python2.7 (2.7.3-0ubuntu3.19) precise-security; urgency=medium
* SECURITY UPDATE: CRLF injection
- debian/patches/CVE-2020-26116.patch: prevent header injection
in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
- CVE-2020-26116
python2.7 (2.7.3-0ubuntu3.18) precise-security; urgency=medium
* SECURITY UPDATE: Misleading information
- debian/patches/CVE-2019-17514.patch: explain that the orderness of the
of the result is system-dependant in Doc/library/glob.rst.
- CVE-2019-17514
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-9674.patch: add pitfalls to
zipfile module doc in Doc/library/zipfile.rst,
Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
- CVE-2019-9674
* SECURITY UPDATE: Infinite loop
- debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py.
- CVE-2019-20907
python2.7 (2.7.3-0ubuntu3.17) precise-security; urgency=medium
* SECURITY UPDATE: CRLF injection
- debian/patches/CVE-2019-18348.patch: disallow control characters
in hostnames in http.client in Lib/httplib.py, Lib/test/test_urllib2.py.
- CVE-2019-18348
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2020-8492.patch: fix the regex to prevent
the regex denial of service in Lib/urllib2.py.
- CVE-2020-8492
python2.7 (2.7.3-0ubuntu3.15) precise-security; urgency=medium
* SECURITY UPDATE: Email module wrongly parse email addresses
- debian/patches/CVE-2019-16056.patch: skips parsing of email addresses
where domains include a "@" character in Lib/email/_parseaddr.py,
Lib/email/test/test_email.py.
- CVE-2019-16056
* SECURITY UPDATE: XSS vulnerability
- debian/patches/CVE-2019-16935.patch: Escape the server title of
DocXMLRPCServer in Lib/DocXMLRPCServer.py, Lib/test/test_docxmlrpc.py.
- CVE-2019-16935
* Adding patch to avoid race in test_docxmlrpc server setup
- debian/patches/docxmlrpc_test_hang_issue.patch: in
Lib/test/test_docxmlrpc.py.
python2.7 (2.7.3-0ubuntu3.14) precise-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: incorrect cookie domain check
- debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
subdomain validation in Lib/cookielib.py, Lib/test/test_cookielib.py.
- CVE-2018-20852
* SECURITY UPDATE: improper handling of unicode encoding
- debian/patches/CVE-2019-9636-1.patch: add check for characters in
netloc that normalize to separators in Doc/library/urlparse.rst,
Lib/test/test_urlparse.py, Lib/urlparse.py.
- debian/patches/CVE-2019-9636-2.patch: only print test messages when
verbose in Lib/test/test_urlparse.py.
- CVE-2019-9636
* SECURITY UPDATE: urllib support the local_file: scheme
- debian/patches/CVE-2019-9948.patch: disallow file reading in
Lib/urllib.py, Lib/test/test_urllib.py.
- CVE-2019-9948
* SECURITY UPDATE: incomplete fix for CVE-2019-9636
- debian/patches/CVE-2019-10160-1.patch: fix handling of
pre-normalization characters in urlsplit() in
Lib/test/test_urlparse.py, Lib/urlparse.py.
- debian/patches/CVE-2019-10160-2.patch: correct fix to handle
decomposition in usernames in Lib/test/test_urlparse.py,
Lib/urlparse.py.
- debian/patches/CVE-2019-10160-3.patch: fix urlparse.urlsplit() error
message for Unicode URL in Lib/test/test_urlparse.py,
Lib/urlparse.py.
- CVE-2019-10160
* SECURITY UPDATE: HTTP header injection
- debian/patches/bpo30500.patch: simplify splithost by calling into
urlparse in Lib/test/test_urllib.py, Lib/urllib.py.
- debian/patches/CVE-2019-9740.patch: disallow control chars in http
URLs in Lib/httplib.py, Lib/test/test_urllib.py,
Lib/test/test_urllib2.py, Lib/test/test_xmlrpc.py.
- CVE-2019-9740
- CVE-2019-9947
python2.7 (2.7.3-0ubuntu3.11) precise-security; urgency=medium
* SECURITY UPDATE: heap buffer overflow via race condition
- debian/patches/CVE-2018-1000030-1.patch: stop crashes when iterating
over a file on multiple threads in Lib/test/test_file2k.py,
Objects/fileobject.c.
- debian/patches/CVE-2018-1000030-2.patch: fix crash when multiple
threads iterate over a file in Lib/test/test_file2k.py,
Objects/fileobject.c.
- CVE-2018-1000030
* SECURITY UPDATE: command injection in shutil module
- debian/patches/CVE-2018-1000802.patch: use subprocess rather than
distutils.spawn in Lib/shutil.py.
- CVE-2018-1000802
* SECURITY UPDATE: DoS via catastrophic backtracking
- debian/patches/CVE-2018-106x.patch: fix expressions in
Lib/difflib.py, Lib/poplib.py. Added tests to
Lib/test/test_difflib.py, Lib/test/test_poplib.py.
- CVE-2018-1060
- CVE-2018-1061
* SECURITY UPDATE: incorrect Expat hash salt initialization
- debian/patches/CVE-2018-14647.patch: call SetHashSalt in
Include/pyexpat.h, Modules/_elementtree.c, Modules/pyexpat.c.
- CVE-2018-14647
* Added swap_attr definition for test
- debian/patches/0001-Adding-swap_attr-for-test.patch
python2.7 (2.7.3-0ubuntu3.10) precise-security; urgency=medium
* SECURITY UPDATE: integer overflow in the PyString_DecodeEscape
function
- debian/patches/CVE-2017-1000158.patch: fix this integer overflow
in Objects/stringobject.c.
- CVE-2017-1000158
Date: 2020-10-06 15:15:19.433796+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Steve Langasek <steve.langa...@canonical.com>
https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.19
Sorry, changesfile not available.
--
Precise-changes mailing list
Precise-changes@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/precise-changes