-------------------------------------------------------------------
Mon Mar 18 12:16:46 UTC 2024 - jsilva@suse.com

- Fix for SG#67850, bsc#1221582:
  * CVE-2023-40217-avoid-ssl-pre-close.patch: Fix CVE-2023-40217:
    Check for & avoid the ssl pre-close flaw (CVE-2023-40217).

-------------------------------------------------------------------
Tue Aug 1 08:43:08 UTC 2023 - jsilva@suse.com

- Fix for SG#66429, bsc#1213839:
  * CVE-2023-24329-blank-URL-bypass.patch: Fix bug in
    urllib.parse.urlparse that causes URL schemes that begin with a
    digit, a plus sign, or a minus sign to be parsed incorrectly
    (CVE-2023-24329).

-------------------------------------------------------------------
Thu Nov 10 03:18:21 UTC 2022 - Chao Xiong

- build for bsc#1205075 and bsc#1205068

-------------------------------------------------------------------
Thu Nov 10 03:11:13 UTC 2022 - cxiong@suse.com

- LEVEL 3 SUPPORT STARTS HERE
  All changes above this marker are made by SUSE L3 Team.
  ===================================================================

-------------------------------------------------------------------
Thu Sep 8 03:33:09 UTC 2022 - Steve Kowalik

- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP
    server when a URI path starts with //. (bsc#1202624,
    CVE-2021-28861)

-------------------------------------------------------------------
Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the command
  injection in the mailcap module.

-------------------------------------------------------------------
Wed Feb 9 16:49:52 UTC 2022 - Matej Cepl

- Add CVE-2022-0391-urllib_parse-newline-parsing.patch (bsc#1195396,
  CVE-2022-0391, bpo#43882) sanitizing URLs containing ASCII newline
  and tabs in urlparse.
-------------------------------------------------------------------
Mon Oct 4 08:45:14 UTC 2021 - Matej Cepl

- Add CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after an HTTP
  100 status (CVE-2021-3737, bsc#1189241)
- Add patch CVE-2019-9947-no-ctrl-char-http.patch (bsc#1130840,
  CVE-2019-9947).

-------------------------------------------------------------------
Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl

- Add CVE-2021-3733-fix-ReDoS-in-request.patch which fixes ReDoS in
  request (bpo#43075, bsc#1189287, CVE-2021-3733).

-------------------------------------------------------------------
Thu Jul 29 15:39:27 UTC 2021 - Matej Cepl

- Recomment out python-2.5.1-sqlite.patch and describe it a bit more.

-------------------------------------------------------------------
Wed Mar 3 18:05:54 UTC 2021 - Matej Cepl

- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of
  semicolon as a query string separator (bpo#42967, bsc#1182379,
  CVE-2021-23336).
- Switch off -O0 non-optimization.

-------------------------------------------------------------------
Mon Jan 25 23:35:49 UTC 2021 - Matej Cepl

- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126
  (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.

-------------------------------------------------------------------
Mon Oct 19 01:49:43 UTC 2020 - Steve Kowalik

- Add CVE-2020-26116-httplib-header-injection.patch fixing
  bsc#1177211 (CVE-2020-26116, bpo#39603) no longer allowing special
  characters in the method parameter of HTTPConnection.putrequest in
  httplib, stopping injection of headers. Such characters now raise
  ValueError.
-------------------------------------------------------------------
Mon Jul 20 12:06:41 UTC 2020 - Matej Cepl

- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in
  specifically crafted tarball. Add recursion.tar as a testing
  tarball for the patch.

-------------------------------------------------------------------
Thu Apr 30 21:46:22 UTC 2020 - Matej Cepl

- Add CVE-2019-18348-CRLF_injection_via_host_part.patch to disallow
  control characters in hostnames in httplib, addressing
  CVE-2019-18348. Such potentially malicious header injection URLs
  now cause an InvalidURL to be raised. (bsc#1155094)

-------------------------------------------------------------------
Thu Apr 30 12:58:07 UTC 2020 - Matej Cepl

- Add CVE-2019-9674-zip-bomb.patch to improve documentation warning
  about dangers of zip-bombs and other security problems with zipfile
  library. (bsc#1162825 CVE-2019-9674)

-------------------------------------------------------------------
Tue Feb 25 13:48:57 CET 2020 - Matej Cepl

- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
  "Python urllib allowed an HTTP server to conduct Regular Expression
  Denial of Service (ReDoS)" (bsc#1162367, CVE-2020-8492)

-------------------------------------------------------------------
Mon Sep 16 15:57:54 CEST 2019 - Matej Cepl

- Add CVE-2019-16056-email-parse-addr.patch fixing the email module
  wrongly parsing email addresses [bsc#1149955, CVE-2019-16056]

-------------------------------------------------------------------
Thu Jul 25 19:46:48 CEST 2019 - Matej Cepl

- boo#1141853 (CVE-2018-20852) add
  CVE-2018-20852-cookie-domain-check.patch fixing
  http.cookiejar.DefaultPolicy.domain_return_ok which did not
  correctly validate the domain: it could be tricked into sending
  cookies to the wrong server.
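An added illustration of the domain check that the CVE-2018-20852 entry above describes; this is not the code of the SUSE patch, and the function names and the cookie jar are constructed for the example. A bare suffix comparison returns a cookie scoped to one domain to any host whose name merely ends in the same characters, so the comparison has to be anchored at a label (dot) boundary.

```python
# Constructed example (Python 3), not CVE-2018-20852-cookie-domain-check.patch.
# A cookie domain must match the request host exactly or as a parent
# domain at a dot boundary. The suffix-only variant below illustrates
# the bug class; the boundary-aware variant is the corrected check.


def suffix_domain_return_ok(domain, req_host):
    """Flawed check (illustration of the bug class): plain suffix test.

    "xxxfoo.co.jp".endswith("foo.co.jp") is True, so a cookie for
    foo.co.jp would be sent to an unrelated host.
    """
    return req_host.lower().endswith(domain.lower())


def domain_return_ok(domain, req_host):
    """Boundary-aware check: exact match, or req_host is a subdomain."""
    domain = domain.lower()
    req_host = req_host.lower()
    # Normalise to a leading-dot form so the suffix test can only match
    # at a label boundary; keep the bare form for the exact-match case.
    dotdomain = domain if domain.startswith(".") else "." + domain
    bare = dotdomain[1:]
    return req_host == bare or req_host.endswith(dotdomain)


def cookies_for_host(jar, req_host, check=domain_return_ok):
    """Names of cookies in `jar` (a list of (name, domain) pairs) that
    the given policy check would return to `req_host`."""
    return [name for name, domain in jar if check(domain, req_host)]


if __name__ == "__main__":
    # Constructed cookie jar: two cookies scoped to foo.co.jp.
    jar = [("session", "foo.co.jp"), ("pref", ".foo.co.jp")]
    for host in ("foo.co.jp", "www.foo.co.jp", "xxxfoo.co.jp"):
        print(host,
              "suffix-only:", cookies_for_host(jar, host, suffix_domain_return_ok),
              "boundary:", cookies_for_host(jar, host))
```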
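The entries for CVE-2022-0391 (Feb 9 2022), CVE-2020-26116 (Oct 19 2020) and CVE-2019-18348 (Apr 30 2020) all apply one defensive pattern: attacker-influenced text must not carry the characters that end an HTTP request line or header. The following is an added example of that pattern written for Python 3, not the code of the SUSE patches; the function names, the character classes and the sample inputs are assumptions for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed example, not the SUSE patches' code: the same "no raw
# control characters" guard at the three places the changelog names
# (the URL before parsing, the host, the request method).

# Tab, CR and LF are dropped from a URL before it is parsed.
UNSAFE_URL_CHARS = "\t\r\n"
# A hostname may not contain NUL..space or DEL: any of them would end
# the Host header early or start a forged header line.
_HOST_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")
# The method may not contain C0 control characters, which would
# terminate the request line.
_METHOD_DISALLOWED = re.compile(r"[\x00-\x1f]")


class InvalidURL(ValueError):
    """Raised when a host could smuggle extra headers into a request."""


def sanitize_url(url):
    """Strip tab/CR/LF from a URL the way the patched urlparse does."""
    for ch in UNSAFE_URL_CHARS:
        url = url.replace(ch, "")
    return url


def is_safe_host(host):
    return _HOST_DISALLOWED.search(host) is None


def is_safe_method(method):
    return _METHOD_DISALLOWED.search(method) is None


def build_request_line(method, url):
    """Return 'METHOD target HTTP/1.1\\r\\nHost: host\\r\\n' from checked parts.

    Raises ValueError for a bad method and InvalidURL for a bad host,
    mirroring the exception types the changelog entries name.
    """
    if not is_safe_method(method):
        raise ValueError("method can't contain control characters: %r" % method)
    parts = urlsplit(sanitize_url(url))
    if not is_safe_host(parts.netloc):
        raise InvalidURL("URL can't contain control characters: %r" % parts.netloc)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return "%s %s HTTP/1.1\r\nHost: %s\r\n" % (method, target, parts.netloc)


if __name__ == "__main__":
    print(repr(build_request_line("GET", "http://example.com/a?b=1")))
    # Constructed inputs that each guard must reject.
    for method, url in [("GET\r\nX-Injected: 1", "http://example.com/"),
                        ("GET", "http://example.com\x00.invalid/")]:
        try:
            build_request_line(method, url)
        except ValueError as exc:  # InvalidURL is a ValueError subclass
            print("rejected:", exc)
```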
-------------------------------------------------------------------
Wed Jul 3 21:02:00 CEST 2019 - Matej Cepl

- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which
  fixes regression introduced by the previous patch (CVE-2019-10160)
  and gets Lib/urlparse.py and tests in sync with the latest upstream
  state. Upstream gh#python/cpython#13812

-------------------------------------------------------------------
Mon Apr 8 23:16:54 CEST 2019 - Matej Cepl

- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch
  removing unnecessary (and potentially harmful) URL scheme
  local-file://.

-------------------------------------------------------------------
Wed Apr 3 17:24:37 CEST 2019 - Matej Cepl

- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
  Characters in the netloc attribute that decompose under NFKC
  normalization (as used by the IDNA encoding) into any of ``/``,
  ``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the URL is
  decomposed before parsing, or is not a Unicode string, no error will
  be raised (CVE-2019-9636). Upstream commits e37ef41 and 507bd8c.

-------------------------------------------------------------------
Thu Sep 27 17:37:33 CEST 2018 - mcepl@suse.com

- bsc#1109847: add
  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.

-------------------------------------------------------------------
Thu Sep 13 14:53:29 UTC 2018 - Matěj Cepl

- bsc#1108253: Revert move of pyconfig.h from python-base to
  python-devel.

-------------------------------------------------------------------
Mon Aug 6 14:58:43 UTC 2018 - mcepl@suse.com

- bsc#985177 Apply "CVE-2016-5636-zipimport.patch" to avoid heap
  overflow in zipimporter module.
  Upstream bug https://bugs.python.org/issue26171
  Also, added other patches fixing various other bugs in zipimport
  module:
  - bgo5897-zipimport-doesnt-check-retval-fseek.patch
  - zipimport-fix-refleak.patch
  - bgo12124-zipimport-ref-zlibdecompress.patch
  - bgo19883-int-overflow-zipimport.patch
  - bgo19883-inf-loop-zipimport-bcof-cebcd2fd3e1f.patch

-------------------------------------------------------------------
Fri Jun 29 10:24:27 UTC 2018 - mcepl@suse.com

- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
  low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
  (CVE-2018-1061). Prior to this patch the mail server's timestamp was
  susceptible to catastrophic backtracking on a long evil response
  from the server. Also, it was susceptible to catastrophic
  backtracking, which was a potential DOS vector. [bsc#1088004 and
  bsc#1088009, CVE-2018-1061 and CVE-2018-1060]
- Apply "python-sorted_tar.patch" (bsc#1086001) to sort tarfile output
  directory listing

-------------------------------------------------------------------
Thu Jun 7 17:04:40 UTC 2018 - psimons@suse.com

- Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that
  verifies that at least one channel is provided. Prior to this check,
  attackers could cause a denial of service (divide-by-zero error and
  application crash) via a crafted wav format audio file.
  [bsc#1083507, CVE-2017-18207]

-------------------------------------------------------------------
Tue Mar 13 15:22:47 UTC 2018 - psimons@suse.com

- Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer
  overflows in PyString_DecodeEscape that could have resulted in
  heap-based buffer overflow attacks and possible arbitrary code
  execution.
  [bsc#1068664, CVE-2017-1000158]

-------------------------------------------------------------------
Fri Jun 17 12:33:23 UTC 2016 - jmatejek@suse.com

- CVE-2016-0772-smtplib-starttls.patch: smtplib vulnerability opens
  startTLS stripping attack (CVE-2016-0772, bsc#984751)
- CVE-2016-5699-http-header-injection.patch: incorrect validation of
  HTTP headers allows header injection (CVE-2016-5699, bsc#985348)
- python-2.7-httpoxy.patch: HTTPoxy vulnerability in urllib, fixed by
  disregarding HTTP_PROXY when REQUEST_METHOD is also set
  (CVE-2016-1000110, bsc#989523)

-------------------------------------------------------------------
Wed Feb 18 14:51:43 UTC 2015 - jmatejek@suse.com

- python-2.6.9-popen-poll.patch - fix race condition when spawning
  multiple short-lived processes through multiprocessing (bnc#916255)

-------------------------------------------------------------------
Wed Nov 5 16:17:27 UTC 2014 - matejcik@suse.cz

- disable SSLv2 unless explicitly asked for (bnc#901715)

-------------------------------------------------------------------
Wed Oct 1 13:00:59 UTC 2014 - jmatejek@suse.com

- CVE-2014-7185-buffer-wraparound.patch: potential wraparound/overflow
  in buffer() (CVE-2014-7185, bnc#898572)

-------------------------------------------------------------------
Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com

- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
  disclosure and directory traversal through URL-encoded characters
  (CVE-2014-4650, bnc#885882)
- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
  that are incorrect on btrfs (and possibly other filesystems)
- explicitly enable IPv6 support in python-base as well as python

-------------------------------------------------------------------
Fri May 2 13:20:53 UTC 2014 - jmatejek@suse.com

- updated `urlparse` module to correctly parse IPv6 addresses
  (bnc#872848)

-------------------------------------------------------------------
Fri Mar 28 11:58:40 UTC 2014 - jmatejek@suse.com

- CVE-2014-1912-recvfrom_into.patch - potential buffer overflow in
  socket.recvfrom_into (CVE-2014-1912, bnc#863741)

-------------------------------------------------------------------
Thu Feb 6 13:08:13 UTC 2014 - jmatejek@suse.com

- update to 2.6.9 - *only contains* the following security fixes:
  * CVE-2013-4238 (NULL bytes in SSL certs, bnc#834601)
  * CVE-2013-1752 (read limits in stdlib, bnc#856836)
  * enforce security of .netrc reads (issue14984)
    http://bugs.python.org/issue14984
  * execution of untrusted Python code in tkinter (issue16248)
    http://bugs.python.org/issue16248
- python-2.6.8-fips-mode.patch - fix usage of MD5 in hmac module when
  the cipher is not available (bnc#847135)

-------------------------------------------------------------------
Fri Jul 26 17:11:57 CEST 2013 - lchiquitto@suse.de

- revert "obsolete/provide pyxml in python-xml", some external
  packages depend on pyxml. (bnc#824713)

-------------------------------------------------------------------
Tue Jun 18 16:46:06 UTC 2013 - jmatejek@suse.com

- obsolete/provide pyxml in python-xml (bnc#824713)

-------------------------------------------------------------------
Tue May 29 21:25:10 UTC 2012 - dmueller@suse.com

- fix retry counter regression (bnc#764555)

-------------------------------------------------------------------
Tue May 15 15:00:14 UTC 2012 - jmatejek@suse.com

- fix insecure creation of .pypirc (CVE-2011-4944, bnc#754447)

-------------------------------------------------------------------
Tue Apr 17 16:15:06 UTC 2012 - jmatejek@suse.com

- update to 2.6.8
  * no changes
  * fixes the following bugs, among others:
    * XMLRPC Server DoS (CVE-2012-0845, bnc#747125)
    * hash randomization issues (CVE-2012-1150, bnc#751718)
    * SimpleHTTPServer XSS (CVE-2011-1015, bnc#752375)
    * functions can accept unicode kwargs (bnc#744287)
    * python MainThread lacks ident (bnc#754547)
    * TypeError: waitpid() takes no keyword arguments (bnc#751714)
- do not build static library
- explicit require for the same version of libpython

-------------------------------------------------------------------
Thu Mar 22 14:57:34 UTC 2012 - jmatejek@suse.com

- update to 2.6.8rc2
  * bugfix-only update for fate#313238, bnc#748079
- refreshed patches:
  -dirs.patch for correct --libdir and --include dir in ./configure
  -multilib.patch for support of sys.lib
  -fwrapv.patch for forcing -fwrapv compiler option
  CVE-2011-1015 fix
  -canonicalize2.patch for using canonicalize_file_name in place of
   unsafe realpath/readlink
- dropped patches (fixes already included):
  expat CVEs
  audioop vulnerabilities
  -configparser.patch
  -urrlib2-respect-no_proxy.patch
  -ssl-compat.patch
  smtpd-dos.patch
  -https-proxy.patch
  CVE-2011-1521 fix

-------------------------------------------------------------------
Tue Jan 31 16:13:01 UTC 2012 - jmatejek@suse.com

- fixed configparser issue with "%%" sequence (upstream issue5741,
  bnc#742525)
- disabled test_math because it fails in SP2 through no fault of
  Python

-------------------------------------------------------------------
Mon May 2 16:04:49 UTC 2011 - jmatejek@novell.com

- fixed a security flaw where malicious sites could redirect Python
  application from http to a local file (CVE-2011-1521, bnc#682554)

-------------------------------------------------------------------
Thu Mar 17 18:48:57 UTC 2011 - jmatejek@novell.com

- fixed information disclosure in CGIHTTPServer (CVE-2011-1015,
  bnc#674646)
- fixed race condition in Makefile which randomly failed parallel
  builds ( http://bugs.python.org/issue10013 )

-------------------------------------------------------------------
Tue Oct 26 17:59:55 UTC 2010 - jmatejek@novell.com

- fixed a DoS vulnerability in smtpd.py (CVE-2010-3493, bnc#638233)
- fixed various vulnerabilities in audioop, tracked in bnc#603255 and
  bnc#609761

-------------------------------------------------------------------
Thu Mar 4 14:43:50 CET 2010 - matejcik@suse.cz

- fixed expat's CVE-2009-3560 and CVE-2009-3720 (bnc#581765,
  SWAMPID 31364)
- urllib2 now respects no_proxy (bnc#421159 and bnc#581949)

-------------------------------------------------------------------
Fri Feb 6 16:10:31 CET 2009 - matejcik@suse.cz

- excluded pyconfig.h and Makefile and Setup from -devel subpackage to
  prevent file conflicts of python-base and python-devel

-------------------------------------------------------------------
Thu Jan 15 16:00:02 CET 2009 - matejcik@suse.cz

- fixed gettext.py problem with empty plurals line (bnc#462375)

-------------------------------------------------------------------
Wed Jan 7 12:34:56 CET 2009 - olh@suse.de

- obsolete old -XXbit packages (bnc#437293)

-------------------------------------------------------------------
Mon Dec 15 17:10:17 CET 2008 - matejcik@suse.cz

- removed bsddb directory from python-base, reenabled in python

-------------------------------------------------------------------
Mon Oct 20 15:18:30 CEST 2008 - matejcik@suse.cz

- added libpython and python-base to baselibs.conf (bnc#432677)
- disabled test_smtplib for ia64 so that the package actually gets
  built (bnc#436966)

-------------------------------------------------------------------
Thu Oct 9 18:56:33 CEST 2008 - matejcik@suse.cz

- update to 2.6 final (version name is 2.6.0 to make upgrade from
  2.6rc2 possible)
- replaced site.py hack with a .pth file to do the same thing (cleaner
  solution that doesn't mess up documented behavior and also fixes
  virtualenv, bnc#430761)
- enabled profile optimized build
- fixed %py_requires macro (bnc#346490)
- provide %name = 2.6

-------------------------------------------------------------------
Fri Sep 19 20:09:50 CEST 2008 - matejcik@suse.cz

- moved tests to %check section
- update to 2.6rc2
- included patch for https proxy support that resolves bnc#214983 (in
  a proper way) and bnc#298378

-------------------------------------------------------------------
Wed Sep 17 22:09:12 CEST 2008 - matejcik@suse.cz

- included /etc/rpm/macros.python to fix the split-caused breakage
-------------------------------------------------------------------
Tue Sep 16 18:12:10 CEST 2008 - matejcik@suse.cz

- applied bug-no-proxy patch from python#3879, which should improve
  backwards compatibility (important i.e. for bzr)
- moved python-xml to a subpackage of this (brings no additional
  dependencies, so it can as well stay)
- moved Makefile and pyconfig.h to python-base, removing the need to
  have python-devel for installation
- improved compatibility with older distros for 11.0
- moved ssl.py and sqlite3 module to python package - they won't work
  without their respective binary modules anyway

-------------------------------------------------------------------
Mon Sep 15 18:34:27 CEST 2008 - matejcik@suse.cz

- updated to 2.6rc1 - bugfix-only pre-stable release
- renamed python-base-devel to python-devel as it should be
- removed macros from libpython package name

-------------------------------------------------------------------
Fri Sep 12 14:46:00 CEST 2008 - matejcik@suse.cz

- moved python-devel to a subpackage of this
- created libpython subpackage
- moved essential files from -devel to -base, so that distutils should
  now be able to install without -devel package

-------------------------------------------------------------------
Tue Sep 9 20:30:11 CEST 2008 - matejcik@suse.cz

- initial release of python-base