-
python2.7 (2.7.6-8ubuntu0.5) trusty-security; urgency=medium
* SECURITY UPDATE: heap buffer overflow via race condition
- debian/patches/CVE-2018-1000030-1.patch: stop crashes when iterating
over a file on multiple threads in Lib/test/test_file2k.py,
Objects/fileobject.c.
- debian/patches/CVE-2018-1000030-2.patch: fix crash when multiple
threads iterate over a file in Lib/test/test_file2k.py,
Objects/fileobject.c.
- CVE-2018-1000030
* SECURITY UPDATE: command injection in shutil module
- debian/patches/CVE-2018-1000802.patch: use subprocess rather than
distutils.spawn in Lib/shutil.py.
- CVE-2018-1000802
* SECURITY UPDATE: DoS via catastrophic backtracking
- debian/patches/CVE-2018-106x.patch: fix expressions in
Lib/difflib.py, Lib/poplib.py. Added tests to
Lib/test/test_difflib.py, Lib/test/test_poplib.py.
- CVE-2018-1060
- CVE-2018-1061
* SECURITY UPDATE: incorrect Expat hash salt initialization
- debian/patches/CVE-2018-14647.patch: call SetHashSalt in
Include/pyexpat.h, Modules/_elementtree.c, Modules/pyexpat.c.
- CVE-2018-14647
-- Marc Deslauriers <email address hidden> Mon, 12 Nov 2018 11:49:11 -0500
-
python2.7 (2.7.6-8ubuntu0.4) trusty-security; urgency=medium
* SECURITY UPDATE: integer overflow in the PyString_DecodeEscape
function
- debian/patches/CVE-2017-1000158.patch: fix this integer overflow
in Objects/stringobject.c.
- CVE-2017-1000158
-- <email address hidden> (Leonidas S. Barbosa) Mon, 20 Nov 2017 12:39:42 -0300
-
python2.7 (2.7.6-8ubuntu0.3) trusty-security; urgency=medium
* SECURITY UPDATE: StartTLS stripping attack
- debian/patches/CVE-2016-0772.patch: raise an error when
STARTTLS fails in Lib/smtplib.py.
- CVE-2016-0772
* SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
scripts (aka HTTPOXY attack)
- debian/patches/CVE-2016-1000110-pre.patch: prefer lower_case
proxy environment variables over UPPER_CASE or Mixed_Case ones.
- debian/patches/CVE-2016-1000110.patch: if running as CGI
script, forget HTTP_PROXY in Lib/urllib.py, add test to
Lib/test/test_urllib.py, add documentation.
- CVE-2016-1000110
* SECURITY UPDATE: Integer overflow when handling zipfiles
- debian/patches/CVE-2016-5636-pre.patch: check for negative size
in Modules/zipimport.c
- debian/patches/CVE-2016-5636.patch: check for too large value in
Modules/zipimport.c
- CVE-2016-5636
* SECURITY UPDATE: CRLF injection vulnerability in the
HTTPConnection.putheader
- debian/patches/CVE-2016-5699.patch: disallow newlines in
putheader() arguments when not followed by spaces or tabs in
Lib/httplib.py, add tests in Lib/test/test_httplib.py
- CVE-2016-5699
-- Steve Beattie <email address hidden> Tue, 25 Oct 2016 15:38:32 -0700
-
python2.7 (2.7.6-8ubuntu0.2) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service in multiple servers
- debian/patches/CVE-2013-1752-httplib-2.patch: limit amount of headers
in Lib/httplib.py, added test to Lib/test/test_httplib.py.
- debian/patches/CVE-2013-1752-poplib.patch: limit maximum line length
in Lib/poplib.py, added test to Lib/test/test_poplib.py.
- debian/patches/CVE-2013-1752-smtplib.patch: limit amount read from
the network in Lib/smtplib.py, added test to
Lib/test/test_smtplib.py.
- CVE-2013-1752
* SECURITY UPDATE: denial of service via xmlrpc gzip-compressed
HTTP bodies
- debian/patches/CVE-2013-1753.patch: add default limit in
Lib/xmlrpclib.py, added test to Lib/test/test_xmlrpc.py.
- CVE-2013-1753
* SECURITY UPDATE: arbitrary memory read via idx argument
- debian/patches/CVE-2014-4616.patch: reject negative idx values in
Modules/_json.c, added test to Lib/json/tests/test_decode.py.
- CVE-2014-4616
* SECURITY UPDATE: code execution or file disclosure via CGIHTTPServer
- debian/patches/CVE-2014-4650.patch: url unquote path in
Lib/CGIHTTPServer.py, added test to Lib/test/test_httpservers.py.
- CVE-2014-4650
* SECURITY UPDATE: information disclosure via buffer function
- debian/patches/CVE-2014-7185.patch: avoid overflow in
Objects/bufferobject.c, added test to Lib/test/test_buffer.py.
- CVE-2014-7185
-- Marc Deslauriers <email address hidden> Mon, 22 Jun 2015 10:51:39 -0400
-
python2.7 (2.7.6-8) unstable; urgency=medium
* Update to 20140322, taken from the 2.7 branch.
