[security-announce] Security Update: Python: upgrade 2.7.11 -> 2.7.1

Sona Sarmadi sona.sarmadi at enea.com
Wed Apr 5 13:26:22 CEST 2017



Enea Linux Security Advisory

==============================================================
Product/package: Enea Linux 6.0: python (upgrade from 2.7.11 to 2.7.12)
Severity: Medium
Architecture: all
CVE name: CVE-2016-5636: Heap overflow in zipimporter module
==============================================================

The Python package in Enea Linux 6.0 has been upgraded from 2.7.11 to 2.7.12.
Python 2.7.12 is a bugfix release in the Python 2.7.x series.


What's New in Python 2.7.12 release?
====================================

- Issue #26171 (CVE-2016-5636): Fix possible integer overflow and heap
  corruption in zipimporter.get_data().

- Issue #20041: Fixed TypeError when frame.f_trace is set to None.
  Patch by Xavier de Gaye.

- Issue #25702: A --with-lto configure option has been added that will
  enable link time optimizations at build time.

- Issue #26168: Fixed possible refleaks in failing Py_BuildValue()
  with the "N" format unit.

- Issue #27039: Fixed bytearray.remove() for values greater than 127.
  Patch by Joe Jevnik.

- Issue #4806: Avoid masking the original TypeError exception when
  using star (*) unpacking and the exception was raised from a
  generator. Based on patch by Hagen Fürstenau.

- Issue #26659: Make the builtin slice type support cycle collection.

- Issue #26718: super.__init__ no longer leaks memory if called
  multiple times. NOTE: A direct call of super.__init__ is not endorsed!

- Issue #13410: Fixed a bug in PyUnicode_Format where it failed to
  properly ignore errors from a __int__() method.

- Issue #26494: Fixed crash on iterating exhausting iterators.
  Affected classes are generic sequence iterators, iterators of bytearray,
  list, tuple, set, frozenset, dict, OrderedDict and corresponding views.

- Issue #26581: If a coding cookie is specified multiple times on a line
  in a Python source code file, only the first one is taken into account.

- Issue #22836: Ensure exception reports from PyErr_Display() and
  PyErr_WriteUnraisable() are sensible even when formatting them produces
  secondary errors.

- Issue #22847: Improve method cache efficiency.

- Issue #25843: When compiling code, don't merge constants if they are
  equal but have different types.

- Issue #22995: [UPDATE] Remove one of the pickleability tests in
  _PyObject_GetState() due to regressions observed in Cython-based projects.

- Issue #25961: Disallowed null characters in the type name.

- Issue #22995: Instances of extension types with a state that aren't
  subclasses of list or dict and haven't implemented any pickle-related
  methods (__reduce__, __reduce_ex__, __getnewargs__, __getnewargs_ex__,
  or __getstate__) can no longer be pickled. This includes memoryview.

- Issue #20440: Massive replacement of unsafe attribute-setting code with
  the special macro Py_SETREF.

- Issue #25421: __sizeof__ methods of builtin types now use dynamic
  basic size. This allows sys.getsizeof() to work correctly with their
  subclasses with __slots__ defined.

- Issue #19543: Added Py3k warning for decoding unicode.

- Issue #24097: Fixed crash in object.__reduce__() if slot name is
  freed inside __getattr__.

- Issue #24731: Fixed crash on converting objects with special methods
  __str__, __trunc__, and __float__ returning instances of subclasses of
  str, long, and float to subclasses of str, long, and float
  correspondingly.

- Issue #26478: Fix semantic bugs when using binary operators with
  dictionary views and tuples.
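To illustrate the bug class named in the CVE-2016-5636 entry above, here is an added C example that is not CPython's zipimport code: a hypothetical member-size computation in its unchecked and hardened forms, assuming a "size field plus one byte for compressed members" rule and an in-memory archive image as input.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class behind CVE-2016-5636 (an
 * untrusted archive size field used to size a heap buffer). Not CPython's
 * zipimport.c; the "data_size + 1 for compressed members" rule is assumed. */

/* Unchecked sizing ("before"): a 4-byte size field sign-extended into a long
 * can be -1, so the buffer size becomes 0 while a following read of
 * (size_t)data_size bytes still runs and corrupts the heap. */
long unchecked_buffer_size(long data_size, int compressed)
{
    return compressed ? data_size + 1 : data_size;
}

/* Hardened sizing: reject negative values and values where +1 overflows.
 * Returns 0 and stores the size in *out, or -1 if the field is invalid. */
int checked_buffer_size(long data_size, int compressed, size_t *out)
{
    if (data_size < 0)
        return -1;
    if (compressed && data_size > LONG_MAX - 1)
        return -1;
    *out = (size_t)data_size + (compressed ? 1 : 0);
    return 0;
}

/* Copy one member's bytes out of an in-memory archive image into a buffer of
 * validated size. Returns a malloc'd buffer (caller frees) or NULL when the
 * header is invalid or the image is shorter than the header claims. */
unsigned char *read_member_data(const unsigned char *image, size_t image_len,
                                size_t offset, long data_size, int compressed,
                                size_t *out_len)
{
    size_t need;
    if (checked_buffer_size(data_size, compressed, &need) != 0)
        return NULL;
    /* Overflow-safe bounds check: never compute offset + data_size. */
    if (offset > image_len || (size_t)data_size > image_len - offset)
        return NULL;
    unsigned char *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, image + offset, (size_t)data_size);
    if (compressed)
        buf[data_size] = 0;  /* the extra byte the +1 reserved */
    *out_len = need;
    return buf;
}
```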

For detailed info please see
https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636

Reference to the Enea Linux fix:
https://git.enea.com/cgit/linux/poky.git/patch/?id=dd5a3c0c80ac35b30b61296507bf5d3bd3a609d2

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches:

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do it as described
below (security patches are fetched implicitly when cloning the repos).

Use the repo tool to download the source for Enea Linux 6.0 standard by
following the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init -u git://git.enea.com/linux/el_manifests-standard.git \
    -b krogoth -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For general security information refer to the Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
