UbuntuUpdates.org

Package "libpython2.7-testsuite"

Name: libpython2.7-testsuite

Description:

Testsuite for the Python standard library (v2.7)
Latest version: 2.7.18-1~20.04.7
Release: focal (20.04)
Level: security
Repository: universe
Head package: python2.7

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libpython2.7-testsuite"

All arch deb package
APT INSTALL

Other versions of "libpython2.7-testsuite" in Focal

Repository Area Version
base universe 2.7.18~rc1-2
updates universe 2.7.18-1~20.04.7

Changelog

Version: 2.7.18-1~20.04.7 2025-01-06 16:07:17 UTC

  python2.7 (2.7.18-1~20.04.7) focal-security; urgency=medium

  * SECURITY UPDATE: User-after-free
    - debian/patches/CVE-2022-48560.patch: Fix posible crash in heapq with
      custom comparison operators in Modules/_heapqmodule.c,
      Lib/test/test_heapq.py.
    - CVE-2022-48560
  * SECURITY UPDATE: xml external entity processing
    - debian/patches/CVE-2022-48565.patch: rejects XML entity declarations in
      plist files.
    - CVE-2022-48565
  * SECURITY UPDATE: breaking of constant-time guarantee for crypto operations
    - debian/patches/CVE-2022-48566.patch: adds ``volatile`` to the accumulator
      variable result in ``hmac.compare_digest``, making
      constant-time-defeating optimizations less likely.
    - CVE-2022-48566
  * SECURITY UPDATE: Possible Bypass Blocklisting
    - debian/patches/CVE-2023-24329.patch: enforce
      that a scheme must begin with an alphabetical ASCII character
      in Lib/urlparse.py, Lib/test/test_urlparse.py.
    - debian/patches/CVE-2023-24329-2.patch: adds a complementary patch/fix
      for CVE-2023-24329 that was partially fixed before. This patch starts
      stripping C0 control and space chars in 'urlsplit' in Lib/urlparse.py,
      Lib/test/test_urlparse.py.
    - CVE-2023-24329
  * SECURITY UPDATE: TLS handshake bypass
    - debian/patches/CVE-2023-40217.diff: avoid ssl pre-close flaw in ssl.py.
    - CVE-2023-40217

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 09 Dec 2024 16:35:20 -0300
Source diff to previous version
CVE-2022-48560 A use-after-free exists in Python through 3.9 via heappushpop in heapq.
CVE-2022-48565 An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist fil
CVE-2022-48566 An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumula
CVE-2023-24329 An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with bla
CVE-2023-40217 An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (

Version: 2.7.18-1~20.04.6 2024-11-22 04:06:50 UTC

  python2.7 (2.7.18-1~20.04.6) focal-security; urgency=medium

  * SECURITY REGRESSION: regression for CVE-2024-6232
    - d/p/fix-regression-lp2089071.patch: fix incomplete update for
      CVE-2024-6232 (LP: #2089071)

 -- Nishit Majithia <email address hidden> Thu, 21 Nov 2024 15:28:47 +0530
Source diff to previous version
2089071 tarfile.py regression: \
CVE-2024-6232 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile heade

Version: 2.7.18-1~20.04.5 2024-11-19 14:06:48 UTC

  python2.7 (2.7.18-1~20.04.5) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2024-6232.patch: Remove backtracking when parsing
      tarfile headers
    - CVE-2024-6232
  * SECURITY UPDATE: header injection issue
    - debian/patches/CVE-2024-6923.patch: Encode newlines in headers
    - CVE-2024-6923

 -- Nishit Majithia <email address hidden> Wed, 13 Nov 2024 10:42:32 +0530
Source diff to previous version
CVE-2024-6232 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile heade
CVE-2024-6923 There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an

Version: 2.7.18-1~20.04.3 2022-07-14 15:06:35 UTC

  python2.7 (2.7.18-1~20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: Injection Attack
    - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe
      filenames/types/param in Lib/mailcap.py.
    - CVE-2015-20107

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 01 Jul 2022 09:27:04 -0300
Source diff to previous version
CVE-2015-20107 In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This m

Version: 2.7.18-1~20.04.1 2021-03-11 22:07:04 UTC

  python2.7 (2.7.18-1~20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-9674.patch: add pitfalls to
      zipfile module doc in Doc/library/zipfile.rst,
      Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
    - CVE-2019-9674
  * SECURITY UPDATE: Misleading information
    - debian/patches/CVE-2019-17514.patch: explain that the orderness of the
      of the result is system-dependant in Doc/library/glob.rst.
    - CVE-2019-17514
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
      tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py.
    - CVE-2019-20907
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-8492.patch: fix the regex to prevent
      the regex denial of service in Lib/urllib2.py.
    - CVE-2020-8492
  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection
      in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2021-3177.patch: use improved patch backport.
    - CVE-2021-3177

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 08 Mar 2021 13:02:45 +0000
CVE-2019-9674 Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
CVE-2019-17514 library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrate
CVE-2019-20907 In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, becaus
CVE-2020-8492 Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular E
CVE-2020-26116 http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker contro
CVE-2021-3177 Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applic


About   -   Send Feedback to @ubuntu_updates