Debian Patches

Status for pypy3/7.3.11+dfsg-2+deb12u3

Patch Description Author Forwarded Bugs Origin Last update
distutils-install-layout Debian: Add a distutils option --install-layout=deb
This option:
- installs into $prefix/dist-packages instead of $prefix/site-packages.
- doesn't encode the python version into the egg name.

Based on cpython Debian packaging
Stefano Rivera <stefanor@debian.org> no 2017-05-21
langpack-gettext Debian: Support Ubuntu langpacks
Support alternative gettext tree in /usr/share/locale-langpack; if a
file is present in both trees, prefer the newer one
Michael Vogt <michael.vogt@ubuntu.com> not-needed Debian cpython packaging 2011-12-19
bdist-wininst-notfound Debian: Explain that wininst files are not included in Debian
The wininst-* files cannot be built within Debian, needing a zlib mingw
build, which the zlib maintainer isn't going to provide.
Stefano Rivera <stefanor@debian.org> no Debian cPython packaging 2020-09-26
tkinter-import Debian: Suggest installation of pypy3-tk package
On failing _tkinter import.
Stefano Rivera <stefanor@debian.org> no 2013-11-15
noise Debian: Always output the mandelbrot
So that our buildds see progress
Stefano Rivera <stefanor@debian.org> not-needed 2017-10-07
python3-sphinx Debian: Disable some extensions to support Python 3 Sphinx
Stop building any autodoc and configuration sections that require
parsing the Python 2 source code.

This supports building the Sphinx docs with Python 3.
Stefano Rivera <stefanor@debian.org> no 2020-03-23
setuptools-59-editable-installs Debian: Fix editable installs with setuptools < 60.0.1
Work around a setuptools bug, where it failed to configure all necessary
substitution variables in easy_install.
Stefano Rivera <stefanor@debian.org> not-needed 2022-03-25
int-jit-assert.patch Upstream: #3892: fix wrong assert in intutils, it should be an InvalidLoop instead

I introduced the assert in 5909f5e0a75c. Before that, inconsistent intersects
would just do nothing, which I am not sure is a better solution than raising
InvalidLoop
Carl Friedrich Bolz-Tereick <cfbolz@gmx.de> no debian upstream, https://github.com/pypy/pypy/commit/ba8a3c45b9afe068c06780b4c34709c852ae20ea 2023-03-03
CVE-2023-24329-strip-control-chars-urlsplit.patch gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593)

gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)

(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
"Miss Islington (bot)" no cpython, https://github.com/python/cpython/commit/d7f8a5fe07b0ff3a419ccec434cc405b21a5a304 2023-05-22
CVE-2023-40217-ssl-pre-close-flaw.patch gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Łukasz Langa <lukasz@langa.pl> no cpython, https://github.com/python/cpython/commit/264b1dacc67346efa0933d1e63f622676e0ed96b 2023-08-22
test_fsync-eatmydata Tests: Skip fsync tests when building with eatmydata Stefano Rivera <stefanor@debian.org> not-needed 2012-02-06
skip-test_multiprocessing Tests: Disable test_multiprocessing
It leaves stray processes.
Stefano Rivera <stefanor@debian.org> not-needed 2017-10-07
skip-hurd-deadlock Tests: Skip test that deadlocks on GNU Hurd
Per Samuel Thibault:

> That's probably because pypy uses pthread_mutexes (which per POSIX aren't
> interrupted by signals) instead of semaphores, and I guess that's
> because sem_open isn't supported on Hurd yet.
Stefano Rivera <stefanor@debian.org> no 2018-08-26
python2-binary Tests: Use the python2 binary
Debian doesn't ship a /usr/bin/python any more
Stefano Rivera <stefanor@debian.org> not-needed 2020-09-25
test_readline-invalidterminal Tests: Skip readline tests raising InvalidTerminal
We run the tests under TERM=dumb.
PyPy doesn't emulate the readline module perfectly and throws an
exception here.
Stefano Rivera <stefanor@debian.org> yes 2020-09-23
test_fcntl Tests: Ignore lease failure in fcntl tests
Fails on tmpfs on Linux 4.19. Fixed in 5.7, possibly earlier (5.3?).
Stefano Rivera <stefanor@debian.org> not-needed 2020-09-24
ctypes-arm Arch: armhf support
Work around the presence of hard-float in ldconfig -p output.
Also, handle the wide variety of ARM unames.
Loïc Minier no 2017-05-21
plat-gnukfreebsd Arch: DLFCN.py for kfreebsd Jakub Wilk <jwilk@debian.org> no debian Debian cpython packaging 2017-05-21
distutils-link Stdlib: Don't add standard library dirs to library_dirs and runtime_library_dirs. Matthias Klose <doko@debian.org> no Debian cpython packaging 2011-12-19
locale-module Stdlib: Don't map 'utf8', 'utf-8' to 'utf'
'utf' is not a known encoding for glibc.
Matthias Klose <doko@debian.org> no Debian cpython packaging 2011-12-19
rlcompleter-invalidterminal Stdlib: Handle InvalidTerminal in rlcompleter
PyPy's readline module can throw InvalidTerminal if the terminal doesn't
support "clear". This is the case for TERM=dumb, which we use for tests.
Stefano Rivera <stefanor@debian.org> yes 2020-09-23
version-info Debian: Get version details from the Debian source package
Rather than VCS.

