head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.4
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.2
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2012Q1:1.1.0.4
	pkgsrc-2012Q1-base:1.1
	pkgsrc-2011Q4:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2012.04.14.10.47.17;	author obache;	state dead;
branches;
next	1.1;

1.1
date	2012.02.15.12.21.40;	author drochner;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2012.02.15.12.21.40;	author tron;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2012.02.18.23.35.28;	author tron;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update python26 to 2.6.8.
(CVE-2012-0845, CVE-2012-1150 are already fixed in pkgsrc,
 CVE-2012-0876 does not affect pkgsrc, using external expat)

What's New in Python 2.6.8?
===========================

*Release date: 2012-04-10*

No changes since 2.6.8rc2.

What's New in Python 2.6.8 rc 2?
================================

*Release date: 2012-03-17*

Library
-------

- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
  table internal to the pyexpat module's copy of the expat library to avoid a
  denial of service due to hash collisions. Patch by David Malcolm with some
  modifications by the expat project.

What's New in Python 2.6.8 rc 1?
================================

*Release date: 2012-02-23*

Core and Builtins
-----------------

- Issue #13703: oCERT-2011-003 CVE-2012-1150: add -R command-line option and
  PYTHONHASHSEED environment variable, to provide an opt-in way to protect
  against denial of service attacks due to hash collisions within the dict and
  set types. Patch by David Malcolm, based on work by Victor Stinner.

Library
-------

- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in
  SimpleXMLRPCServer upon malformed POST request.

- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV
  attack countermeasure.
@ text @$NetBSD: patch-CVE-2012-0845,v 1.1 2012/02/15 12:21:40 drochner Exp $ see python bug #14001 --- Lib/SimpleXMLRPCServer.py.orig 2009-04-05 21:34:15.000000000 +0000 +++ Lib/SimpleXMLRPCServer.py @@@@ -459,7 +459,10 @@@@ class SimpleXMLRPCRequestHandler(BaseHTT L = [] while size_remaining: chunk_size = min(size_remaining, max_chunk_size) - L.append(self.rfile.read(chunk_size)) + chunk = self.rfile.read(chunk_size) + if not chunk: + break + L.append(chunk) size_remaining -= len(L[-1]) data = ''.join(L) @ 1.1 log @add patch from Python issue#14001 to fix xmlrpc server endless loop by malformed request bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2012-0845 was added on branch pkgsrc-2011Q4 on 2012-02-18 23:35:28 +0000 @ text @d1 18 @ 1.1.2.2 log @Pullup ticket #3685 - requested by drochner lang/python25: security patch lang/python26: security patch lang/python27: security patch lang/python31: security patch Revisions pulled up: - lang/python25/Makefile 1.37 via patch - lang/python25/distinfo 1.22 - lang/python25/patches/patch-CVE-2012-0845 1.1 - lang/python26/Makefile 1.45 via patch - lang/python26/distinfo 1.43 - lang/python26/patches/patch-CVE-2012-0845 1.1 - lang/python27/Makefile 1.11 via patch - lang/python27/distinfo 1.15 - lang/python27/patches/patch-CVE-2012-0845 1.1 - lang/python31/Makefile 1.6 via patch - lang/python31/distinfo 1.8 - lang/python31/patches/patch-CVE-2012-0845 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Wed Feb 15 12:21:41 UTC 2012 Modified Files: pkgsrc/lang/python26: Makefile distinfo Added Files: pkgsrc/lang/python26/patches: patch-CVE-2012-0845 Log Message: add patch from Python issue#14001 to fix xmlrpc server endless loop by malformed request bump PKGREV --- Module Name: pkgsrc Committed By: drochner Date: Wed Feb 15 16:08:26 UTC 2012 Modified Files: pkgsrc/lang/python25: Makefile distinfo pkgsrc/lang/python27: Makefile distinfo pkgsrc/lang/python31: Makefile distinfo Added Files: 
pkgsrc/lang/python25/patches: patch-CVE-2012-0845 pkgsrc/lang/python27/patches: patch-CVE-2012-0845 pkgsrc/lang/python31/patches: patch-CVE-2012-0845 Log Message: apply fix for CVE-2012-0845 to other Python versions too (2.4 is not affected) @ text @a0 18 $NetBSD$ see python bug #14001 --- Lib/SimpleXMLRPCServer.py.orig 2009-04-05 21:34:15.000000000 +0000 +++ Lib/SimpleXMLRPCServer.py @@@@ -459,7 +459,10 @@@@ class SimpleXMLRPCRequestHandler(BaseHTT L = [] while size_remaining: chunk_size = min(size_remaining, max_chunk_size) - L.append(self.rfile.read(chunk_size)) + chunk = self.rfile.read(chunk_size) + if not chunk: + break + L.append(chunk) size_remaining -= len(L[-1]) data = ''.join(L) @
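Review bot: the new `if not chunk: break` branch in the read loop exits with size_remaining still non-zero, and the unchanged context line `data = ''.join(L)` then carries on with a body shorter than the loop set out to read. The break does stop the endless loop, but nothing in the hunk marks the request as truncated, so please add a comment saying that an empty read means the peer stopped sending before the expected length arrived, and consider rejecting the request at that point instead of handing the partial data on. A smaller style point on the last context line of the loop: now that the read result has a name, `size_remaining -= len(L[-1])` would read more directly as `size_remaining -= len(chunk)`.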