Python in the 2.3 slot ships a copy of PCRE which might be vulnerable to several security issues as pointed out in bug #198198. Python herd, are you aware which version of PCRE python 2.3 is shipping?
Python herd, please advise.
(In reply to comment #1)
> Python herd, please advise.
>

*ping*
Created attachment 138282 [details, diff] python-CVE-2006-7228-pcre.patch
Created attachment 138283 [details, diff] python-CVE-2007-2052-strxfrm-obo.patch
Python herd, I attached a backported patch for the PCRE issue, courtesy of RedHat. I also attached a patch to fix bug 177804 for python 2.3, which it currently is affected by. Please either include those patches in 2.3 or we should declare the 2.3 not security supported anymore by a mask and GLSA.
Rerating B2 as Python 2.3 obviously is not used by many people anymore. Python herd, please advise.
(In reply to comment #6)
> Rerating B2 as Python 2.3 obviously is not used by many people anymore.
>
> Python herd, please advise.
>

Sorry for the late reply and thanks for the patches. python2.3 is not maintained upstream and we certainly don't want to keep it in our tree anymore. Waiting for your call to proceed with masking.
(In reply to comment #7)
> Sorry for the late reply and thanks for the patches. python2.3 is not
> maintained upstream and we certainly don't want to keep it in our tree anymore.
> Waiting your call to proceed with masking.

If it does not break any dependencies, please mask it. We'll probably send a maskglsa afterwards.
# Ali Polatel <hawking@gentoo.org> (07 Jan 2008)
# Old, unmaintained version. Will be removed in 30 days.
=dev-lang/python-2.3*

Done.
Thanks, we'll maskglsa this.
Ali Polatel writes:
> Apparently there are some packages which I missed are broken due to
> masking this, unmasked for now. Sorry for the inconvenience and thanks
> again to mr_bones_.

Does this mean you'll bump the ebuild with the attached patches?
Ali, we'll either have to patch or mask this. Please apply the patches attached to this bug.
python-2.3.6-r4 is in the tree with the patches included.
Arches, please test and mark stable:
=dev-lang/python-2.3.6-r4
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
ppc done
I'm getting failed tests on this with ppc64. Anyone aware of busticated tests in previous versions?

213 tests OK.
2 tests failed:
    test_openpty test_socket
32 tests skipped:
    test_aepack test_al test_audioop test_bsddb185 test_bsddb3 test_cd
    test_cl test_curses test_dl test_email_codecs test_gl test_imageop
    test_imgfile test_linuxaudiodev test_macfs test_macostools test_nis
    test_normalization test_ossaudiodev test_pep277 test_plistlib
    test_pty test_rgbimg test_scriptpackages test_socket_ssl
    test_socketserver test_sunaudiodev test_timeout test_unicode_file
    test_urllibnet test_winreg test_winsound
4 skips unexpected on linux2:
    test_audioop test_pty test_rgbimg test_imageop
make: *** [test] Error 1
 *

I can provide ppc64 access should someone like to poke this.
Stable for HPPA.
On x86, several "issues": 2.) bsddb test fails if Python is built with USE=nothreads (disable it, please)...I mean USE="nothreads berkdb" will not work. x86 stable
(In reply to comment #18)
> On x86, several "issues":

It was one issue in the end...
alpha/ia64/sparc stable
amd64 done.
23 Jan 2008; Brent Baude <ranger@gentoo.org> python-2.3.6-r4.ebuild: Marking python-2.3.6-r4 ppc for bug 198373
ppc64 stable
GLSA 200802-10.