UbuntuUpdates.org

Package "libpython2.7-minimal"

Name: libpython2.7-minimal

Description:

Minimal subset of the Python language (version 2.7)

Latest version: 2.7.12-1ubuntu0~16.04.18
Release: xenial (16.04)
Level: updates
Repository: main
Head package: python2.7

Other versions of "libpython2.7-minimal" in Xenial

Repository  Area  Version
base        main  2.7.11-7ubuntu1
security    main  2.7.12-1ubuntu0~16.04.18

Changelog

Version: 2.7.12-1ubuntu0~16.04.11 2020-04-21 14:06:16 UTC

  python2.7 (2.7.12-1ubuntu0~16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2019-18348.patch: disallow control characters
      in hostnames in http.client in Lib/httplib.py, Lib/test/test_urllib2.py.
    - CVE-2019-18348
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-8492.patch: fix the regex to prevent
      the regex denial of service in Lib/urllib2.py.
    - CVE-2020-8492

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 15 Apr 2020 14:07:12 -0300

CVE-2019-18348 An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker co
CVE-2020-8492 Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular E

Version: 2.7.12-1ubuntu0~16.04.9 2019-10-14 17:07:09 UTC

  python2.7 (2.7.12-1ubuntu0~16.04.9) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect email address parsing
    - debian/patches/CVE-2019-16056.patch: don't parse domains containing @
      in Lib/email/_parseaddr.py, Lib/test/test_email/test_email.py.
    - CVE-2019-16056
  * SECURITY UPDATE: XSS in documentation XML-RPC server
    - debian/patches/CVE-2019-16935.patch: escape the server_title in
      Lib/DocXMLRPCServer.py, Lib/test/test_docxmlrpc.py.
    - CVE-2019-16935
  * debian/patches/avoid_test_docxmlrpc_race.patch: avoid race in
    test_docxmlrpc server setup in Lib/test/test_docxmlrpc.py.

 -- Marc Deslauriers <email address hidden> Tue, 08 Oct 2019 10:14:10 -0400

CVE-2019-16056 An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses em
CVE-2019-16935 The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs

Version: 2.7.12-1ubuntu0~16.04.8 2019-09-09 19:06:57 UTC
No changelog available yet.

Version: 2.7.12-1ubuntu0~16.04.4 2018-11-13 17:07:25 UTC

  python2.7 (2.7.12-1ubuntu0~16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow via race condition
    - debian/patches/CVE-2018-1000030-1.patch: stop crashes when iterating
      over a file on multiple threads in Lib/test/test_file2k.py,
      Objects/fileobject.c.
    - debian/patches/CVE-2018-1000030-2.patch: fix crash when multiple
      threads iterate over a file in Lib/test/test_file2k.py,
      Objects/fileobject.c.
    - CVE-2018-1000030
  * SECURITY UPDATE: command injection in shutil module
    - debian/patches/CVE-2018-1000802.patch: use subprocess rather than
      distutils.spawn in Lib/shutil.py.
    - CVE-2018-1000802
  * SECURITY UPDATE: DoS via catastrophic backtracking
    - debian/patches/CVE-2018-106x.patch: fix expressions in
      Lib/difflib.py, Lib/poplib.py. Added tests to
      Lib/test/test_difflib.py, Lib/test/test_poplib.py.
    - CVE-2018-1060
    - CVE-2018-1061
  * SECURITY UPDATE: incorrect Expat hash salt initialization
    - debian/patches/CVE-2018-14647.patch: call SetHashSalt in
      Include/pyexpat.h, Modules/_elementtree.c, Modules/pyexpat.c.
    - CVE-2018-14647

 -- Marc Deslauriers <email address hidden> Mon, 12 Nov 2018 09:36:49 -0500

CVE-2018-1000030 Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it
CVE-2018-1000802 Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command In
CVE-2018-1060 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacke
CVE-2018-1061 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An
CVE-2018-14647 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service

Version: 2.7.12-1ubuntu0~16.04.3 2018-01-18 11:06:37 UTC

  python2.7 (2.7.12-1ubuntu0~16.04.3) xenial-proposed; urgency=medium

  * Some performance improvements: LP: #1638695.
    - Build the _math.o object file without -fPIC for static builds.
  * Rename md5_* functions to _Py_md5_*. Closes: #868366. LP: #1734109.
  * Explicitly use the system python for byte compilation in postinst scripts.
    LP: #1682934.
  * Fix issue #22636: Avoid shell injection problems with
    ctypes.util.find_library(). LP: #1512068.

 -- Matthias Klose <email address hidden> Mon, 04 Dec 2017 15:50:18 +0100

1638695 Python 2.7.12 performance regression
1734109 Avoid symbol conflicts with `md5_*' symbols in third party extensions
1682934 python3 in /usr/local/bin can cause python3 packages to fail to install
1512068 Python ctypes.util , Shell Injection in find_library()
868366 python2.7: Exports `md5_init', causing conflicts with extension modules - Debian Bug report logs


