Changelog for python-xml-2.7.13-27.12.1.x86_64.rpm :
Fri Jan 25 13:00:00 2019 mceplAATTsuse.com
- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
fixing bpo-34623.

Fri Jan 25 13:00:00 2019 mceplAATTsuse.com
- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch
PyWeakref_NewProxy@Objects/weakrefobject.c creates new instance
of PyWeakReference struct and does not initialize wr_prev and
wr_next of new instance. These pointers can have garbage and
point to random memory locations.
Python should not crash while destroying the instance created
in the same interpreter function. As per my understanding, both
wr_prev and wr_next of PyWeakReference instance should be
initialized to NULL to avoid segfault.

Sat Jan 19 13:00:00 2019 mceplAATTsuse.com
- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
fixing bpo-35746.
An exploitable denial-of-service vulnerability exists in the
X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
A specially crafted X509 certificate can cause a NULL pointer
dereference, resulting in a denial of service. An attacker can
initiate or accept TLS connections using crafted certificates
to trigger this vulnerability.

Tue Sep 25 14:00:00 2018 Matěj Cepl
- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
converts shutil._call_external_zip to use subprocess rather than
distutils.spawn. [bsc#1109663, CVE-2018-1000802]

Fri Jun 29 14:00:00 2018 mceplAATTsuse.com
- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
(CVE-2018-1061). Prior to this patch mail server's timestamp was
susceptible to catastrophic backtracking on long evil response from
the server. Also, it was susceptible to catastrophic backtracking,
which was a potential DOS vector.
[bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]

Thu Jun 7 14:00:00 2018 psimonsAATTsuse.com
- Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that
verifies that at least one channel is provided. Prior to this
check, attackers could cause a denial of service (divide-by-zero
error and application crash) via a crafted wav format audio file.
[bsc#1083507, CVE-2017-18207]
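
The check described in that entry, as an added example that is not the patch itself or CPython's wave module: a minimal RIFF/WAVE header parser written here, which derives the frame count from the data chunk size the way a naive reader does, and the at-least-one-channel check that keeps a crafted "fmt " chunk from turning that into a division by zero. build_wav_header is a helper of this example that constructs sample headers; the sample bytes are constructed, not taken from any real file.

```python
import struct

def build_wav_header(nchannels, sampwidth=2, framerate=8000, data=b""):
    """Construct a minimal RIFF/WAVE file (constructed sample input, not a real recording)."""
    fmt = struct.pack("<HHIIHH",
                      1,                                  # PCM format tag
                      nchannels,
                      framerate,
                      framerate * nchannels * sampwidth,  # byte rate
                      nchannels * sampwidth,              # block align
                      sampwidth * 8)                      # bits per sample
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(data)) + data)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def parse_wav(buf, reject_zero_channels=True):
    """Return (nchannels, sampwidth, nframes) from a WAV byte string.

    reject_zero_channels=False reproduces the pre-fix behaviour: a 'fmt '
    chunk declaring zero channels leads to a division by zero when the
    frame count is derived from the data chunk size.
    """
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    nchannels = sampwidth = None
    while pos + 8 <= len(buf):
        chunk_id = buf[pos:pos + 4]
        size = struct.unpack("<I", buf[pos + 4:pos + 8])[0]
        chunk = buf[pos + 8:pos + 8 + size]
        if chunk_id == b"fmt ":
            if len(chunk) < 16:
                raise ValueError("short fmt chunk")
            _, nchannels, _, _, _, bits = struct.unpack("<HHIIHH", chunk[:16])
            sampwidth = (bits + 7) // 8
            # The fix: refuse a header that declares no channels at all.
            if reject_zero_channels and nchannels == 0:
                raise ValueError("bad # of channels")
            if sampwidth == 0:
                raise ValueError("bad sample width")
        elif chunk_id == b"data":
            if nchannels is None:
                raise ValueError("data chunk before fmt chunk")
            framesize = nchannels * sampwidth
            # Without the check above, nchannels == 0 makes framesize 0 here.
            nframes = size // framesize
            return nchannels, sampwidth, nframes
        pos += 8 + size + (size & 1)   # chunks are word-aligned
    raise ValueError("no data chunk")

if __name__ == "__main__":
    print(parse_wav(build_wav_header(2, data=b"\x00" * 16)))
    for strict in (True, False):
        try:
            parse_wav(build_wav_header(0), reject_zero_channels=strict)
        except (ValueError, ZeroDivisionError) as exc:
            print(type(exc).__name__, exc)
```

With the check on, a zero-channel header is rejected as malformed input before any arithmetic depends on it; with it off, the same bytes reach the frame-count division and the parser crashes, which is the denial of service the entry describes.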

Tue May 29 14:00:00 2018 mceplAATTsuse.com
- Apply "python-sorted_tar.patch" (bsc#1086001)
sort tarfile output directory listing

Tue Mar 13 13:00:00 2018 psimonsAATTsuse.com
- Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer
overflows in PyString_DecodeEscape that could have resulted in
heap-based buffer overflow attacks and possible arbitrary code
execution. [bsc#1068664, CVE-2017-1000158]
- Apply "python-2.7.14-CVE-2018-1000030-1.patch" and
"python-2.7.14-CVE-2018-1000030-2.patch" to remedy a bug that
would crash the Python interpreter when multiple threads used the
same I/O stream concurrently. This issue is not classified as a
security vulnerability due to the fact that an attacker must be
able to run code, however in some situations -- such as function
as a service -- this vulnerability can potentially be used by an
attacker to violate a trust boundary. [bsc#1079300,
CVE-2018-1000030]

Tue Feb 28 13:00:00 2017 jmatejekAATTsuse.com
- SLE package update (bsc#1027282)
- refresh python-2.7.5-multilib.patch
- dropped upstreamed patches:
python-fix-short-dh.patch
python-2.7.7-mhlib-linkcount.patch
python-2.7-urllib2-localnet-ssl.patch
CVE-2016-0772-smtplib-starttls.patch
CVE-2016-5699-http-header-injection.patch
CVE-2016-5636-zipimporter-overflow.patch
python-2.7-httpoxy.patch
- Add python-ncurses-6.0-accessors.patch: Fix build with
NCurses 6.0 and OPAQUE_WINDOW set to 1.
(dimstarAATTopensuse.org)

Tue Jan 3 13:00:00 2017 jmatejekAATTsuse.com
- update to 2.7.13

* dozens of bugfixes, see NEWS for details

* updated cipher lists for openssl wrapper, support openssl >= 1.1.0

* properly fix HTTPoxy (CVE-2016-1000110)

* profile-opt build now applies PGO to modules as well
- add python-2.7.13-overflow_check.patch, incorporating upstream changes
(bnc#964182)
- add "-fwrapv" to optflags explicitly because upstream code still
relies on it in many places

Fri Dec 2 13:00:00 2016 jmatejekAATTsuse.com
- provide python2-* symbols, for support of new packages built as
python2-foo
- rename macros.python to macros.python2 accordingly
- require python-rpm-macros package, drop macro definitions from
macros.python2

Thu Jun 30 14:00:00 2016 jmatejekAATTsuse.com
- update to 2.7.12

* dozens of bugfixes, see NEWS for details

* fixes multiple security issues:
CVE-2016-0772 TLS stripping attack on smtplib (bsc#984751)
CVE-2016-5636 zipimporter heap overflow (bsc#985177)
CVE-2016-5699 httplib header injection (bsc#985348)
(this one is actually fixed since 2.7.10)
- removed upstreamed python-2.7.7-mhlib-linkcount.patch
- refreshed multilib patch
- python-2.7.12-makeopcode.patch - run newly-built python interpreter
to make opcodes, in order not to require pre-built python
- update LD_LIBRARY_PATH to use $PWD instead of "." because the test
process escapes to its own directory
- modify shebang-fixing scriptlet to ignore makeopcodetargets.py

Fri Jun 17 14:00:00 2016 jmatejekAATTsuse.com
- CVE-2016-0772-smtplib-starttls.patch:
smtplib vulnerability opens startTLS stripping attack
(CVE-2016-0772, bsc#984751)
- CVE-2016-5636-zipimporter-overflow.patch:
heap overflow when importing malformed zip files
(CVE-2016-5636, bsc#985177)
- CVE-2016-5699-http-header-injection.patch:
incorrect validation of HTTP headers allow header injection
(CVE-2016-5699, bsc#985348)
- python-2.7-httpoxy.patch:
HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY
when REQUEST_METHOD is also set
(CVE-2016-1000110, bsc#989523)

Mon Sep 14 14:00:00 2015 jmatejekAATTsuse.com
- exclude tsl_check files from python-base to prevent file conflict
with python-strict-tls-checks package (bnc#945401)
- update SLE check to exclude Leap which also has version 1315,
just to be sure

Mon Jun 29 14:00:00 2015 meissnerAATTsuse.com
- python-fix-short-dh.patch: Bump DH parameters to 2048 bit
to fix logjam security issue. bsc#935856

Wed Jun 10 14:00:00 2015 dmuellerAATTsuse.com
- add __python2 compatibility macro (used by Fedora) (fate#318838)

Tue May 19 14:00:00 2015 schwabAATTsuse.de
- Reenable test_posix on aarch64

Sun Dec 21 13:00:00 2014 schwabAATTsuse.de
- python-2.7.4-aarch64.patch: Remove obsolete patch
- python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for
aarch64

Fri Dec 12 13:00:00 2014 jmatejekAATTsuse.com
- update to 2.7.9

* contains full backport of ssl module from Python 3.4 (PEP466)

* HTTPS certificate validation enabled by default (PEP476)

* SSLv3 disabled by default (bnc#901715)

* backported ensurepip module (PEP477)

* fixes several missing CVEs from last release: CVE-2013-1752,
CVE-2013-1753

* dozens of minor bugfixes
- dropped upstreamed patches: python-2.7.6-poplib.patch,
smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
- dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it
with ssl module from Python 3
- libffi was upgraded upstream, seems to contain our changes,
so dropping libffi-ppc64le.diff as well
- python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional
"import ssl" from test_urllib2_localnet that caused it to fail without ssl

Wed Oct 22 14:00:00 2014 dmuellerAATTsuse.com
- skip test_thread in qemu_linux_user mode

Wed Oct 1 14:00:00 2014 jmatejekAATTsuse.com
- update to 2.7.8

* bugfix-only release, dozens of bugs fixed

* fixes CVE-2014-4650 directory traversal in CGIHTTPServer

* fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
- dropped upstreamed CVE-2014-4650-CGIHTTPserver-traversal.patch
- dropped upstreamed CVE-2014-7185-buffer-wraparound.patch

Wed Oct 1 14:00:00 2014 jmatejekAATTsuse.com
- CVE-2014-7185-buffer-wraparound.patch: potential wraparound/overflow
in buffer()
(CVE-2014-7185, bnc#898572)

Wed Jul 23 14:00:00 2014 jmatejekAATTsuse.com
- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
disclosure and directory traversal through URL-encoded characters
(CVE-2014-4650, bnc#885882)
- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
that are incorrect on btrfs (and possibly other filesystems)

Fri Jun 20 14:00:00 2014 jmatejekAATTsuse.com
- update to 2.7.7

* bugfix-only release, over a hundred bugs fixed

* backported hmac.compare_digest from python3, first step of PEP 466
- drop upstreamed patches:

* CVE-2014-1912-recvfrom_into.patch

* python-2.7.4-no-REUSEPORT.patch

* python-2.7.6-bdist-rpm.patch

* python-2.7.6-imaplib.patch

* python-2.7.6-sqlite-3.8.4-tests.patch
- refresh patches:

* python-2.7.3-ssl_ca_path.patch

* python-2.7.4-canonicalize2.patch

* xmlrpc_gzip_27.patch
- added python keyring and signature for the main tarball

Sat Mar 15 13:00:00 2014 schwabAATTsuse.de
- Use profile-opt only when profiling is enabled
- python-2.7.2-disable-tests-in-test_io.patch: removed, no longer needed
- update testsuite exclusion list:

* test_signal and test_posix fail due to qemu bugs

Fri Mar 14 13:00:00 2014 andreas.stiegerAATTgmx.de
- Fix build with SQLite 3.8.4 [bnc#867887], fixing SQLite tests,
adding python-2.7.6-sqlite-3.8.4-tests.patch

Mon Feb 10 13:00:00 2014 jmatejekAATTsuse.com
- added patches for CVE-2013-1752 (bnc#856836) issues that are
missing in 2.7.6:
python-2.7.6-imaplib.patch
python-2.7.6-poplib.patch
smtplib_maxline-2.7.patch
- CVE-2013-1753 (bnc#856835) gzip decompression bomb in xmlrpc client:
xmlrpc_gzip_27.patch
- python-2.7.6-bdist-rpm.patch: fix broken "setup.py bdist_rpm" command
(bnc#857470, issue18045)
- multilib patch: add "~/.local/lib64" paths to search path
(bnc#637176)
- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow
in socket.recvfrom_into (CVE-2014-1912, bnc#863741)

Tue Dec 10 13:00:00 2013 uweigandAATTde.ibm.com
- Add Obsoletes/Provides for python-ctypes.

Sat Dec 7 13:00:00 2013 matzAATTsuse.de
- Ignore uuid testcase in the testsuite, it relies on unreliable
ifconfig output.

Tue Dec 3 13:00:00 2013 mlsAATTsuse.de
- adapt python-2.7.5-multilib.patch for ppc64le

Tue Dec 3 13:00:00 2013 dvaleevAATTsuse.com
- adjust %files for ppc64le

Tue Dec 3 13:00:00 2013 matzAATTsuse.de
- Support for ppc64le in _ctypes libffi copy.
- added patches:

* libffi-ppc64le.diff

Tue Dec 3 13:00:00 2013 adrianAATTsuse.de
- add ppc64le rules
- avoid errors from source-validator

Thu Nov 21 13:00:00 2013 jmatejekAATTsuse.com
- update to 2.7.6

* bugfix-only release

* SSL-related fixes

* upstream fix for CVE-2013-4238

* upstream fixes for CVE-2013-1752
- removed upstreamed patch CVE-2013-4238_py27.patch
- reintroduce audioop.so as the problems with it seem to be fixed
(bnc#831442)

Thu Oct 10 14:00:00 2013 dmuellerAATTsuse.com
- exclude test_mmap under qemu_linux_user - emulation fails here
as the tests mmap address conflicts with qemu

Tue Jul 9 14:00:00 2013 jengelhAATTinai.de
- Add python-bsddb6.diff to support building against libdb-6.0

Sat Jul 6 14:00:00 2013 cooloAATTsuse.com
- have python-devel require python:
http://lists.opensuse.org/opensuse-factory/2013-06/msg00622.html

Sun Jun 30 14:00:00 2013 schwabAATTsuse.de
- Disable test_multiprocessing in QEmu build

Wed Jun 5 14:00:00 2013 schwabAATTsuse.de
- Disable test_asyncore in QEmu build
- Reenable testsuite on arm

Thu May 30 14:00:00 2013 jmatejekAATTsuse.com
- python-2.7.4-aarch64.patch: add missing bits of aarch64 support
- python-2.7.4-no-REUSEPORT.patch: disable test of
missing kernel functionality
- drop unnecessary patch: python-2.7.1-distutils_test_path.patch
- switch to xz archive

Tue May 28 14:00:00 2013 speilickeAATTsuse.com
- Update to version 2.7.5:
+ bugfix-only release
+ fixes several important regressions introduced in 2.7.4
+ Issue #15535: Fixed regression in the pickling of named tuples by
removing the __dict__ property introduced in 2.7.4.
+ Issue #17857: Prevent build failures with pre-3.5.0 versions of sqlite3,
such as was shipped with Centos 5 and Mac OS X 10.4.
+ Issue #17703: Fix a regression where an illegal use of Py_DECREF() after
interpreter finalization can cause a crash.
+ Issue #16447: Fixed potential segmentation fault when setting __name__ on a
class.
+ Issue #17610: Don't rely on non-standard behavior of the C qsort() function.
See http://hg.python.org/cpython/file/ab05e7dd2788/Misc/NEWS for more
- Drop upstreamed patches:
+ python-2.7.3-fix-dbm-64bit-bigendian.patch
+ python-test_structmembers.patch
- Rebased other patches

Mon May 13 14:00:00 2013 dmuellerAATTsuse.com
- add aarch64 to the list of 64-bit platforms

Thu May 9 14:00:00 2013 jmatejekAATTsuse.com
- update to 2.7.4

* bugfix-only release
- drop upstreamed patches:
pypirc-secure.diff
python-2.7.3-multiprocessing-join.patch
ctypes-libffi-aarch64.patch
- drop python-2.7rc2-configure.patch as it doesn't seem necessary anymore

Fri Apr 5 14:00:00 2013 idonmezAATTsuse.com
- Add Source URL, see https://en.opensuse.org/SourceUrls

Wed Feb 27 13:00:00 2013 schwabAATTsuse.de
- Add aarch64 to the list of lib64 platforms

Sat Feb 9 13:00:00 2013 schwabAATTsuse.de
- Add ctypes-libffi-aarch64.patch: import aarch64 support for libffi in
_ctypes module

Fri Feb 8 13:00:00 2013 jmatejekAATTsuse.com
- multiprocessing: thread joining itself (bnc#747794)
- gettext: fix cases where no bundle is found (bnc#794139)

Thu Oct 25 14:00:00 2012 cooloAATTsuse.com
- add explicit buildrequire on libbz2-devel

Mon Oct 15 14:00:00 2012 cooloAATTsuse.com
- buildrequire explicitly netcfg for the test suite

Mon Oct 8 14:00:00 2012 jmatejekAATTsuse.com
- remove distutils.cfg (bnc#658604)

* this changes default prefix for distutils to /usr

* see ML for details:
http://lists.opensuse.org/opensuse-packaging/2012-09/msg00254.html

Fri Aug 3 14:00:00 2012 dimstarAATTopensuse.org
- Add python-bundle-lang.patch: gettext: If bindtextdomain is
instructed to look in the default location of translations, we
check additionally in locale-bundle. Fixes issues like bnc#617751

Tue Jul 31 14:00:00 2012 jmatejekAATTsuse.com
- all subpackages require python-base=%{version}-%{release} explicitly
(fixes bnc#766778 bug and similar that might arise in the future)

Tue Jun 26 14:00:00 2012 dvaleevAATTsuse.com
- Fix failing test_dbm on ppc64

Thu May 17 14:00:00 2012 jfunkAATTfunktronics.ca
- Support directory-based certificate stores with the ca_certs parameter of SSL
functions [bnc#761501]

Sat Apr 14 14:00:00 2012 dmuellerAATTsuse.com
- update to 2.7.3:

* no change
- remove static libpython.a from build to avoid packages
linking it statically

Wed Mar 28 14:00:00 2012 jmatejekAATTsuse.com
- update to 2.7.3rc2

* fixes several security issues:

* CVE-2012-0845, bnc#747125

* CVE-2012-1150, bnc#751718

* CVE-2011-4944, bnc#754447

* CVE-2011-3389
- fix for insecure .pypirc (CVE-2011-4944, bnc#754447)
!!important!!
- disabled test_unicode which segfaults on 64bits.
this should not happen, revisit in next RC!
!!important!!

Thu Feb 16 13:00:00 2012 dvaleevAATTsuse.com
- skip broken test_io test on ppc

Mon Dec 12 13:00:00 2011 toddrme2178AATTgmail.com
- Exclude /usr/bin/2to3 to prevent conflicts with python3-2to3

Thu Dec 8 13:00:00 2011 jmatejekAATTsuse.com
- %python_version now correctly refers to %tarversion

Mon Nov 28 13:00:00 2011 saschpeAATTsuse.de
- Spec file cleanup:

* Run spec-cleaner

* Remove outdated %clean section, AutoReqProv and authors from descr.
- Fix license to Python-2.0 (also SPDX style)

Fri Sep 30 14:00:00 2011 adrianAATTsuse.de
- fix build for arm by removing an old hack for arm, bz2.so is built now

Fri Aug 19 14:00:00 2011 dmuellerAATTsuse.de
- update to 2.7.2:

* Bug fix only release, see
http://hg.python.org/cpython/raw-file/eb3c9b74884c/Misc/NEWS
for details
- introduce a pre_checkin.sh file that synchronizes
patches between python and python-base
- rediff patches for 2.7.2
- replace kernel3 patch with the upstream solution

Fri Jul 22 14:00:00 2011 idonmezAATTnovell.com
- Copy Lib/plat-linux2 to Lib/plat-linux3 so that DLFCN module
is also available for linux3 systems bnc#707667

Mon Jul 11 14:00:00 2011 roAATTsuse.de
- fix build on factory: setup reports linux3 not linux2 now,
adapt checks

Tue May 31 14:00:00 2011 jmatejekAATTnovell.com
- added explicit requires to libpython-%version-%release
to prevent bugs like bnc#697251 reappearing

Tue May 24 14:00:00 2011 jmatejekAATTnovell.com
- update to 2.7.1

* bugfix-only release, see NEWS for details
- refreshed patches, dropped the upstreamed ones
- dropped acrequire patch, replacing it with build-time sed
- improved fix to bnc#673071 by defining the constants
only for files that require it (as is done in python3)

Mon May 2 14:00:00 2011 jmatejekAATTnovell.com
- fixed a security flaw where malicious sites could redirect
Python application from http to a local file
(CVE-2011-1521, bnc#682554)
- fixed race condition in Makefile which randomly failed
parallel builds ( http://bugs.python.org/issue10013 )

Thu Feb 17 13:00:00 2011 pthAATTsuse.de
- Prefix DATE and TIME with PY_BUILD_ and COMPILER with PYTHON_ as
to not break external code (bnc#673071).

Mon Jan 17 13:00:00 2011 cooloAATTnovell.com
- provide pyxml to avoid touching tons of packages

Thu Nov 18 13:00:00 2010 cooloAATTnovell.com
- add patch from http://psf.upfronthosting.co.za/roundup/tracker/issue9960
to fix build on ppc64

Fri Oct 1 14:00:00 2010 jmatejekAATTnovell.com
- moved unittest to python-base (it is a testing framework, not a
testsuite, so it clearly belongs into stdlib)
- fixed smtpd.py DoS (bnc#638233, CVE probably not assigned)

Tue Sep 21 14:00:00 2010 cooloAATTnovell.com
- fix baselibs.conf

Thu Aug 26 14:00:00 2010 suse-tuxAATTgmx.de
- fix for urllib2 (http://bugs.python.org/issue9639)

Thu Aug 26 14:00:00 2010 jmatejekAATTnovell.com
- fixed distutils test
- dropped autoconf version requirement (it builds just fine with other versions)

Thu Aug 26 14:00:00 2010 jmatejekAATTnovell.com
- update to version 2.7

* improved handling of numeric types

* deprecation warnings are now silent by default

* new argparse module for command line arguments

* many new features, see http://docs.python.org/dev/whatsnew/2.7.html
for complete list

* 2.7 is supposed to be the last version from the 2.x series,
so its (upstream) maintenance period will probably be longer than usual.
However, upstream development now focuses on 3.x series.
- cleaned up spec and patches

Fri Jul 2 14:00:00 2010 jengelhAATTmedozas.de
- add patch from http://bugs.python.org/issue6029
- use %_smp_mflags

Mon May 17 14:00:00 2010 matejcikAATTsuse.cz
- dropped audioop.so because of security vulnerabilities
(bnc#603255)

Wed Apr 7 14:00:00 2010 matejcikAATTsuse.cz
- update to 2.6.5 (rpm version 2.6.5)
- patched test_distutils to work

Thu Mar 11 13:00:00 2010 matejcikAATTsuse.cz
- update to 2.6.5rc2 (rpm version is 2.6.4.92)

* bugfix-only release
- removed fwrapv patch - no longer needed
- removed expat patches (this version also fixes expat vulnerabilities
from bnc#581765 )
- removed readline spacing patch - no longer needed
- removed https_proxy patch - no longer needed
- removed test_distutils patch - no longer needed
- disabled test_distutils because of spurious failure,

* TODO reenable at release

Thu Feb 4 13:00:00 2010 matejcikAATTsuse.cz
- removed precompiled exe files (as noted in bnc#577032)

Fri Jan 29 13:00:00 2010 matejcikAATTsuse.cz
- enabled ipv6 in configure (bnc#572673)

Wed Dec 23 13:00:00 2009 ajAATTsuse.de
- Apply patches with fuzz=0

Tue Dec 15 13:00:00 2009 jengelhAATTmedozas.de
- add baselibs.conf as source

Wed Oct 28 13:00:00 2009 crrodriguezAATTopensuse.org
- python-devel Requires glibc-devel

Fri Sep 4 14:00:00 2009 matejcikAATTsuse.cz
- fixed potential DoS in python's copy of expat (bnc#534721)

Sun Aug 2 14:00:00 2009 jansimon.moellerAATTopensuse.org
- fix files section for ARM, as bz2.so isn't built on ARM.

Fri Jul 31 14:00:00 2009 matejcikAATTsuse.cz
- added /usr/lib/python2.6{,/site-packages} to the package even if
it is on lib64 arch
- added %python_sitelib and %python_sitearch for fedora compatibility

Thu Jul 30 14:00:00 2009 matejcikAATTsuse.cz
- fixed test in test_distutils suite that would generate a warning
when the log threshold was set too low by preceding tests

Wed Jul 29 14:00:00 2009 matejcikAATTsuse.cz
- support noarch python packages (modified multilib patch
to differentiate between purelib and platlib, added /usr/lib
to search path in all cases)

Thu Jul 16 14:00:00 2009 cooloAATTnovell.com
- disable as-needed to fix build

Mon Apr 27 14:00:00 2009 matejcikAATTsuse.cz
- update to 2.6.2

* bugfix-only release for 2.6 series
