(f"https:{schemeless_url}")
-+            # This code path quotes the URL so there is no injection.
-+            resp = urlopen(f"http:{schemeless_url}")
-+            self.assertNotIn(' ', resp.geturl())
-+            self.assertNotIn('\r', resp.geturl())
-+            self.assertNotIn('\n', resp.geturl())
-+        finally:
-+            self.unfakehttp()
-+
-     def test_read_0_9(self):
-         # "0.9" response accepted (but not "simple responses" without
-         # a status line)
-diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
-index 07f7ba0f00b5..fc601d455224 100644
---- a/Lib/test/test_xmlrpc.py
-+++ b/Lib/test/test_xmlrpc.py
-@@ -950,7 +950,12 @@ def test_unicode_host(self):
-     def test_partial_post(self):
-         # Check that a partial POST doesn't make the server loop: issue #14001.
-         conn = http.client.HTTPConnection(ADDR, PORT)
--        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
-+        conn.send('POST /RPC2 HTTP/1.0\r\n'
-+                  'Content-Length: 100\r\n\r\n'
-+                  'bye HTTP/1.1\r\n'
-+                  f'Host: {ADDR}:{PORT}\r\n'
-+                  'Accept-Encoding: identity\r\n'
-+                  'Content-Length: 0\r\n\r\n'.encode('ascii'))
-         conn.close()
- 
-     def test_context_manager(self):
-diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-new file mode 100644
-index 000000000000..ed8027fb4d64
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-@@ -0,0 +1 @@
-+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request.  Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
diff --git a/system/python3/test-fix-selfsign-cert.patch b/system/python3/test-fix-selfsign-cert.patch
deleted file mode 100644
index eb6c9f355..000000000
--- a/system/python3/test-fix-selfsign-cert.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 2b9d7abdbd4b41e2c624858f5bc80da59d8a681d Mon Sep 17 00:00:00 2001
-From: "Gregory P. Smith" <greg@krypto.org>
-Date: Wed, 8 May 2019 14:20:59 -0500
-Subject: [PATCH] [3.6] bpo-36816: Update the self-signed.pythontest.net cert
- (GH-13192) (GH-13198)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We updated the server, our testsuite must match.
-
-https://bugs.python.org/issue36816
-
-✈️ CLE -> DEN ✈️ GH-pycon2019
-(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
-
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
----
- Lib/test/selfsigned_pythontestdotnet.pem      | 46 +++++++++++++------
- .../2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst  |  1 +
- 2 files changed, 33 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
-
-diff --git a/Lib/test/selfsigned_pythontestdotnet.pem b/Lib/test/selfsigned_pythontestdotnet.pem
-index b6d259bcb236..2b1760747bce 100644
---- a/Lib/test/selfsigned_pythontestdotnet.pem
-+++ b/Lib/test/selfsigned_pythontestdotnet.pem
-@@ -1,16 +1,34 @@
- -----BEGIN CERTIFICATE-----
--MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
--BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
--IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
--bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
--A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
--b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
--aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
--Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
--Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
--EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
--bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
--AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
--TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
--C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
-+MIIF9zCCA9+gAwIBAgIUH98b4Fw/DyugC9cV7VK7ZODzHsIwDQYJKoZIhvcNAQEL
-+BQAwgYoxCzAJBgNVBAYTAlhZMRcwFQYDVQQIDA5DYXN0bGUgQW50aHJheDEYMBYG
-+A1UEBwwPQXJndW1lbnQgQ2xpbmljMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUg
-+Rm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0aG9udGVzdC5uZXQw
-+HhcNMTkwNTA4MDEwMjQzWhcNMjcwNzI0MDEwMjQzWjCBijELMAkGA1UEBhMCWFkx
-+FzAVBgNVBAgMDkNhc3RsZSBBbnRocmF4MRgwFgYDVQQHDA9Bcmd1bWVudCBDbGlu
-+aWMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMSMwIQYDVQQD
-+DBpzZWxmLXNpZ25lZC5weXRob250ZXN0Lm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
-+ggIPADCCAgoCggIBAMKdJlyCThkahwoBb7pl5q64Pe9Fn5jrIvzsveHTc97TpjV2
-+RLfICnXKrltPk/ohkVl6K5SUZQZwMVzFubkyxE0nZPHYHlpiKWQxbsYVkYv01rix
-+IFdLvaxxbGYke2jwQao31s4o61AdlsfK1SdpHQUynBBMssqI3SB4XPmcA7e+wEEx
-+jxjVish4ixA1vuIZOx8yibu+CFCf/geEjoBMF3QPdzULzlrCSw8k/45iZCSoNbvK
-+DoL4TVV07PHOxpheDh8ZQmepGvU6pVqhb9m4lgmV0OGWHgozd5Ur9CbTVDmxIEz3
-+TSoRtNJK7qtyZdGNqwjksQxgZTjM/d/Lm/BJG99AiOmYOjsl9gbQMZgvQmMAtUsI
-+aMJnQuZ6R+KEpW/TR5qSKLWZSG45z/op+tzI2m+cE6HwTRVAWbcuJxcAA55MZjqU
-+OOOu3BBYMjS5nf2sQ9uoXsVBFH7i0mQqoW1SLzr9opI8KsWwFxQmO2vBxWYaN+lH
-+OmwBZBwyODIsmI1YGXmTp09NxRYz3Qe5GCgFzYowpMrcxUC24iduIdMwwhRM7rKg
-+7GtIWMSrFfuI1XCLRmSlhDbhNN6fVg2f8Bo9PdH9ihiIyxSrc+FOUasUYCCJvlSZ
-+8hFUlLvcmrZlWuazohm0lsXuMK1JflmQr/DA/uXxP9xzFfRy+RU3jDyxJbRHAgMB
-+AAGjUzBRMB0GA1UdDgQWBBSQJyxiPMRK01i+0BsV9zUwDiBaHzAfBgNVHSMEGDAW
-+gBSQJyxiPMRK01i+0BsV9zUwDiBaHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-+DQEBCwUAA4ICAQCR+7a7N/m+WLkxPPIA/CB4MOr2Uf8ixTv435Nyv6rXOun0+lTP
-+ExSZ0uYQ+L0WylItI3cQHULldDueD+s8TGzxf5woaLKf6tqyr0NYhKs+UeNEzDnN
-+9PHQIhX0SZw3XyXGUgPNBfRCg2ZDdtMMdOU4XlQN/IN/9hbYTrueyY7eXq9hmtI9
-+1srftAMqr9SR1JP7aHI6DVgrEsZVMTDnfT8WmLSGLlY1HmGfdEn1Ip5sbo9uSkiH
-+AEPgPfjYIvR5LqTOMn4KsrlZyBbFIDh9Sl99M1kZzgH6zUGVLCDg1y6Cms69fx/e
-+W1HoIeVkY4b4TY7Bk7JsqyNhIuqu7ARaxkdaZWhYaA2YyknwANdFfNpfH+elCLIk
-+BUt5S3f4i7DaUePTvKukCZiCq4Oyln7RcOn5If73wCeLB/ZM9Ei1HforyLWP1CN8
-+XLfpHaoeoPSWIveI0XHUl65LsPN2UbMbul/F23hwl+h8+BLmyAS680Yhn4zEN6Ku
-+B7Po90HoFa1Du3bmx4jsN73UkT/dwMTi6K072FbipnC1904oGlWmLwvAHvrtxxmL
-+Pl3pvEaZIu8wa/PNF6Y7J7VIewikIJq6Ta6FrWeFfzMWOj2qA1ZZi6fUaDSNYvuV
-+J5quYKCc/O+I/yDDf8wyBbZ/gvUXzUHTMYGG+bFrn1p7XDbYYeEJ6R/xEg==
- -----END CERTIFICATE-----
-diff --git a/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
-new file mode 100644
-index 000000000000..420dfe832366
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
-@@ -0,0 +1 @@
-+Update Lib/test/selfsigned_pythontestdotnet.pem to match self-signed.pythontest.net's new TLS certificate.
-\ No newline at end of file
diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index 963fe871c..791fcb610 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=exiv2
-pkgver=0.27.1
+pkgver=0.27.2
 pkgrel=0
 pkgdesc="Exif, IPTC and XMP metadata library and tools"
 url="https://www.exiv2.org/"
@@ -74,6 +74,14 @@ builddir="$srcdir/$pkgname-$pkgver-Source"
 #     - CVE-2018-17581
 #     - CVE-2018-19107
 #     - CVE-2018-19108
+#   0.27.2-r0:
+#     - CVE-2019-13108
+#     - CVE-2019-13109
+#     - CVE-2019-13110
+#     - CVE-2019-13111
+#     - CVE-2019-13112
+#     - CVE-2019-13113
+#     - CVE-2019-13114
 
