-
python2.7 (2.7.17-1~18.04ubuntu1.11) bionic-security; urgency=medium
* SECURITY UPDATE: Possible Bypass Blocklisting
- debian/patches/CVE-2023-24329.patch: enforce
that a scheme must begin with an alphabetical ASCII character
in Lib/urlparse.py, Lib/test/test_urlparse.py.
- CVE-2023-24329
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 08 Mar 2023 15:40:28 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.10) bionic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-45061.patch: fix quadratic time idna
decoding in Lib/encodings/idna.py.
- CVE-2022-45061
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 28 Nov 2022 15:51:39 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.8) bionic-security; urgency=medium
* SECURITY UPDATE: Injection Attack
- debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe
filenames/types/param in Lib/mailcap.py.
- CVE-2015-20107
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 01 Jul 2022 12:56:32 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.7) bionic-security; urgency=medium
* SECURITY UPDATE: Expose sensitive information
- debian/patches/CVE-2021-4189.patch: alters ftplib.FTP class
behavior to not trust the IPv4 address sent from the remote
server when setting up a passive data channel in
response in Lib/ftplib.py, Lib/test/test_ftplib.py.
- CVE-2021-4189
* SECURITY UPDATE: Injection Attack
- debian/patches/CVE-2022-0391.patch: sanitize urls in urlparse
when they contain ASCII newlines and tabs in
Lib/test/test_urlparse.py,
Lib/urlparse.py.
- CVE-2022-0391
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 18 Mar 2022 10:21:42 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.6) bionic-security; urgency=medium
* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2021-3177.patch: use improved patch backport.
- CVE-2021-3177
-- Marc Deslauriers <email address hidden> Sat, 27 Feb 2021 10:10:58 -0500
-
python2.7 (2.7.17-1~18.04ubuntu1.5) bionic-security; urgency=medium
* SECURITY REGRESSION: previous update caused a regression, so
pending further investigation this update reverts it
- debian/patches/CVE-2021-3177.patch: was removed.
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 25 Feb 2021 11:02:55 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.3) bionic-security; urgency=medium
* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
Modules/_ctypes/callproc.c.
- CVE-2021-3177
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 29 Jan 2021 12:18:18 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: CRLF injection
- debian/patches/CVE-2020-26116.patch: prevent header injection
in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
- CVE-2020-26116
* debian/patches/issue9146.patch: re-add fix for FIPS mode environments where MD5
isn't available in Modules/_hashopenssl.c. (LP: #1898078)
-- <email address hidden> (Leonidas S. Barbosa) Wed, 30 Sep 2020 10:38:04 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1.1) bionic-security; urgency=medium
* SECURITY UPDATE: Misleading information
- debian/patches/CVE-2019-17514.patch: explain that the order of
the result is system-dependent in Doc/library/glob.rst.
- CVE-2019-17514
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-9674.patch: add pitfalls to
zipfile module doc in Doc/library/zipfile.rst,
Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
- CVE-2019-9674
* SECURITY UPDATE: Infinite loop
- debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py.
- CVE-2019-20907
-- <email address hidden> (Leonidas S. Barbosa) Mon, 20 Jul 2020 12:37:01 -0300
-
python2.7 (2.7.17-1~18.04ubuntu1) bionic-security; urgency=medium
* SECURITY UPDATE: CRLF injection
- debian/patches/CVE-2019-18348.patch: disallow control characters
in hostnames in http.client in Lib/httplib.py, Lib/test/test_urllib2.py.
- CVE-2019-18348
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2020-8492.patch: fix the regex to prevent
the regex denial of service in Lib/urllib2.py.
- CVE-2020-8492
-- <email address hidden> (Leonidas S. Barbosa) Wed, 15 Apr 2020 14:20:14 -0300
-
python2.7 (2.7.17-1~18.04) bionic-proposed; urgency=medium
* SRU: LP: #1855133.
* Backport Python 2.7.17 to 18.04 LTS.
* Don't run the test_ttk_guionly test, hangs on the buildds.
python2.7 (2.7.17-1) unstable; urgency=medium
* Python 2.7.17 release.
python2.7 (2.7.17~rc1-1) unstable; urgency=medium
* Python 2.7.17 release candidate 1.
- CVE-2019-16056, don't parse domains containing @. Closes: #940901.
