Changelog for python-base-2.7.14-lp151.10.10.2.x86_64.rpm :
* Tue Oct 08 2019 Matej Cepl
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py

* Wed Sep 25 2019 Matej Cepl
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised.

* Mon Sep 16 2019 Matej Cepl
- Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parsing email addresses [bsc#1149955, CVE-2019-16056]

* Thu Jul 25 2019 Matej Cepl
- boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server.

* Wed Jul 03 2019 Matej Cepl
- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes a regression introduced by the previous patch (CVE-2019-10160) and gets Lib/urlparse.py and tests in sync with the latest upstream state. Upstream gh#python/cpython#13812

* Mon Apr 08 2019 Matej Cepl
- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch removing unnecessary (and potentially harmful) URL scheme local-file://.

* Fri Mar 29 2019 Matej Cepl
- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
  Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised. Upstream commits e37ef41 and 507bd8c.

* Sat Jan 19 2019 mcepl@suse.com
- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch fixing bpo-35746.
  An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.

* Wed Sep 26 2018 Matěj Cepl
- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802]

* Tue Feb 20 2018 bwiedemann@suse.com
- Add python-sorted_tar.patch (boo#1081750)

* Mon Feb 05 2018 normand@linux.vnet.ibm.com
- exclude test_socket & test_subprocess for PowerPC boo#1078485 (same ref as previous change)

* Fri Feb 02 2018 normand@linux.vnet.ibm.com
- Add python-skip_random_failing_tests.patch bypass boo#1078485 and exclude many tests for PowerPC

* Tue Jan 30 2018 tchvatal@suse.com
- Add patch python-fix-shebang.patch to fix bsc#1078326

* Fri Dec 22 2017 jmatejek@suse.com
- exclude test_regrtest for s390, where it does not segfault as it should (fixes bsc#1073269)
- fix segfault while creating weakref - bsc#1073748, bpo#29347 (this is actually fixed by the 2.7.14 update; mentioning this for purposes of bugfix tracking)

* Mon Nov 20 2017 jmatejek@suse.com
- update to 2.7.14
  * dozens of bugfixes, see NEWS for details
  * fixed possible integer overflow in PyString_DecodeEscape (CVE-2017-1000158, bsc#1068664)
  * fixed segfaults with dict mutated during search
  * fixed possible free-after-use problems with buffer objects with custom indexing
  * fixed urllib.splithost to correctly parse fragments (bpo-30500)
- drop upstreamed python-2.7.13-overflow_check.patch
- drop unneeded python-2.7.12-makeopcode.patch
- drop upstreamed 0001-2.7-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-3094.patch

* Thu Nov 02 2017 mpluskal@suse.com
- Call python2 instead of python in macros

* Thu Aug 17 2017 kukuk@suse.de
- Add libnsl-devel build requires for glibc obsoleting libnsl

* Mon May 15 2017 jmatejek@suse.com
- obsolete/provide python-argparse and provide python2-argparse, because the argparse module is available from python 2.7 up

* Fri Feb 24 2017 bwiedemann@suse.com
- Add reproducible.patch to allow reproducible builds of various python packages like python-amqp
  Upstream: https://github.com/python/cpython/pull/296

* Tue Jan 03 2017 jmatejek@suse.com
- update to 2.7.13
  * dozens of bugfixes, see NEWS for details
  * updated cipher lists for openssl wrapper, support openssl >= 1.1.0
  * properly fix HTTPoxy (CVE-2016-1000110)
  * profile-opt build now applies PGO to modules as well
- update python-2.7.10-overflow_check.patch with python-2.7.13-overflow_check.patch, incorporating upstream changes
- add "-fwrapv" to optflags explicitly because upstream code still relies on it in many places

* Fri Dec 02 2016 jmatejek@suse.com
- provide python2-* symbols, for support of new packages built as python2-foo
- rename macros.python to macros.python2 accordingly
- require python-rpm-macros package, drop macro definitions from macros.python2

* Thu Jun 30 2016 jmatejek@suse.com
- update to 2.7.12
  * dozens of bugfixes, see NEWS for details
  * fixes multiple security issues:
    CVE-2016-0772 TLS stripping attack on smtplib (bsc#984751)
    CVE-2016-5636 zipimporter heap overflow (bsc#985177)
    CVE-2016-5699 httplib header injection (bsc#985348) (this one is actually fixed since 2.7.10)
- removed upstreamed python-2.7.7-mhlib-linkcount.patch
- refreshed multilib patch
- python-2.7.12-makeopcode.patch - run newly-built python interpreter to make opcodes, in order not to require pre-built python
- update LD_LIBRARY_PATH to use $PWD instead of "." because the test process escapes to its own directory
- modify shebang-fixing scriptlet to ignore makeopcodetargets.py

* Fri Jan 29 2016 rguenther@suse.com
- Add python-2.7.10-overflow_check.patch to fix broken overflow checks. [bnc#964182]

* Mon Sep 14 2015 jmatejek@suse.com
- copy strict-tls-checks subpackage from SLE to retain future compatibility (not built in openSUSE)
- do this properly to fix bnc#945401

* Wed Sep 09 2015 dimstar@opensuse.org
- Add python-ncurses-6.0-accessors.patch: Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.

* Wed Jun 10 2015 dmueller@suse.com
- add __python2 compatibility macro (used by Fedora)

* Sun May 24 2015 michael@stroeder.com
- update to 2.7.10
- removed obsolete python-2.7-urllib2-localnet-ssl.patch

* Tue May 19 2015 schwab@suse.de
- Reenable test_posix on aarch64

* Sun Dec 21 2014 schwab@suse.de
- python-2.7.4-aarch64.patch: Remove obsolete patch
- python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for aarch64

* Fri Dec 12 2014 jmatejek@suse.com
- update to 2.7.9
  * contains full backport of ssl module from Python 3.4 (PEP466)
  * HTTPS certificate validation enabled by default (PEP476)
  * SSLv3 disabled by default (bnc#901715)
  * backported ensurepip module (PEP477)
  * fixes several missing CVEs from last release: CVE-2013-1752, CVE-2013-1753
  * dozens of minor bugfixes
- dropped upstreamed patches: python-2.7.6-poplib.patch, smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
- dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it with ssl module from Python 3
- libffi was upgraded upstream, seems to contain our changes, so dropping libffi-ppc64le.diff as well
- python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional "import ssl" from test_urllib2_localnet that caused it to fail without ssl

* Wed Oct 22 2014 dmueller@suse.com
- skip test_thread in qemu_linux_user mode
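The two URL hardening checks described in the CVE-2019-9947 and CVE-2019-9636 entries above (reject request paths containing whitespace or control characters; reject netloc characters that turn into URL delimiters under NFKC normalization), written out below as an added Python 3 illustration. This is not the code of the SUSE patches or of Lib/urlparse.py; the function names (netloc_is_safe, path_is_safe, validate_url, url_is_safe) and the sample URLs are constructed for the example.

```python
import re
import unicodedata

# Delimiters whose appearance in a netloc *after* normalization would change
# how the URL splits into host, port, userinfo, query and fragment.
_NETLOC_DELIMS = "/?#@:"

# Whitespace (0x00-0x20) and DEL are not allowed in a request path: an
# embedded CR/LF would otherwise terminate the request line in the HTTP
# client and let the remainder of the "path" be sent as header lines.
_DISALLOWED_PATH_CHAR_RE = re.compile(r"[\x00-\x20\x7f]")

# Splits "rest of URL after scheme://" into (netloc, everything after it).
_NETLOC_SPLIT_RE = re.compile(r"([^/?#]*)(.*)", re.S)


def netloc_is_safe(netloc: str) -> bool:
    """Return False when a character of netloc decomposes under NFKC into a
    URL delimiter (e.g. U+2100 'a/c' or a fullwidth colon U+FF1A)."""
    if not netloc or netloc.isascii():
        return True  # nothing to normalize
    # Delimiters already present in the string were honoured by the splitter;
    # remove them so that only characters that *become* delimiters are flagged.
    stripped = netloc
    for delim in "@:#?":
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True  # NFKC did not change anything
    return not any(delim in normalized for delim in _NETLOC_DELIMS)


def path_is_safe(path: str) -> bool:
    """Return False when the path contains whitespace or control characters."""
    return _DISALLOWED_PATH_CHAR_RE.search(path) is None


def validate_url(url: str) -> str:
    """Return url unchanged if both checks pass, otherwise raise ValueError.

    Only a minimal scheme://netloc/rest split is done here; the point is the
    two checks, not a full parser."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise ValueError("URL has no scheme")
    match = _NETLOC_SPLIT_RE.match(rest)
    netloc, path = match.group(1), match.group(2) or "/"
    if not netloc_is_safe(netloc):
        raise ValueError(
            "netloc %r contains characters that become URL delimiters "
            "under NFKC normalization" % netloc)
    if not path_is_safe(path):
        raise ValueError(
            "URL path %r contains whitespace or control characters" % path)
    return url


def url_is_safe(url: str) -> bool:
    """Boolean wrapper around validate_url for callers that prefer no exception."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign URL, one with a netloc character
    # that NFKC-normalizes to "a/c", one with a CR/LF in the path.
    for sample in ("http://example.com/index.html",
                   "http://exam\u2100ple.com/",
                   "http://example.com/a\r\nX-Test: 1"):
        print(repr(sample), "->", "accepted" if url_is_safe(sample) else "rejected")
```

Stripping the delimiters that are already present before normalizing is the part people usually get wrong: a literal `user:pw@host:8080` is fine because the splitter has already accounted for those characters; the hazard is a host label that looks harmless when split but reads as `host/...` or `host:...` once IDNA's NFKC step is applied. Python 3.7.3 and later apply the same netloc check inside urllib.parse itself, so on a current interpreter the second sample is rejected by urlsplit before application code ever sees it.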