author | obache <obache@pkgsrc.org> | 2011-06-04 03:58:58 +0000 |
---|---|---|
committer | obache <obache@pkgsrc.org> | 2011-06-04 03:58:58 +0000 |
commit | 98ff2a47e3a0ea8eb985b77e65fe44838c486b1f (patch) | |
tree | 1c2c969b11b81fd983dcd6038e291b95ce401284 /lang/python26 | |
parent | db9dfe5370381b7dcd94dc65ee7dafefdf90dc74 (diff) | |
download | pkgsrc-98ff2a47e3a0ea8eb985b77e65fe44838c486b1f.tar.gz |
Update python26 to 2.6.7.
(CVE-2011-1521 had already been fixed in pkgsrc).
What's New in Python 2.6.7?
===========================
*Release date: 2011-06-03*
*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are
allowed. Python 2.6.7 and beyond will be source only releases.*
* No changes since 2.6.7rc2.
What's New in Python 2.6.7 rc 2?
================================
*Release date: 2011-05-20*
*NOTE: Python 2.6 is in security-fix-only mode. No non-security bug fixes are
allowed. Python 2.6.7 and beyond will be source only releases.*
Library
-------
- Issue #11662: Make urllib and urllib2 ignore redirections if the
scheme is not HTTP, HTTPS or FTP (CVE-2011-1521).
- Issue #11442: Add a charset parameter to the Content-type in SimpleHTTPServer
to avoid XSS attacks.
What's New in Python 2.6.7 rc 1?
================================
*Release date: 2011-05-06*
Library
-------
- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing
error handling when accepting a new connection.
Diffstat (limited to 'lang/python26')
-rw-r--r-- | lang/python26/Makefile | 3 | ||||
-rw-r--r-- | lang/python26/dist.mk | 4 | ||||
-rw-r--r-- | lang/python26/distinfo | 10 | ||||
-rw-r--r-- | lang/python26/patches/patch-ca | 29 | ||||
-rw-r--r-- | lang/python26/patches/patch-cb | 21 |
5 files changed, 7 insertions, 60 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile
index 8d6c20e7d1f..edd80bb91b5 100644
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.39 2011/05/15 10:06:11 hans Exp $
+# $NetBSD: Makefile,v 1.40 2011/06/04 03:58:58 obache Exp $
 .include "dist.mk"
 PKGNAME= python26-${PY_DISTVERSION}
-PKGREVISION= 9
 CATEGORIES= lang python
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python26/dist.mk b/lang/python26/dist.mk
index 7f27d140e6a..9b3d3359419 100644
--- a/lang/python26/dist.mk
+++ b/lang/python26/dist.mk
@@ -1,6 +1,6 @@
-# $NetBSD: dist.mk,v 1.1 2010/09/17 07:11:42 obache Exp $
+# $NetBSD: dist.mk,v 1.2 2011/06/04 03:58:58 obache Exp $
-PY_DISTVERSION= 2.6.6
+PY_DISTVERSION= 2.6.7
 DISTNAME= Python-${PY_DISTVERSION}
 EXTRACT_SUFX= .tar.bz2
 DISTINFO_FILE= ${.CURDIR}/../../lang/python26/distinfo
diff --git a/lang/python26/distinfo b/lang/python26/distinfo
index 050d5964c74..b014b62f308 100644
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.33 2011/03/28 16:00:06 drochner Exp $
+$NetBSD: distinfo,v 1.34 2011/06/04 03:58:58 obache Exp $
-SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
-RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
-Size (Python-2.6.6.tar.bz2) = 11080872 bytes
+SHA1 (Python-2.6.7.tar.bz2) = 5d35eb746e85fb3deaff8518448137c9b9fb6daa
+RMD160 (Python-2.6.7.tar.bz2) = 513e84a7cb76ca876e3803bb03ed558bd0378063
+Size (Python-2.6.7.tar.bz2) = 11084667 bytes
 SHA1 (patch-SA43463) = a0285ce9eb1d994bb05cd54812f3fc9cb678fe7f
 SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113
 SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5
@@ -20,5 +20,3 @@ SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e
 SHA1 (patch-ba) = 97dcf72d7380a2d257220669845c52a698165fcf
 SHA1 (patch-bb) = 6cdd94dd1e69630159194c7c153b6c4e46c81456
 SHA1 (patch-bc) = 09aaa254a54109026bb262a949b4006235df7858
-SHA1 (patch-ca) = aa0ad5a9dff1cd7c1c456aa6371733727ac1425b
-SHA1 (patch-cb) = f8fa30bb9aae0ef02c187d1d6db176bac731381e
diff --git a/lang/python26/patches/patch-ca b/lang/python26/patches/patch-ca
deleted file mode 100644
index 457474d629a..00000000000
--- a/lang/python26/patches/patch-ca
+++ /dev/null
@@ -1,29 +0,0 @@
-$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
-
-Issue #11662 (CVE-2011-1521)
-
---- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
-+++ Lib/urllib.py
-@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
- newurl = headers['uri']
- else:
- return
-- void = fp.read()
-- fp.close()
-+
- # In case the server sent a relative URL, join with original:
- newurl = basejoin(self.type + ":" + url, newurl)
-+
-+ # For security reasons we do not allow redirects to protocols
-+ # other than HTTP, HTTPS or FTP.
-+ newurl_lower = newurl.lower()
-+ if not (newurl_lower.startswith('http://') or
-+ newurl_lower.startswith('https://') or
-+ newurl_lower.startswith('ftp://')):
-+ return
-+
-+ void = fp.read()
-+ fp.close()
- return self.open(newurl)
-
- def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/lang/python26/patches/patch-cb b/lang/python26/patches/patch-cb
deleted file mode 100644
index 1af34378a99..00000000000
--- a/lang/python26/patches/patch-cb
+++ /dev/null
@@ -1,21 +0,0 @@
-$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
-
-Issue #11662 (CVE-2011-1521)
-
---- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
-+++ Lib/urllib2.py
-@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
-
- newurl = urlparse.urljoin(req.get_full_url(), newurl)
-
-+ # For security reasons we do not allow redirects to protocols
-+ # other than HTTP, HTTPS or FTP.
-+ newurl_lower = newurl.lower()
-+ if not (newurl_lower.startswith('http://') or
-+ newurl_lower.startswith('https://') or
-+ newurl_lower.startswith('ftp://')):
-+ return
-+
- # XXX Probably want to forget about the state of the current
- # request, although that might interact poorly with other
- # handlers that also use handler-specific request attributes |