------------------------------------------------------------------- Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com - CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file disclosure and directory traversal through URL-encoded characters (CVE-2014-4650, bnc#885882) - python-2.7.7-mhlib-linkcount.patch: remove link count optimizations that are incorrect on btrfs (and possibly other filesystems) - explicitly enable IPv6 support in python-base as well as python ------------------------------------------------------------------- Fri May 2 13:20:53 UTC 2014 - jmatejek@suse.com - updated `urlparse` module to correctly parse IPv6 addresses (bnc#872848) ------------------------------------------------------------------- Fri Mar 28 11:58:40 UTC 2014 - jmatejek@suse.com - CVE-2014-1912-recvfrom_into.patch - potential buffer overflow in socket.recvfrom_into (CVE-2014-1912, bnc#863741) ------------------------------------------------------------------- Thu Feb 6 13:08:13 UTC 2014 - jmatejek@suse.com - update to 2.6.9 - *only contains* the following security fixes: * CVE-2013-4238 (NULL bytes in SSL certs, bnc#834601) * CVE-2013-1752 (read limits in stdlib, bnc#856836) * enforce security of .netrc reads (issue14984) http://bugs.python.org/issue14984 * execution of untrusted Python code in tkinter (issue16248) http://bugs.python.org/issue16248 - python-2.6.8-fips-mode.patch - fix usage of MD5 in hmac module when the cipher is not available (bnc#847135) ------------------------------------------------------------------- Fri Jul 26 17:11:57 CEST 2013 - lchiquitto@suse.de - revert "obsolete/provide pyxml in python-xml", some external packages depend on pyxml. (bnc#824713) ------------------------------------------------------------------- Tue Jun 18 16:46:06 UTC 2013 - jmatejek@suse.com - obsolete/provide pyxml in python-xml (bnc#824713) ------------------------------------------------------------------- Tue May 29 21:25:10 UTC 2012 - dmueller@suse.com - fix retry counter regression (bnc#764555) ------------------------------------------------------------------- Tue May 15 15:00:14 UTC 2012 - jmatejek@suse.com - fix insecure creation of .pypirc (CVE-2011-4944, bnc#754447) ------------------------------------------------------------------- Tue Apr 17 16:15:06 UTC 2012 - jmatejek@suse.com - update to 2.6.8 * no changes * fixes the following bugs, among others: * XMLRPC Server DoS (CVE-2012-0845, bnc#747125) * hash randomization issues (CVE-2012-1150, bnc#751718) * SimpleHTTPServer XSS (CVE-2011-1015, bnc#752375) * functions can accept unicode kwargs (bnc#744287) * python MainThread lacks ident (bnc#754547) * TypeError: waitpid() takes no keyword arguments (bnc#751714) - do not build static library - explicit require for the same version of libpython ------------------------------------------------------------------- Thu Mar 22 14:57:34 UTC 2012 - jmatejek@suse.com - update to 2.6.8rc2 * bugfix-only update for fate#313238, bnc#748079 - refreshed patches: -dirs.patch for correct --libdir and --include dir in ./configure -multilib.patch for support of sys.lib -fwrapv.patch for forcing -fwrapv compiler option CVE-2011-1015 fix -canonicalize2.patch for using canonicalize_file_name in place of unsafe realpath/readlink - dropped patches (fixes already included): expat CVEs audioop vulnerabilities -configparser.patch -urrlib2-respect-no_proxy.patch -ssl-compat.patch smtpd-dos.patch -https-proxy.patch CVE-2011-1521 fix ------------------------------------------------------------------- Tue Jan 31 16:13:01 UTC 2012 - jmatejek@suse.com - fixed configparser issue with "%%" sequence (upstream issue5741, bnc#742525) - disabled test_math because it fails in SP2 through no fault of Python ------------------------------------------------------------------- Mon May 2 16:04:49 UTC 2011 - jmatejek@novell.com - fixed a security flaw where malicious sites could redirect Python application from http to a local file (CVE-2011-1521, bnc#682554) ------------------------------------------------------------------- Thu