summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/cmake/APKBUILD4
-rw-r--r--system/console-setup/APKBUILD6
-rw-r--r--system/debianutils/APKBUILD5
-rw-r--r--system/libarchive/APKBUILD4
-rw-r--r--system/python3/APKBUILD19
-rw-r--r--system/python3/CVE-2019-9636.patch150
-rw-r--r--system/python3/CVE-2019-9740-and-9947.patch147
-rw-r--r--system/python3/test-fix-selfsign-cert.patch84
-rw-r--r--system/zstd/APKBUILD27
9 files changed, 46 insertions, 400 deletions
diff --git a/system/cmake/APKBUILD b/system/cmake/APKBUILD
index 8473fb2a6..902db321e 100644
--- a/system/cmake/APKBUILD
+++ b/system/cmake/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=cmake
-pkgver=3.14.5
+pkgver=3.15.1
pkgrel=0
pkgdesc="Cross-platform build system"
url="https://cmake.org"
@@ -51,4 +51,4 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="9acd2de17db86052801194cac570bfc104320c249b83058aa59554b42c3d5af9c9293d1c069f3fe8512a80103d511186d840168cbc190ce9584ca99cb9b11e46 cmake-3.14.5.tar.gz"
+sha512sums="6900a84c7764034331fb6f00801841a7a3e667ac39813c35ceb3db983b33a5bf6addbbc8539c39a0c0be9e10204c79d6236886a9d50ce901a56275b53619ec73 cmake-3.15.1.tar.gz"
diff --git a/system/console-setup/APKBUILD b/system/console-setup/APKBUILD
index 519d9cffb..9dcff6162 100644
--- a/system/console-setup/APKBUILD
+++ b/system/console-setup/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: A. Wilcox <awilfox@adelielinux.org>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=console-setup
-pkgver=1.191
-pkgrel=1
+pkgver=1.193
+pkgrel=0
pkgdesc="Set up console font and keyboard layout"
url="https://salsa.debian.org/installer-team/console-setup"
arch="noarch"
@@ -44,5 +44,5 @@ ckbcomp() {
mv "$pkgdir"/usr/bin/ckbcomp "$subpkgdir"/usr/bin/
}
-sha512sums="a56a6db65a5603832770f7175db95468a213f39f324d78235cb8f4d88aaa94cd8eda1aae22a87082aa9ef76466c8bc7b113c43583fb74134013abb7ee6d83389 console-setup_1.191.tar.xz
+sha512sums="ed463c1a660931a133f933dd6505a1d3d2219756d230b1a3cddbb44e15c19b18235e846927e5d0fb9cf4141359bd9f029c66296601fd517b72b99b5d0850f44e console-setup_1.193.tar.xz
3b8e2c9d8551f9a51bcd33e58771a4f55ff2840f8fe392e0070bd2b6a3911cd9ed9377873538f6904fd99836ac4e0280c712be69d275aae9183dd12ff7efddae console-setup.initd"
diff --git a/system/debianutils/APKBUILD b/system/debianutils/APKBUILD
index 01a665967..5a6be29d4 100644
--- a/system/debianutils/APKBUILD
+++ b/system/debianutils/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: A. Wilcox <awilfox@adelielinux.org>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=debianutils
-pkgver=4.8.6.1
+pkgver=4.8.6.3
pkgrel=0
pkgdesc="Useful utilities from Debian"
url="https://packages.qa.debian.org/d/debianutils.html"
@@ -12,7 +12,6 @@ depends="coreutils mawk" # awk, cat, and rm are required by add-shell
makedepends="grep" # early package, declare these
subpackages="$pkgname-doc $pkgname-which::noarch"
source="http://ftp.debian.org/debian/pool/main/d/$pkgname/${pkgname}_${pkgver}.tar.xz"
-builddir="$srcdir/$pkgname"
build() {
./configure \
@@ -38,4 +37,4 @@ which() {
mv "${pkgdir}-doc"/usr/share/man/man1/which* "$subpkgdir"/usr/share/man/man1/
}
-sha512sums="158f024311b3de292bd20df966c0f61285c748597101cee61e81883e0032c1e6a4baccb5c231b28f00ce3afc58a4aaedd64a65641351974c37fdb5f4952b0d2a debianutils_4.8.6.1.tar.xz"
+sha512sums="c38d1d351de69f270924f05755501d90cb7245c8a3154f91ea8e38978052ffe2ec016d4400c55e2f7d31358cfe134a40c5843a33836900d7e69cce9ee8ace98e debianutils_4.8.6.3.tar.xz"
diff --git a/system/libarchive/APKBUILD b/system/libarchive/APKBUILD