* Bump standards version.
python2.7 (2.7.16-4) unstable; urgency=medium
* Update to 20190904 from the 2.7 branch.
* Refresh patches.
* Drop build dependency on python:any. Addresses: #937569.
* Annotate Build-Depends: xvfb and xauth with <!nocheck>. Closes: #928514.
python2.7 (2.7.16-3) unstable; urgency=medium
* Update to 20190708 from the 2.7 branch.
* Bump standards version.
python2.7 (2.7.16-2) unstable; urgency=high
[ Matthias Klose ]
* CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
normalize to separators. Closes: #924073.
* CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
(file://).
[ Dimitri John Ledkov ]
* Bump Build-Dependency and Dependency of libssl-dev and libssl1.1 to
1.1.1 or higher. As TLS1.3 constants leak into the ssl module, one
shouldn't mix and match python2.7 & libssl1.1. LP: #1808476
python2.7 (2.7.16-1) unstable; urgency=medium
* Python 2.7.16 release.
- Now has a version without a trailing '+'. Closes: #914072.
python2.7 (2.7.16~rc1-1) unstable; urgency=medium
* Python 2.7.16 release candidate 1.
python2.7 (2.7.15-9) unstable; urgency=medium
* Update to 20190216 from the 2.7 branch.
- Backport of TLS 1.3 related fixes from 3.7.
* Drop the local TLS 1.3 backports.
python2.7 (2.7.15-8) unstable; urgency=medium
* Fix typo in autopkg test.
python2.7 (2.7.15-7) unstable; urgency=medium
* Expect the test_site test failing as in 3.7.
python2.7 (2.7.15-6) unstable; urgency=medium
* Update to 20190201 from the 2.7 branch.
- CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
- CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
Closes: #921039.
- CVE-2019-5010: DoS vulnerability exists in the X509 certificate parser.
Closes: #921040.
* Bump standards version.
* Update symbols file.
python2.7 (2.7.15-5) unstable; urgency=medium
* Update to 20181127 from the 2.7 branch.
- Fix issue #20744, running an external 'zip' in shutil.make_archive().
CVE-2018-1000802. Closes: #909673.
* Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
* Don't hard code location of netinet/in.h. Closes: #912422.
* Update VCS attributes.
-- Matthias Klose <email address hidden> Thu, 07 Nov 2019 11:07:09 +0100
-
python2.7 (2.7.15-4ubuntu4~18.04.2) bionic-security; urgency=medium
* SECURITY UPDATE: incorrect email address parsing
- debian/patches/CVE-2019-16056.patch: don't parse domains containing @
in Lib/email/_parseaddr.py, Lib/test/test_email/test_email.py.
- CVE-2019-16056
* SECURITY UPDATE: XSS in documentation XML-RPC server
- debian/patches/CVE-2019-16935.patch: escape the server_title in
Lib/DocXMLRPCServer.py, Lib/test/test_docxmlrpc.py.
- CVE-2019-16935
-- Marc Deslauriers <email address hidden> Mon, 07 Oct 2019 13:39:04 -0400
-
python2.7 (2.7.15-4ubuntu4~18.04.1) bionic-security; urgency=medium
* SECURITY UPDATE: incorrect cookie domain check
- debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
subdomain validation in Lib/cookielib.py, Lib/test/test_cookielib.py.
- CVE-2018-20852
* SECURITY UPDATE: NULL pointer dereference via X509 certificate
- debian/patches/CVE-2019-5010.patch: fix segfault in ssl cert parser
in Lib/test/talos-2019-0758.pem, Lib/test/test_ssl.py,
Modules/_ssl.c.
- CVE-2019-5010
* SECURITY UPDATE: improper handling of unicode encoding
- debian/patches/CVE-2019-9636-1.patch: add check for characters in
netloc that normalize to separators in Doc/library/urlparse.rst,
Lib/test/test_urlparse.py, Lib/urlparse.py.
- debian/patches/CVE-2019-9636-2.patch: only print test messages when
verbose in Lib/test/test_urlparse.py.
- CVE-2019-9636
* SECURITY UPDATE: HTTP header injection
- debian/patches/CVE-2019-9740.patch: disallow control chars in http
URLs in Lib/httplib.py, Lib/test/test_urllib.py,
Lib/test/test_urllib2.py, Lib/test/test_xmlrpc.py.
