python2-2.7.18

[Douglas R. Reno]

New point version

The final release of python2... ever!

[thomas]

What's New in Python 2.7.18 final? ==================================

*Release date: 2020-04-19*

There were no new changes in version 2.7.18.

What's New in Python 2.7.18 release candidate 1? ================================================

*Release date: 2020-04-04*

Security

---

• bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.

• bpo-38804: Fixes a ReDoS vulnerability in :mod:http.cookiejar. Patch by Ben Caller.

Core and Builtins

---

• bpo-38535: Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators.

Library

---

• bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

• bpo-27973: Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host.

Build

---

• bpo-38730: Fix problems identified by GCC's -Wstringop-truncation warning.

Windows

---

• bpo-37025: AddRefActCtx() was needlessly being checked for failure in PC/dl_nt.c.

macOS

---

• bpo-38295: Prevent failure of test_relative_path in test_py_compile on macOS Catalina.

C API

---

• bpo-38540: Fixed possible leak in :c:func:`PyArg_Parse` and similar functions for format units "es#" and "et#" when the macro :c:macro:`PY_SSIZE_T_CLEAN` is not defined.

[thomas]

Fixed in r23016

[Douglas R. Reno]

Retroactively promote to High for CVE-2020-18348.

[Douglas R. Reno]

Note that this vulnerability isn't exploitable on an LFS system above 8.4. The security vulnerability that allows this to occur, CVE-2016-10379 in glibc, was fixed in glibc-2.29.

[Bruce Dubbs]

Milestone renamed

[Bruce Dubbs]

Milestone renamed