* Sat May 18 2024 mcepl@suse.com
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
* Sat May 11 2024 mcepl@cepl.eu
- Switch to using the system libexpat (bsc#1219559,
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just do not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
* Tue Apr 16 2024 mcepl@cepl.eu
- Modify CVE-2023-27043-email-parsing-errors.patch to fix the
unicode string handling in email.utils.parseaddr()
(bsc#1222537).
- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was
unneeded.
* Mon Mar 18 2024 mcepl@cepl.eu
- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306)
* Tue Mar 05 2024 daniel.garcia@suse.com
- Build with -std=gnu89 to build correctly with gcc14, bsc#1220970
* Mon Nov 27 2023 mcepl@cepl.eu
- Add CVE-2022-48560-after-free-heappushpop.patch fixing
use-after-free in Python via heappushpop in heapq (bsc#1214675,
CVE-2022-48560).
- Switch from %patchN style to the %patch -P N one.
* Sat Sep 16 2023 mcepl@suse.com
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- Allow nis.so for SLE-12.
Version: 2.7.18-150000.57.1
* Sat Sep 30 2023 mcepl@suse.com
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- Allow nis.so for SLE-12.
* Thu Sep 14 2023 mcepl@suse.com
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) rejecting XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
* Thu Aug 03 2023 mcepl@suse.com
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
* Tue Jul 11 2023 mcepl@suse.com
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns an empty tuple to indicate the
parsing error (old API).
Version: 2.7.18-150000.51.1
* Wed Jun 07 2023 mcepl@suse.com
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
* Tue May 30 2023 schwab@suse.de
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
* Mon May 29 2023 mcepl@suse.com
- The condition around libnsl-devel BuildRequires is NOT
switching off NIS support on SLE < 15; support for NIS used to
be in the glibc itself. Partial revert of sr#1061583.
* Wed May 24 2023 mcepl@suse.com
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
the documentation even with the current Sphinx. (SUSE-ONLY
PATCH, DO NOT SEND UPSTREAM!)
* Wed Mar 08 2023 mcepl@suse.com
- Enable --with-system-ffi for non-standard architectures.
* Mon Mar 06 2023 mcepl@suse.com
- SLE-12 builds nis.so as well.
* Wed Mar 01 2023 mcepl@suse.com
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) fixing a blocklist bypass via the urllib.parse
component when supplying a URL that starts with blank characters.
* Fri Jan 27 2023 kukuk@suse.com
- Disable NIS for new products; it's deprecated and gets removed.
* Thu Jan 19 2023 mcepl@suse.com
- Add skip_unverified_test.patch because apparently switching off
SSL verification doesn't work on older SLE.
* Tue Nov 22 2022 mcepl@suse.com
- Restore python-2.7.9-sles-disable-verification-by-default.patch
for SLE-12.
* Wed Nov 09 2022 mcepl@suse.com
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
extremely long domain names.
* Tue Sep 13 2022 bwiedemann@suse.com
- Add bpo34990-2038-problem-compileall.patch making compileall.py
compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
backport of fix to Python 2.7.
* Wed Sep 07 2022 steven.kowalik@suse.com
- Add patch CVE-2021-28861-double-slash-path.patch:
* BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
when a URI path starts with //. (bsc#1202624, CVE-2021-28861)
* Thu Jun 09 2022 mcepl@suse.com
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
* Tue May 24 2022 mliska@suse.cz
- Filter out executable-stack error that is triggered for i586
target.
* Sat Feb 26 2022 mcepl@suse.com
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Recover again the proper value of %python2_package_prefix
(bsc#1175619).
* Fri Feb 18 2022 mcepl@suse.com
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls in rpm-build-python
automatically when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
* Fri Feb 18 2022 mcepl@suse.com
- Older SLE versions should use old OpenSSL.
* Wed Feb 09 2022 mcepl@suse.com
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
* Sun Feb 06 2022 mcepl@suse.com
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) making ftplib
not trust the PASV response.