index 6679a3a6a..18017ee7c 100644
--- a/system/libarchive/APKBUILD
+++ b/system/libarchive/APKBUILD
@@ -2,14 +2,14 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libarchive
pkgver=3.4.0
-pkgrel=0
+pkgrel=1
pkgdesc="Library for creating and reading streaming archives"
url="https://libarchive.org/"
arch="all"
options="!check" # needs EUC-JP and KOI8R support in iconv
license="BSD-2-Clause AND BSD-3-Clause AND Public-Domain"
makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev openssl-dev expat-dev
- attr-dev"
+ attr-dev zstd-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
source="https://github.com/libarchive/libarchive/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
seek-error.patch
diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD
index 0bb9db2a2..f14f72b1c 100644
--- a/system/python3/APKBUILD
+++ b/system/python3/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Kiyoshi Aman <kiyoshi.aman@gmail.com>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=python3
-pkgver=3.6.8
+pkgver=3.6.9
_basever="${pkgver%.*}"
pkgrel=0
pkgdesc="A high-level scripting language"
@@ -40,19 +40,23 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
fix-xattrs-glibc.patch
- CVE-2019-9636.patch
- CVE-2019-9740-and-9947.patch
- test-fix-selfsign-cert.patch
"
builddir="$srcdir/Python-$pkgver"
# secfixes: python
+# 3.6.5-r0:
+# - CVE-2018-1060
+# - CVE-2018-1061
# 3.6.8-r0:
# - CVE-2018-14647
# - CVE-2018-20406
# - CVE-2019-9636
# - CVE-2019-9740
# - CVE-2019-9947
+# 3.6.9-r0:
+# - CVE-2018-20852
+# - CVE-2019-5010
+# - CVE-2019-9948
prepare() {
default_prepare
@@ -172,9 +176,6 @@ wininst() {
"$subpkgdir"/usr/lib/python$_basever/distutils/command
}
-sha512sums="b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a Python-3.6.8.tar.xz
+sha512sums="05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819 Python-3.6.9.tar.xz
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
-37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch
-bf2ec0bdba63b714f99aa9783a31ab935b234cabe4dc482769462a55bd572c74e03f192fbc5e8a7e2b9a887a5eef7dc0c3819fb464b656f73b500d1b65b591ad CVE-2019-9636.patch
-daae79c8d914f0afe3c09ef15fa2838958e3d9a45e37bb7ebf84ce431b3635f48744011c640e0f6696922db76da199a55befb3754e335660b6d25f3dad2a8c4e CVE-2019-9740-and-9947.patch
-34bb7353e93f74a0f70d9b44f9bb9a6561c47a6d2169e08390818113bcb8b25c6660dfab2c2ef2aba6c08805e71719227baf01285da7f8276c61fba422a1bad2 test-fix-selfsign-cert.patch"
+37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch"
diff --git a/system/python3/CVE-2019-9636.patch b/system/python3/CVE-2019-9636.patch
deleted file mode 100644
index 45a2c8e97..000000000
--- a/system/python3/CVE-2019-9636.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 23fc0416454c4ad5b9b23d520fbe6d89be3efc24 Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@microsoft.com>
-Date: Mon, 11 Mar 2019 21:34:03 -0700
-Subject: [PATCH] [3.6] bpo-36216: Add check for characters in netloc that
- normalize to separators (GH-12201) (GH-12215)
-
----
- Doc/library/urllib.parse.rst | 18 +++++++++++++++
- Lib/test/test_urlparse.py | 23 +++++++++++++++++++
- Lib/urllib/parse.py | 17 ++++++++++++++
- .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
- 4 files changed, 61 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-
-diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
-index d991254d5ca1..647af613a315 100644
---- a/Doc/library/urllib.parse.rst
-+++ b/Doc/library/urllib.parse.rst
-@@ -121,6 +121,11 @@ or on combining URL components into a URL string.
