[Bug 242463] devel/mercurial: Update to 5.4
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242463

Peter Wullinger changed:

What               | Removed | Added
Attachment #210516 | 0       | 1
is obsolete        |         |

--- Comment #40 from Peter Wullinger ---
Created attachment 215296
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=215296&action=edit
update to mercurial 5.4.1, bring bang setup.py autoplist fix, add extension compat message

Next attempt to bring my last patch up to date

- update to mercurial 5.4.1
- bring back setup.py get_outputs() workaround
- drop USES=python:2.7
- use PKGNAMESUFFIX=
- add SHEBANG_REGEX= so that hgweb.cgi gets updated properly
- add install message wrt. extension compat

--
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
___
freebsd-python@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-python
To unsubscribe, send any mail to "freebsd-python-unsubscr...@freebsd.org"
[Bug 246984] lang/python36,37: Fix CVE-2020-8492
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Kubilay Kocak changed:

What     | Removed                                         | Added
Priority | ---                                             | Normal
Summary  | lang/python36,37: Fix CVE-2020-8492 [PATCH]     | lang/python36,37: Fix CVE-2020-8492
URL      |                                                 | https://bugs.python.org/issue39503
Keywords |                                                 | needs-qa, security
Status   | New                                             | Open
Flags    | maintainer-feedback?(ports-sect...@freebsd.org) | merge-quarterly?

--- Comment #3 from Kubilay Kocak ---
Thank you for the report and patches Dani

Do any of the upstream 3.6 / 3.7 / head patches apply cleanly to the 3.5 port?
[Bug 246984] lang/python36,37: Fix CVE-2020-8492
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Danilo G. Baio changed:

What | Removed | Added
CC   |         | db...@freebsd.org

--- Comment #4 from Danilo G. Baio ---
Hi.

Taking a look at this PR I noticed we have issues in CVE-2019-18348 as well.
And vuxml is currently wrong in both CVEs.

Simple table to explain:

---
2.7: 2.7.18          April 20, 2020  CVE-2019-18348 OK / CVE-2020-8492 OK
3.5: 3.5.9           Nov. 2, 2019    CVE-2019-18348 MS / CVE-2020-8492 MS
3.6: 3.6.9 (3.6.10)  July 2, 2019    CVE-2019-18348 NR / CVE-2020-8492 NR
3.7: 3.7.7           March 10, 2020  CVE-2019-18348 NR / CVE-2020-8492 NR
3.8: 3.8.3           May 13, 2020    CVE-2019-18348 OK / CVE-2020-8492 OK

MS - Missing commit in upstream branch (PR open)
NR - Next Release, commit is in the branch
---

So we have to patch Python 3.7, update Python 3.6 to 3.6.10+patch and patch Python 3.5 for both CVEs.

And fix vuxml ASAP:

CVE-2019-18348, needs to add 3.5, 3.6 and 3.7 packages, they are all affected at this moment.
CVE-2020-8492, 3.7, needs to update the range, it's informing that 3.7.7 is not affected.

There is a misunderstanding about CVE-2020-8492, in the CVE text it says "3.7 through 3.7.6", but they applied the fix after 3.7.7 and it's on the branch waiting next release.

https://python-security.readthedocs.io/vuln/urlopen-host-http-header-injection.html (CVE-2019-18348)
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html (CVE-2020-8492)

3.5 - https://github.com/python/cpython/pull/19300 (CVE-2019-18348) PR open
3.5 - https://github.com/python/cpython/pull/19305 (CVE-2020-8492) PR open

Both patches for 3.5 applied cleanly, but the PRs are still open, should we test it and already add to the ports tree?

So in addition to Dani's patch, we need to also address CVE-2019-18348, I think we can do this together.
[Bug 246984] lang/python36,37: Fix CVE-2020-8492
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

--- Comment #5 from Danilo G. Baio ---
Created attachment 215304
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=215304&action=edit
python-CVE-2019-18348_CVE-2020-8492.patch

Patch for review.

Needs to decide if we will push Python 3.5 patches here, with the pending PRs.

Could we ask for an exp-run and decide it later?
[Bug 246984] lang/python36,37: Fix CVE-2020-8492
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

--- Comment #6 from commit-h...@freebsd.org ---
A commit references this bug:

Author: dbaio
Date: Sun Jun 7 02:20:41 UTC 2020
New revision: 538142
URL: https://svnweb.freebsd.org/changeset/ports/538142

Log:
  security/vuxml: Update CVE-2019-18348 and CVE-2020-8492 entries

  CVE-2019-18348: Add missing Python packages range
  CVE-2020-8492: Fix Python 3.7 entry, it's currently affected.

  After committing fixes, we'll need to change ranges again.

  PR: 246984

Changes:
  head/security/vuxml/vuln.xml
[Bug 246984] lang/python36,37: Fix CVE-2020-8492
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Kubilay Kocak changed:

What     | Removed | Added
See Also |         | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246738
[Bug 246738] lang/python36: Update to 3.6.11
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246738

Kubilay Kocak changed:

What     | Removed | Added
See Also |         | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984
[Bug 246984] lang/python: Fix CVE-2020-8492, CVE-2019-18348
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Danilo G. Baio changed:

What     | Removed                             | Added
See Also |                                     | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246808
Summary  | lang/python36,37: Fix CVE-2020-8492 | lang/python: Fix CVE-2020-8492, CVE-2019-18348
[Bug 246808] lang/python36: Update to 3.6.10 (and backport security fixes)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246808

Danilo G. Baio changed:

What     | Removed | Added
See Also |         | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984