head	1.2;
access;
symbols
	pkgsrc-2014Q4:1.1.0.6
	pkgsrc-2014Q4-base:1.1
	pkgsrc-2014Q3:1.1.0.4
	pkgsrc-2014Q3-base:1.1
	pkgsrc-2014Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2015.01.01.21.39.45;	author he;	state dead;
branches;
next	1.1;
commitid	N4qIMPqICwyfNm4y;

1.1
date	2014.07.02.12.53.52;	author he;	state Exp;
branches
	1.1.2.1;
next	;
commitid	LdHc0rHXxhFFQNGx;

1.1.2.1
date	2014.07.02.12.53.52;	author tron;	state dead;
branches;
next	1.1.2.2;
commitid	7gQjsQQ149rkfbHx;

1.1.2.2
date	2014.07.05.11.21.49;	author tron;	state Exp;
branches;
next	;
commitid	7gQjsQQ149rkfbHx;


desc
@@


1.2
log
@Update to 3.3.6.

Python 3.3.6 was released on October 11, 2014.

Python 3.3.6 includes fixes for a few of our previously added patches,
as well as other important security-related fixes.

Local changes: rename the configure patch, remove now-included patches.

Upstream list of changes for this version:

Core and Builtins
-----------------

- Issue #22518: Fixed integer overflow issues in "backslashreplace", "xmlcharrefreplace", and "surrogatepass" error handlers.
- Issue #22520: Fix overflow checking when generating the repr of a unicode object.
- Issue #22519: Fix overflow checking in PyBytes_Repr.
- Issue #22518: Fix integer overflow issues in latin-1 encoding.

Library
-------

- Issue #22517: When a io.BufferedRWPair object is deallocated, clear its weakrefs.
- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes and send a 414 error code for higher lengths. Patch contributed by Devin Cook.
- Lax cookie parsing in http.cookies could be a security issue when combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov.
- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths before checking for a CGI script at that path.
- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second parameter. Bug reported by Guido Vranken.
- Issue #20633: Replace relative import by absolute import. - Issue #21082: In os.makedirs, do not set the process-wide umask. Note this changes behavior of makedirs when exist_ok=True. - Issue #20875: Prevent possible gzip "'read' is not defined" NameError. Patch by Claudiu Popa. - Issue #11599: When an external command (e.g. compiler) fails, distutils now prints out the whole command line (instead of just the command name) if the environment variable DISTUTILS_DEBUG is set. - Issue #4931: distutils should not produce unhelpful "error: None" messages anymore. distutils.util.grok_environment_error is kept but doc-deprecated. - Issue #20283: RE pattern methods now accept the string keyword parameters as documented. The pattern and source keyword parameters are left as deprecated aliases. - Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. Tests ----- - Issue #17752: Fix distutils tests when run from the installed location. - Issue #20946: Correct alignment assumptions of some ctypes tests. - Issue #20939: Fix test_geturl failure in test_urllibnet due to new redirect of http://www.python.org/ to https://www.python.org. @ text @$NetBSD: patch-Misc_NEWS,v 1.1 2014/07/02 12:53:52 he Exp $ Note fix for directory traversal vulnerability is included. --- Misc/NEWS.orig 2014-03-09 08:40:23.000000000 +0000 +++ Misc/NEWS @@@@ -30,6 +30,9 @@@@ Core and Builtins Library ------- +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Issue #20778: Fix modulefinder to work with bytecode-only modules. - Issue #20791: copy.copy() now doesn't make a copy when the input is @ 1.1 log @Add a fix, test-case and note for directory traversal vulnerability, ref. http://bugs.python.org/issue21766 Bump PKGREVISION. 
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-Misc_NEWS was added on branch pkgsrc-2014Q2 on 2014-07-05 11:21:49 +0000 @ text @d1 16 @ 1.1.2.2 log @Pullup ticket #4441 - requested by he lang/python33: security patch Revisions pulled up: - lang/python33/Makefile 1.26 - lang/python33/distinfo 1.18 - lang/python33/patches/patch-Lib_http_server.py 1.1 - lang/python33/patches/patch-Lib_test_test__httpservers.py 1.1 - lang/python33/patches/patch-Misc_NEWS 1.1 --- Module Name: pkgsrc Committed By: he Date: Wed Jul 2 12:53:52 UTC 2014 Modified Files: pkgsrc/lang/python33: Makefile distinfo Added Files: pkgsrc/lang/python33/patches: patch-Lib_http_server.py patch-Lib_test_test__httpservers.py patch-Misc_NEWS Log Message: Add a fix, test-case and note for directory traversal vulnerability, ref. http://bugs.python.org/issue21766 Bump PKGREVISION. @ text @a0 16 $NetBSD$ Note fix for directory traversal vulnerability is included. --- Misc/NEWS.orig 2014-03-09 08:40:23.000000000 +0000 +++ Misc/NEWS @@@@ -30,6 +30,9 @@@@ Core and Builtins Library ------- +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Issue #20778: Fix modulefinder to work with bytecode-only modules. - Issue #20791: copy.copy() now doesn't make a copy when the input is @
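Review bot: the comment line above the `---` header of the Misc/NEWS hunk, `Note fix for directory traversal vulnerability is included.`, does not name the upstream report, although the commit log for this revision cites http://bugs.python.org/issue21766; add that URL to the comment line (for example `Note fix for directory traversal vulnerability (http://bugs.python.org/issue21766) is included.`) so that a later maintainer can confirm from the patch file alone whether upstream's NEWS already carries the entry, which is precisely the check the 1.2 log records when it removes the now-included patches on the 3.3.6 update.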