- Unmatched square brackets in the :attr:`netloc` attribute will raise a
- :exc:`ValueError`.
-
-+ Characters in the :attr:`netloc` attribute that decompose under NFKC
-+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+ decomposed before parsing, no error will be raised.
-+
- .. versionchanged:: 3.2
- Added IPv6 URL parsing capabilities.
-
-@@ -133,6 +138,10 @@ or on combining URL components into a URL string.
- Out-of-range port numbers now raise :exc:`ValueError`, instead of
- returning :const:`None`.
-
-+ .. versionchanged:: 3.6.9
-+ Characters that affect netloc parsing under NFKC normalization will
-+ now raise :exc:`ValueError`.
-+
-
- .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
-
-@@ -256,10 +265,19 @@ or on combining URL components into a URL string.
- Unmatched square brackets in the :attr:`netloc` attribute will raise a
- :exc:`ValueError`.
-
-+ Characters in the :attr:`netloc` attribute that decompose under NFKC
-+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+ decomposed before parsing, no error will be raised.
-+
- .. versionchanged:: 3.6
- Out-of-range port numbers now raise :exc:`ValueError`, instead of
- returning :const:`None`.
-
-+ .. versionchanged:: 3.6.9
-+ Characters that affect netloc parsing under NFKC normalization will
-+ now raise :exc:`ValueError`.
-+
-
- .. function:: urlunsplit(parts)
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index be50b47603aa..e6638aee2244 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1,3 +1,5 @@
-+import sys
-+import unicodedata
- import unittest
- import urllib.parse
-
-@@ -984,6 +986,27 @@ def test_all(self):
- expected.append(name)
- self.assertCountEqual(urllib.parse.__all__, expected)
-
-+ def test_urlsplit_normalization(self):
-+ # Certain characters should never occur in the netloc,
-+ # including under normalization.
-+ # Ensure that ALL of them are detected and cause an error
-+ illegal_chars = '/:#?@'
-+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
-+ denorm_chars = [
-+ c for c in map(chr, range(128, sys.maxunicode))
-+ if (hex_chars & set(unicodedata.decomposition(c).split()))
-+ and c not in illegal_chars
-+ ]
-+ # Sanity check that we found at least one such character
-+ self.assertIn('\u2100', denorm_chars)
-+ self.assertIn('\uFF03', denorm_chars)
-+
-+ for scheme in ["http", "https", "ftp"]:
-+ for c in denorm_chars:
-+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
-+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
-+ with self.assertRaises(ValueError):
-+ urllib.parse.urlsplit(url)
-
- class Utility_Tests(unittest.TestCase):
- """Testcase to test the various utility functions in the urllib."""
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 85e68c8b42c7..7b06f4d71d67 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
- delim = min(delim, wdelim) # use earliest delim position
- return url[start:delim], url[delim:] # return (domain, rest)
-
-+def _checknetloc(netloc):
-+ if not netloc or not any(ord(c) > 127 for c in netloc):
-+ return
-+ # looking for characters like \u2100 that expand to 'a/c'
-+ # IDNA uses NFKC equivalence, so normalize for this check
-+ import unicodedata
-+ netloc2 = unicodedata.normalize('NFKC', netloc)
-+ if netloc == netloc2:
-+ return
-+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-+ for c in '/?#@:':
-+ if c in netloc2:
-+ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+ "characters under NFKC normalization")
-+
- def urlsplit(url, scheme='', allow_fragments=True):
- """Parse a URL into 5 components:
- <scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -420,6 +435,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
- url, fragment = url.split('#', 1)
- if '?' in url:
- url, query = url.split('?', 1)
-+ _checknetloc(netloc)
- v = SplitResult(scheme, netloc, url, query, fragment)
- _parse_cache[key] = v
- return _coerce_result(v)
-@@ -443,6 +459,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
- url, fragment = url.split('#', 1)
- if '?' in url:
- url, query = url.split('?', 1)
-+ _checknetloc(netloc)
- v = SplitResult(scheme, netloc, url, query, fragment)
- _parse_cache[key] = v
- return _coerce_result(v)
-diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-new file mode 100644
-index 000000000000..5546394157f9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-@@ -0,0 +1,3 @@
-+Changes urlsplit() to raise ValueError when the URL contains characters that
-+decompose under IDNA encoding (NFKC-normalization) into characters that
-+affect how the URL is parsed.
