Bug 246808

Summary: lang/python36: Update to 3.6.10 (and backport security fixes)
Product: Ports & Packages Reporter: Mike Fisher <mfisher911>
Component: Individual Port(s)Assignee: Kubilay Kocak <koobs>
Status: Closed DUPLICATE    
Severity: Affects Many People CC: ports-secteam, python
Priority: Normal Keywords: security
Version: Latest   
Hardware: Any   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246738
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984
Attachments:
Description Flags
lang/python36 update to 3.6.10 + CVE-2020-8492 patchset none

Description Mike Fisher 2020-05-28 15:43:48 UTC 
Created attachment 214977 [details]
lang/python36 update to 3.6.10 + CVE-2020-8492 patchset

Note: 246738 references 3.6.11 but this release has not been scheduled yet. I agree with Janos Mohacsi (#246738 author) that it would be nice to address the security issue in lang/python36.

This patch updates lang/python36 to 3.6.10 and includes the accepted CVE-2020-8492 patch set (https://github.com/python/cpython/pull/19304).

Here is the link to the Python bug tracker for CVE-2020-8492, which they track as "bpo-39503": https://bugs.python.org/issue39503.

According to the Python 3.6 changelog (https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-10-final), the "bpo-39503" is part of the unscheduled "Python next" release.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-10 04:09:50 UTC 
To reduce confusion, closing this as a duplicate (subset) of bug 246984, which also includes necessary python-docs-* port updates, as well as updates for 3.5 and 3.7

Note: That bug has different commit hashes added to the 3.6.10 port:

< 0f10ef077fc32b60cb07780ea7234516950d0f9e.patch:-p1 (here)
> 69cdeeb93e0830004a495ed854022425b93b3f3e.patch:-p1 (there)
> 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba.patch:-p1 (there)

*** This bug has been marked as a duplicate of bug 246984 ***
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-06-13 13:26:50 UTC 
A commit references this bug:

Author: dbaio
Date: Sat Jun 13 13:26:43 UTC 2020
New revision: 538670
URL: https://svnweb.freebsd.org/changeset/ports/538670

Log:
  lang/python37: Fix security issues

  The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch
  and will be present on the next release.

  Patch for applying CVE-2020-8492 fix here in the ports tree was reported
  and submitted by Dani <i.dani@outlook.com>.

  PR:		246808
  MFH:		2020Q2
  X-MFH-with:	536770, 536776
  Security:	ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
  Security:	a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)

Changes:
  head/lang/python37/Makefile
  head/lang/python37/distinfo
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-06-15 11:23:20 UTC 
A commit references this bug:

Author: dbaio
Date: Mon Jun 15 11:22:39 UTC 2020
New revision: 538872
URL: https://svnweb.freebsd.org/changeset/ports/538872

Log:
  MFH: r536770 r536776 r538670

  Recompile _sysconfigdata.py after reinplacing it

  PR:		246618
  With hat:	portmgr

  Fix build with various python ABI

  With hat:	portmgr

  lang/python37: Fix security issues

  The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch
  and will be present on the next release.

  Patch for applying CVE-2020-8492 fix here in the ports tree was reported
  and submitted by Dani <i.dani@outlook.com>.

  PR:		246808
  X-MFH-with:	536770, 536776
  Security:	ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
  Security:	a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/lang/python37/Makefile
  branches/2020Q2/lang/python37/distinfo
  branches/2020Q2/lang/python38/Makefile