| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2023-40217-ssl-pre-close-flaw.patch | gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. |
=?utf-8?q?=C5=81ukasz_Langa?= <lukasz@langa.pl> | no | cpython, https://github.com/python/cpython/commit/264b1dacc67346efa0933d1e63f622676e0ed96b | 2023-08-22 | |
| test_fsync-eatmydata | Tests: Skip fsync tests when building with eatmydata | Stefano Rivera <stefanor@debian.org> | not-needed | 2012-02-06 | ||
| skip-test_multiprocessing | Tests: Disable test_multiprocessing It leaves stray processes. |
Stefano Rivera <stefanor@debian.org> | not-needed | 2017-10-07 | ||
| skip-hurd-deadlock | Tests: Skip test that deadlocks on GNU Hurd Per Samuel Thibault: > That's probably because pypy uses pthread_mutexes (which per POSIX aren't > interrupted by signals) instead of semaphores, and I guess that's > because sem_open isn't supported on Hurd yet. |
Stefano Rivera <stefanor@debian.org> | no | 2018-08-26 | ||
| python2-binary | Tests: Use the python2 binary Debian doesn't ship a /usr/bin/python any more |
Stefano Rivera <stefanor@debian.org> | not-needed | 2020-09-25 | ||
| test_readline-invalidterminal | Tests: Skip readline tests raising InvalidTerminal We run the tests under TERM=dumb. PyPy doesn't emulate the readline module perfectly and throws an exception here. |
Stefano Rivera <stefanor@debian.org> | yes | 2020-09-23 | ||
| test_fcntl | Tests: Ignore lease failure in fcntl tests Fail on tmpfs on Linux 4.19. Fixed in 5.7 possibly earlier (5.3?). |
Stefano Rivera <stefanor@debian.org> | not-needed | 2020-09-24 | ||
| fpic-archs | Arch: x32 requires -fPIC x32 detection is currently Debian-specific. |
Stefano Rivera <stefanor@debian.org> | no | 2017-10-07 | ||
| ctypes-arm | Arch: armhf support Workaround the presence of hard-float in ldconfig -p output. Also, handle the wide variety of ARM unames. |
Loïc Minier | no | 2017-05-21 | ||
| plat-gnukfreebsd | Arch: DLFCN.py for kfreebsd | Jakub Wilk <jwilk@debian.org> | no | debian | Debian cpython packaging | 2017-05-21 |
| distutils-link | Stdlib: Don't add standard library dirs to library_dirs and runtime_library_dirs. | Matthias Klose <doko@debian.org> | no | Debian cpython packaging | 2011-12-19 | |
| locale-module | Stdlib: Don't map 'utf8', 'utf-8' to 'utf' 'utf' is not a known encoding for glibc. |
Matthias Klose <doko@debian.org> | no | Debian cpython packaging | 2011-12-19 | |
| platform-lsbrelease | Stdlib: Use /etc/lsb-release to identify the platform | Matthias Klose <doko@debian.org> | no | cpython Debian packaging | 2011-12-19 | |
| rlcompleter-invalidterminal | Stdlib: Handle InvalidTerminal in rlcompleter Pypy's readline module can throw InvalidTerminal if the terminal doesn't support "clear". This is the case for TERM=dumb, which we use for tests. |
Stefano Rivera <stefanor@debian.org> | yes | 2020-09-23 | ||
| version-info | Debian: Get version details from the Debian source package Rather than VCS. Return the Debian package version in sys.version. Return null strings in sys._mercurial. |
Stefano Rivera <stefanor@debian.org> | not-needed | 2013-02-23 | ||
| ensurepip-wheels | Debian: Let ensurepip use the system wheels Not the ones from the python source. |
Stefano Rivera <stefanor@debian.org> | no | Debian cpython packaging | 2017-05-21 | |
| ensurepip-disabled | Debian: Disable ensurepip in Debian for now | Stefano Rivera <stefanor@debian.org> | no | Debian cpython packaging | 2017-05-21 | |
| multiarch | Debian: Expose the multiarch tag used in C extension file names Add _multiarch variable to sys.implementation, and MULTIARCH to sysconfig variables. Based on Debian's multiarch patch. |
Stefano Rivera <stefanor@debian.org> | not-needed | 2017-10-07 | ||
| distutils-install-layout | Debian: Add a distutils option --install-layout=deb This option: - installs into $prefix/dist-packages instead of $prefix/site-packages. - doesn't encode the python version into the egg name. Based on cpython Debian packaging |
Stefano Rivera <stefanor@debian.org> | no | 2017-05-21 | ||
| langpack-gettext | Debian: Support Ubuntu langpacks Support alternative gettext tree in /usr/share/locale-langpack; if a file is present in both trees, prefer the newer one |
Michael Vogt <michael.vogt@ubuntu.com> | not-needed | Debian cpython packaging | 2011-12-19 | |
| bdist-wininst-notfound | Debian: Explain that wininst files are not included in Debian The wininst-* files cannot be built within Debian, needing a zlib mingw build, which the zlib maintainer isn't going to provide. |
Stefano Rivera <stefanor@debian.org> | no | Debian cPython packaging | 2020-09-26 | |
| tkinter-import | Debian: Suggest installation of pypy3-tk package On failing _tkinter import. |
Stefano Rivera <stefanor@debian.org> | no | 2013-11-15 | ||
| noise | Debian: Always output the mandelbrot So that our buildds see progress |
Stefano Rivera <stefanor@debian.org> | not-needed | 2017-10-07 | ||
| python3-sphinx | Debian: Disable some extensions to support Python 3 Sphinx Stop building any autodoc and configuration sections, that require parsing the Python 2 source code. This supports building the Sphinx docs with Python 3. |
Stefano Rivera <stefanor@debian.org> | no | 2020-03-23 | ||
| import-h-endif | cpyext: typo in import.h | Matti Picus <matti.picus@gmail.com> | no | debian | upstream, https://foss.heptapod.net/pypy/pypy/-/commit/f8d0f6ad0832af43ef0cd0feabad9f0f408b0110 | 2021-12-25 |
| CVE-2022-37454 | fix segfault from CVE-2022-37454 via cpython PR 98527 | Matti Picus <matti.picus@gmail.com> | no | upstream, https://foss.heptapod.net/pypy/pypy/-/commit/860b897b2611a4099ef9c63ce848fdec89c74b31 | 2022-10-29 | |
| CVE-2023-24329-strip-control-chars-urlsplit.patch | gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593) gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) |
"Miss Islington (bot)" | no | cpython, https://github.com/python/cpython/commit/d7f8a5fe07b0ff3a419ccec434cc405b21a5a304 | 2023-05-22 | |
| CVE-2023-40217-ref-cycle.patch | gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) |
"Miss Islington (bot)" | no | cpython, https://github.com/python/cpython/commit/b8058b3da542101f4a227ef2d6a263a5d73d7973 | 2023-08-23 | |
| CVE-2023-40217-test-reliability.patch | gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407) * In preauth tests of test_ssl, explicitly break reference cycles invoving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catchs TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47) |
=?utf-8?q?=C5=81ukasz_Langa?= <lukasz@langa.pl> | no | cpython, https://github.com/python/cpython/commit/d2cd0a3acba593334fdc2c42b64885de455a9d36 | 2023-08-24 | |
| CVE-2023-6597-tempfile-symlink.patch | gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112842) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) |
Serhiy Storchaka <storchaka@gmail.com> | no | cpython, https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b | 2024-01-17 | |
| CVE-2024-0450-zipfile-quoted-overlap.patch | gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915) Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba) |
"Miss Islington (bot)" | no | cpython, https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 | 2024-01-17 |