Date: Tue, 29 Jun 2021 12:37:48 +0000
From: "Adam Ciarcinski"
Subject: CVS commit: pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
Message-Id: <20210629123748.18380FA95@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jun 29 12:37:47 UTC 2021

Modified Files:
        pkgsrc/lang/py36-html-docs: Makefile distinfo
        pkgsrc/lang/python36: dist.mk distinfo

Log Message:
python36: updated to 3.6.14

Python 3.6.14 final

Security

bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler.
The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/py36-html-docs/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/py36-html-docs/distinfo
cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/python36/dist.mk
cvs rdiff -u -r1.35 -r1.36 pkgsrc/lang/python36/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: pkgsrc/lang/py36-html-docs/Makefile diff -u pkgsrc/lang/py36-html-docs/Makefile:1.14 pkgsrc/lang/py36-html-docs/Makefile:1.15 --- pkgsrc/lang/py36-html-docs/Makefile:1.14 Tue Feb 16 19:39:53 2021 +++ pkgsrc/lang/py36-html-docs/Makefile Tue Jun 29 12:37:47 2021 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.14 2021/02/16 19:39:53 adam Exp $ +# $NetBSD: Makefile,v 1.15 2021/06/29 12:37:47 adam Exp $ -VERS= 3.6.13 +VERS= 3.6.14 DISTNAME= python-${VERS}-docs-html PKGNAME= py36-html-docs-${VERS} CATEGORIES= lang python Index: pkgsrc/lang/py36-html-docs/distinfo diff -u pkgsrc/lang/py36-html-docs/distinfo:1.13 pkgsrc/lang/py36-html-docs/distinfo:1.14 --- pkgsrc/lang/py36-html-docs/distinfo:1.13 Tue Feb 16 19:39:53 2021 +++ pkgsrc/lang/py36-html-docs/distinfo Tue Jun 29 12:37:47 2021 
@@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.13 2021/02/16 19:39:53 adam Exp $ +$NetBSD: distinfo,v 1.14 2021/06/29 12:37:47 adam Exp $ -SHA1 (python-3.6.13-docs-html.tar.bz2) = 6c751bb1fe1a2aa10cdac1572609c367026efb3f -RMD160 (python-3.6.13-docs-html.tar.bz2) = 62c854d18f22805194a85e0d0c954bd341370015 -SHA512 (python-3.6.13-docs-html.tar.bz2) = 7bdc77767211a652dbbe654cf9675e325a959d1d90eb751fa2f86abd04ddc41301d1035c8cf1a4968a8f23c97f95cf87b06763fd97f7844ac13c365b39dfcd8b -Size (python-3.6.13-docs-html.tar.bz2) = 6016532 bytes +SHA1 (python-3.6.14-docs-html.tar.bz2) = 0588aea479ace5c56cbdde1206fe24b1eb71094a +RMD160 (python-3.6.14-docs-html.tar.bz2) = 4a52d55d10d9db86f220316ad6fd654dcb22c0e2 +SHA512 (python-3.6.14-docs-html.tar.bz2) = a35525fd934e7e95a4e242fb7cfaa770ee42acdb4db40cbe8e40d77d73e98bf72ab02554f3733c884a73f7afaf28e079e0b37ba300134814cf9a08bb61dfee45 +Size (python-3.6.14-docs-html.tar.bz2) = 6022374 bytes Index: pkgsrc/lang/python36/dist.mk diff -u pkgsrc/lang/python36/dist.mk:1.14 pkgsrc/lang/python36/dist.mk:1.15 --- pkgsrc/lang/python36/dist.mk:1.14 Tue Feb 16 19:39:53 2021 +++ pkgsrc/lang/python36/dist.mk Tue Jun 29 12:37:47 2021 @@ -1,6 +1,6 @@ -# $NetBSD: dist.mk,v 1.14 2021/02/16 19:39:53 adam Exp $ +# $NetBSD: dist.mk,v 1.15 2021/06/29 12:37:47 adam Exp $ -PY_DISTVERSION= 3.6.13 +PY_DISTVERSION= 3.6.14 DISTNAME= Python-${PY_DISTVERSION} EXTRACT_SUFX= .tar.xz DISTINFO_FILE= ${.CURDIR}/../../lang/python36/distinfo Index: pkgsrc/lang/python36/distinfo diff -u pkgsrc/lang/python36/distinfo:1.35 pkgsrc/lang/python36/distinfo:1.36 --- pkgsrc/lang/python36/distinfo:1.35 Tue Feb 16 19:39:53 2021 +++ pkgsrc/lang/python36/distinfo Tue Jun 29 12:37:47 2021 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.35 2021/02/16 19:39:53 adam Exp $ +$NetBSD: distinfo,v 1.36 2021/06/29 12:37:47 adam Exp $ -SHA1 (Python-3.6.13.tar.xz) = 4fa72f749446e907a5b80c0ae47ab03d890f14c8 -RMD160 (Python-3.6.13.tar.xz) = 129f0f49c2db86c17f768f320484f116bd61cf2c -SHA512 (Python-3.6.13.tar.xz) = 0482b3e7eea22b0635b61f06753e77c832c9431385c5ea1ecb8f60868262afd2b45c239badb8e906a33f035ffbf347b4a499fe6f0f008f1fa9ecc9de66c63947 -Size (Python-3.6.13.tar.xz) = 17213520 bytes +SHA1 (Python-3.6.14.tar.xz) = 980845d74f9ca6a57999ac90c2ddb1fdffb7933a +RMD160 (Python-3.6.14.tar.xz) = 6c6dedfe1781604cabaab1ca7c16e1c59e537648 +SHA512 (Python-3.6.14.tar.xz) = 15b82b7285db97cb27a6fcd57ce9e258fdf8dbdb2f00e22e4331161b8557c8244342546c4143e84c72730759e0276770396b6ca5bb7cf87310cca8e175423006 +Size (Python-3.6.14.tar.xz) = 17218148 bytes SHA1 (patch-Lib_ctypes_____init____.py) = 7136d2af2d144b58a3ada07ed3aabddcf6823ced SHA1 (patch-Lib_ctypes_util.py) = 3b7aecb2879cce70c76bd4bc60f2ec577a5bed61 SHA1 (patch-Lib_distutils_command_install.py) = 29204f34296f36ab2b21c745f915ba73caf2b71c --_----------=_1624970268174350--
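
Review bot: The new SHA1, RMD160, SHA512 and Size lines for python-3.6.14-docs-html.tar.bz2 in the py36-html-docs/distinfo hunk come with no statement in the log message of how the tarball was authenticated before the digests were generated. distinfo is what every later fetch is checked against, so please note in the commit message that the distfile was verified against upstream's release signature before the checksums were regenerated. Of the three digests, only the SHA512 entry should be treated as the integrity check, since SHA1 is not collision-resistant.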
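
Review bot: The patch-Lib_ctypes and patch-Lib_distutils checksum lines in the python36/distinfo hunk are unchanged context, so none of the local patches was regenerated for 3.6.14. Please confirm that they still apply to the new tarball without fuzz or offsets, and say so in the commit message, because a security update on top of a silently mis-applied local patch is hard to notice later.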
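
Added example, not part of the original commit mail or of pkgsrc: a small offline check that an installed interpreter shows the behaviour the log message describes for bpo-43882 (tabs and newlines removed when a URL is split) and bpo-43285 (PASV address from the server ignored by default). The addresses, the PASV reply and all helper names are constructed for illustration; no network connection is made.

```python
import ftplib
import socket
from urllib.parse import urlsplit

# Constructed sample values (documentation/private ranges), not from the page.
CONTROL_PEER = "203.0.113.7"   # address the control connection really uses
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,19,137)"  # claims 10.0.0.5:5001


class _FakeControlSocket:
    """Stands in for the connected control socket; only getpeername() is used."""
    def getpeername(self):
        return (CONTROL_PEER, 21)


class _ScriptedFTP(ftplib.FTP):
    """FTP client whose PASV command is answered from PASV_REPLY."""
    def __init__(self, trust=None):
        super().__init__()              # no host given, so nothing connects
        self.af = socket.AF_INET        # normally set by connect()
        self.sock = _FakeControlSocket()
        if trust is not None:
            self.trust_server_pasv_ipv4_address = trust

    def sendcmd(self, cmd):
        assert cmd == "PASV"
        return PASV_REPLY


def pasv_target(trust=None):
    """Return the (host, port) the client would use for the data connection."""
    return _ScriptedFTP(trust).makepasv()


def url_controls_stripped():
    """bpo-43882: tab, CR and LF must not survive urlsplit()."""
    parts = urlsplit("http://exam\tple.test/pa\nth")
    return not any(c in part for part in parts for c in "\t\r\n")


def check_interpreter():
    """Map each fix to True when this interpreter shows the fixed behaviour."""
    host, _port = pasv_target()
    return {
        "bpo-43882 URL tab/newline stripping": url_controls_stripped(),
        "bpo-43285 PASV address not trusted": host == CONTROL_PEER,
    }


if __name__ == "__main__":
    for name, ok in check_interpreter().items():
        print(("ok       " if ok else "MISSING  ") + name)
```

Run it with the interpreter built from the updated package; a "MISSING" line means that interpreter still shows the pre-3.6.14 behaviour for that item.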