Package Release Info

python-2.7.18-150000.51.1

Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-3004
Available in Package Hub : 15 SP5 Subpackages Updates

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

python

python-curses

python-gdbm

Change Logs

* Wed Jun 07 2023 mcepl@suse.com

- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.

* Tue May 30 2023 schwab@suse.de

- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built

* Mon May 29 2023 mcepl@suse.com

- The condition around libnsl-devel BuildRequires is NOT
  switching off NIS support on SLE < 15, support for NIS used to
  be in the glibc itself. Partial revert of sr#1061583.

* Wed May 24 2023 mcepl@suse.com

- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
  the documentation even with the current Sphinx. (SUSE-ONLY
  PATCH, DO NOT SEND UPSTREAM!)

* Wed Mar 08 2023 mcepl@suse.com

- Enable --with-system-ffi for non-standard architectures.

* Mon Mar 06 2023 mcepl@suse.com

- SLE-12 builds nis.so as well.

* Wed Mar 01 2023 mcepl@suse.com

- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
  bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

* Fri Jan 27 2023 kukuk@suse.com

- Disable NIS for new products, it's deprecated and gets removed

* Thu Jan 19 2023 mcepl@suse.com

- Add skip_unverified_test.patch because apparently switching off
  SSL verification doesn't work on older SLE.

* Tue Nov 22 2022 mcepl@suse.com

- Restore python-2.7.9-sles-disable-verification-by-default.patch
  for SLE-12.

* Wed Nov 09 2022 mcepl@suse.com

- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
  CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
  extremely long domain names.

* Tue Sep 13 2022 bwiedemann@suse.com

- Add bpo34990-2038-problem-compileall.patch making compileall.py
  compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
  backport of fix to Python 2.7.

* Wed Sep 07 2022 steven.kowalik@suse.com

- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when an URI path starts with //. (bsc#1202624, CVE-2021-28861)

* Thu Jun 09 2022 mcepl@suse.com

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.

* Tue May 24 2022 mliska@suse.cz

- Filter out executable-stack error that is triggered for i586
  target.

* Sat Feb 26 2022 mcepl@suse.com

- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).

* Fri Feb 18 2022 mcepl@suse.com

- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.

* Fri Feb 18 2022 mcepl@suse.com

- Older SLE versions should use old OpenSSL.

* Wed Feb 09 2022 mcepl@suse.com

- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.

* Sun Feb 06 2022 mcepl@suse.com

- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.

Version: 2.7.18-150000.105.1

* Wed Feb 25 2026 mcepl@suse.com

- Add CVE-2024-7592-quad-complex-cookies.patch (bsc#1229596,
  CVE-2024-7592), which fixes quadratic complexity in parsing
  "-quoted cookie values with backslashes by http.cookies.

* Sat Feb 14 2026 mcepl@suse.com

- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch

* Fri Nov 14 2025 mcepl@suse.com

- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).

Version: 2.7.18-150000.102.1

* Fri Feb 13 2026 mcepl@suse.com

- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch

* Fri Feb 13 2026 nico.krapp@suse.com

- Add add-zlib-eof-attribute.patch, needed for python-urllib3
  CVE fix (bsc#1254867)