Change logs for python2.7 source package in Precise

  • python2.7 (2.7.3-0ubuntu3.19) precise-security; urgency=medium
    
      * SECURITY UPDATE: CRLF injection
        - debian/patches/CVE-2020-26116.patch: prevent header injection
          in http methods in Lib/httplib.py, Lib/test/test_httplib.py.
        - CVE-2020-26116
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 06 Oct 2020 09:11:11 -0300
  • python2.7 (2.7.3-0ubuntu3.9) precise-security; urgency=medium
    
      * SECURITY UPDATE: StartTLS stripping attack
        - debian/patches/CVE-2016-0772.patch: raise an error when
          STARTTLS fails in Lib/smtplib.py.
        - CVE-2016-0772
      * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
        scripts (aka HTTPOXY attack)
        - debian/patches/CVE-2016-1000110-pre.patch: prefer lower_case
          proxy environment variables over UPPER_CASE or Mixed_Case ones.
        - debian/patches/CVE-2016-1000110.patch: if running as CGI
          script, forget HTTP_PROXY in Lib/urllib.py, add test to
          Lib/test/test_urllib.py, add documentation.
        - CVE-2016-1000110
      * SECURITY UPDATE: Integer overflow when handling zipfiles
        - debian/patches/CVE-2016-5636-pre.patch: check for negative size in
          Modules/zipimport.c
        - debian/patches/CVE-2016-5636.patch: check for too large value in
          Modules/zipimport.c
        - CVE-2016-5636
      * SECURITY UPDATE: CRLF injection vulnerability in the
        HTTPConnection.putheader
        - debian/patches/CVE-2016-5699.patch: disallow newlines in
          putheader() arguments when not followed by spaces or tabs in
          Lib/httplib.py, add tests in Lib/test/test_httplib.py
        - CVE-2016-5699
    
     -- Steve Beattie <email address hidden>  Tue, 25 Oct 2016 15:38:47 -0700
  • python2.7 (2.7.3-0ubuntu3.8) precise-security; urgency=medium
    
      * SECURITY UPDATE: denial of service in multiple servers
        - debian/patches/CVE-2013-1752-ftplib.patch: limit amount of data read
          in Lib/ftplib.py, added test to Lib/test/test_ftplib.py.
        - debian/patches/CVE-2013-1752-httplib-1.patch: limit long lines in
          Lib/httplib.py.
        - debian/patches/CVE-2013-1752-httplib-2.patch: limit amount of headers
          in Lib/httplib.py, added test to Lib/test/test_httplib.py.
        - debian/patches/CVE-2013-1752-imaplib-1.patch: limit line length in
          Lib/imaplib.py, added test to Lib/test/test_imaplib.py.
        - debian/patches/CVE-2013-1752-imaplib-2.patch: disable broken test in
          Lib/test/test_imaplib.py.
        - debian/patches/CVE-2013-1752-nntplib.patch: limit line length in
          Lib/nntplib.py, added test to Lib/test/test_nntplib.py.
        - debian/patches/CVE-2013-1752-poplib.patch: limit maximum line length
          in Lib/poplib.py, added test to Lib/test/test_poplib.py.
        - debian/patches/CVE-2013-1752-smtplib.patch: limit amount read from
          the network in Lib/smtplib.py, added test to
          Lib/test/test_smtplib.py.
        - CVE-2013-1752
      * SECURITY UPDATE: denial of service via xmlrpc gzip-compressed
        HTTP bodies
        - debian/patches/CVE-2013-1753.patch: add default limit in
          Lib/xmlrpclib.py, added test to Lib/test/test_xmlrpc.py.
        - CVE-2013-1753
      * SECURITY UPDATE: arbitrary memory read via idx argument
        - debian/patches/CVE-2014-4616.patch: reject negative idx values in
          Modules/_json.c, added test to Lib/json/tests/test_decode.py.
        - CVE-2014-4616
      * SECURITY UPDATE: code execution or file disclosure via CGIHTTPServer
        - debian/patches/CVE-2014-4650.patch: url unquote path in
          Lib/CGIHTTPServer.py, added test to Lib/test/test_httpservers.py.
        - CVE-2014-4650
      * SECURITY UPDATE: information disclosure via buffer function
        - debian/patches/CVE-2014-7185.patch: avoid overflow in
          Objects/bufferobject.c, added test to Lib/test/test_buffer.py.
        - CVE-2014-7185
    
     -- Marc Deslauriers <email address hidden>  Mon, 22 Jun 2015 10:55:41 -0400
  • python2.7 (2.7.3-0ubuntu3.6) precise-proposed; urgency=medium
    
