|
|
|
|
Changelog for libpython2_7-1_0-32bit-2.7.18-5.24.x86_64.rpm :
* Mon Jan 08 2024 Daniel Garcia - Add CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). * Mon Nov 27 2023 Matej Cepl - Add CVE-2022-48560-after-free-heappushpop.patch fixing use-after-free in Python via heappushpop in heapq (bsc#1214675, CVE-2022-48560).- switch from %patchN style to the %patch -P N one. * Sat Sep 16 2023 Matej Cepl - (bsc#1214691, CVE-2022-48566) Add CVE-2022-48566-compare_digest-more-constant.patch to make compare_digest more constant-time.- Allow nis.so for SLE-12. * Thu Sep 14 2023 Matej Cepl - (bsc#1214685, CVE-2022-48565) Add CVE-2022-48565-plistlib-XML-vulns.patch (from gh#python/cpython#86217) reject XML entity declarations in plist files.- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and Revert-gh105127-left-tests.patch (as per discussion on bsc#1210638). * Tue Sep 12 2023 Daniel Garcia - Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217) * Thu Aug 03 2023 Matej Cepl - IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941) partially reverting CVE-2023-27043-email-parsing-errors.patch, because of the regression in gh#python/cpython#106669. * Tue Jul 11 2023 Matej Cepl - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). * Wed Jun 07 2023 Matej Cepl - Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch. * Tue May 30 2023 Andreas Schwab - python-2.7.5-multilib.patch: Update for riscv64- Don\'t fail if _ctypes or dl extension was not built * Mon May 29 2023 Matej Cepl - The condition around libnsl-devel BuildRequires is NOT switching off NIS support on SLE < 15, support for NIS used to be in the glibc itself. Partial revert of sr#1061583. * Wed May 24 2023 Matej Cepl - Add PygmentsBridge-trime_doctest_flags.patch to allow build of the documentation even with the current Sphinx. (SUSE-ONLY PATCH, DO NOT SEND UPSTREAM!) * Wed Mar 08 2023 Matej Cepl - Enable --with-system-ffi for non-standard architectures. * Mon Mar 06 2023 Matej Cepl - SLE-12 builds nis.so as well. * Wed Mar 01 2023 Matej Cepl - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters * Fri Jan 27 2023 Thorsten Kukuk - Disable NIS for new products, it\'s deprecated and gets removed * Thu Jan 19 2023 Matej Cepl - Add skip_unverified_test.patch because apparently switching off SSL verification doesn\'t work on older SLE. * Tue Nov 22 2022 Matej Cepl - Restore python-2.7.9-sles-disable-verification-by-default.patch for SLE-12. * Wed Nov 09 2022 Matej Cepl - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names. * Tue Sep 13 2022 Bernhard Wiedemann - Add bpo34990-2038-problem-compileall.patch making compileall.py compliant with year 2038 (bsc#1202666, gh#python/cpython#79171), backport of fix to Python 2.7. * Wed Sep 07 2022 Steve Kowalik - Add patch CVE-2021-28861-double-slash-path.patch: * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. (bsc#1202624, CVE-2021-28861) * Thu Jun 09 2022 Matej Cepl - Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command injection in the mailcap module. * Tue May 24 2022 Martin Liška - Filter out executable-stack error that is triggered for i586 target. * Sat Feb 26 2022 Matej Cepl - Update bundled pip wheel to the latest SLE version patched against bsc#1186819 (CVE-2021-3572).- Recover again proper value of %python2_package_prefix (bsc#1175619). * Fri Feb 18 2022 Matej Cepl - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. * Fri Feb 18 2022 Matej Cepl - Older SLE versions should use old OpenSSL. * Wed Feb 09 2022 Matej Cepl - Add CVE-2022-0391-urllib_parse-newline-parsing.patch (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs containing ASCII newline and tabs in urlparse. * Sun Feb 06 2022 Matej Cepl - Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib not trust the PASV response. * Mon Dec 06 2021 Dirk Müller - build against openssl 1.1.x (incompatible with openssl 3.0x) for now. * Tue Nov 02 2021 Marcus Meissner - on sle12, python2 modules will still be called python-xxxx until EOL, for newer SLE versions they will be python2-xxxx * Fri Oct 15 2021 Dominique Leuenberger - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. * Tue Sep 21 2021 Matej Cepl - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch.- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 (CVE-2020-26116, bpo#39603) no longer allowing special characters in the method parameter of HTTPConnection.putrequest in httplib, stopping injection of headers. Such characters now raise ValueError. * Thu Aug 26 2021 Fusion Future - Renamed patch for assigned CVE: * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch -> CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (boo#1189241, CVE-2021-3737) * Mon Aug 23 2021 Fusion Future - Renamed patch for assigned CVE: * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch (boo#1189287, CVE-2021-3733)- Fix python-doc build (bpo#35293): * sphinx-update-removed-function.patch- Update documentation formatting for Sphinx 3.0 (bpo#40204). * Tue Aug 10 2021 Fusion Future - Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in request (bpo#43075, boo#1189287).- Add missing security announcement to bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. * Mon Aug 09 2021 Fusion Future - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch which fixes http client infinite line reading (DoS) after a http 100 (bpo#44022, boo#1189241). * Fri Jul 16 2021 Matej Cepl - Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668). * Fri Feb 26 2021 Matej Cepl - Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of semicolon as a query string separator (bpo#42967, bsc#1182379, CVE-2021-23336). * Mon Jan 25 2021 Matej Cepl - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution. * Tue Jan 05 2021 Matej Cepl - (bsc#1180125) We really don\'t Require python-rpm-macros package. Unnecessary dependency. * Sat May 30 2020 Matej Cepl - Add patch configure_PYTHON_FOR_REGEN.patch which makes configure.ac to consider the correct version of PYTHON_FO_REGEN (bsc#1078326). * Mon Apr 27 2020 Matej Cepl - Use python3-Sphinx on anything more recent than SLE-15 (inclusive). * Thu Apr 23 2020 Matej Cepl - Update to 2.7.18, final release of Python 2. Ever.: - Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben Caller. - Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators. - bsc#1155094 (CVE-2019-18348) Disallow control characters in hostnames in http.client. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. - Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host. - Fix problems identified by GCC\'s -Wstringop-truncation warning. - AddRefActCtx() was needlessly being checked for failure in PC/dl_nt.c. - Prevent failure of test_relative_path in test_py_compile on macOS Catalina. - Fixed possible leak in `PyArg_Parse` and similar functions for format units \"es#\" and \"et#\" when the macro `PY_SSIZE_T_CLEAN` is not defined.- Remove upstreamed patches: - CVE-2019-18348-CRLF_injection_via_host_part.patch - python-2.7.14-CVE-2017-1000158.patch - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch - CVE-2018-1061-DOS-via-regexp-difflib.patch - CVE-2019-10160-netloc-port-regression.patch - CVE-2019-16056-email-parse-addr.patch * Sat Feb 08 2020 Matej Cepl - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674) * Sat Feb 08 2020 Matej Cepl - Change to Requires: libpython%{so_version} == %{version}-%{release} to python-base to keep both packages always synchronized (add %{so_version}) (bsc#1162224). * Thu Feb 06 2020 Matej Cepl - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug \"Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)\" (bsc#1162367) * Mon Feb 03 2020 Tomáš Chvátal - Provide python-testsuite from devel subkg to ease py2->py3 dependencies * Mon Jan 27 2020 Matej Cepl - Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch off tests coliding with the combination of modern Python and ancient OpenSSL on SLE-12. * Fri Jan 10 2020 Matej Cepl - libnsl is required only on more recent SLEs and openSUSE, older glibc supported NIS on its own. * Thu Jan 02 2020 Tomáš Chvátal - Add provides in gdbm subpackage to provide dbm symbols. This allows us to use %%{python_module dbm} as a dependency and have it properly resolved for both python2 and python3
|
|
|