Bug 741502 - <dev-lang/python-2.7.18-r2:2.7: Multiple vulnerabilities
Summary: <dev-lang/python-2.7.18-r2:2.7: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords: CC-ARCHES
Depends on:
Blocks:
Reported: 2020-09-10 11:52 UTC by Michał Górny
Modified: 2020-10-18 01:02 UTC
CC: 1 user

See Also:
Package list:
dev-lang/python-2.7.18-r2
Runtime testing required: ---
nattka: sanity-check-
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 11:52:13 UTC
The two following vulnerabilities from Python 3.x also apply to 2.7:

CVE-2020-8492
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

[urllib2.py in py27]


bpo-39603: Prevent header injection in http methods

[httplib.py in py27]
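Added example, not from this bug, the Gentoo ebuild or CPython: a Python 3 sketch of the two bug classes backported above, run on constructed WWW-Authenticate values and request lines. The two regexes are modelled on the pre-fix and post-fix AbstractBasicAuthHandler patterns as recalled, and the control-character check on the httplib/http.client fix; treat the exact pattern text and all function names as assumptions, not as the 2.7 code the ebuild patches.

```python
# Added example (not from the bug report, the ebuild or CPython): both bug
# classes backported in python-2.7.18-r2, exercised on constructed inputs.
import re
import time

# Modelled on the pre-fix AbstractBasicAuthHandler pattern (reproduced from
# memory; treat the exact text as an assumption). The leading (?:.*,)* can
# split a run of commas into exponentially many group boundaries, so a
# WWW-Authenticate value with many commas and no "realm=" never matches but
# costs about 2^n steps to reject (CVE-2020-8492).
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Modelled on the fixed pattern: a scheme token may only start at the
# beginning of the value or right after a comma, and may not itself contain
# a comma, so each character can be consumed in only one way.
FIXED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_auth_challenge(header_value, rx=FIXED_RX):
    """Return (scheme, realm) from a WWW-Authenticate value, or None."""
    m = rx.search(header_value)
    if m is None:
        return None
    return m.group(1).lower(), m.group(3)


def search_seconds(rx, header_value):
    """Wall-clock seconds for one rx.search() over header_value."""
    start = time.perf_counter()
    rx.search(header_value)
    return time.perf_counter() - start


# Header injection (bpo-39603): the request line is formatted from the
# caller-supplied method with no validation, so a method containing CR/LF
# smuggles extra header lines or a whole second request. The fix rejects
# any control character in the method before the line is assembled.
_CONTROL_CHAR_RX = re.compile(r'[\x00-\x1f]')


def is_safe_method(method):
    """True if the method contains no control characters."""
    return _CONTROL_CHAR_RX.search(method) is None


def validate_method(method):
    """Raise ValueError if the method could break out of the request line."""
    if not is_safe_method(method):
        raise ValueError("method can't contain control characters: %r" % (method,))
    return method


def build_request_line(method, url, validate=True):
    """Request line as the client builds it; validate=False is the old behaviour."""
    if validate:
        validate_method(method)
    return "%s %s HTTP/1.1\r\n" % (method, url)


if __name__ == "__main__":
    # Well-formed challenge: both patterns agree.
    good = 'Basic realm="WallyWorld"'
    print(parse_auth_challenge(good, VULNERABLE_RX), parse_auth_challenge(good))
    # Hostile challenge: a run of commas. The vulnerable pattern roughly
    # doubles its work with every extra comma; the fixed one stays linear.
    for n in (10, 12, 14):
        hostile = "," * n
        print(n, "%.4fs" % search_seconds(VULNERABLE_RX, hostile),
              "%.6fs" % search_seconds(FIXED_RX, hostile))
    # Injected method: old behaviour emits three lines, fixed one refuses.
    evil = "GET / HTTP/1.1\r\nX-Injected: 1\r\nPOST"
    print(repr(build_request_line(evil, "/", validate=False)))
    try:
        build_request_line(evil, "/")
    except ValueError as exc:
        print("rejected:", exc)
```

Keep the comma count small when trying the vulnerable pattern by hand: the cost doubles per comma, so a value of a few dozen commas is enough to stall a client for a long time, which is the whole point of the CVE.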
Comment 1 NATTkA bot gentoo-dev 2020-09-10 13:28:47 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18-r2
Comment 2 Larry the Git Cow gentoo-dev 2020-09-10 13:38:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6f8a124c2578cd3c6fffd07fbef8551bb74db7d

commit a6f8a124c2578cd3c6fffd07fbef8551bb74db7d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-10 13:23:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-10 13:38:47 +0000

    dev-lang/python: Backport two more secfixes from 3.6 to 2.7.18
    
    Bug: https://bugs.gentoo.org/741502
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-2.7.18-r2.ebuild | 366 ++++++++++++++++++++++++++++++++
 2 files changed, 367 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2020-09-10 13:40:52 UTC
All sanity-check issues have been resolved
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-11 17:08:39 UTC
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-11 17:11:30 UTC
arm64 done
Comment 6 Rolf Eike Beer archtester 2020-09-11 17:24:02 UTC
sparc stable
Comment 7 NATTkA bot gentoo-dev 2020-09-13 10:53:08 UTC
Sanity check failed:

> dev-lang/python-2.7.18-r2
>   depend s390 exp profile default/linux/s390/17.0 (2 total)
>     dev-libs/libressl:=
>   rdepend s390 exp profile default/linux/s390/17.0 (2 total)
>     dev-libs/libressl:=
Comment 8 Rolf Eike Beer archtester 2020-09-13 10:57:00 UTC
hppa stable
Comment 9 NATTkA bot gentoo-dev 2020-09-13 12:01:13 UTC
All sanity-check issues have been resolved
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-15 17:23:14 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-09-18 07:33:04 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-09-18 08:12:25 UTC
s390 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-03 17:11:01 UTC
ppc stable
Comment 14 NATTkA bot gentoo-dev 2020-10-15 19:44:51 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18-r2
Comment 15 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 19:48:44 UTC
A newer version is stable already.
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-18 01:02:00 UTC
Added to an existing GLSA.
Comment 17 Larry the Git Cow gentoo-dev 2020-10-18 01:02:07 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2ede0c6d92309dd7c95ec7a12efd3f1a6ef3201d

commit 2ede0c6d92309dd7c95ec7a12efd3f1a6ef3201d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-18 01:00:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-18 01:00:26 +0000

    [ GLSA 202005-09 ] Update to >=dev-lang/python-2.7.18-r2
    
    Closes: https://bugs.gentoo.org/741502
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 glsa-202005-09.xml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)