diff --git a/system/python3/CVE-2019-9740-and-9947.patch b/system/python3/CVE-2019-9740-and-9947.patch
deleted file mode 100644
index d387dd599..000000000
--- a/system/python3/CVE-2019-9740-and-9947.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From c50d437e942d4c4c45c8cd76329b05340c02eb31 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
-Date: Wed, 8 May 2019 18:33:24 +0200
-Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
- (GH-13155)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
-
-Disable https related urllib tests on a build without ssl (GH-13032)
-These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
-
-Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
-
-Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
----
- Lib/http/client.py | 15 ++++++
- Lib/test/test_urllib.py | 53 +++++++++++++++++++
- Lib/test/test_xmlrpc.py | 7 ++-
- .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
- 4 files changed, 75 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index baabfeb2ea8c..1a6bd8ac42eb 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -141,6 +141,16 @@
- _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
- _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
-
-+# These characters are not allowed within HTTP URL paths.
-+# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
-+# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
-+# Prevents CVE-2019-9740. Includes control characters such as \r\n.
-+# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
-+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
-+# Arguably only these _should_ allowed:
-+# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
-+# We are more lenient for assumed real world compatibility purposes.
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -1111,6 +1121,11 @@ def putrequest(self, method, url, skip_host=False,
- self._method = method
- if not url:
- url = '/'
-+ # Prevent CVE-2019-9740.
-+ match = _contains_disallowed_url_pchar_re.search(url)
-+ if match:
-+ raise InvalidURL(f"URL can't contain control characters. {url!r} "
-+ f"(found at least {match.group()!r})")
- request = '%s %s %s' % (method, url, self._http_vsn_str)
-
- # Non-ASCII characters should have been eliminated earlier
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index fa3757cc94be..649a5b81575b 100644
---- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -329,6 +329,59 @@ def test_willclose(self):
- finally:
- self.unfakehttp()
-
-+ @unittest.skipUnless(ssl, "ssl module required")
-+ def test_url_with_control_char_rejected(self):
-+ for char_no in list(range(0, 0x21)) + [0x7f]:
-+ char = chr(char_no)
-+ schemeless_url = f"//localhost:7777/test{char}/"
-+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+ try:
-+ # We explicitly test urllib.request.urlopen() instead of the top
-+ # level 'def urlopen()' function defined in this... (quite ugly)
-+ # test suite. They use different url opening codepaths. Plain
-+ # urlopen uses FancyURLOpener which goes via a codepath that
-+ # calls urllib.parse.quote() on the URL which makes all of the
-+ # above attempts at injection within the url _path_ safe.
-+ escaped_char_repr = repr(char).replace('\\', r'\\')
-+ InvalidURL = http.client.InvalidURL
-+ with self.assertRaisesRegex(
-+ InvalidURL, f"contain control.*{escaped_char_repr}"):
-+ urllib.request.urlopen(f"http:{schemeless_url}")
-+ with self.assertRaisesRegex(
-+ InvalidURL, f"contain control.*{escaped_char_repr}"):
-+ urllib.request.urlopen(f"https:{schemeless_url}")
-+ # This code path quotes the URL so there is no injection.
