python2.7 (2.7.12-1ubuntu0~16.04.18) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2021-3177.patch: use improved patch backport.
    - CVE-2021-3177
  * Fix autopkgtests due to expired certificates
    - debian/patches/ssl-certs-1.patch: Refresh expired SSL test certs
    - debian/patches/ssl-certs-2.patch: Refresh expired SSL test certs
    - debian/patches/test-ssl.patch: backport test changes and more ssl
      certs from python2.7 in bionic.

 -- Marc Deslauriers <email address hidden>  Mon, 01 Mar 2021 06:38:31 -0500

python2.7 (2.7.12-1ubuntu0~16.04.16) xenial-security; urgency=medium

  * SECURITY REGRESSION: previous update caused a regression; pending
    further investigation, this update reverts it.
    - debian/patches/CVE-2021-3177.patch: was removed.

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 25 Feb 2021 11:00:40 -0300

python2.7 (2.7.12-1ubuntu0~16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
      formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
      Modules/_ctypes/callproc.c.
    - CVE-2021-3177

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 01 Feb 2021 16:20:16 -0300

python2.7 (2.7.12-1ubuntu0~16.04.13) xenial-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection
      in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 05 Oct 2020 10:56:01 -0300

python2.7 (2.7.12-1ubuntu0~16.04.12) xenial-security; urgency=medium

  * SECURITY UPDATE: Misleading information
    - debian/patches/CVE-2019-17514.patch: explain that the ordering of the
      result is system-dependent in Doc/library/glob.rst.
    - CVE-2019-17514
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-9674.patch: add pitfalls to
      zipfile module doc in Doc/library/zipfile.rst,
      Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
    - CVE-2019-9674
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
      tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py.
    - CVE-2019-20907

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 21 Jul 2020 12:19:50 -0300

python2.7 (2.7.12-1ubuntu0~16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2019-18348.patch: disallow control characters
      in hostnames in http.client in Lib/httplib.py, Lib/test/test_urllib2.py.
    - CVE-2019-18348
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-8492.patch: fix the regex to prevent
      the regex denial of service in Lib/urllib2.py.
    - CVE-2020-8492

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 15 Apr 2020 14:07:12 -0300

python2.7 (2.7.12-1ubuntu0~16.04.9) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect email address parsing
    - debian/patches/CVE-2019-16056.patch: don't parse domains containing @
      in Lib/email/_parseaddr.py, Lib/test/test_email/test_email.py.
    - CVE-2019-16056
  * SECURITY UPDATE: XSS in documentation XML-RPC server
    - debian/patches/CVE-2019-16935.patch: escape the server_title in
      Lib/DocXMLRPCServer.py, Lib/test/test_docxmlrpc.py.
    - CVE-2019-16935
  * debian/patches/avoid_test_docxmlrpc_race.patch: avoid race in
    test_docxmlrpc server setup in Lib/test/test_docxmlrpc.py.

 -- Marc Deslauriers <email address hidden>  Tue, 08 Oct 2019 10:14:10 -0400

python2.7 (2.7.12-1ubuntu0~16.04.8) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect cookie domain check
    - debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
      subdomain validation in Lib/cookielib.py, Lib/test/test_cookielib.py.
    - CVE-2018-20852
  * SECURITY UPDATE: NULL pointer dereference via X509 certificate
    - debian/patches/CVE-2019-5010.patch: fix segfault in ssl cert parser
      in Lib/test/talos-2019-0758.pem, Lib/test/test_ssl.py,
      Modules/_ssl.c.
    - CVE-2019-5010
  * SECURITY UPDATE: improper handling of unicode encoding
    - debian/patches/CVE-2019-9636-1.patch: add check for characters in
      netloc that normalize to separators in Doc/library/urlparse.rst,
      Lib/test/test_urlparse.py, Lib/urlparse.py.
    - debian/patches/CVE-2019-9636-2.patch: only print test messages when
      verbose in Lib/test/test_urlparse.py.
    - CVE-2019-9636
  * SECURITY UPDATE: HTTP header injection
    - debian/patches/bpo30500.patch: simplify splithost by calling into
      urlparse in Lib/test/test_urllib.py, Lib/urllib.py.
    - debian/patches/CVE-2019-9740.patch: disallow control chars in http
      URLs in Lib/httplib.py, Lib/test/test_urllib.py,
      Lib/test/test_urllib2.py, Lib/test/test_xmlrpc.py.
    - CVE-2019-9740
    - CVE-2019-9947
  * SECURITY UPDATE: urllib support the local_file: scheme
    - debian/patches/CVE-2019-9948.patch: disallow file reading in
      Lib/urllib.py, Lib/test/test_urllib.py.
    - CVE-2019-9948
  * SECURITY UPDATE: incomplete fix for CVE-2019-9636
    - debian/patches/CVE-2019-10160-1.patch: fix handling of
      pre-normalization characters in urlsplit() in
      Lib/test/test_urlparse.py, Lib/urlparse.py.
    - debian/patches/CVE-2019-10160-2.patch: correct fix to handle
      decomposition in usernames in Lib/test/test_urlparse.py,
      Lib/urlparse.py.
    - debian/patches/CVE-2019-10160-3.patch: fix urlparse.urlsplit() error
      message for Unicode URL in Lib/test/test_urlparse.py,
      Lib/urlparse.py.
    - CVE-2019-10160
  * debian/patches/issue9146.diff: fix FIPS mode environments where MD5
    isn't available in Modules/_hashopenssl.c. (LP: #1835135)

