head	1.6;
access;
symbols
	pkgsrc-2014Q3:1.4.0.2
	pkgsrc-2014Q3-base:1.4
	pkgsrc-2014Q2:1.3.0.2
	pkgsrc-2014Q2-base:1.3
	pkgsrc-2013Q3:1.1.0.4
	pkgsrc-2013Q3-base:1.1
	pkgsrc-2013Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.6
date	2014.12.16.07.07.32;	author chopps;	state dead;
branches;
next	1.5;
commitid	UUr9JCTnSVDvye2y;

1.5
date	2014.11.02.13.31.11;	author spz;	state Exp;
branches;
next	1.4;
commitid	ZeaVgDKL2bA36CWx;

1.4
date	2014.07.02.08.22.02;	author he;	state Exp;
branches
	1.4.2.1;
next	1.3;
commitid	SP12GZncEpzqlMGx;

1.3
date	2014.06.09.17.58.31;	author he;	state Exp;
branches
	1.3.2.1;
next	1.2;
commitid	qJc0o95gnOEkgSDx;

1.2
date	2013.11.12.18.57.25;	author adam;	state dead;
branches;
next	1.1;
commitid	Z1Oi774I0PhUj1dx;

1.1
date	2013.08.18.13.42.14;	author spz;	state Exp;
branches
	1.1.2.1;
next	;
commitid	f7DVj3zFh0R4lW1x;

1.4.2.1
date	2014.11.03.14.12.52;	author tron;	state Exp;
branches;
next	;
commitid	2gJxRH5gyrsRiKWx;

1.3.2.1
date	2014.07.05.11.13.52;	author tron;	state Exp;
branches;
next	;
commitid	fztB3BCEpwVAcbHx;

1.1.2.1
date	2013.08.18.13.42.14;	author tron;	state dead;
branches;
next	1.1.2.2;
commitid	TLYOaND6q9rMBj2x;

1.1.2.2
date	2013.08.21.11.47.14;	author tron;	state Exp;
branches;
next	;
commitid	TLYOaND6q9rMBj2x;


desc
@@


1.6
log
@Update to 2.7.9 removing patches that were incorporated.

Significant changes include:

- The entirety of Python 3.4's ssl module has been backported for
  Python 2.7.9. See PEP 466 for justification.
- HTTPS certificate validation using the system's certificate store is
  now enabled by default. See PEP 476 for details.
- SSLv3 has been disabled by default in httplib and its reverse
  dependencies due to the POODLE attack.
- The ensurepip module has been backported, which provides the pip
  package manager in every Python 2.7 installation. See PEP 477.
@
text
@$NetBSD: patch-Misc_NEWS,v 1.5 2014/11/02 13:31:11 spz Exp $

Note added fixes.

--- Misc/NEWS.orig 2014-06-30 02:05:39.000000000 +0000
+++ Misc/NEWS
@@@@ -10,6 +10,11 @@@@ What's New in Python 2.7.8?
 Core and Builtins
 -----------------
 
+- Issue #22518: Fix integer overflow issues in latin-1 encoding.
+
+- Issue #22470: Fixed integer overflow issues in "backslashreplace" and
+  "xmlcharrefreplace" error handlers.
+
 - Issue #4346: In PyObject_CallMethod and PyObject_CallMethodObjArgs, don't
   overwrite the error set in PyObject_GetAttr.
 
@@@@ -207,6 +212,9 @@@@ Core and Builtins
 Library
 -------
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Issue #10744: Fix PEP 3118 format strings on ctypes objects with a nontrivial
   shape.
 
@@@@ -729,6 +737,13 @@@@ Library
   prevent readline() calls from consuming too much memory. Patch by Jyrki
   Pulliainen.
 
+- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
+  prevent readline() calls from consuming too much memory. Patch by Jyrki
+  Pulliainen.
+
+- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
+  limiting the call to readline(). Original patch by Christian Heimes.
+
 - Issue #12641: Avoid passing "-mno-cygwin" to the mingw32 compiler, except
   when necessary. Patch by Oscar Benjamin.
 
@


1.5
log
@add the patches for Python issue 22518, also known as 22470, from the
python source repository.
Refresh patches
@
text
@d1 1
a1 1
$NetBSD: patch-Misc_NEWS,v 1.4 2014/07/02 08:22:02 he Exp $
@


1.4
log
@Apply a fix for directory-traversal vulnerability,
ref. http://bugs.python.org/issue21766
Bump PKGREVISION.
@
text
@d1 1
a1 1
$NetBSD$
d5 1
a5 1
--- Misc/NEWS.orig 2014-05-31 18:58:39.000000000 +0000
d7 13
a19 1
@@@@ -63,6 +63,9 @@@@ Core and Builtins
d29 1
a29 1
@@@@ -585,6 +588,13 @@@@ Library
@


1.4.2.1
log
@Pullup ticket #4536 - requested by spz
lang/python27: security update

Revisions pulled up:
- lang/python27/Makefile                                        1.46
- lang/python27/distinfo                                        1.47
- lang/python27/patches/patch-Misc_NEWS                         1.5
- lang/python27/patches/patch-Modules_getpath.c                 1.2
- lang/python27/patches/patch-Objects_unicodeobject.c           1.1
- lang/python27/patches/patch-Python_codecs.c                   1.1
- lang/python27/patches/patch-ab                                1.3
- lang/python27/patches/patch-ad                                1.2
- lang/python27/patches/patch-ae                                1.2
- lang/python27/patches/patch-ah                                1.3
- lang/python27/patches/patch-am                                1.18
- lang/python27/patches/patch-an                                1.2
- lang/python27/patches/patch-ao                                1.5
- lang/python27/patches/patch-au                                1.7
- lang/python27/patches/patch-av                                1.2
- lang/python27/patches/patch-aw                                1.2
- lang/python27/patches/patch-ax                                1.5
- lang/python27/patches/patch-az                                1.4
- lang/python27/patches/patch-pyconfig.h.in                     1.3
- lang/python27/patches/patch-xa                                1.2
---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Sun Nov 2 13:31:11 UTC 2014

   Modified Files:
   	pkgsrc/lang/python27: Makefile distinfo
   	pkgsrc/lang/python27/patches: patch-Misc_NEWS patch-Modules_getpath.c
   	    patch-ab patch-ad patch-ae patch-ah patch-am patch-an patch-ao
   	    patch-au patch-av patch-aw patch-ax patch-az patch-pyconfig.h.in
   	    patch-xa
   Added Files:
   	pkgsrc/lang/python27/patches: patch-Objects_unicodeobject.c
   	    patch-Python_codecs.c

   Log Message:
   add the patches for Python issue 22518, also known as 22470, from the
   python source repository.
   Refresh patches
@
text
@d5 1
a5 1
--- Misc/NEWS.orig 2014-06-30 02:05:39.000000000 +0000
d7 1
a7 13
@@@@ -10,6 +10,11 @@@@ What's New in Python 2.7.8?
 Core and Builtins
 -----------------
 
+- Issue #22518: Fix integer overflow issues in latin-1 encoding.
+
+- Issue #22470: Fixed integer overflow issues in "backslashreplace" and
+  "xmlcharrefreplace" error handlers.
+
 - Issue #4346: In PyObject_CallMethod and PyObject_CallMethodObjArgs, don't
   overwrite the error set in PyObject_GetAttr.
 
@@@@ -207,6 +212,9 @@@@ Core and Builtins
d17 1
a17 1
@@@@ -729,6 +737,13 @@@@ Library
@


1.3
log
@Add patches to fix the remaining two functions reported as being
vulnerable to CVE-2013-1752, following the general theme of overflow
of line lengths. This fixes the smtp and pop functions.
Taken / adapted from http://bugs.python.org/issue16041 and
http://bugs.python.org/issue16042.
PKGREVISION bumped.
@
text
@d3 13
a15 2
Apply a fix for CVE-2013-1752 for the SMTP and Pop parts.
From http://bugs.python.org/issue16042 and issue16041.
d17 1
a17 3
--- Misc/NEWS.orig 2014-06-09 11:29:34.000000000 +0000
+++ Misc/NEWS
@@@@ -585,6 +585,13 @@@@ Library
@


1.3.2.1
log
@Pullup ticket #4441 - requested by he
lang/python27: security patch

Revisions pulled up:
- lang/python27/distinfo                                        1.43
- lang/python27/patches/patch-Lib_CGIHTTPServer.py              1.1
- lang/python27/patches/patch-Lib_test_test__httpservers.py     1.1
- lang/python27/patches/patch-Misc_NEWS                         1.4
---
   Module Name:	pkgsrc
   Committed By:	he
   Date:		Wed Jul 2 08:22:02 UTC 2014

   Modified Files:
   	pkgsrc/lang/python27: distinfo
   	pkgsrc/lang/python27/patches: patch-Misc_NEWS
   Added Files:
   	pkgsrc/lang/python27/patches: patch-Lib_CGIHTTPServer.py
   	    patch-Lib_test_test__httpservers.py

   Log Message:
   Apply a fix for directory-traversal vulnerability,
   ref. http://bugs.python.org/issue21766
   Bump PKGREVISION.
@
text
@d3 4
a6 3
Note added fixes.

--- Misc/NEWS.orig 2014-05-31 18:58:39.000000000 +0000
d8 1
a8 11
@@@@ -63,6 +63,9 @@@@ Core and Builtins
 Library
 -------
 
+- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths
+  before checking for a CGI script at that path.
+
 - Issue #10744: Fix PEP 3118 format strings on ctypes objects with a nontrivial
   shape.
 
@@@@ -585,6 +588,13 @@@@ Library
@


1.2
log
@Changes 2.7.6:
This is a 2.7 series bugfix release.
Most importantly, it resolves an issue that caused the interactive prompt
to crash on OS X 10.9. It also includes numerous bugfixes over 2.7.5.
@
text
@d1 1
a1 1
$NetBSD: patch-Misc_NEWS,v 1.1 2013/08/18 13:42:14 spz Exp $
d3 4
a6 4
patch for CVE-2013-4238
taken from http://hg.python.org/cpython/rev/bd2360476bdb

--- Misc/NEWS.orig 2013-05-12 03:32:49.000000000 +0000
d8 3
a10 3
@@@@ -26,6 +26,12 @@@@ Core and Builtins
 Library
 -------
d12 6
a17 5
+- Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
+  inside subjectAltName correctly. Formerly the module has used OpenSSL's
+  GENERAL_NAME_print() function to get the string represention of ASN.1
+  strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
+  ``uniformResourceIdentifier`` (URI).
d19 2
a20 2
 - Issue #16601: Restarting iteration over tarfile no more continues from
   where it left off. Patch by Michael Birtwell.
@


1.1
log
@patch for CVE-2013-4238
taken from http://hg.python.org/cpython/rev/bd2360476bdb
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-Misc_NEWS was added on branch pkgsrc-2013Q2 on 2013-08-21 11:47:14 +0000
@
text
@d1 20
@


1.1.2.2
log
@Pullup ticket #4213 - requested by spz
lang/python27: security patch

Revisions pulled up:
- lang/python27/Makefile                                        1.27
- lang/python27/PLIST.common                                    1.6
- lang/python27/distinfo                                        1.25
- lang/python27/patches/patch-Lib_test_nullbytecert.pem         1.1
- lang/python27/patches/patch-Lib_test_test__ssl.py             1.1
- lang/python27/patches/patch-Misc_NEWS                         1.1
- lang/python27/patches/patch-Modules___ssl.c                   1.2
---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Sun Aug 18 13:42:14 UTC 2013

   Modified Files:
   	pkgsrc/lang/python27: Makefile PLIST.common distinfo
   	pkgsrc/lang/python27/patches: patch-Modules___ssl.c
   Added Files:
   	pkgsrc/lang/python27/patches: patch-Lib_test_nullbytecert.pem
   	    patch-Lib_test_test__ssl.py patch-Misc_NEWS

   Log Message:
   patch for CVE-2013-4238
   taken from http://hg.python.org/cpython/rev/bd2360476bdb
@
text
@a0 20
$NetBSD$

patch for CVE-2013-4238
taken from http://hg.python.org/cpython/rev/bd2360476bdb

--- Misc/NEWS.orig 2013-05-12 03:32:49.000000000 +0000
+++ Misc/NEWS
@@@@ -26,6 +26,12 @@@@ Core and Builtins
 Library
 -------
 
+- Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
+  inside subjectAltName correctly. Formerly the module has used OpenSSL's
+  GENERAL_NAME_print() function to get the string represention of ASN.1
+  strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
+  ``uniformResourceIdentifier`` (URI).
+
 - Issue #16601: Restarting iteration over tarfile no more continues from
   where it left off. Patch by Michael Birtwell.
 
@
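Review bot: in the 1.6 text, hunk `@@ -10,6 +10,11 @@ What's New in Python 2.7.8?`, the two added entries for Issue #22518 and Issue #22470 are filed under the heading of the release this package already ships, so anyone reading the installed Misc/NEWS will take them for upstream 2.7.8 content rather than pkgsrc-applied fixes; the only hint is the patch header comment "Note added fixes.", which does not reach the installed file. The 1.5 commit log also says issue 22518 is "also known as 22470", yet the hunk records them as two entries with different wording ("Fix" vs "Fixed"). Either fold them into one entry naming both issue numbers, or mark the entries as pkgsrc additions so the installed NEWS is not misleading.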
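Review bot: in the 1.6 text, hunk `@@ -207,6 +212,9 @@ Core and Builtins`, the Issue #21766 entry says "Prevent a security hole in CGIHTTPServer" without naming the class of bug, while the 1.4 commit log that introduced it calls it a directory-traversal vulnerability. Say so in the entry, e.g. `+- Issue #21766: Prevent a directory-traversal hole in CGIHTTPServer by URL unquoting paths`, so an operator grepping NEWS for "traversal" finds it. The other security entries in this patch carry a CVE identifier; if one has been assigned for issue 21766 it belongs on this line too.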
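Review bot: in the 1.6 text, hunk `@@ -729,6 +737,13 @@ Library`, the two CVE-2013-1752 entries are inconsistent about what was actually changed: the poplib entry states the new cap ("Limit maximum line lengths to 2048"), but the smtplib entry only says "Limit amount of data read by limiting the call to readline()" and gives no number. State the smtplib limit in the same form as the poplib line, since that is the value an operator needs when a legitimately long server response starts failing after the update. The hunk's context lines show the same wording already used for the neighbouring entry, so following that template keeps the section uniform.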
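Review bot: in the 1.1.2.2 text (and the same entry in the 1.2 delta), hunk `@@ -26,6 +26,12 @@ Core and Builtins`, the Issue #18709 entry has a typo, "represention" for "representation", on the third added line. More importantly, the entry explains the old mechanism (OpenSSL's GENERAL_NAME_print() was used to stringify rfc822Name, dNSName and uniformResourceIdentifier values) and says NULL bytes are now handled "correctly", but never says what went wrong before, so a reader cannot judge exposure from the NEWS text alone. Add one clause stating the effect an embedded NUL had on the returned name so the CVE line is self-explanatory.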