 prepare() {
 	default_prepare
@@ -98,4 +106,4 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="038b51241f5bfb323eb298695b5397a7d88d5c7d7303828e5e20b3f82c3df2615cee3e7e3426ea17438ca05d5abea10984cfd41f0649ddab72df1d1415bf3529  exiv2-0.27.1-Source.tar.gz"
+sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721  exiv2-0.27.2-Source.tar.gz"
diff --git a/user/glib/APKBUILD b/user/glib/APKBUILD
index 818172fd7..8640fcf1b 100644
--- a/user/glib/APKBUILD
+++ b/user/glib/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=glib
-pkgver=2.60.4
+pkgver=2.60.6
 pkgrel=0
 pkgdesc="Common C routines used by Gtk+ and other libs"
 url="https://developer.gnome.org/glib/"
@@ -75,7 +75,7 @@ bashcomp() {
 	[ "$(ls -A "$pkgdir"/usr/share)" ] || rmdir "$pkgdir"/usr/share
 }
 
-sha512sums="614d25652ec9e8387f7865777e128b7f6fd68ff4a1a000868117cbcf5210b5f6aa476eb2b795a6dde56b997906aeb2157c83308f1421a27c4e379522d0ed0afc  glib-2.60.4.tar.xz
+sha512sums="2e079d2268e0cd4dd234501c03e7784a69258ea2303e62baa4869ff7a442d121c2ffdc742467e3b0b46ad953b831962e1dd847463d66b2b28745ba0f0bfd28d9  glib-2.60.6.tar.xz
 32e5aca9a315fb985fafa0b4355e4498c1f877fc1f0b58ad4ac261fb9fbced9f026c7756a5f2af7d61ce756b55c8cd02811bb08df397040e93510056f073756b  0001-gquark-fix-initialization-with-c-constructors.patch
 657d3fdf7f8ac7edd5bae572d00497f2236fbe5a91a577f3cb7ceb2ccf067f2944918b2b90308fc1061f45daf3d4910067b98642383ce8761da2a1faff6e9b4f  broken-gio-tests.patch
 0f0a98784aeed92f33cd9239d2f668bdc6c09b84ed020825ae88f6aacf6a922152dc3e1384c40d9f30f54c5ab78fe17e0ee5c42b268b297b595d2a6cde5b8998  fix-spawn.patch
diff --git a/user/py3-lxml/APKBUILD b/user/py3-lxml/APKBUILD
index 8e07f64aa..42039bf3d 100644
--- a/user/py3-lxml/APKBUILD
+++ b/user/py3-lxml/APKBUILD
@@ -5,12 +5,13 @@ pkgname=py3-lxml
 _pkgname=lxml
 _p="${_pkgname#?}"
 _p="${_pkgname%"$_p"}"
-pkgver=4.3.4
+pkgver=4.4.0
 pkgrel=0
 pkgdesc="Python LXML Library"
 url="https://lxml.de/"
 arch="all"
 options="!check"  # No test suite.
+# Certified net clean
 license="BSD-3-Clause"
 depends=""
 makedepends="python3-dev libxml2-dev libxslt-dev"
@@ -25,4 +26,4 @@ package() {
 	python3 setup.py install --prefix=/usr --root="$pkgdir"
 }
 