 -- Marc Deslauriers <email address hidden>  Thu, 22 Aug 2019 12:36:40 -0400

python2.7 (2.7.12-1ubuntu0~16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow via race condition
    - debian/patches/CVE-2018-1000030-1.patch: stop crashes when iterating
      over a file on multiple threads in Lib/test/test_file2k.py,
      Objects/fileobject.c.
    - debian/patches/CVE-2018-1000030-2.patch: fix crash when multiple
      threads iterate over a file in Lib/test/test_file2k.py,
      Objects/fileobject.c.
    - CVE-2018-1000030
  * SECURITY UPDATE: command injection in shutil module
    - debian/patches/CVE-2018-1000802.patch: use subprocess rather than
      distutils.spawn in Lib/shutil.py.
    - CVE-2018-1000802
  * SECURITY UPDATE: DoS via catastrophic backtracking
    - debian/patches/CVE-2018-106x.patch: fix expressions in
      Lib/difflib.py, Lib/poplib.py. Added tests to
      Lib/test/test_difflib.py, Lib/test/test_poplib.py.
    - CVE-2018-1060
    - CVE-2018-1061
  * SECURITY UPDATE: incorrect Expat hash salt initialization
    - debian/patches/CVE-2018-14647.patch: call SetHashSalt in
      Include/pyexpat.h, Modules/_elementtree.c, Modules/pyexpat.c.
    - CVE-2018-14647

 -- Marc Deslauriers <email address hidden>  Mon, 12 Nov 2018 09:36:49 -0500

python2.7 (2.7.12-1ubuntu0~16.04.3) xenial-proposed; urgency=medium

  * Some performance improvements: LP: #1638695.
    - Build the _math.o object file without -fPIC for static builds.
  * Rename md5_* functions to _Py_md5_*. Closes: #868366. LP: #1734109.
  * Explicitly use the system python for byte compilation in postinst scripts.
    LP: #1682934.
  * Fix issue #22636: Avoid shell injection problems with
    ctypes.util.find_library(). LP: #1512068.

 -- Matthias Klose <email address hidden>  Mon, 04 Dec 2017 15:50:18 +0100

python2.7 (2.7.12-1ubuntu0~16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in the PyString_DecodeEscape
    function
    - debian/patches/CVE-2017-1000158.patch: fix this integer overflow
      in Objects/stringobject.c.
    - CVE-2017-1000158

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 20 Nov 2017 15:23:56 -0300

python2.7 (2.7.12-1ubuntu0~16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
    scripts (aka HTTPOXY attack)
    - debian/patches/CVE-2016-1000110.patch: if running as CGI
      script, forget HTTP_PROXY in Lib/urllib.py, add test to
      Lib/test/test_urllib.py, add documentation.
    - CVE-2016-1000110
  * NOTE: backport of 2.7.12 to Ubuntu 16.04 LTS also addresses:
    - CVE-2016-0772: StartTLS stripping attack
    - CVE-2016-5636: Integer overflow when handling zipfiles

python2.7 (2.7.12-1~16.04) xenial-proposed; urgency=medium

  * SRU: LP: #1591895. Backport 2.7.12 to 16.04 LTS.

