Debian Package Tracker

general

source: python2.7 (main)
version: 2.7.17-1
maintainer: Matthias Klose (DMD)
arch: all any
std-ver: 4.4.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.7.9-2+deb8u1
o-o-sec: 2.7.9-2+deb8u5
oldstable: 2.7.13-2+deb9u3
old-sec: 2.7.13-2+deb9u3
stable: 2.7.16-2+deb10u1
testing: 2.7.17-1
unstable: 2.7.17-1

versioned links

2.7.9-2+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.9-2+deb8u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.13-2+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.16-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.17-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

idle-python2.7 (2 bugs: 0, 1, 1, 0)
libpython2.7 (2 bugs: 0, 2, 0, 0)
libpython2.7-dbg (1 bugs: 0, 1, 0, 0)
libpython2.7-dev (1 bugs: 0, 1, 0, 0)
libpython2.7-minimal
libpython2.7-stdlib (3 bugs: 0, 3, 0, 0)
libpython2.7-testsuite
python2.7 (23 bugs: 0, 18, 5, 0)
python2.7-dbg
python2.7-dev (3 bugs: 0, 3, 0, 0)
python2.7-doc
python2.7-examples (3 bugs: 0, 0, 3, 0)
python2.7-minimal (1 bugs: 0, 1, 0, 0)

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:19:21
Last run: 2020-01-25 09:40:32 UTC
Previous status: pass

testing: pass (log)
The tests ran in 0:21:28
Last run: 2020-02-11 06:43:10 UTC
Previous status: pass

stable: fail (log)
The tests ran in 0:16:34
Last run: 2019-06-30 22:45:32 UTC
Previous status: fail

Created: 2019-10-06 Last update: 2020-02-18 05:08

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Please fix it.

Created: 2020-01-30 Last update: 2020-02-15 00:37

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Please fix it.

Created: 2020-01-30 Last update: 2020-02-15 00:37

AppStream hints: 1 error high

AppStream found metadata issues for packages:

idle-python2.7: 1 error

You should get rid of them to provide more metadata about this software.

Created: 2018-11-29 Last update: 2018-11-29 10:00

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-03-21 Last update: 2020-02-18 05:02

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-11 Last update: 2020-02-18 02:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.7.17-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 404828976b61cb2897cb3fa318c34bf36701b953
Author: Matthias Klose <doko@ubuntu.com>
Date:   Thu Jan 23 10:44:51 2020 +0100

      * Make autopkgtests cross-test-friendly (Steve Langasek).

Created: 2019-10-10 Last update: 2020-02-13 23:04

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Please fix it.

Created: 2020-01-30 Last update: 2020-02-15 00:37

2 ignored security issues in jessie low

There are 2 open security issues in jessie.

2 issues skipped by the security teams:

CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2019-16935: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Please fix them.

Created: 2019-09-28 Last update: 2020-02-15 00:37

9 ignored security issues in stretch low

There are 9 open security issues in stretch.

9 issues skipped by the security teams:

CVE-2019-9947: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
CVE-2019-9948: urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-9740: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
CVE-2019-5010: An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
CVE-2019-9636: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
CVE-2020-8492: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2019-16935: The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVE-2019-16056: An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

Please fix them.

Created: 2019-01-16 Last update: 2020-02-15 00:37

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2019-02-18 Last update: 2019-02-18 23:47

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.4.1).

Created: 2020-01-21 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-11-09] Accepted python2.7 2.7.16-2+deb10u1 (source all amd64) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)
[2019-10-22] python2.7 2.7.17-1 MIGRATED to testing (Debian testing watch)
[2019-10-20] Accepted python2.7 2.7.17-1 (source) into unstable (Matthias Klose)
[2019-10-12] python2.7 2.7.17~rc1-1 MIGRATED to testing (Debian testing watch)
[2019-10-10] Accepted python2.7 2.7.17~rc1-1 (source) into unstable (Matthias Klose)
[2019-09-16] Accepted python2.7 2.7.9-2+deb8u5 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2019-09-08] python2.7 2.7.16-4 MIGRATED to testing (Debian testing watch)
[2019-09-04] Accepted python2.7 2.7.16-4 (source) into unstable (Matthias Klose)
[2019-08-31] Accepted python2.7 2.7.9-2+deb8u4 (source all amd64) into oldoldstable (Thorsten Alteholz)
[2019-07-23] python2.7 2.7.16-3 MIGRATED to testing (Debian testing watch)
[2019-07-08] Accepted python2.7 2.7.16-3 (source) into unstable (Matthias Klose)
[2019-06-25] Accepted python2.7 2.7.9-2+deb8u3 (source all amd64) into oldstable (Roberto C. Sanchez)
[2019-04-11] python2.7 2.7.16-2 MIGRATED to testing (Debian testing watch)
[2019-04-06] Accepted python2.7 2.7.16-2 (source) into unstable (Matthias Klose)
[2019-04-05] python2.7 2.7.16-1 MIGRATED to testing (Debian testing watch)
[2019-03-04] Accepted python2.7 2.7.16-1 (source) into unstable (Matthias Klose)
[2019-02-28] python2.7 2.7.16~rc1-1 MIGRATED to testing (Debian testing watch)
[2019-02-18] Accepted python2.7 2.7.16~rc1-1 (source) into unstable (Matthias Klose)
[2019-02-16] Accepted python2.7 2.7.15-9 (source) into unstable (Matthias Klose)
[2019-02-05] python2.7 2.7.15-8 MIGRATED to testing (Debian testing watch)
[2019-02-03] Accepted python2.7 2.7.15-8 (source) into unstable (Matthias Klose)
[2019-02-03] Accepted python2.7 2.7.15-7 (source) into unstable (Matthias Klose)
[2019-02-01] Accepted python2.7 2.7.15-6 (source) into unstable (Matthias Klose)
[2018-12-01] python2.7 2.7.15-5 MIGRATED to testing (Debian testing watch)
[2018-11-28] Accepted python2.7 2.7.15-5 (source) into unstable (Matthias Klose)
[2018-10-02] Accepted python2.7 2.7.13-2+deb9u3 (source all amd64) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)
[2018-09-27] Accepted python2.7 2.7.13-2+deb9u3 (source all amd64) into stable->embargoed, stable (Moritz Mühlenhoff)
[2018-09-25] Accepted python2.7 2.7.9-2+deb8u2 (source all amd64) into oldstable (Antoine Beaupré)
[2018-09-02] python2.7 2.7.15-4 MIGRATED to testing (Debian testing watch)
[2018-08-31] Accepted python2.7 2.7.15-4 (source) into unstable (Matthias Klose)

bugs [bug history graph]

all: 0
help: 1

links

buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci