|
|
|
|
Changelog for python-32bit-2.7.18-7.1.x86_64.rpm :
* Fri Feb 26 2021 Matej Cepl - Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of semicolon as a query string separator (bpo#42967, bsc#1182379, CVE-2021-23336). * Mon Jan 25 2021 Matej Cepl - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution. * Tue Jan 05 2021 Matej Cepl - (bsc#1180125) We really don\'t Require python-rpm-macros package. Unnecessary dependency. * Sat May 30 2020 Matej Cepl - Add patch configure_PYTHON_FOR_REGEN.patch which makes configure.ac to consider the correct version of PYTHON_FO_REGEN (bsc#1078326). * Mon Apr 27 2020 Matej Cepl - Use python3-Sphinx on anything more recent than SLE-15 (inclusive). * Thu Apr 23 2020 Matej Cepl - Update to 2.7.18, final release of Python 2. Ever.: - Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. - Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller. - Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. - Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host. - Fix problems identified by GCC\'s -Wstringop-truncation warning. - AddRefActCtx() was needlessly being checked for failure in PC/dl_nt.c. - Prevent failure of test_relative_path in test_py_compile on macOS Catalina. - Fixed possible leak in :c:func:`PyArg_Parse` and similar functions for format units \"es#\" and \"et#\" when the macro :c:macro:`PY_SSIZE_T_CLEAN` is not defined. * Sat Feb 08 2020 Matej Cepl - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674) * Sat Feb 08 2020 Matej Cepl - Change to Requires: libpython%{so_version} == %{version}-%{release} to python-base to keep both packages always synchronized (add %{so_version}) (bsc#1162224). * Thu Feb 06 2020 Matej Cepl - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug \"Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)\" (bsc#1162367) * Mon Feb 03 2020 Tomáš Chvátal - Provide python-testsuite from devel subkg to ease py2->py3 dependencies * Mon Jan 27 2020 Matej Cepl - Add python-2.7.17-switch-off-failing-SSL-tests.patch to switch off tests coliding with the combination of modern Python and ancient OpenSSL on SLE-12. * Fri Jan 10 2020 Matej Cepl - libnsl is required only on more recent SLEs and openSUSE, older glibc supported NIS on its own. * Thu Jan 02 2020 Tomáš Chvátal - Add provides in gdbm subpackage to provide dbm symbols. This allows us to use %%{python_module dbm} as a dependency and have it properly resolved for both python2 and python3 * Thu Dec 19 2019 Dominique Leuenberger - Drop appstream-glib BuildRequires and no longer call appstream-util validate-relax: eliminate a build cycle between as-glib and python. The only thing would would gain by calling as-uril is catching if upstream breaks the appdata.xml file in a future release. Considering py2 is dying, chances for a new release, let alone one breaking the xml file, are slim. * Wed Dec 11 2019 Matej Cepl - Unify packages among openSUSE:Factory and SLE versions. (bsc#1159035) ; add missing records to this changelog.- Add idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830) * Wed Dec 04 2019 Matej Cepl - Add python2_split_startup Provide to make it possible to conflict older packages by shared-python-startup. * Fri Nov 22 2019 Matej Cepl - Move /etc/pythonstart script to shared-python-startup package. * Tue Nov 05 2019 Matej Cepl - Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes bsc#1149792 * Tue Nov 05 2019 Steve Kowalik - Add adapted-from-F00251-change-user-install-location.patch fixing pip/distutils to install into /usr/local. * Thu Oct 24 2019 Matej Cepl - Update to 2.7.17: - a bug fix release in the Python 2.7.x series. It is expected to be the penultimate release for Python 2.7.- Removed patches included upstream: - CVE-2018-20852-cookie-domain-check.patch - CVE-2019-16935-xmlrpc-doc-server_title.patch - CVE-2019-9636-netloc-no-decompose-characters.patch - CVE-2019-9947-no-ctrl-char-http.patch - CVE-2019-9948-avoid_local-file.patch - python-2.7.14-CVE-2018-1000030-1.patch - python-2.7.14-CVE-2018-1000030-2.patch- Renamed remove-static-libpython.diff and python-bsddb6.diff to remove-static-libpython.patch and python-bsddb6.patch to unify filenames. * Tue Oct 08 2019 Matej Cepl - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py * Wed Sep 25 2019 Bernhard Wiedemann - Add bpo36302-sort-module-sources.patch (boo#1041090) * Mon Sep 16 2019 Matej Cepl - Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parses email addresses [bsc#1149955, CVE-2019-16056] * Thu Jul 25 2019 Matej Cepl - boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server. * Fri Jul 19 2019 Tomáš Chvátal - Skip test_urllib2_localnet that randomly fails in OBS * Wed Jul 03 2019 Matej Cepl - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes