Bug 246808 - lang/python36: Update to 3.6.10 (and backport security fixes)
Summary: lang/python36: Update to 3.6.10 (and backport security fixes)
Status: Closed DUPLICATE of bug 246984
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Kubilay Kocak
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-05-28 15:43 UTC by Mike Fisher
Modified: 2020-06-15 11:23 UTC
2 users

See Also:


Attachments
lang/python36 update to 3.6.10 + CVE-2020-8492 patchset (2.44 KB, patch)
2020-05-28 15:43 UTC, Mike Fisher

Description Mike Fisher 2020-05-28 15:43:48 UTC
Created attachment 214977
lang/python36 update to 3.6.10 + CVE-2020-8492 patchset

Note: 246738 references 3.6.11 but this release has not been scheduled yet. I agree with Janos Mohacsi (#246738 author) that it would be nice to address the security issue in lang/python36.

This patch updates lang/python36 to 3.6.10 and includes the accepted CVE-2020-8492 patch set (https://github.com/python/cpython/pull/19304).

Here is the link to the Python bug tracker for CVE-2020-8492, which they track as "bpo-39503": https://bugs.python.org/issue39503.

According to the Python 3.6 changelog (https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-10-final), "bpo-39503" is part of the unscheduled "Python next" release.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-10 04:09:50 UTC
To reduce confusion, closing this as a duplicate (subset) of bug 246984, which also includes necessary python-docs-* port updates, as well as updates for 3.5 and 3.7.

Note: That bug has different commit hashes added to the 3.6.10 port:

< 0f10ef077fc32b60cb07780ea7234516950d0f9e.patch:-p1 (here)
> 69cdeeb93e0830004a495ed854022425b93b3f3e.patch:-p1 (there)
> 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba.patch:-p1 (there)

*** This bug has been marked as a duplicate of bug 246984 ***
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-06-13 13:26:50 UTC
A commit references this bug:

Author: dbaio
Date: Sat Jun 13 13:26:43 UTC 2020
New revision: 538670
URL: https://svnweb.freebsd.org/changeset/ports/538670

Log:
  lang/python37: Fix security issues

  The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch
  and will be present on the next release.

  Patch for applying CVE-2020-8492 fix here in the ports tree was reported
  and submitted by Dani <i.dani@outlook.com>.

  PR:		246808
  MFH:		2020Q2
  X-MFH-with:	536770, 536776
  Security:	ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
  Security:	a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)

Changes:
  head/lang/python37/Makefile
  head/lang/python37/distinfo
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-06-15 11:23:20 UTC
A commit references this bug:

Author: dbaio
Date: Mon Jun 15 11:22:39 UTC 2020
New revision: 538872
URL: https://svnweb.freebsd.org/changeset/ports/538872

Log:
  MFH: r536770 r536776 r538670

  Recompile _sysconfigdata.py after reinplacing it

  PR:		246618
  With hat:	portmgr

  Fix build with various python ABI

  With hat:	portmgr

  lang/python37: Fix security issues

  The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch
  and will be present on the next release.

  Patch for applying CVE-2020-8492 fix here in the ports tree was reported
  and submitted by Dani <i.dani@outlook.com>.

  PR:		246808
  X-MFH-with:	536770, 536776
  Security:	ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
  Security:	a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/lang/python37/Makefile
  branches/2020Q2/lang/python37/distinfo
  branches/2020Q2/lang/python38/Makefile