UbuntuUpdates.org

Package "python2.7-minimal"

Name: python2.7-minimal

Description:

Minimal subset of the Python language (version 2.7)
Latest version: 2.7.18-13ubuntu1.5
Release: jammy (22.04)
Level: security
Repository: universe
Head package: python2.7

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python2.7-minimal"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "python2.7-minimal" in Jammy

Repository Area Version
base universe 2.7.18-13ubuntu1
updates universe 2.7.18-13ubuntu1.5

Changelog

Version: 2.7.18-13ubuntu1.5 2025-01-06 15:07:08 UTC

  python2.7 (2.7.18-13ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: User-after-free
    - debian/patches/CVE-2022-48560.patch: Fix posible crash in heapq with
      custom comparison operators in Modules/_heapqmodule.c,
      Lib/test/test_heapq.py.
    - CVE-2022-48560
  * SECURITY UPDATE: xml external entity processing
    - debian/patches/CVE-2022-48565.patch: rejects XML entity declarations in
      plist files.
    - CVE-2022-48565
  * SECURITY UPDATE: breaking of constant-time guarantee for crypto operations
    - debian/patches/CVE-2022-48566.patch: adds ``volatile`` to the accumulator
      variable result in ``hmac.compare_digest``, making
      constant-time-defeating optimizations less likely.
    - CVE-2022-48566
  * SECURITY UPDATE: Possible Bypass Blocklisting
    - debian/patches/CVE-2023-24329.patch: enforce
      that a scheme must begin with an alphabetical ASCII character
      in Lib/urlparse.py, Lib/test/test_urlparse.py.
    - debian/patches/CVE-2023-24329-2.patch: adds a complementary patch/fix
      for CVE-2023-24329 that was partially fixed before. This patch starts
      stripping C0 control and space chars in 'urlsplit' in Lib/urlparse.py,
      Lib/test/test_urlparse.py.
    - CVE-2023-24329
  * SECURITY UPDATE: TLS handshake bypass
    - debian/patches/CVE-2023-40217.diff: avoid ssl pre-close flaw in ssl.py.
    - CVE-2023-40217

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 09 Dec 2024 15:47:23 -0300
Source diff to previous version
CVE-2022-48560 A use-after-free exists in Python through 3.9 via heappushpop in heapq.
CVE-2022-48565 An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist fil
CVE-2022-48566 An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumula
CVE-2023-24329 An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with bla
CVE-2023-40217 An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (

Version: 2.7.18-13ubuntu1.4 2024-11-22 04:06:51 UTC

  python2.7 (2.7.18-13ubuntu1.4) jammy-security; urgency=medium

  * SECURITY REGRESSION: regression for CVE-2024-6232
    - d/p/fix-regression-lp2089071.patch: fix incomplete update for
      CVE-2024-6232 (LP: #2089071)

 -- Nishit Majithia <email address hidden> Thu, 21 Nov 2024 15:31:26 +0530
Source diff to previous version
2089071 tarfile.py regression: \
CVE-2024-6232 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile heade

Version: 2.7.18-13ubuntu1.3 2024-11-19 14:06:49 UTC

  python2.7 (2.7.18-13ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2024-6232.patch: Remove backtracking when parsing
      tarfile headers
    - CVE-2024-6232
  * SECURITY UPDATE: header injection issue
    - debian/patches/CVE-2024-6923.patch: Encode newlines in headers
    - CVE-2024-6923

 -- Nishit Majithia <email address hidden> Wed, 13 Nov 2024 10:22:30 +0530
Source diff to previous version
CVE-2024-6232 There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile heade
CVE-2024-6923 There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an

Version: 2.7.18-13ubuntu1.1 2022-07-14 15:06:41 UTC

  python2.7 (2.7.18-13ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Injection Attack
    - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe
      filenames/types/param in Lib/mailcap.py.
    - CVE-2015-20107

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 01 Jul 2022 07:30:50 -0300
CVE-2015-20107 In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This m


About   -   Send Feedback to @ubuntu_updates