- CVE-2019-9740
- CVE-2019-9947
* SECURITY UPDATE: urllib supports the local_file: scheme
- debian/patches/CVE-2019-9948.patch: disallow file reading in
Lib/urllib.py, Lib/test/test_urllib.py.
- CVE-2019-9948
* SECURITY UPDATE: incomplete fix for CVE-2019-9636
- debian/patches/CVE-2019-10160-1.patch: fix handling of
pre-normalization characters in urlsplit() in
Lib/test/test_urlparse.py, Lib/urlparse.py.
- debian/patches/CVE-2019-10160-2.patch: correct fix to handle
decomposition in usernames in Lib/test/test_urlparse.py,
Lib/urlparse.py.
- debian/patches/CVE-2019-10160-3.patch: fix urlparse.urlsplit() error
message for Unicode URL in Lib/test/test_urlparse.py,
Lib/urlparse.py.
- CVE-2019-10160
* debian/patches/issue9146.diff: fix FIPS mode environments where MD5
isn't available in Modules/_hashopenssl.c. (LP: #1835135)
-- Marc Deslauriers <email address hidden> Tue, 09 Jul 2019 12:51:35 -0400
-
python2.7 (2.7.15-4ubuntu4~18.04) bionic; urgency=medium
* Rebuild against OpenSSL 1.1.1. LP: #1797386
* Update to 2.7.15 final.
-- Dimitri John Ledkov <email address hidden> Tue, 27 Nov 2018 23:36:35 +0000
-
python2.7 (2.7.15~rc1-1ubuntu0.1) bionic-security; urgency=medium
* SECURITY UPDATE: command injection in shutil module
- debian/patches/CVE-2018-1000802.patch: use subprocess rather than
distutils.spawn in Lib/shutil.py.
- CVE-2018-1000802
* SECURITY UPDATE: incorrect Expat hash salt initialization
- debian/patches/CVE-2018-14647.patch: call SetHashSalt in
Include/pyexpat.h, Modules/_elementtree.c, Modules/pyexpat.c.
- CVE-2018-14647
-- Marc Deslauriers <email address hidden> Mon, 12 Nov 2018 09:31:15 -0500
-
python2.7 (2.7.15~rc1-1) unstable; urgency=medium
* Python 2.7.15 release candidate 1.
-- Matthias Klose <email address hidden> Sun, 15 Apr 2018 23:51:34 +0200
-
python2.7 (2.7.14-8) unstable; urgency=medium
* Update to 20180402 from the 2.7 branch.
-- Matthias Klose <email address hidden> Mon, 02 Apr 2018 06:16:25 +0200
-
python2.7 (2.7.14-7) unstable; urgency=medium
* Update to 20180313 from the 2.7 branch.
- Fix issue #32185: The SSL module no longer sends IP addresses in SNI TLS
extension on platforms with OpenSSL 1.0.2+ or inet_pton. See #892814.
* Add support for riscv64 (Aurelien Jarno). Closes: #892329.
-- Matthias Klose <email address hidden> Tue, 13 Mar 2018 16:23:44 +0100
-
python2.7 (2.7.14-6) unstable; urgency=medium
* Don't run lib2to3 tests which rely on the pickled grammar files.
-- Matthias Klose <email address hidden> Tue, 06 Feb 2018 20:12:18 +0100
-
python2.7 (2.7.14-5) unstable; urgency=medium
* Update to 20180204 from the 2.7 branch.
- Fix issue #31530. Closes: #889280.
* python2.7-minimal: Pre-Depend on zlib1g. Closes: #887629.
-- Matthias Klose <email address hidden> Sun, 04 Feb 2018 09:35:17 +0100
-
python2.7 (2.7.14-4build1) bionic; urgency=high
* No change rebuild against openssl1.1.
-- Dimitri John Ledkov <email address hidden> Mon, 05 Feb 2018 16:52:34 +0000
-
python2.7 (2.7.14-4) unstable; urgency=medium
* Fix applying the m-i-p-s-r6 patch.
-- Matthias Klose <email address hidden> Tue, 05 Dec 2017 16:17:02 +0100
-
python2.7 (2.7.14-2ubuntu2) artful; urgency=medium
* Build with -fstack-protector instead of -fstack-protector-strong.
Performance improvements of around 1-2% according to LP #1638695.
-- Matthias Klose <email address hidden> Sun, 24 Sep 2017 00:06:14 +0200