Bug 245776 - lang/python27: Update to 2.7.18 (Fixes vulnerability)
Summary: lang/python27: Update to 2.7.18 (Fixes vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal (Affects Many People)
Assignee: Wen Heping
URL: https://www.python.org/downloads/rele...
Keywords: needs-qa, security
Depends on: 245819
Reported: 2020-04-20 23:09 UTC by VVD
Modified: 2020-05-15 12:53 UTC (History)

See Also:
bugzilla: maintainer-feedback? (python)
antoine: exp-run+

Update to 2.7.18 (1.12 KB, patch)
2020-04-20 23:09 UTC, VVD
update patch for python-2.7.18 (3.22 KB, patch)
2020-04-21 01:18 UTC, Wen Heping
python27-2.7.18.patch (2.14 KB, patch)
2020-04-27 06:35 UTC, takefu

Description VVD 2020-04-20 23:09:22 UTC
Created attachment 213619
Update to 2.7.18

Python 2.7.18 is the last release of Python 2.

Tested build on 12.1 amd64.

> Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller.
Comment 1 Wen Heping freebsd_committer 2020-04-21 01:17:58 UTC

  Some suggestions:
  i) PORTREVISION=0 is not needed.
  ii) lang/python-doc-html should be updated.
  iii) Many ports depend on python27, so an exp-run should be required.

  I shall submit a new patch.

Comment 2 Wen Heping freebsd_committer 2020-04-21 01:18:54 UTC
Created attachment 213624
update patch for python-2.7.18
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-21 01:54:47 UTC
Thank you for the report and patch VVD

^Triage: Don't need an exp run tag, exp-run flag is sufficient
Comment 4 Li-Wen Hsu freebsd_committer 2020-04-21 03:36:22 UTC
(In reply to Kubilay Kocak from comment #3)
I was told that a patch-level version update doesn't strictly require an exp-run?

(I'm not opposing it, of course, just want to lower the loading of portmgr. :-)
Comment 5 Danilo G. Baio freebsd_committer 2020-04-23 01:21:50 UTC
If it includes just a patch level, please change the vuxml entry (see ports r532610).
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-23 02:55:44 UTC
(In reply to Li-Wen Hsu from comment #4)

Clarifying: the comment was regarding [exp-run] (and tags in general) in issue Summaries/Titles, not whether and when experimental runs are needed.
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-23 02:56:09 UTC
Link VuXML entry issue/commit
Comment 8 Antoine Brodin freebsd_committer 2020-04-26 08:25:08 UTC
Exp-run looks fine
Comment 9 takefu 2020-04-27 06:35:13 UTC
Created attachment 213835

Comment 10 commit-hook freebsd_committer 2020-05-05 08:23:54 UTC
A commit references this bug:

Author: wen
Date: Tue May  5 08:23:12 UTC 2020
New revision: 534040
URL: https://svnweb.freebsd.org/changeset/ports/534040

  - Update to 2.7.18 [1]
    (include security fix)
  - Fix build with OPTION of DEBUG THREADS [2]

  PR:		245776
  Submitted by:	vvd@unislabs.com [1],
  		takefu@airport.fm [2]
  Exp-run by:	antoine@ [1]
  MFH:		2020Q2
  Security:	CVE-2019-18348, CVE-2020-8492

Comment 11 Wen Heping freebsd_committer 2020-05-05 08:27:58 UTC
Hi, all:

CVE-2020-8492 has been documented in vuxml/vuln.xml, but CVE-2019-18348 has not; shall I create another entry in vuxml/vuln.xml?

Comment 12 Li-Wen Hsu freebsd_committer 2020-05-05 08:34:17 UTC
(In reply to Wen Heping from comment #11)
I think it's fine; another thought is that since the versions that fixed them are the same (right?), we can also update the a27b0bb6-84fc-11ea-b5b4-641c67a117d8 entry to include both CVEs.
Comment 13 commit-hook freebsd_committer 2020-05-09 10:15:05 UTC
A commit references this bug:

Author: wen
Date: Sat May  9 10:14:10 UTC 2020
New revision: 534731
URL: https://svnweb.freebsd.org/changeset/ports/534731

  MFH: r534040

  - Update to 2.7.18 [1]
    (include security fix)
  - Fix build with OPTION of DEBUG THREADS [2]

  PR:		245776
  Submitted by:	vvd@unislabs.com [1],
  		takefu@airport.fm [2]
  Exp-run by:	antoine@ [1]
  Security:	CVE-2019-18348, CVE-2020-8492

  Approved by:	ports-secteam@(joneum@)

_U  branches/2020Q2/