File _patchinfo of Package patchinfo.727
<patchinfo incident="727">
<issue id="898572" tracker="bnc">CVE-2014-7185: python: potential buffer overflow</issue>
<issue id="901715" tracker="bnc">python: Disable SSLv2 in Python by default</issue>
<issue id="924312" tracker="bnc">Tracker Bug FATE#318300: [ECO] Update Python to 2.7.9</issue>
<issue id="935856" tracker="bnc"></issue>
<issue id="318300" tracker="fate">Update Python to 2.7.9</issue>
<issue id="CVE-2014-7185" tracker="cve" />
<issue id="CVE-2013-1752" tracker="cve" />
<issue id="CVE-2014-4650" tracker="cve" />
<issue id="CVE-2013-1753" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>matejcik</packager>
<description>This update to python 2.7.9 fixes the following issues:
* python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for aarch64
From the version update to 2.7.9:
* contains full backport of ssl module from Python 3.4 (PEP466)
* HTTPS certificate validation enabled by default (PEP476)
* SSLv3 disabled by default (bnc#901715)
* backported ensurepip module (PEP477)
* fixes several missing CVEs from last release: CVE-2013-1752, CVE-2013-1753
* dropped upstreamed patches: python-2.7.6-poplib.patch,
  smtplib_maxline-2.7.patch, xmlrpc_gzip_27.patch
* dropped patch python-2.7.3-ssl_ca_path.patch because we don't need it
  with ssl module from Python 3
* libffi was upgraded upstream, seems to contain our changes,
  so dropping libffi-ppc64le.diff as well
* python-2.7-urllib2-localnet-ssl.patch - properly remove unconditional
  "import ssl" from test_urllib2_localnet that caused it to fail without ssl
* skip test_thread in qemu_linux_user mode
From the version update to 2.7.8:
* fixes CVE-2014-4650 directory traversal in CGIHTTPServer
* fixes CVE-2014-7185 (bnc#898572) potential buffer overflow in buffer()
Also, the DH parameters were increased to 2048 bits to fix the Logjam security issue (bsc#935856).
</description>
<summary>Security update for python</summary>
</patchinfo>