* Install updated idle icons. LP: #1295969.
* Update the ssl.match_hostname backport: Change behavior of
``ssl.match_hostname()`` to follow RFC 6125, for security reasons.
It now doesn't match multiple wildcards nor wildcards inside IDN fragments.
Closes: #740255.
-- Matthias Klose <email address hidden> Sat, 22 Mar 2014 14:31:54 +0100
-
python2.7 (2.7.6-7) unstable; urgency=medium
* Include test data for test_imghdr test.
-- Matthias Klose <email address hidden> Wed, 26 Feb 2014 01:16:47 +0100
-
python2.7 (2.7.6-6) unstable; urgency=high
* Update to 20140225, taken from the 2.7 branch.
- CVE-2014-1912. Fix issue 20246, buffer overflow in socket.recvfrom_into.
* Build without ffi on or1k. Closes: #738519.
* Allow loading of extensions in the sqlite module. Closes: #739555.
* Update autopkg tests (Martin Pitt):
- Don't fail if apport is not installed.
- Call su with explicit shell, as nobody has nologin as default shell now.
- Only use $SUDO_USER if that user actually exists in the testbed.
- Drop obsolete chowning of $TMPDIR and $ADTTMP; with current autopkgtest
$TMPDIR has appropriate permissions, and $ADTTMP is not being used.
-- Matthias Klose <email address hidden> Tue, 25 Feb 2014 10:51:27 +0100
-
python2.7 (2.7.6-5) unstable; urgency=medium
* Update to 20140111, taken from the 2.7 branch.
* Build-depend on net-tools, required for the test_uuid test.
* Build-depend on the default Tcl/Tk.
* Add two new autopkg tests to run the failing tests.
-- Matthias Klose <email address hidden> Sat, 11 Jan 2014 14:52:11 +0100
-
python2.7 (2.7.6-4ubuntu1) trusty; urgency=medium
* Build for Tcl/Tk 8.6.
-- Matthias Klose <email address hidden> Thu, 02 Jan 2014 18:09:11 +0100
-
python2.7 (2.7.6-4) unstable; urgency=medium
* Update to 20131230, taken from the 2.7 branch.
* Disable sphinx refcounting extension, removed in sphinx-1.2.
Closes: #733404.
-- Matthias Klose <email address hidden> Mon, 30 Dec 2013 15:17:09 +0100
-
python2.7 (2.7.6-3ubuntu1) trusty; urgency=low
* Add powerpc64le support to powerpc64 branch in debian/multiarch.h.in
-- Adam Conrad <email address hidden> Sun, 08 Dec 2013 01:42:58 -0700
-
python2.7 (2.7.6-3) unstable; urgency=low
* Update to 20131206, taken from the 2.7 branch.
* Disable the test_uuid autopkg test, hanging, missing entropy?
* Drop python dependency in libpython2.7-dbg.
* Revert patch from http://bugs.python.org/issue19352 as it completely breaks
unittest discovery on Debian/Ubuntu. LP: #1255505.
-- Matthias Klose <email address hidden> Fri, 06 Dec 2013 20:35:22 +0100
-
python2.7 (2.7.6-2ubuntu1) trusty; urgency=low
* Add debian/patches/revert-unittest-loader-symlinks19352.diff: Revert patch
from http://bugs.python.org/issue19352 as it completely breaks unittest
discovery on Debian/Ubuntu. (LP: #1255505)
-- Martin Pitt <email address hidden> Thu, 28 Nov 2013 17:33:17 +0100
-
python2.7 (2.7.6-2) unstable; urgency=low
* Update to 20131121, taken from the 2.7 branch.
* Fix test support when the running kernel doesn't handle port reuse.
* Build-depend on libdb-dev (<< 1:6.0) instead of a specific db version.
-- Matthias Klose <email address hidden> Fri, 22 Nov 2013 13:06:15 +0100
-
python2.7 (2.7.6-1ubuntu1) trusty; urgency=low
* Build-Depend on libdb-dev instead of libdb5.1-dev. LP: #1253523
-- Barry Warsaw <email address hidden> Fri, 22 Nov 2013 13:12:31 -0500
-
python2.7 (2.7.6-1) unstable; urgency=low
* Python 2.7.6 release.
* Update to 20131119, taken from the 2.7 branch.
* For autopkg tests, only run the separate tests when defined.
* Don't run the curses autopkg test.
* Disable running the testsuite on mipsn32(el) and mips64(el),
requested by YunQiang Su. Closes: #719057.
-- Matthias Klose <email address hidden> Tue, 19 Nov 2013 11:45:31 +0100
-
python2.7 (2.7.5-8ubuntu4) trusty; urgency=low
* Build-depend on libdb-dev, instead of libdb5.1-dev.
-- Dmitrijs Ledkovs <email address hidden> Mon, 04 Nov 2013 07:43:55 +0000
-
python2.7 (2.7.5-8ubuntu3) saucy; urgency=low
* For autopkg tests, only run the separate tests when defined.
-- Matthias Klose <email address hidden> Thu, 19 Sep 2013 15:31:48 +0200