From ${URL} :

Multiple denial of service flaws were reported against various parts of Python's stdlib:

* httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4])
* ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8])
* imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11])
* nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15])
* poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18])
* smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x)

Unfortunately, upstream assigned a single CVE to all of these; however, I do not believe they can all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions). So this will likely require MITRE to detangle.

[1] http://bugs.python.org/issue16037
[2] http://hg.python.org/cpython/rev/8a22a2804a66/
[3] http://hg.python.org/cpython/rev/582e5072ff89
[4] http://hg.python.org/cpython/rev/e445d02e5306/
[5] http://bugs.python.org/issue16038
[6] http://hg.python.org/cpython/rev/44ac81e6d584/
[7] http://hg.python.org/cpython/rev/8b19e7d0be45/
[8] http://hg.python.org/cpython/rev/38db4d0726bd/
[9] http://bugs.python.org/issue16039
[10] http://hg.python.org/cpython/rev/4190568ceda0/
[11] http://hg.python.org/cpython/rev/4b0364fc5711/
[12] http://bugs.python.org/issue16040
[13] http://hg.python.org/cpython/rev/36680a7c0e22/
[14] http://hg.python.org/cpython/rev/731abf7834c4/
[15] http://hg.python.org/cpython/rev/fc88bd80d925/
[16] http://bugs.python.org/issue16041
[17] http://hg.python.org/cpython/rev/7214e3324a45/
[18] http://hg.python.org/cpython/rev/68029048c9c6/
[19] http://bugs.python.org/issue16042
[20] http://hg.python.org/cpython/rev/8a6def3add5b/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
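The flaws listed above are all of one class: a protocol client calling readline() on a socket file with no upper bound, so a hostile or broken server that never sends a newline makes the client buffer an unlimited amount of data. The upstream fixes referenced in the report cap the length of a single response line (CPython names the cap _MAXLINE and raises LineTooLong in httplib). The following is an added, stand-alone model of that defence, not code from the bug report or from CPython; the 65536-byte cap, the LineTooLong name and the constructed server output are illustrative assumptions, and the point it shows is how readline(maxline + 1) bounds memory use where a bare readline() does not.

```python
"""Bounded line reading for network protocol clients (added illustration).

Models the class of fix applied to httplib, ftplib, imaplib, nntplib,
poplib and smtplib: refuse a response line that exceeds a fixed cap
instead of buffering it until memory runs out.
"""
import io

# Assumed illustrative cap; CPython's _MAXLINE uses the same value.
MAXLINE = 65536


class LineTooLong(Exception):
    """Raised instead of buffering an over-long server response line."""


def read_bounded_line(fp, maxline=MAXLINE):
    """Read one line from a file-like object, refusing lines longer than maxline.

    fp.readline(n) returns at most n bytes, so a peer that never sends a
    newline can make us hold at most maxline + 1 bytes before we give up.
    """
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("response line longer than %d bytes" % maxline)
    return line


def read_unbounded_line(fp):
    """The pre-fix behaviour: readline() with no limit reads until newline or EOF."""
    return fp.readline()


def classify_line(data, maxline=MAXLINE):
    """Return 'ok' if data's first line is within the cap, else 'rejected'."""
    try:
        read_bounded_line(io.BytesIO(data), maxline)
        return "ok"
    except LineTooLong:
        return "rejected"


def demo():
    """Feed a constructed server transcript through both readers.

    Returns (first line read, bounded reader verdict on the hostile line,
    bytes the unbounded reader would have buffered for that line).
    """
    # Constructed sample: one normal greeting line, then a 200000-byte
    # "line" with no terminator, as a misbehaving server might send.
    normal = b"220 ftp.example.test ready\r\n"
    hostile = b"A" * 200000
    stream = io.BytesIO(normal + hostile)

    first = read_bounded_line(stream)          # greeting is well under the cap
    try:
        read_bounded_line(stream)              # hostile line trips the cap
        verdict = "ok"
    except LineTooLong:
        verdict = "rejected"

    # The unbounded reader swallows the entire hostile line into memory.
    buffered = len(read_unbounded_line(io.BytesIO(hostile)))
    return first, verdict, buffered


if __name__ == "__main__":
    print(demo())
```

Running the module shows the bounded reader stopping after 65537 bytes and raising, while the unbounded reader holds all 200000 bytes; with a real socket the unbounded case grows with whatever the server keeps sending.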
+*python-2.6.9 (25 Dec 2013)
+
+  25 Dec 2013; Mike Gilbert <floppym@gentoo.org> +python-2.6.9.ebuild:
+  Bump for security bug 495224.

I don't have any objection to stabilizing 2.7.6 and 3.3.3. There seem to be a few unpatched issues in 2.7.6, however.
This issue was resolved and addressed in GLSA 201503-10 at https://security.gentoo.org/glsa/201503-10 by GLSA coordinator Kristian Fiskerstrand (K_F).