UbuntuUpdates.org

Package "libpython2.7"

Name: libpython2.7

Description:

Shared Python runtime library (version 2.7)

Latest version: 2.7.3-0ubuntu3.19
Release: precise (12.04)
Level: updates
Repository: main
Head package: python2.7

Links


Download "libpython2.7"


Other versions of "libpython2.7" in Precise

Repository Area Version
base main 2.7.3-0ubuntu3
security main 2.7.3-0ubuntu3.19

Changelog

Version: 2.7.3-0ubuntu3.19 2021-05-03 16:06:19 UTC

  python2.7 (2.7.3-0ubuntu3.19) precise-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection
      in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 06 Oct 2020 09:11:11 -0300

Source diff to previous version
CVE-2020-26116 http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker contro

Version: 2.7.3-0ubuntu3.9 2016-11-22 20:06:44 UTC

  python2.7 (2.7.3-0ubuntu3.9) precise-security; urgency=medium

  * SECURITY UPDATE: StartTLS stripping attack
    - debian/patches/CVE-2016-0772.patch: raise an error when
      STARTTLS fails in Lib/smtplib.py.
    - CVE-2016-0772
  * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
    scripts (aka HTTPOXY attack)
    - debian/patches/CVE-2016-1000110-pre.patch: prefer lower_case
      proxy environment variables over UPPER_CASE or Mixed_Case ones.
    - debian/patches/CVE-2016-1000110.patch: if running as CGI
      script, forget HTTP_PROXY in Lib/urllib.py, add test to
      Lib/test/test_urllib.py, add documentation.
    - CVE-2016-1000110
  * SECURITY UPDATE: Integer overflow when handling zipfiles
    - debian/patches/CVE-2016-5636-pre.patch: check for negative size in
      Modules/zipimport.c
    - debian/patches/CVE-2016-5636.patch: check for too large value in
      Modules/zipimport.c
    - CVE-2016-5636
  * SECURITY UPDATE: CRLF injection vulnerability in the
    HTTPConnection.putheader
    - debian/patches/CVE-2016-5699.patch: disallow newlines in
      putheader() arguments when not followed by spaces or tabs in
      Lib/httplib.py, add tests in Lib/test/test_httplib.py
    - CVE-2016-5699

 -- Steve Beattie <email address hidden> Tue, 25 Oct 2016 15:38:47 -0700

Source diff to previous version
CVE-2016-0772 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, whi
CVE-2016-1000 Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.
CVE-2016-5636 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remot
CVE-2016-5699 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.

Version: 2.7.3-0ubuntu3.8 2015-06-25 14:06:16 UTC

  python2.7 (2.7.3-0ubuntu3.8) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in multiple servers
    - debian/patches/CVE-2013-1752-ftplib.patch: limit amount of data read
      in Lib/ftplib.py, added test to Lib/test/test_ftplib.py.
    - debian/patches/CVE-2013-1752-httplib-1.patch: limit long lines in
      Lib/httplib.py.
    - debian/patches/CVE-2013-1752-httplib-2.patch: limit amount of headers
      in Lib/httplib.py, added test to Lib/test/test_httplib.py.
    - debian/patches/CVE-2013-1752-imaplib-1.patch: limit line length in
      Lib/imaplib.py, added test to Lib/test/test_imaplib.py.
    - debian/patches/CVE-2013-1752-imaplib-2.patch: disable broken test in
      Lib/test/test_imaplib.py.
    - debian/patches/CVE-2013-1752-nntplib.patch: limit line length in
      Lib/nntplib.py, added test to Lib/test/test_nntplib.py.
    - debian/patches/CVE-2013-1752-poplib.patch: limit maximum line length
      in Lib/poplib.py, added test to Lib/test/test_poplib.py.
    - debian/patches/CVE-2013-1752-smtplib.patch: limit amount read from
      the network in Lib/smtplib.py, added test to
      Lib/test/test_smtplib.py.
    - CVE-2013-1752
  * SECURITY UPDATE: denial of service via xmlrpc gzip-compressed
    HTTP bodies
    - debian/patches/CVE-2013-1753.patch: add default limit in
      Lib/xmlrpclib.py, added test to Lib/test/test_xmlrpc.py.
    - CVE-2013-1753
  * SECURITY UPDATE: arbitrary memory read via idx argument
    - debian/patches/CVE-2014-4616.patch: reject negative idx values in
      Modules/_json.c, added test to Lib/json/tests/test_decode.py.
    - CVE-2014-4616
  * SECURITY UPDATE: code execution or file disclosure via CGIHTTPServer
    - debian/patches/CVE-2014-4650.patch: url unquote path in
      Lib/CGIHTTPServer.py, added test to Lib/test/test_httpservers.py.
    - CVE-2014-4650
  * SECURITY UPDATE: information disclosure via buffer function
    - debian/patches/CVE-2014-7185.patch: avoid overflow in
      Objects/bufferobject.c, added test to Lib/test/test_buffer.py.
    - CVE-2014-7185

 -- Marc Deslauriers <email address hidden> Mon, 22 Jun 2015 10:55:41 -0400

Source diff to previous version
CVE-2014-4616 arbitrary process memory read
CVE-2014-7185 Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via

Version: 2.7.3-0ubuntu3.6 2015-01-05 19:06:37 UTC

  python2.7 (2.7.3-0ubuntu3.6) precise-proposed; urgency=medium

  * Ensure failed connections to /dev/log are full closed, preventing
    infinite loop on logging applications due to socket state (LP: #1081022):
    - d/p/syslog.diff: Cherry picked fix from upstream bugtracker.
 -- James Page <email address hidden> Thu, 18 Dec 2014 12:05:28 +0000

Source diff to previous version
1081022 logging.SysLogHandler doesn't close UNIX socket when connection failed

Version: 2.7.3-0ubuntu3.5 2014-03-03 19:06:50 UTC

  python2.7 (2.7.3-0ubuntu3.5) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in socket.recvfrom_into
    - debian/patches/CVE-2014-1912.diff: check buffer length in
      Modules/socketmodule.c, added tests to Lib/test/test_socket.py.
    - CVE-2014-1912
 -- Marc Deslauriers <email address hidden> Thu, 27 Feb 2014 09:17:26 -0500

CVE-2014-1912 buffer overflow in socket.recvfrom_into



About   -   Send Feedback to @ubuntu_updates