head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.4
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.2
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2012Q1:1.1.0.2
	pkgsrc-2012Q1-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2012.04.14.10.47.18;	author obache;	state dead;
branches;
next	1.1;

1.1
date	2012.03.25.09.09.05;	author tron;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update python26 to 2.6.8.

(CVE-2012-0845, CVE-2012-1150 are already fixed in pkgsrc, CVE-2012-0876 does
not affect pkgsrc, which uses an external expat)

What's New in Python 2.6.8?
===========================

*Release date: 2012-04-10*

No changes since 2.6.8rc2.


What's New in Python 2.6.8 rc 2?
================================

*Release date: 2012-03-17*

Library
-------

- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
  table internal to the pyexpat module's copy of the expat library to avoid a
  denial of service due to hash collisions.  Patch by David Malcolm with some
  modifications by the expat project.


What's New in Python 2.6.8 rc 1?
================================

*Release date: 2012-02-23*

Core and Builtins
-----------------

- Issue #13703: oCERT-2011-003 CVE-2012-1150: add -R command-line option and
  PYTHONHASHSEED environment variable, to provide an opt-in way to protect
  against denial of service attacks due to hash collisions within the dict and
  set types.  Patch by David Malcolm, based on work by Victor Stinner.

Library
-------

- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
  upon malformed POST request.

- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV
  attack countermeasure.
@ text @$NetBSD: patch-CVE-2012-1150-Misc_NEWS,v 1.1 2012/03/25 09:09:05 tron Exp $ Fix for CVE-2012-1150 taken from here: http://hg.python.org/cpython/rev/6b7704fe1be1 --- Misc/NEWS.orig 2011-06-03 22:55:45.000000000 +0100 +++ Misc/NEWS 2012-03-25 09:51:50.000000000 +0100 @@@@ -901,6 +901,11 @@@@ Core and Builtins ----------------- +- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED + environment variable, to provide an opt-in way to protect against denial of + service attacks due to hash collisions within the dict and set types. Patch + by David Malcolm, based on work by Victor Stinner. + Library ------- @ 1.1 log @Add a fix for the DoS vulnerability reported in CVE-2012-1150 taken from the Python Mercurial repository. @ text @d1 1 a1 1 $NetBSD$ @
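Review bot: the NEWS entry added in the -901,6 +901,11 hunk is labelled "Issue #13703: oCERT-2011-003:" but omits CVE-2012-1150, the identifier this patch file is named after and that the patch header ("Fix for CVE-2012-1150 taken from here:") cites; the upstream 2.6.8rc1 entry quoted in the 1.2 log above reads "Issue #13703: oCERT-2011-003 CVE-2012-1150:", so add the CVE ID to the "+- Issue #13703:" line to keep the NEWS file greppable against the advisory. The patch header should also say what the entry itself says, that the protection is opt-in: nothing changes unless the interpreter is started with -R or PYTHONHASHSEED is set, so a packager reading "Fix for CVE-2012-1150" should not conclude that a default python26 install now hashes unpredictably.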
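The attack class the 1.2 log describes (quadratic dict/set insertion when an attacker controls keys that share one hash) and the check a packager would want for the opt-in -R / PYTHONHASHSEED countermeasure, as an added example that is not part of this pkgsrc patch or of CPython. It goes beyond the page in one way: it uses int keys rather than the str keys of oCERT-2011-003, because CPython hashes an int as its value modulo sys.hash_info.modulus regardless of the hash seed, so collisions can be produced on any CPython 3 without knowing the str hash function. The seed check spawns the running interpreter; the probe string "pkgsrc" and the key count 4000 are arbitrary choices.

```python
# Added example (not pkgsrc or CPython code): the hash-collision failure mode
# behind CVE-2012-1150 and a check that PYTHONHASHSEED is honoured.
import os
import subprocess
import sys
import time


def colliding_int_keys(n):
    """Return n distinct ints whose hash() values are all 0.

    CPython hashes an int as value mod sys.hash_info.modulus (sign kept), so
    every multiple of the modulus hashes to 0.  Int hashing is not covered by
    hash randomization (the 2.6.8 fix seeded str/bytes/datetime hashes only),
    so this holds with or without PYTHONHASHSEED.
    """
    modulus = sys.hash_info.modulus
    return [i * modulus for i in range(n)]


def time_dict_build(keys):
    """Insert keys into a fresh dict; return (elapsed seconds, len(dict))."""
    start = time.perf_counter()
    d = {}
    for k in keys:
        d[k] = True
    return time.perf_counter() - start, len(d)


def collision_slowdown(n=4000):
    """Compare building a dict from n colliding keys and n ordinary keys.

    With identical hashes every insertion walks the whole probe chain, so the
    build is quadratic in n: the denial of service the NEWS entry refers to,
    triggered in practice by attacker-chosen form fields or JSON object keys.
    """
    colliding = colliding_int_keys(n)
    ordinary = list(range(n))          # hash(i) == i, all distinct
    t_bad, len_bad = time_dict_build(colliding)
    t_good, len_good = time_dict_build(ordinary)
    return {
        "n": n,
        "distinct_hashes": len({hash(k) for k in colliding}),
        "colliding_seconds": t_bad,
        "ordinary_seconds": t_good,
        "ratio": t_bad / t_good if t_good > 0 else float("inf"),
        "all_keys_stored": len_bad == n and len_good == n,
    }


def hash_seed_check(probe="pkgsrc"):
    """Run this interpreter twice with PYTHONHASHSEED=0 and twice with =random.

    Returns None if the interpreter cannot be spawned; otherwise reports
    whether the fixed seed reproduces hash(probe) across runs and whether the
    random seed varies it, i.e. whether the opt-in countermeasure is in
    effect for str keys.  sys.flags.hash_randomization (added with the fix)
    reports the same thing for the current process.
    """
    code = "import sys; print(hash(sys.argv[1]))"

    def run(seed):
        env = dict(os.environ, PYTHONHASHSEED=seed)
        try:
            out = subprocess.run([sys.executable, "-c", code, probe], env=env,
                                 capture_output=True, text=True, check=True)
        except (OSError, subprocess.CalledProcessError):
            return None
        return int(out.stdout.strip())

    fixed = [run("0"), run("0")]
    randomized = [run("random"), run("random")]
    if None in fixed or None in randomized:
        return None
    return {
        "fixed_seed_reproducible": fixed[0] == fixed[1],
        "random_seed_varies": randomized[0] != randomized[1],
        "this_process_randomized": bool(sys.flags.hash_randomization),
    }


if __name__ == "__main__":
    print(collision_slowdown())
    print(hash_seed_check())
```

The slowdown ratio grows linearly with n; raising the key count to what a single HTTP POST can carry turns milliseconds into seconds of CPU per request, which is the DoS. The seed check is the one to run against a packaged interpreter: if "random_seed_varies" is False the environment variable is being ignored, and if sys.flags.hash_randomization is 0 in a service process the fix from this patch is compiled in but not enabled.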