 -- Steve Beattie <email address hidden>  Fri, 18 Nov 2016 22:48:10 -0800

python2.7 (2.7.12-1~16.04) xenial-proposed; urgency=medium

  * SRU: LP: #1591895. Backport 2.7.12 to 16.04 LTS.

python2.7 (2.7.12-1) unstable; urgency=medium

  * Python 2.7.12 release.

python2.7 (2.7.12~rc1-2) unstable; urgency=medium

  * Extend debian/copyright to the files shipped in the wheel files.

python2.7 (2.7.12~rc1-1) unstable; urgency=medium

  * Python 2.7.12 release candidate 1.
    - Issue #20041: Fixed TypeError when frame.f_trace is set to None.
    - Issue #25702: A --with-lto configure option has been added that will
      enable link time optimizations at build time during a make profile-opt.
      Some compilers and toolchains are known to not produce stable code when
      using LTO, be sure to test things thoroughly before relying on it.
      It can provide a few % speed up over profile-opt alone.
    - Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283.
    - Fix TLS stripping vulnerability in smtplib, CVE-2016-0772.
    - Issue #7356: ctypes.util: Make parsing of ldconfig output independent of
      the locale.
    - Issue #25738: Stop BaseHTTPServer.BaseHTTPRequestHandler.send_error()
      from sending a message body for 205 Reset Content. Also, don't send the
      Content-Type header field in responses that don't have a body.
    - Issue #21313: Fix the "platform" module to tolerate when sys.version
      contains truncated build information.
    - Issue #27211: Fix possible memory corruption in io.IOBase.readline().
    - Issue #5124: Paste with text selected now replaces the selection on X11.
      This matches how paste works on Windows, Mac, most modern Linux apps,
      and ttk widgets.
    - Issue #24759: Make clear in idlelib.idle_test.__init__ that the directory
      is a private implementation of test.test_idle and tool for maintainers.
    - Issue #21916: Added tests for the turtle module.
    - Issue #27229: Fix the cross-compiling pgen rule for in-tree builds.
    - Issue #17500, and https://github.com/python/pythondotorg/issues/945: Remove
      unused and outdated icons.

python2.7 (2.7.11-11) unstable; urgency=medium

  * Update to 20160602 from the 2.7 branch.
    - Issue #26168: Fixed possible refleaks in failing Py_BuildValue() with
      the "N" format unit.
    - Issue #27114: Fix SSLContext._load_windows_store_certs fails with
      PermissionError.
    - Issue #26673: When tk reports font size as 0, change to size 10.
      Such fonts on Linux prevented the configuration dialog from opening.
    - Issue #27044: Add ConfigDialog.remove_var_callbacks to stop memory leaks.
    - In the 'IDLE-console differences' section of the IDLE doc, clarify
      how running with IDLE affects sys.modules and the standard streams.
    - Issue #25507: Fix incorrect change in IOBinding that prevented printing.
      Change also prevented saving shell window with non-ascii characters.
      Augment IOBinding htest to include all major IOBinding functions.
    - Issue #25905: Revert unwanted conversion of ' to ’ RIGHT SINGLE QUOTATION
      MARK in README.txt and open this and NEWS.txt with 'ascii'.
      Re-encode CREDITS.txt to utf-8 and open it with 'utf-8'.
  * Rebuild to pick up the GNU triplet change on i386 archs. Closes: #826128.

python2.7 (2.7.11-10) unstable; urgency=medium

  * Update to 20160518 from the 2.7 branch.
    - Issue #27039: Fixed bytearray.remove() for values greater than 127.
    - Issue #14132: Fix urllib.request redirect handling when the target only
      has a query string.
    - Removed the requirements for the ctypes and modulefinder modules to be
      compatible with earlier Python versions.
    - Issue #22274: In the subprocess module, allow stderr to be redirected to
      stdout even when stdout is not redirected.
    - Issue #12045: Avoid duplicate execution of command in
      ctypes.util._get_soname().
    - Issue #26960: Backported #16270 from Python 3 to Python 2, to prevent
      urllib from hanging when retrieving certain FTP files.

python2.7 (2.7.11-9) unstable; urgency=medium

  * Update to 20160509 from the 2.7 branch.
    - Issue #25745: Fixed leaking a userptr in curses panel destructor.
    - Issue #17765: weakref.ref() no longer silently ignores keyword arguments.
    - Issue #26873: xmlrpclib now raises ResponseError on unsupported type tags
      instead of silently returning an incorrect result.
    - Issue #24114: Fix an uninitialized variable in `ctypes.util`.
    - Issue #26864: In urllib, change the proxy bypass host checking against
      no_proxy to be case-insensitive, and to not match unrelated host names
      that happen to have a bypassed hostname as a suffix.
    - Issue #26804: urllib will prefer lower_case proxy environment variables
      over UPPER_CASE or Mixed_Case ones.
    - Issue #26837: assertSequenceEqual() now correctly outputs non-stringified
      differing items. This affects assertListEqual() and assertTupleEqual().
    - Issue #26822: itemgetter, attrgetter and methodcaller objects no longer
      silently ignore keyword arguments.
    - Issue #26657: Fix directory traversal vulnerability with SimpleHTTPServer
      on Windows. This fixes a regression that was introduced in 2.7.7.
    - Issue #26736: Used HTTPS for external links in the documentation if
      possible.
    - Issue #22359: Avoid incorrect recursive $(MAKE), and disable the rules for
      running pgen when cross-compiling.
    - Issue #26799: Fix python-gdb.py: don't get C types once when the Python
      code is loaded, but get C types on demand. The C types can change if
      python-gdb.py is loaded before the Python executable.
  * Fix issue #26673, runtime error in idle3. LP: #1578927.