      * Ensure failed connections to /dev/log are fully closed, preventing
        infinite loop on logging applications due to socket state (LP: #1081022):
        - d/p/syslog.diff: Cherry picked fix from upstream bugtracker.
     -- James Page <email address hidden>   Thu, 18 Dec 2014 12:05:28 +0000
  • python2.7 (2.7.3-0ubuntu3.5) precise-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and possible code execution via
        buffer overflow in socket.recvfrom_into
        - debian/patches/CVE-2014-1912.diff: check buffer length in
          Modules/socketmodule.c, added tests to Lib/test/test_socket.py.
        - CVE-2014-1912
     -- Marc Deslauriers <email address hidden>   Thu, 27 Feb 2014 09:17:26 -0500
  • python2.7 (2.7.3-0ubuntu3.4) precise-security; urgency=low
    
      * SECURITY UPDATE: incorrect ssl hostname verification
        - debian/patches/CVE-2013-4238.diff: correctly handle NULL bytes in
          the subjectAltName in Modules/_ssl.c, add test to
          Lib/test/test_ssl.py, Lib/test/nullbytecert.pem.
        - CVE-2013-4238
      * debian/patches/disable-ssl-cert-tests.diff: disable patch to re-enable
        ssl cert tests.
      * debian/patches/fix_expired_certs.diff: update expired ssl certs to fix
        ssl tests.
      * debian/patches/disable_ssl_test_algorithms.diff: disable a test that
        requires SNI support.
      * This package does _not_ contain the changes from 2.7.3-0ubuntu3.3 in
        precise-proposed.
     -- Marc Deslauriers <email address hidden>   Thu, 26 Sep 2013 10:22:03 -0400
  • python2.7 (2.7.3-0ubuntu3.3) precise-proposed; urgency=low
    
      * debian/patches/atomic-pyc-rename.diff: Add patch to fix possible race
        conditions when writing .pyc/.pyo files in py_compile.py.
        Issue #13146.  LP: #1058884
     -- Barry Warsaw <email address hidden>   Fri, 07 Jun 2013 11:24:48 -0400
  • python2.7 (2.7.3-0ubuntu3.2) precise-proposed; urgency=low
    
      * Backport fix for issue #14308. Fix an exception when a "dummy" thread is
        in the threading module's active list after a fork(). LP: #1100343.
      * Remove dangling symlink in pkgconfig. LP: #1088771.
      * Make python2.7{,-minimal,-dbg} Multi-Arch: allowed. LP: #1130709.
     -- Matthias Klose <email address hidden>   Thu, 28 Mar 2013 12:40:39 +0100
  • python2.7 (2.7.3-0ubuntu3.1) precise-proposed; urgency=low
    
      * Cherry pick af46a001d5ec to remove Python syslog BOM insertion code that
        was causing corrupt log messages in syslog.  LP: #1029640
     -- Scott Kitterman <email address hidden>   Fri, 27 Jul 2012 22:54:14 -0400
  • python2.7 (2.7.3-0ubuntu3) precise-proposed; urgency=low
    
      * python2.7-minimal needs a versioned depends on python-minimal, not a
        Conflicts.  Conflicts with essential packages, versioned or otherwise,
        are a serious problem for upgrades, as the previous upload demonstrated.
        Instead, we allow a circular dependency between python2.7-minimal and
        python-minimal, and rely on the fact that the package manager ensures
        new versions of both packages will be unpacked before running the
        maintainer script from python2.7-minimal.  LP: #986374.
      * Our versioned dependency on python-minimal is 2.6.6-3+squeeze1, which is
        the first version shipping a pycompile that supports passing a -V option
        referring to a version python-minimal doesn't already know about.
     -- Steve Langasek <email address hidden>   Fri, 20 Apr 2012 14:19:23 -0700
  • python2.7 (2.7.3-0ubuntu2) precise-proposed; urgency=low
    
      * python2.7-minimal: Conflict with python-minimal (<< 2.7.3). LP: #983981.
     -- Matthias Klose <email address hidden>   Thu, 19 Apr 2012 16:07:47 +0200
  • python2.7 (2.7.3-0ubuntu1) precise; urgency=low
    
      * Python 2.7.3 release.
     -- Matthias Klose <email address hidden>   Tue, 10 Apr 2012 12:15:03 +0200
  • python2.7 (2.7.3~rc2-2ubuntu1) precise; urgency=low
    
