From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 246984] lang/python* Fix CVE-2020-8492, CVE-2019-18348
Date: Wed, 10 Jun 2020 12:37:22 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

--- Comment #14 from Danilo G. Baio ---
Thanks Dani for the explanations.

Thinking in separate commits because we have an update in the middle (Python
3.6) and Python 3.5 fixes are awaiting review from Python Core.
If something happens, it will be easy to revert.

koobs@ as I know you like to organize commits, here it goes, any changes are
welcome.

-------------------------------------------------------------------------------
lang/python35: Fix security issues

There are no plans for a next release of Python 3.5.

PR:             246984
Security:       ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
Security:       a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)
MFH:            2020Q2
Obtained from:  https://github.com/python/cpython/pull/19300
                https://github.com/python/cpython/pull/19305.
-------------------------------------------------------------------------------
lang/python36: Update to 3.6.10, Fix security issues

The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.6 branch and
will be present on the next release.

Patch for applying CVE-2020-8492 fix here in the ports tree was reported and
submitted by Mike Fisher and Dani.

PR:             246984
Security:       ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
Security:       a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)
MFH:            2020Q2
-------------------------------------------------------------------------------
lang/python37: Fix security issues

The patches for CVE-2019-18348 and CVE-2020-8492 are in the 3.7 branch and
will be present on the next release.

Patch for applying CVE-2020-8492 fix here in the ports tree was reported and
submitted by Dani.

PR:             246808
Security:       ca595a25-91d8-11ea-b470-080027846a02 (CVE-2019-18348)
Security:       a27b0bb6-84fc-11ea-b5b4-641c67a117d8 (CVE-2020-8492)
MFH:            2020Q2
X-MFH-with:     536776
-------------------------------------------------------------------------------

About https://github.com/python/cpython/pull/19300 and
https://github.com/python/cpython/pull/19305.
I subscribed to those PRs and will be watching for any changes.

After commits, vuxml will be updated.