-sha512sums="7349cb4805e538da5b11edcb79fcd09ddedf0d52e50273a4e587f209e6b147b50737c45dcfc8eb3ee8e7be8f99769046f704c5fc8c35cee74d5d22ef72d503ed  lxml-4.3.4.tar.gz"
+sha512sums="21db932bc0897fec0d8b0d7bc71ff8e8b5d447016691b5d438cb7c835a1dfe5c154da44bbbbde59af35faf11a67055e58160ae810ee75ab0759039396bcf2482  lxml-4.4.0.tar.gz"
diff --git a/user/py3-mako/APKBUILD b/user/py3-mako/APKBUILD
index 0f7a0ab72..00dcf775d 100644
--- a/user/py3-mako/APKBUILD
+++ b/user/py3-mako/APKBUILD
@@ -4,11 +4,12 @@ pkgname=py3-mako
 _pkgname=Mako
 _p="${_pkgname#?}"
 _p="${_pkgname%"$_p"}"
-pkgver=1.0.12
+pkgver=1.1.0
 pkgrel=0
 pkgdesc="Fast templating language for Python"
 url="http://www.makotemplates.org/"
 arch="noarch"
+# Certified net clean
 license="MIT"
 depends="python3"
 makedepends="python3-dev"
@@ -22,11 +23,11 @@ build() {
 }
 
 check() {
-	python3 setup.py test
+	py.test
 }
 
 package() {
 	python3 setup.py install --prefix=/usr --root="$pkgdir"
 }
 
-sha512sums="aa295880c07938425e661b8865fed7cf398ac257d6b84bdbef5a2c542bbae79cd27df363e81c10450c9b6c8e038360166480b06e701d5a5affeb7bd03a7f5d83  Mako-1.0.12.tar.gz"
+sha512sums="acb0f53a22ae152c359c38391f508eca706efcc52916a6e87f2702517dd48b5ffd26eef0f2f9172046f1abd0aea1f47328354ff622938886aa00f950a261e8d4  Mako-1.1.0.tar.gz"
diff --git a/user/py3-websockets/APKBUILD b/user/py3-websockets/APKBUILD
index d3db557cb..2655259cf 100644
--- a/user/py3-websockets/APKBUILD
+++ b/user/py3-websockets/APKBUILD
@@ -4,11 +4,12 @@ pkgname=py3-websockets
 _pkgname=${pkgname#py3-}
 _p="${_pkgname#?}"
 _p="${_pkgname%"$_p"}"
-pkgver=8.0
+pkgver=8.0.2
 pkgrel=0
 pkgdesc="Python implementation of RFCs 6455 and 7692"
 url="https://pypi.org/project/websockets/"
 arch="all"
+# Certified net clean
 license="BSD-3-Clause"
 depends="python3"
 makedepends="python3-dev"
@@ -29,4 +30,4 @@ package() {
 	python3 setup.py install --prefix=/usr --root="$pkgdir"
 }
 
-sha512sums="8ae408224367b4e1fcab4d39758f75902072b15e833ed9db41afc9b69deb8cb6f1c538c200785e260cd890f31562feaeb99bdbcec445c5561714a9f08b936f6f  websockets-8.0.tar.gz"
+sha512sums="d2a1a4c781776ec621e63e020033b1d6a6b35109d7648940a980f01067edc39fbdb49cde6ab606319584cc75d0d5f16c34fec7a308b14eaf672a5730e84c3791  websockets-8.0.2.tar.gz"