Mar 17 18:48:57 UTC 2011 - jmatejek@novell.com - fixed information disclosure in CGIHTTPServer (CVE-2011-1015, bnc#674646) - fixed race condition in Makefile which randomly failed parallel builds ( http://bugs.python.org/issue10013 ) ------------------------------------------------------------------- Tue Oct 26 17:59:55 UTC 2010 - jmatejek@novell.com - fixed a DoS vulnerability in smtpd.py (CVE-2010-3493, bnc#638233) - fixed various vulnerabilities in audioop, tracked in bnc#603255 and bnc#609761 ------------------------------------------------------------------- Thu Mar 4 14:43:50 CET 2010 - matejcik@suse.cz - fixed expat's CVE-2009-3560 and CVE-2009-3720 (bnc#581765, SWAMPID 31364) - urllib2 now respects no_proxy (bnc#421159 and bnc#581949) ------------------------------------------------------------------- Fri Feb 6 16:10:31 CET 2009 - matejcik@suse.cz - excluded pyconfig.h and Makefile and Setup from -devel subpackage to prevent file conflicts of python-base and python-devel ------------------------------------------------------------------- Thu Jan 15 16:00:02 CET 2009 - matejcik@suse.cz - fixed gettext.py problem with empty plurals line (bnc#462375) ------------------------------------------------------------------- Wed Jan 7 12:34:56 CET 2009 - olh@suse.de - obsolete old -XXbit packages (bnc#437293) ------------------------------------------------------------------- Mon Dec 15 17:10:17 CET 2008 - matejcik@suse.cz - removed bsddb directory from python-base, reenabled in python ------------------------------------------------------------------- Mon Oct 20 15:18:30 CEST 2008 - matejcik@suse.cz - added libpython and python-base to baselibs.conf (bnc#432677) - disabled test_smtplib for ia64 so that the package actually gets built (bnc#436966) ------------------------------------------------------------------- Thu Oct 9 18:56:33 CEST 2008 - matejcik@suse.cz - update to 2.6 final (version name is 2.6.0 to make upgrade from 2.6rc2 possible) - replaced site.py hack with a .pth file to do the same thing (cleaner solution that doesn't mess up documented behavior and also fixes virtualenv, bnc#430761) - enabled profile optimized build - fixed %py_requires macro (bnc#346490) - provide %name = 2.6 ------------------------------------------------------------------- Fri Sep 19 20:09:50 CEST 2008 - matejcik@suse.cz - moved tests to %check section - update to 2.6rc2 - included patch for https proxy support that resolves bnc#214983 (in a proper way) and bnc#298378 ------------------------------------------------------------------- Wed Sep 17 22:09:12 CEST 2008 - matejcik@suse.cz - included /etc/rpm/macros.python to fix the split-caused breakage ------------------------------------------------------------------- Tue Sep 16 18:12:10 CEST 2008 - matejcik@suse.cz - applied bug-no-proxy patch from python#3879, which should improve backwards compatibility (important i.e. for bzr) - moved python-xml to a subpackage of this (brings no additional dependencies, so it can as well stay) - moved Makefile and pyconfig.h to python-base, removing the need to have python-devel for installation - improved compatibility with older distros for 11.0 - moved ssl.py and sqlite3 module to python package - they won't work without their respective binary modules anyway ------------------------------------------------------------------- Mon Sep 15 18:34:27 CEST 2008 - matejcik@suse.cz - updated to 2.6rc1 - bugfix-only pre-stable release - renamed python-base-devel to python-devel as it should be - removed macros from libpython package name ------------------------------------------------------------------- Fri Sep 12 14:46:00 CEST 2008 - matejcik@suse.cz - moved python-devel to a subpackage of this - created libpython subpackage - moved essential files from -devel to -base, so that distutils should now be able to install without -devel package ------------------------------------------------------------------- Tue Sep 9 20:30:11 CEST 2008 - matejcik@suse.cz - initial release of python-base