Bug 245776 - lang/python27: Update to 2.7.18 (Fixes vulnerability)
Summary: lang/python27: Update to 2.7.18 (Fixes vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Wen Heping
URL: https://www.python.org/downloads/rele...
Keywords: needs-qa, security
Depends on: 245819
Blocks:
Reported: 2020-04-20 23:09 UTC by Vladimir Druzenko
Modified: 2020-05-15 12:53 UTC
CC: 5 users

See Also:
bugzilla: maintainer-feedback? (python)
antoine: exp-run+


Attachments
Update to 2.7.18 (1.12 KB, patch)
2020-04-20 23:09 UTC, Vladimir Druzenko
update patch for python-2.7.18 (3.22 KB, patch)
2020-04-21 01:18 UTC, Wen Heping
python27-2.7.18.patch (2.14 KB, patch)
2020-04-27 06:35 UTC, takefu

Description Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-20 23:09:22 UTC
Created attachment 213619
Update to 2.7.18

Python 2.7.18 is the last release of Python 2.

Tested build on 12.1 amd64.

> Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller.
https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.18rc1.rst
Comment 1 Wen Heping freebsd_committer freebsd_triage 2020-04-21 01:17:58 UTC
Hi,

  Some suggestions :
  i) PORTREVISION=0 is not needed.
  ii) lang/python-doc-html should be updated
  iii) many ports depend on python27, so an exp-run should be required

  I shall submit a new patch.

wen
Comment 2 Wen Heping freebsd_committer freebsd_triage 2020-04-21 01:18:54 UTC
Created attachment 213624
update patch for python-2.7.18
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-21 01:54:47 UTC
Thank you for the report and patch, VVD

^Triage: Don't need an exp run tag, exp-run flag is sufficient
Comment 4 Li-Wen Hsu freebsd_committer freebsd_triage 2020-04-21 03:36:22 UTC
(In reply to Kubilay Kocak from comment #3)
I was told that a patch-level version update doesn't strictly require an exp-run?

(I'm not opposing it, of course, just want to lower the loading of portmgr. :-)
Comment 5 Danilo G. Baio freebsd_committer freebsd_triage 2020-04-23 01:21:50 UTC
If it includes just a patch level, please change the vuxml entry (see ports r532610).
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-23 02:55:44 UTC
(In reply to Li-Wen Hsu from comment #4)

Clarifying: the comment was regarding [exp-run] (and tags in general) in issue Summary/Titles, not whether and when experimental runs are needed
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-23 02:56:09 UTC
Link VuXML entry issue/commit
Comment 8 Antoine Brodin freebsd_committer freebsd_triage 2020-04-26 08:25:08 UTC
Exp-run looks fine
Comment 9 takefu 2020-04-27 06:35:13 UTC
Created attachment 213835
python27-2.7.18.patch

Fix:
  OPTION DEBUG THREADS
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-05-05 08:23:54 UTC
A commit references this bug:

Author: wen
Date: Tue May  5 08:23:12 UTC 2020
New revision: 534040
URL: https://svnweb.freebsd.org/changeset/ports/534040

Log:
  - Update to 2.7.18 [1]
    (include security fix)
  - Fix build with OPTION of DEBUG THREADS [2]

  PR:		245776
  Submitted by:	vvd@unislabs.com [1],
  		takefu@airport.fm [2]
  Exp-run by:	antoine@ [1]
  MFH:		2020Q2
  Security:	CVE-2019-18348, CVE-2020-8492

Changes:
  head/lang/python-doc-html/distinfo
  head/lang/python27/Makefile
  head/lang/python27/Makefile.version
  head/lang/python27/distinfo
  head/lang/python27/pkg-plist
Comment 11 Wen Heping freebsd_committer freebsd_triage 2020-05-05 08:27:58 UTC
Hi, all:

CVE-2020-8492 has been documented in vuxml/vuln.xml, but CVE-2019-18348 has not; shall I create another entry in vuxml/vuln.xml?

wen
Comment 12 Li-Wen Hsu freebsd_committer freebsd_triage 2020-05-05 08:34:17 UTC
(In reply to Wen Heping from comment #11)
I think it's fine; another thought is, since the versions that fix them are the same (right?), we can also update the a27b0bb6-84fc-11ea-b5b4-641c67a117d8 entry to include both CVEs.
Comment 13 commit-hook freebsd_committer freebsd_triage 2020-05-09 10:15:05 UTC
A commit references this bug:

Author: wen
Date: Sat May  9 10:14:10 UTC 2020
New revision: 534731
URL: https://svnweb.freebsd.org/changeset/ports/534731

Log:
  MFH: r534040

  - Update to 2.7.18 [1]
    (include security fix)
  - Fix build with OPTION of DEBUG THREADS [2]

  PR:		245776
  Submitted by:	vvd@unislabs.com [1],
  		takefu@airport.fm [2]
  Exp-run by:	antoine@ [1]
  Security:	CVE-2019-18348, CVE-2020-8492

  Approved by:	ports-secteam@(joneum@)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/lang/python-doc-html/distinfo
  branches/2020Q2/lang/python27/Makefile
  branches/2020Q2/lang/python27/Makefile.version
  branches/2020Q2/lang/python27/distinfo
  branches/2020Q2/lang/python27/pkg-plist