      * Merge with Debian; remaining changes:
    
    python2.7 (2.7.3~rc2-2) unstable; urgency=low
    
      * Use xdg-open/gvfs-open in Lib/webbrowser.py (Michael Vogt).
        LP: #971311.
      * Add a paragraph about python-foo-dbg packages to README.debug.
        LP: #872050.
      * Disable some tests (no feedback from porters):
        - test_socket on hurd-i386.
        - test_io on amd64.
        - test_signal on kfreebsd-*. Closes: #654783.
        - test_threading on sparc.
      * Tighten build dependency on libexpat-dev. Closes: #665346.
      * Build-depend on db-5.1, don't care about testsuite regressions on
        some esoteric ports.  If packages rely on threaded applications or
        transactions, please use the python-bsddb3 package.
        Closes: #621374.
      * Don't ship the python2 and python2-config symlinks, move these
        to the python-minimal and python-dev packages. Closes: #663874.
      * Remove PVER-doc.doc-base.PVER-doc.in. Closes: #656763.
      * Update symbols files.
      * Avoid runtime path for the sqlite extension.
      * CVE-2011-4944, distutils creates ~/.pypirc insecurely. Closes: #650555.
      * Fix issue #14505, file descriptor leak when deallocating file objects
        created with PyFile_FromString(). Closes: #664529.
     -- Matthias Klose <email address hidden>   Fri, 06 Apr 2012 20:54:29 +0200
  • python2.7 (2.7.3~rc2-1ubuntu1) precise; urgency=low
    
      * Loosen build dependency on expat (the version in precise has the
        security fixes applied).
      * Add safety check to ensure that the _bsddb extension is built.
    
    python2.7 (2.7.3~rc2-1) unstable; urgency=low
    
      * Python 2.7.3 release candidate 2.
      * Build-depend on expat >= 2.1~.
     -- Matthias Klose <email address hidden>   Wed, 21 Mar 2012 19:57:41 +0100
  • python2.7 (2.7.3~rc1-1ubuntu2) precise; urgency=low
    
      * Re-enable the db5.1 patch again.  LP: #440889.
     -- Steve Langasek <email address hidden>   Fri, 09 Mar 2012 23:58:13 -0800
  • python2.7 (2.7.3~rc1-1ubuntu1) precise; urgency=low
    
      * Merge with Debian; remaining changes:
        - Build-depend on libdb5.1-dev.
    
    python2.7 (2.7.3~rc1-1) unstable; urgency=low
    
      * Python 2.7.3 release candidate 1.
      * Update to 20120309, taken from the 2.7 branch.
      * Fix dangling libpython.a symlink. Closes: #660231.
     -- Matthias Klose <email address hidden>   Fri, 09 Mar 2012 23:23:55 +0100
  • python2.7 (2.7.2-13ubuntu5) precise; urgency=low
    
      * Update to 20120216, taken from the 2.7 branch.
      * Install an egg-info file for argparse.
     -- Matthias Klose <email address hidden>   Thu, 16 Feb 2012 17:33:01 +0100
  • python2.7 (2.7.2-13ubuntu4) precise; urgency=low
    
      * Really apply the db5.1 patch. LP: #440889 (why is such an old and
        unrelated issue number used?).
     -- Matthias Klose <email address hidden>   Sat, 21 Jan 2012 23:09:45 +0100
  • python2.7 (2.7.2-13ubuntu3) precise; urgency=low
    
      * Really apply the db5.1 patch. LP: #440889 (why is such an old and
        unrelated issue number used?).
     -- Matthias Klose <email address hidden>   Sat, 21 Jan 2012 23:09:45 +0100
  • python2.7 (2.7.2-13ubuntu2) precise; urgency=low
    
      * Stop providing python-argparse. LP: #916188.
     -- Matthias Klose <email address hidden>   Fri, 20 Jan 2012 19:13:15 +0100
  • python2.7 (2.7.2-13ubuntu1) precise; urgency=low
    
      * Build using libdb5.1.
    
    python2.7 (2.7.2-13) unstable; urgency=low
    
      * Update to 20120120, taken from the 2.7 branch.
      * Remove patch integrated upstream (issue9054.diff).
      * Backport Issue #9189 to distutils/sysconfig.py as well.
        Closes: #656118.
      * Disable test_io on kfreebsd again. Closes: #654783.
      * Disable test_bsddb3 tests on kfreebsd again.
    
    python2.7 (2.7.2-12) unstable; urgency=low
    
      * Run the tests with a script command which doesn't exit immediately
        when stdin is /dev/null (Colin Watson).
     -- Matthias Klose <email address hidden>   Fri, 20 Jan 2012 18:05:34 +0100
  • python2.7 (2.7.2-11ubuntu1) precise; urgency=low
    
      * Upload to precise.
    