-+ resp = urlopen(f"http:{schemeless_url}")
-+ self.assertNotIn(char, resp.geturl())
-+ finally:
-+ self.unfakehttp()
-+
-+ @unittest.skipUnless(ssl, "ssl module required")
-+ def test_url_with_newline_header_injection_rejected(self):
-+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
-+ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
-+ schemeless_url = "//" + host + ":8080/test/?test=a"
-+ try:
-+ # We explicitly test urllib.request.urlopen() instead of the top
-+ # level 'def urlopen()' function defined in this... (quite ugly)
-+ # test suite. They use different url opening codepaths. Plain
-+ # urlopen uses FancyURLOpener which goes via a codepath that
-+ # calls urllib.parse.quote() on the URL which makes all of the
-+ # above attempts at injection within the url _path_ safe.
-+ InvalidURL = http.client.InvalidURL
-+ with self.assertRaisesRegex(
-+ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
-+ urllib.request.urlopen(f"http:{schemeless_url}")
-+ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
-+ urllib.request.urlopen(f"https:{schemeless_url}")
-+ # This code path quotes the URL so there is no injection.
-+ resp = urlopen(f"http:{schemeless_url}")
-+ self.assertNotIn(' ', resp.geturl())
-+ self.assertNotIn('\r', resp.geturl())
-+ self.assertNotIn('\n', resp.geturl())
-+ finally:
-+ self.unfakehttp()
-+
- def test_read_0_9(self):
- # "0.9" response accepted (but not "simple responses" without
- # a status line)
-diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
-index 07f7ba0f00b5..fc601d455224 100644
---- a/Lib/test/test_xmlrpc.py
-+++ b/Lib/test/test_xmlrpc.py
-@@ -950,7 +950,12 @@ def test_unicode_host(self):
- def test_partial_post(self):
- # Check that a partial POST doesn't make the server loop: issue #14001.
- conn = http.client.HTTPConnection(ADDR, PORT)
-- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
-+ conn.send('POST /RPC2 HTTP/1.0\r\n'
-+ 'Content-Length: 100\r\n\r\n'
-+ 'bye HTTP/1.1\r\n'
-+ f'Host: {ADDR}:{PORT}\r\n'
-+ 'Accept-Encoding: identity\r\n'
-+ 'Content-Length: 0\r\n\r\n'.encode('ascii'))
- conn.close()
-
- def test_context_manager(self):
-diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-new file mode 100644
-index 000000000000..ed8027fb4d64
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
-@@ -0,0 +1 @@
-+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
diff --git a/system/python3/test-fix-selfsign-cert.patch b/system/python3/test-fix-selfsign-cert.patch
deleted file mode 100644
index eb6c9f355..000000000
--- a/system/python3/test-fix-selfsign-cert.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 2b9d7abdbd4b41e2c624858f5bc80da59d8a681d Mon Sep 17 00:00:00 2001
-From: "Gregory P. Smith" <greg@krypto.org>
-Date: Wed, 8 May 2019 14:20:59 -0500
-Subject: [PATCH] [3.6] bpo-36816: Update the self-signed.pythontest.net cert
- (GH-13192) (GH-13198)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We updated the server, our testsuite must match.
