Bug 246808 - lang/python36: Update to 3.6.10 (and backport security fixes)
Summary: lang/python36: Update to 3.6.10 (and backport security fixes)
Status: Closed DUPLICATE of bug 246984
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Kubilay Kocak
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-05-28 15:43 UTC by Mike Fisher
Modified: 2020-06-15 11:23 UTC (History)
2 users (show)

See Also:


Attachments
lang/python36 update to 3.6.10 + CVE-2020-8492 patchset (2.44 KB, patch)
2020-05-28 15:43 UTC, Mike Fisher
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Fisher 2020-05-28 15:43:48 UTC
Created attachment 214977 [details]
lang/python36 update to 3.6.10 + CVE-2020-8492 patchset

Note: 246738 references 3.6.11 but this release has not been scheduled yet. I agree with Janos Mohacsi (#246738 author) that it would be nice to address the security issue in lang/python36.

This patch updates lang/python36 to 3.6.10 and includes the accepted CVE-2020-8492 patch set (https://github.com/python/cpython/pull/19304).

Here is the link to the Python bug tracker for CVE-2020-8492, which they track as "bpo-39503": https://bugs.python.org/issue39503.

According to the Python 3.6 changelog (https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-10-final), the "bpo-39503" is part of the unscheduled "Python next" release.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-06-10 04:09:50 UTC
To reduce confusion, closing this as a duplicate (subset) of bug 246984, which also includes necessary python-docs-* port updates, as well as updates for 3.5 and 3.7

Note: That bug has different commit hashes added to the 3.6.10 port:

< 0f10ef077fc32b60cb07780ea7234516950d0f9e.patch:-p1 (here)
> 69cdeeb93e0830004a495ed854022425b93b3f3e.patch:-p1 (there)
> 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba.patch:-p1 (there)

*** This bug has been marked as a duplicate of bug 246984 ***
Comment 2 commit-hook freebsd_committer 2020-06-13 13:26:50 UTC
A commit references this bug:

Author: dbaio
Date: Sat Jun 13 13:26:43 UTC 2020
New revision: 538670
URL: https://svnweb.freebsd.org/changeset/ports/538670

Log:
  lang/python37: Fix security issues

  The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch
  and will be present on the next release.

  Patch for applying CVE-2020-8492 fix here in the ports tree was reported
  and submitted by Dani <i.dani@outlook.com>.

  PR:		246808
  MFH:		2020Q2
  X-MFH-with:	536770, 536776
  Security:	ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
  Security:	a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)

Changes:
  head/lang/python37/Makefile
  head/lang/python37/distinfo
Comment 3 commit-hook freebsd_committer 2020-06-15 11:23:20 UTC
A commit references this bug:

Author: dbaio
Date: Mon Jun 15 11:22:39 UTC 2020
New revision: 538872
URL: https://svnweb.freebsd.org/changeset/ports/538872

Log:
  MFH: r536770 r536776 r538670

  Recompile _sysconfigdata.py after reinplacing it

  PR:		246618
  With hat:	portmgr

  Fix build with various python ABI

  With hat:	portmgr

  lang/python37: Fix security issues

  The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch
  and will be present on the next release.

  Patch for applying CVE-2020-8492 fix here in the ports tree was reported
  and submitted by Dani <i.dani@outlook.com>.

  PR:		246808
  X-MFH-with:	536770, 536776
  Security:	ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
  Security:	a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/lang/python37/Makefile
  branches/2020Q2/lang/python37/distinfo
  branches/2020Q2/lang/python38/Makefile