Bug#1052222: bullseye-pu: package python2.7/2.7.18-8+deb11u1

Helmut Grohne

Sep 19, 2023, 4:40:06 AM
Package: release.debian.org
Tags: bullseye
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pyth...@packages.debian.org,debian-...@lists.debian.org,do...@debian.org
Control: affects -1 + src:python2.7

Hi release team, security team and Matthias (python maintainer),

I know that officially, we do not consider Python 2.7 covered by
security support. In bullseye, it has merely been kept to support a
small minority of applications that would otherwise have been removed.
Freexian SARL has an interest in updating it anyway. I am therefore
proposing a PU that fixes known security issues in Python 2.7. Do you
think we can accept this into bullseye? I recognize that such an update
could be seen as a promise of support. Therefore, I've Cc'ed the
security team to have them veto if desired. In effect, Freexian
currently makes this promise to customers and will continue to update
security issues in Python 2.7 as it enters LTS. So we might as well do
it now already.

[ Reason ]

The reason to update this package is two-fold. For one thing, I fix
autopkgtests and for another, I fix seven known vulnerabilities with
CVEs.

[ Impact ]

Users should not be using Python 2.7 in relevant contexts. In reality,
they do this anyway and thus remain vulnerable unless this is applied.
Much of what is being fixed here affects URL parsing or network
services.

[ Tests ]

I have fixed autopkgtests in the process of preparing the update. When
backporting patches for CVEs, I have also backported relevant patches.
Those are being run as part of autopkgtests.

[ Risks ]

The biggest risk of this change arises from the URL handling changes.
The API of functions is extended to accept new arguments for customizing
behaviour. The semantics of URL parsing changes a bit and might break
abnormal uses (which are the ones that are potentially vulnerable).
However, these changes have been applied to Python 3.x already.

For the heapq change, I initially observed segmentation faults on
naively applying the patches. All tests pass now and I have carefully
reviewed the reference count changes and their effects in the
surrounding code.

The remaining changes bear a lower risk of negatively affecting users.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]

* Add testsuite-fix-with-expat.diff: Fix autopkgtests with updated
expat.
* Fix issue9189.diff: Update test suite to match behaviour change.
* Add CVE-2021-23336.diff: Only use '&' as query string separator.
* Add CVE-2022-0391.diff: Make urlsplit robust against newlines.
* Add CVE-2022-48560.diff: Fix use-after-free in heapq module.
* Add CVE-2022-48565.diff: Reject entities declarations while parsing
XML plists.
* Add CVE-2022-48566.diff: Make constant time comparison more
constant-time.
* Add CVE-2023-24329.diff: More WHATWG-compatible URL parsing.
* Add CVE-2023-40217.diff: Prevent reading unauthenticated data on a
SSLSocket.

[ Other info ]

I am also applying a similar update for buster (and Freexian's jessie
and stretch suites).

Helmut
python2.7_2.7.18-8+deb11u1.debdiff
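The [ Risks ] section above warns that the URL-handling backports change parsing semantics and add new arguments, and that "abnormal" inputs are the ones whose meaning shifts. The following is an added example, not code from the bug report, from the Debian patches or from upstream Python: it is written for Python 3 (so it runs today rather than on 2.7) and re-implements the three behaviour changes as small helpers so a reviewer can audit which inputs an existing application would now parse differently. The function names (`parse_query`, `normalise_url`, `split_url`, `audit_url`) and the sample inputs are this example's own; the `separator` keyword is assumed to be the new argument the [ Risks ] section refers to, matching the upstream Python 3 fix.

```python
"""Compatibility check for the URL-parsing changes backported in this update.

Added example written for Python 3; not part of the Debian python2.7 package.

CVE-2021-23336: parse_qs/parse_qsl split fields only on '&' (';' no longer
starts a new field) and accept a `separator` keyword for callers that need
the old behaviour.
CVE-2022-0391:  urlsplit removes ASCII tab, CR and LF from anywhere in the URL.
CVE-2023-24329: urlsplit strips leading C0 control characters and spaces, as
the WHATWG URL standard (and therefore browsers and proxies) do.
"""
from __future__ import annotations

from urllib.parse import unquote_plus, urlsplit

# Characters the CVE-2022-0391 fix removes from anywhere in a URL before parsing.
UNSAFE_URL_CHARS = "\t\r\n"
# Characters the CVE-2023-24329 fix strips from the *start* of a URL: the C0
# control range U+0000..U+001F plus space (0x20).
WHATWG_C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))


def parse_query(qs: str, separator: str = "&") -> list[tuple[str, str]]:
    """Split a query string into (name, value) pairs using *only* `separator`.

    Python 2.7.18's parse_qsl split on both '&' and ';'. After the fix only
    `separator` (default '&') delimits fields, so "a=1;b=2" is a single field
    named "a". Code that relied on ';' must now pass separator=";" explicitly,
    which is the "abnormal use" the bug report expects might break.
    """
    pairs: list[tuple[str, str]] = []
    for field in qs.split(separator):
        if not field:
            continue  # tolerate empty fields such as "a=1&&b=2"
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def normalise_url(url: str) -> str:
    """Apply the same pre-processing the fixed urlsplit performs."""
    url = url.lstrip(WHATWG_C0_CONTROL_OR_SPACE)   # CVE-2023-24329
    for ch in UNSAFE_URL_CHARS:                    # CVE-2022-0391
        url = url.replace(ch, "")
    return url


def split_url(url: str) -> dict[str, str]:
    """urlsplit() of the normalised URL, returned as a plain dict."""
    parts = urlsplit(normalise_url(url))
    return {"scheme": parts.scheme, "netloc": parts.netloc,
            "path": parts.path, "query": parts.query}


def audit_url(url: str) -> list[str]:
    """Name the fixes that alter this URL; an empty list means it is unaffected.

    Any URL reported here is one the old parser and a WHATWG-style parser would
    have disagreed about, e.g. in a host allow-list check.
    """
    findings = []
    if url != url.lstrip(WHATWG_C0_CONTROL_OR_SPACE):
        findings.append("CVE-2023-24329: leading control/space stripped")
    if any(ch in url for ch in UNSAFE_URL_CHARS):
        findings.append("CVE-2022-0391: embedded tab/CR/LF removed")
    return findings


# Constructed sample inputs for the demo; none are taken from the bug report.
SAMPLE_QUERIES = ["a=1;b=2", "a=1&&b=2", "x=%20y+z"]
SAMPLE_URLS = ["http://example.com/",
               " http://example.com/p\nath?q=1",
               "\x01http://example.com"]

if __name__ == "__main__":
    for qs in SAMPLE_QUERIES:
        print(f"{qs!r:14} -> {parse_query(qs)}   "
              f"(with separator=';': {parse_query(qs, ';')})")
    for url in SAMPLE_URLS:
        print(f"{url!r:36} -> {split_url(url)}   {audit_url(url)}")
```

Running `audit_url` over the URLs an application actually receives (from access logs, for instance) is a quick way to estimate how much the semantic change matters before deploying the update: an empty result for every input means the backport is behaviour-neutral for that service.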