-
-https://bugs.python.org/issue36816
-
-✈️ CLE -> DEN ✈️ GH-pycon2019
-(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
-
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
----
- Lib/test/selfsigned_pythontestdotnet.pem | 46 +++++++++++++------
- .../2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst | 1 +
- 2 files changed, 33 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
-
-diff --git a/Lib/test/selfsigned_pythontestdotnet.pem b/Lib/test/selfsigned_pythontestdotnet.pem
-index b6d259bcb236..2b1760747bce 100644
---- a/Lib/test/selfsigned_pythontestdotnet.pem
-+++ b/Lib/test/selfsigned_pythontestdotnet.pem
-@@ -1,16 +1,34 @@
- -----BEGIN CERTIFICATE-----
--MIIClTCCAf6gAwIBAgIJAKGU95wKR8pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
--BAYTAlhZMRcwFQYDVQQHDA5DYXN0bGUgQW50aHJheDEjMCEGA1UECgwaUHl0aG9u
--IFNvZnR3YXJlIEZvdW5kYXRpb24xIzAhBgNVBAMMGnNlbGYtc2lnbmVkLnB5dGhv
--bnRlc3QubmV0MB4XDTE0MTEwMjE4MDkyOVoXDTI0MTAzMDE4MDkyOVowcDELMAkG
--A1UEBhMCWFkxFzAVBgNVBAcMDkNhc3RsZSBBbnRocmF4MSMwIQYDVQQKDBpQeXRo
--b24gU29mdHdhcmUgRm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0
--aG9udGVzdC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANDXQXW9tjyZ
--Xt0Iv2tLL1+jinr4wGg36ioLDLFkMf+2Y1GL0v0BnKYG4N1OKlAU15LXGeGer8vm
--Sv/yIvmdrELvhAbbo3w4a9TMYQA4XkIVLdvu3mvNOAet+8PMJxn26dbDhG809ALv
--EHY57lQsBS3G59RZyBPVqAqmImWNJnVzAgMBAAGjNzA1MCUGA1UdEQQeMByCGnNl
--bGYtc2lnbmVkLnB5dGhvbnRlc3QubmV0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
--AQEFBQADgYEAIuzAhgMouJpNdf3URCHIineyoSt6WK/9+eyUcjlKOrDoXNZaD72h
--TXMeKYoWvJyVcSLKL8ckPtDobgP2OTt0UkyAaj0n+ZHaqq1lH2yVfGUA1ILJv515
--C8BqbvVZuqm3i7ygmw3bqE/lYMgOrYtXXnqOrz6nvsE6Yc9V9rFflOM=
-+MIIF9zCCA9+gAwIBAgIUH98b4Fw/DyugC9cV7VK7ZODzHsIwDQYJKoZIhvcNAQEL
-+BQAwgYoxCzAJBgNVBAYTAlhZMRcwFQYDVQQIDA5DYXN0bGUgQW50aHJheDEYMBYG
-+A1UEBwwPQXJndW1lbnQgQ2xpbmljMSMwIQYDVQQKDBpQeXRob24gU29mdHdhcmUg
-+Rm91bmRhdGlvbjEjMCEGA1UEAwwac2VsZi1zaWduZWQucHl0aG9udGVzdC5uZXQw
-+HhcNMTkwNTA4MDEwMjQzWhcNMjcwNzI0MDEwMjQzWjCBijELMAkGA1UEBhMCWFkx
-+FzAVBgNVBAgMDkNhc3RsZSBBbnRocmF4MRgwFgYDVQQHDA9Bcmd1bWVudCBDbGlu
-+aWMxIzAhBgNVBAoMGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMSMwIQYDVQQD
-+DBpzZWxmLXNpZ25lZC5weXRob250ZXN0Lm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
-+ggIPADCCAgoCggIBAMKdJlyCThkahwoBb7pl5q64Pe9Fn5jrIvzsveHTc97TpjV2
-+RLfICnXKrltPk/ohkVl6K5SUZQZwMVzFubkyxE0nZPHYHlpiKWQxbsYVkYv01rix
-+IFdLvaxxbGYke2jwQao31s4o61AdlsfK1SdpHQUynBBMssqI3SB4XPmcA7e+wEEx
-+jxjVish4ixA1vuIZOx8yibu+CFCf/geEjoBMF3QPdzULzlrCSw8k/45iZCSoNbvK
-+DoL4TVV07PHOxpheDh8ZQmepGvU6pVqhb9m4lgmV0OGWHgozd5Ur9CbTVDmxIEz3