    python2.7 (2.7.2-11) unstable; urgency=low
    
      * Don't run the test_site tests when $HOME doesn't exist.
    
    python2.7 (2.7.2-10) unstable; urgency=low
    
      * Update to 20120110, taken from the 2.7 branch.
      * Overwrite some lintian warnings:
        - The -dbg interpreters are not unusual.
        - The -gdb.py files don't need a python dependency.
        - lintian can't handle a whatis entry starting with one word on the line.
      * Fix test failures related to distutils debian installation layout.
      * Add build-arch/build-indep targets.
      * Regenerate Setup and Makefiles after correcting Setup.local.
      * profiled-build.diff: Pass PY_CFLAGS instead of CFLAGS for the profiled
        build.
      * Pass dpkg-buildflags to the build process, and build third party
        extensions with these flags.
      * Add support to build using -flto (and -g1) on some architectures.
      * Disable pgo builds for some architectures (for now, keep just
        amd64 armel armhf i386 powerpc ppc64).
      * Build-depend on libgdbm-dev to build and run the gdbm tests.
      * Build-depend on xvfb to run the tkinter tests.
      * python2.7: Provide python2.7-argparse and python-argparse.
      * Don't run test_threading on mips/mipsel.
      * Run the test_gdb test for the debug build only.
      * Add build conflict to python-cxx-dev (pydoc test failures).
      * Disable test_ssl certificate check, certificate expired on python.org.
     -- Matthias Klose <email address hidden>   Wed, 11 Jan 2012 16:54:55 +0100
  • python2.7 (2.7.2-9ubuntu1) precise; urgency=low
    
      * Update to 20120105, taken from the 2.7 branch.
      * Test build using db5.1.
      * Overwrite some lintian warnings:
        - The -dbg interpreters are not unusual.
        - The -gdb.py files don't need a python dependency.
        - lintian can't handle a whatis entry starting with one word on the line.
      * Fix test failures related to distutils debian installation layout.
      * Add build-arch/build-indep targets.
      * Regenerate Setup and Makefiles after correcting Setup.local.
      * profiled-build.diff: Pass PY_CFLAGS instead of CFLAGS for the profiled
        build.
      * Pass dpkg-buildflags to the build process, and build third party
        extensions with these flags.
      * Add support to build using -flto (and -g1) on some architectures.
      * Disable pgo builds for some architectures (for now, keep just
        amd64 armel armhf i386 powerpc ppc64).
      * Build-depend on libgdbm-dev to build and run the gdbm tests.
      * Build-depend on xvfb to run the tkinter tests.
      * python2.7: Provide python2.7-argparse and python-argparse.
      * Don't run test_threading on mips/mipsel.
     -- Matthias Klose <email address hidden>   Fri, 06 Jan 2012 21:57:07 +0100
  • python2.7 (2.7.2-9) unstable; urgency=low
    
      * Update to 20111217, taken from the 2.7 branch.
     -- Matthias Klose <email address hidden>   Sun,  18 Dec 2011 15:52:19 +0000
  • python2.7 (2.7.2-8build1) precise; urgency=low
    
      * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
     -- Adam Conrad <email address hidden>   Fri, 02 Dec 2011 17:31:30 -0700
  • python2.7 (2.7.2-8) unstable; urgency=low
    
      * Update to 20111130, taken from the 2.7 branch.
      * New patch, ctypes-arm, allow for ",hard-float" after libc6 in ldconfig -p
        output (Loic Minier). LP: #898172.
      * debian/rules: Define DPKG_VARS (Alban Browaeys). Closes: #647419.
      * Add python-config man page (Johann Felix Soden). Closes: #650181.
    
    python2.7 (2.7.2-7) unstable; urgency=low
    
      * Adjust patches for removed Lib/plat-linux3.
      * Add build conflict to libncurses5-dev, let configure search for
        ncurses headers in /usr/include/ncursesw too.
    
    python2.7 (2.7.2-6) unstable; urgency=low
    
      * Update to 20111004, taken from the 2.7 branch.
      * Use the ncursesw include directory when linking with ncursesw.
      * Rebuild with libreadline not linked with libncurses*. Closes: #643816.
      * Fix typos in the multiprocessing module. Closes: #643856.
     -- Matthias Klose <email address hidden>   Thu,  01 Dec 2011 12:40:07 +0000
  • python2.7 (2.7.2-5ubuntu1) oneiric; urgency=low
    
      * Use the ncursesw include directory when linking with ncursesw.
      * Rebuild with libreadline not linked with libncurses*.
     -- Matthias Klose <email address hidden>   Tue, 04 Oct 2011 16:09:29 +0200