python2.7 (2.7.11-8) unstable; urgency=medium

  * Update to 20160417 from the 2.7 branch.
    - Issue #4806: Avoid masking the original TypeError exception when using
      star (*) unpacking and the exception was raised from a generator.
    - Issue #26659: Make the builtin slice type support cycle collection.
    - Issue #26718: super.__init__ no longer leaks memory if called multiple
      times. NOTE: A direct call of super.__init__ is not endorsed!
    - Issue #13410: Fixed a bug in PyUnicode_Format where it failed to properly
      ignore errors from a __int__() method.
    - Issue #19377: Add .svg to mimetypes.types_map.
    - Issue #13952: Add .csv to mimetypes.types_map.
    - Issue #16329: Add .webm to mimetypes.types_map.
    - Issue #23735: Handle terminal resizing with Readline 6.3+ by installing
      our own SIGWINCH handler.
    - Issue #6953: Rework the Readline module documentation to group related
      functions together, and add more details such as what underlying Readline
      functions and variables are accessed.
  * Fix gdb auto-load symlink for the python2.7 binary. LP: #1571198.

 -- Matthias Klose <email address hidden>  Fri, 01 Jul 2016 17:12:24 +0200

python2.7 (2.7.11-7ubuntu1) xenial; urgency=medium

  * Fix gdb auto-load symlink for the python2.7 binary. LP: #1571198.

 -- Matthias Klose <email address hidden>  Sun, 17 Apr 2016 16:00:29 +0200

python2.7 (2.7.11-7) unstable; urgency=medium

  * Update to 20160330 from the 2.7 branch.

 -- Matthias Klose <email address hidden>  Wed, 30 Mar 2016 23:00:42 +0200

python2.7 (2.7.11-6) unstable; urgency=medium

  * Update to 20160323 from the 3.5 branch.
  * Always build _math.o with -fPIC.

 -- Matthias Klose <email address hidden>  Wed, 23 Mar 2016 12:35:56 +0100

python2.7 (2.7.11-5) unstable; urgency=medium

  * Update to 20160319, taken from the 2.7 release branch.
  * Update symbols files.
  * Don't run test_signal on alpha, hanging on the buildd.

 -- Matthias Klose <email address hidden>  Sat, 19 Mar 2016 13:14:21 +0100

python2.7 (2.7.11-4) unstable; urgency=medium

  * Update to 20160222, taken from the 2.7 release branch.

 -- Matthias Klose <email address hidden>  Mon, 22 Feb 2016 17:38:42 +0100

python2.7 (2.7.11-3) unstable; urgency=medium

  * Revert patches concerning issue #22995.

 -- Matthias Klose <email address hidden>  Mon, 11 Jan 2016 22:04:40 +0100

python2.7 (2.7.11-2) unstable; urgency=medium

  * Disable LTO on ppc64, ppc64el and s390x.
  * Don't run the test_signal tests on alpha.

 -- Matthias Klose <email address hidden>  Wed, 09 Dec 2015 01:29:25 +0100

python2.7 (2.7.11-1) unstable; urgency=medium

  * Python 2.7.11 release.
  * Don't run the test_cpickle test, causes other tests to fail.
    See issue 25698.
  * Fix building architecture independent packages only. Closes: #806868.
  * Don't ship menu files anymore, just desktop files.
  * d/p/fix-sslv3-test.diff: properly handle Ubuntu's openssl having OP_NO_SSLv3
    forced on by default (Marc Deslauriers).
  * Update symbols files.

 -- Matthias Klose <email address hidden>  Mon, 07 Dec 2015 14:27:52 +0100

python2.7 (2.7.10-4ubuntu2) xenial; urgency=medium

  * debian/patches/fix-sslv3-test.diff: properly handle Ubuntu's openssl
    having OP_NO_SSLv3 forced on by default.

 -- Marc Deslauriers <email address hidden>  Thu, 12 Nov 2015 08:02:13 -0500

python2.7 (2.7.10-4ubuntu1) wily; urgency=medium

  * Remove /etc/python2.7/cert-verification.conf, to be introduced in a
    Python 2.7 SRU for 14.04 LTS.

 -- Matthias Klose <email address hidden>  Wed, 14 Oct 2015 18:09:02 +0200