-+TSoRtNJK7qtyZdGNqwjksQxgZTjM/d/Lm/BJG99AiOmYOjsl9gbQMZgvQmMAtUsI
-+aMJnQuZ6R+KEpW/TR5qSKLWZSG45z/op+tzI2m+cE6HwTRVAWbcuJxcAA55MZjqU
-+OOOu3BBYMjS5nf2sQ9uoXsVBFH7i0mQqoW1SLzr9opI8KsWwFxQmO2vBxWYaN+lH
-+OmwBZBwyODIsmI1YGXmTp09NxRYz3Qe5GCgFzYowpMrcxUC24iduIdMwwhRM7rKg
-+7GtIWMSrFfuI1XCLRmSlhDbhNN6fVg2f8Bo9PdH9ihiIyxSrc+FOUasUYCCJvlSZ
-+8hFUlLvcmrZlWuazohm0lsXuMK1JflmQr/DA/uXxP9xzFfRy+RU3jDyxJbRHAgMB
-+AAGjUzBRMB0GA1UdDgQWBBSQJyxiPMRK01i+0BsV9zUwDiBaHzAfBgNVHSMEGDAW
-+gBSQJyxiPMRK01i+0BsV9zUwDiBaHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-+DQEBCwUAA4ICAQCR+7a7N/m+WLkxPPIA/CB4MOr2Uf8ixTv435Nyv6rXOun0+lTP
-+ExSZ0uYQ+L0WylItI3cQHULldDueD+s8TGzxf5woaLKf6tqyr0NYhKs+UeNEzDnN
-+9PHQIhX0SZw3XyXGUgPNBfRCg2ZDdtMMdOU4XlQN/IN/9hbYTrueyY7eXq9hmtI9
-+1srftAMqr9SR1JP7aHI6DVgrEsZVMTDnfT8WmLSGLlY1HmGfdEn1Ip5sbo9uSkiH
-+AEPgPfjYIvR5LqTOMn4KsrlZyBbFIDh9Sl99M1kZzgH6zUGVLCDg1y6Cms69fx/e
-+W1HoIeVkY4b4TY7Bk7JsqyNhIuqu7ARaxkdaZWhYaA2YyknwANdFfNpfH+elCLIk
-+BUt5S3f4i7DaUePTvKukCZiCq4Oyln7RcOn5If73wCeLB/ZM9Ei1HforyLWP1CN8
-+XLfpHaoeoPSWIveI0XHUl65LsPN2UbMbul/F23hwl+h8+BLmyAS680Yhn4zEN6Ku
-+B7Po90HoFa1Du3bmx4jsN73UkT/dwMTi6K072FbipnC1904oGlWmLwvAHvrtxxmL
-+Pl3pvEaZIu8wa/PNF6Y7J7VIewikIJq6Ta6FrWeFfzMWOj2qA1ZZi6fUaDSNYvuV
-+J5quYKCc/O+I/yDDf8wyBbZ/gvUXzUHTMYGG+bFrn1p7XDbYYeEJ6R/xEg==
- -----END CERTIFICATE-----
-diff --git a/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
-new file mode 100644
-index 000000000000..420dfe832366
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2019-05-08-15-55-46.bpo-36816.WBKRGZ.rst
-@@ -0,0 +1 @@
-+Update Lib/test/selfsigned_pythontestdotnet.pem to match self-signed.pythontest.net's new TLS certificate.
-\ No newline at end of file
diff --git a/system/zstd/APKBUILD b/system/zstd/APKBUILD
new file mode 100644
index 000000000..de125ca8d
--- /dev/null
+++ b/system/zstd/APKBUILD
@@ -0,0 +1,27 @@
+# Contributor: A. Wilcox <awilfox@adelielinux.org>
+# Maintainer: A. Wilcox <awilfox@adelielinux.org>
+pkgname=zstd
+pkgver=1.4.2
+pkgrel=0
+pkgdesc="Fast real-time compression algorithm"
+url="https://facebook.github.io/zstd/"
+arch="all"
+license="BSD-3-Clause AND GPL-2.0-only"
+depends=""
+makedepends="lz4-dev xz-dev zlib-dev"
+subpackages="$pkgname-dev $pkgname-doc"
+source="https://github.com/facebook/zstd/releases/download/v$pkgver/zstd-$pkgver.tar.gz"
+
+build() {
+ make PREFIX="/usr"
+}
+
+check() {
+ make PREFIX="/usr" check
+}
+
+package() {
+ make PREFIX="/usr" DESTDIR="$pkgdir" install
+}
+
+sha512sums="b760f201ff8d018c422b030d3f59245b5f1cfd157ba8d6eb9fe9240e23d5739ca7b5a705b2d5e8ace703d041ab77bea66d735b283e51facfb18923794fabe213 zstd-1.4.2.tar.gz"