The two following vulnerabilities from Python 3.x also apply to 2.7:

CVE-2020-8492
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
[urllib2.py in py27]

bpo-39603: Prevent header injection in http methods
[httplib.py in py27]
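
One way to confirm that an installed interpreter carries both fixes named in the comment above, as an added example (not code from the Gentoo ebuild or from CPython). It assumes the pre-fix regex begins with `(?:.*,)*` and that the fixed `putrequest()` raises `ValueError`; the function names and the `localhost` host are placeholders, and no network connection is made.

```python
try:  # Python 3
    import http.client as httplib
    from urllib.request import AbstractBasicAuthHandler
except ImportError:  # Python 2.7
    import httplib
    from urllib2 import AbstractBasicAuthHandler

# Constructed probe: a method token with CR/LF and a smuggled header line.
PROBE_METHOD = "GET / HTTP/1.1\r\nX-Probe: 1\r\n\r\nGET"

# Assumption: prefix of the regex as shipped before the CVE-2020-8492 fix.
VULNERABLE_RX_PREFIX = "(?:.*,)*"


def putrequest_rejects(method):
    """True if putrequest() refuses `method`. Nothing is sent: the
    connection object only buffers the request line and never connects."""
    conn = httplib.HTTPConnection("localhost")  # placeholder host
    try:
        conn.putrequest(method, "/")
    except ValueError:
        return True
    return False


def method_injection_fixed():
    """bpo-39603: control characters in the method must be rejected,
    while an ordinary method is still accepted."""
    return putrequest_rejects(PROBE_METHOD) and not putrequest_rejects("GET")


def basic_auth_regex_fixed():
    """CVE-2020-8492: the challenge regex must no longer start with the
    nested, unanchored group responsible for the backtracking."""
    pattern = AbstractBasicAuthHandler.rx.pattern
    return not pattern.startswith(VULNERABLE_RX_PREFIX)


def backports_present():
    """Map each fix named in the bug to whether this interpreter has it."""
    return {
        "bpo-39603": method_injection_fixed(),
        "CVE-2020-8492": basic_auth_regex_fixed(),
    }


if __name__ == "__main__":
    for name, ok in sorted(backports_present().items()):
        print("%-14s %s" % (name, "fixed" if ok else "MISSING"))
```
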
Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18-r2
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6f8a124c2578cd3c6fffd07fbef8551bb74db7d

commit a6f8a124c2578cd3c6fffd07fbef8551bb74db7d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-10 13:23:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-10 13:38:47 +0000

    dev-lang/python: Backport two more secfixes from 3.6 to 2.7.18

    Bug: https://bugs.gentoo.org/741502
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-2.7.18-r2.ebuild | 366 ++++++++++++++++++++++++++++++++
 2 files changed, 367 insertions(+)
All sanity-check issues have been resolved
arm done
arm64 done
sparc stable
Sanity check failed:

> dev-lang/python-2.7.18-r2
> depend s390 exp profile default/linux/s390/17.0 (2 total)
> dev-libs/libressl:=
> rdepend s390 exp profile default/linux/s390/17.0 (2 total)
> dev-libs/libressl:=
hppa stable
x86 stable
amd64 stable
s390 stable
ppc stable
A newer version is stable already.
Added to an existing GLSA.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2ede0c6d92309dd7c95ec7a12efd3f1a6ef3201d

commit 2ede0c6d92309dd7c95ec7a12efd3f1a6ef3201d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-18 01:00:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-18 01:00:26 +0000

    [ GLSA 202005-09 ] Update to >=dev-lang/python-2.7.18-r2

    Closes: https://bugs.gentoo.org/741502
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 glsa-202005-09.xml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)