regression introduced by the previous patch. (CVE-2019-10160) Upstream gh#python/cpython#13812 * Wed May 29 2019 Martin Liška - Set _lto_cflags to nil as it will prevent to propage LTO for Python modules that are built in a separate package. * Thu May 02 2019 Matej Cepl - bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised. * Mon Apr 08 2019 Matej Cepl - bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch removing unnecessary (and potentially harmful) URL scheme local-file://. * Mon Apr 08 2019 Matej Cepl - bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch Characters in the netloc attribute that decompose under NFKC normalization (as used by the IDNA encoding) into any of ``/``, ``?``, ``#``, ``AATT``, or ``:`` will raise a ValueError. If the URL is decomposed before parsing, or is not a Unicode string, no error will be raised (CVE-2019-9636). Upstream commits e37ef41 and 507bd8c. * Thu Apr 04 2019 Matej Cepl - (bsc#1111793) Update to 2.7.16: * bugfix-only release: complete list of changes on https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst * Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch which are fully included in the tarball. * Updated patches to apply cleanly: CVE-2019-5010-null-defer-x509-cert-DOS.patch bpo36160-init-sysconfig_vars.patch do-not-use-non-ascii-in-test_ssl.patch openssl-111-middlebox-compat.patch openssl-111-ssl_options.patch python-2.5.1-sqlite.patch python-2.6-gettext-plurals.patch python-2.7-dirs.patch python-2.7.2-fix_date_time_compiler.patch python-2.7.4-canonicalize2.patch python-2.7.5-multilib.patch python-2.7.9-ssl_ca_path.patch python-bsddb6.diff remove-static-libpython.patch * Update python-2.7.5-multilib.patch to pass with new platlib regime. * Fri Jan 25 2019 mceplAATTsuse.com- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo-34623. * Fri Jan 25 2019 mceplAATTsuse.com- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch PyWeakref_NewProxyAATTObjects/weakrefobject.c creates new isntance of PyWeakReference struct and does not intialize wr_prev and wr_next of new isntance. These pointers can have garbage and point to random memory locations. Python should not crash while destroying the isntance created in the same interpreter function. As per my understanding, both wr_prev and wr_next of PyWeakReference instance should be initialized to NULL to avoid segfault. * Sat Jan 19 2019 mceplAATTsuse.com- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch fixing bpo-35746. An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. * Wed Dec 19 2018 Todd R - Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros. * Fri Oct 26 2018 Tomáš Chvátal - Add patch openssl-111.patch to work with openssl-1.1.1 (bsc#1113755) * Tue Sep 25 2018 Matěj Cepl - Apply \"CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch\" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] * Fri Jun 29 2018 mceplAATTsuse.com- Apply \"CVE-2018-1061-DOS-via-regexp-difflib.patch\" to prevent low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS (CVE-2018-1061). Prior to this patch mail server\'s timestamp was susceptible to catastrophic backtracking on long evil response from the server. Also, it was susceptible to catastrophic backtracking, which was a potential DOS vector. [bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060] * Thu Jun 07 2018 psimonsAATTsuse.com- Apply \"CVE-2017-18207.patch\" to add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this check, attackers could cause a denial of service (divide-by-zero error and application crash) via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] * Tue May 29 2018 mceplAATTsuse.com- Apply \"python-sorted_tar.patch\" (bsc#1086001, boo#1081750) sort tarfile output directory listing * Mon May 21 2018 michaelAATTstroeder.com- update to 2.7.15 * dozens of bugfixes, see NEWS for details- removed obsolete patches: * python-ncurses-6.0-accessors.patch * python-fix-shebang.patch * gcc8-miscompilation-fix.patch- add patch from upstream: * do-not-use-non-ascii-in-test_ssl.patch * Fri Apr 06 2018 mliskaAATTsuse.cz- Add gcc8-miscompilation-fix.patch (boo#1084650). * Tue Mar 13 2018 psimonsAATTsuse.com- Apply \"python-2.7.14-CVE-2017-1000158.patch\" to prevent integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution. [bsc#1068664, CVE-2017-1000158] * Mon Feb 05 2018 normandAATTlinux.vnet.ibm.com- exclude test_socket & test_subprocess for PowerPC boo#1078485 (same ref as previous change) * Fri Feb 02 2018 normandAATTlinux.vnet.ibm.com- Add python-skip_random_failing_tests.patch bypass boo#1078485 and exclude many tests for PowerPC * Tue Jan 30 2018 tchvatalAATTsuse.com- Add patch python-fix-shebang.patch to fix bsc#1078326
|
|
|