Return the Debian package version in sys.version.
Return null strings in sys._mercurial.
Stefano Rivera <stefanor@debian.org> not-needed 2013-02-23
ensurepip-wheels Debian: Let ensurepip use the system wheels
Not the ones from the python source.
Stefano Rivera <stefanor@debian.org> no Debian cpython packaging 2017-05-21
ensurepip-disabled Debian: Disable ensurepip in Debian for now Stefano Rivera <stefanor@debian.org> no Debian cpython packaging 2017-05-21
CVE-2023-40217-ref-cycle.patch gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351)

Explicitly break a reference cycle when SSLSocket._create() raises an
exception. Clear the variable storing the exception, since the
exception traceback contains the variables and so creates a reference
cycle.

This test leak was introduced by the test added for the fix of GH-108310.
(cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3)
"Miss Islington (bot)" no cpython, https://github.com/python/cpython/commit/b8058b3da542101f4a227ef2d6a263a5d73d7973 2023-08-23
CVE-2023-40217-test-reliability.patch gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407)

* In preauth tests of test_ssl, explicitly break reference cycles
involving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catches TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Łukasz Langa <lukasz@langa.pl> no cpython, https://github.com/python/cpython/commit/d2cd0a3acba593334fdc2c42b64885de455a9d36 2023-08-24
CVE-2023-6597-tempfile-symlink.patch gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112842)

(cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d)
Serhiy Storchaka <storchaka@gmail.com> no cpython, https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b 2024-01-17
CVE-2024-0450-zipfile-quoted-overlap.patch gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915)

Raise BadZipFile when trying to read an entry that overlaps with another entry or
the central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
"Miss Islington (bot)" no cpython, https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 2024-01-17
CVE-2023-27043-email-parseaddr gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123768)

Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.

(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19)
Petr Viktorin <encukou@gmail.com> no upstream, https://github.com/python/cpython/commit/2a9273a0e4466e2f057f9ce6fe98cd8ce570331b 2024-09-06
CVE-2024-9287-venv-activation-templates gh-124651: Quote template strings in `venv` activation scripts (GH-124712) (GH-126185) (GH-126269) (GH-126300)

(cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97)
Victor Stinner <vstinner@python.org> no https://github.com/python/cpython/pull/126300 2024-11-04
CVE-2024-4032-private-ip-ranges gh-113171: gh-65056: Fix "private" (non-global) IP address ranges (GH-113179) (GH-113186) (GH-118177) (GH-118472)

The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).

This patch updates the ranges with what was missing or otherwise
incorrect.

100.64.0.0/10 is left alone, for now, as it's been made special in [1].

The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.

[1] https://github.com/python/cpython/issues/61602

In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test was backported from), it checks
whether they both are in the same private network.

For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
Petr Viktorin <encukou@gmail.com> no 2024-05-07
CVE-2024-6232-tarfile-redos gh-121285: Remove backtracking when parsing tarfile headers (GH-121286) (#123641)

* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0

(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4)
Seth Michael Larson <seth@python.org> no cpython, https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877 2024-09-04
CVE-2024-8088-zipfile-loop-dos gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) (#123432)

Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6)
(cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860)
"Jason R. Coombs" <jaraco@jaraco.com> no cpython, https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7 2024-09-04
CVE-2024-6923-encode-email-header-newlines gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122610)

Per RFC 2047:

> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.

This should fail for custom fold() implementations that aren't careful
about newlines.

(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
Łukasz Langa <lukasz@langa.pl> no cpython, https://github.com/python/cpython/commit/f7be505d137a22528cb0fc004422c0081d5d90e6 2024-09-04
CVE-2024-7592-http-cookie-quadratic-complexity gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) (#123107)

This fixes CVE-2024-7592.
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
"Miss Islington (bot)" no cpython, https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774 2024-09-04
CVE-2024-11168-urllib-parse-bracketed-names gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (#103849) (#126976)

(cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5)
Victor Stinner <vstinner@python.org> no cpython, https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132 2024-12-02