Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
test_fsync-eatmydata | Tests: Skip fsync tests when building with eatmydata | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2012-02-06 |
skip-test_multiprocessing | Tests: Disable test_multiprocessing. It leaves stray processes. | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2017-10-07 |
skip-hurd-deadlock | Tests: Skip test that deadlocks on GNU Hurd. Per Samuel Thibault: "That's probably because pypy uses pthread_mutexes (which per POSIX aren't interrupted by signals) instead of semaphores, and I guess that's because sem_open isn't supported on Hurd yet." | Stefano Rivera <stefanor@debian.org> | no | | | 2018-08-26 |
python2-binary | Tests: Use the python2 binary. Debian doesn't ship a /usr/bin/python any more | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2020-09-25 |
test_readline-invalidterminal | Tests: Skip readline tests raising InvalidTerminal. We run the tests under TERM=dumb. PyPy doesn't emulate the readline module perfectly and throws an exception here. | Stefano Rivera <stefanor@debian.org> | yes | | | 2020-09-23 |
test_fcntl | Tests: Ignore lease failure in fcntl tests. Fail on tmpfs on Linux 4.19. Fixed in 5.7 possibly earlier (5.3?). | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2020-09-24 |
fpic-archs | Arch: x32 requires -fPIC. x32 detection is currently Debian-specific. | Stefano Rivera <stefanor@debian.org> | no | | | 2017-10-07 |
ctypes-arm | Arch: armhf support. Workaround the presence of hard-float in ldconfig -p output. Also, handle the wide variety of ARM unames. | Loïc Minier | no | | | 2017-05-21 |
plat-gnukfreebsd | Arch: DLFCN.py for kfreebsd | Jakub Wilk <jwilk@debian.org> | no | debian | Debian cpython packaging | 2017-05-21 |
distutils-link | Stdlib: Don't add standard library dirs to library_dirs and runtime_library_dirs. | Matthias Klose <doko@debian.org> | no | | Debian cpython packaging | 2011-12-19 |
locale-module | Stdlib: Don't map 'utf8', 'utf-8' to 'utf'. 'utf' is not a known encoding for glibc. | Matthias Klose <doko@debian.org> | no | | Debian cpython packaging | 2011-12-19 |
platform-lsbrelease | Stdlib: Use /etc/lsb-release to identify the platform | Matthias Klose <doko@debian.org> | no | | cpython Debian packaging | 2011-12-19 |
rlcompleter-invalidterminal | Stdlib: Handle InvalidTerminal in rlcompleter. Pypy's readline module can throw InvalidTerminal if the terminal doesn't support "clear". This is the case for TERM=dumb, which we use for tests. | Stefano Rivera <stefanor@debian.org> | yes | | | 2020-09-23 |
version-info | Debian: Get version details from the Debian source package rather than VCS. Return the Debian package version in sys.version. Return null strings in sys._mercurial. | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2013-02-23 |
ensurepip-wheels | Debian: Let ensurepip use the system wheels, not the ones from the python source. | Stefano Rivera <stefanor@debian.org> | no | | Debian cpython packaging | 2017-05-21 |
ensurepip-disabled | Debian: Disable ensurepip in Debian for now | Stefano Rivera <stefanor@debian.org> | no | | Debian cpython packaging | 2017-05-21 |
multiarch | Debian: Expose the multiarch tag used in C extension file names. Add _multiarch variable to sys.implementation, and MULTIARCH to sysconfig variables. Based on Debian's multiarch patch. | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2017-10-07 |
distutils-install-layout | Debian: Add a distutils option --install-layout=deb. This option: installs into $prefix/dist-packages instead of $prefix/site-packages; doesn't encode the python version into the egg name. Based on cpython Debian packaging | Stefano Rivera <stefanor@debian.org> | no | | | 2017-05-21 |
langpack-gettext | Debian: Support Ubuntu langpacks. Support alternative gettext tree in /usr/share/locale-langpack; if a file is present in both trees, prefer the newer one | Michael Vogt <michael.vogt@ubuntu.com> | not-needed | | Debian cpython packaging | 2011-12-19 |
bdist-wininst-notfound | Debian: Explain that wininst files are not included in Debian. The wininst-* files cannot be built within Debian, needing a zlib mingw build, which the zlib maintainer isn't going to provide. | Stefano Rivera <stefanor@debian.org> | no | | Debian cPython packaging | 2020-09-26 |
tkinter-import | Debian: Suggest installation of pypy3-tk package on failing _tkinter import. | Stefano Rivera <stefanor@debian.org> | no | | | 2013-11-15 |
noise | Debian: Always output the mandelbrot so that our buildds see progress | Stefano Rivera <stefanor@debian.org> | not-needed | | | 2017-10-07 |
python3-sphinx | Debian: Disable some extensions to support Python 3 Sphinx. Stop building any autodoc and configuration sections, that require parsing the Python 2 source code. This supports building the Sphinx docs with Python 3. | Stefano Rivera <stefanor@debian.org> | no | | | 2020-03-23 |
import-h-endif | cpyext: typo in import.h | Matti Picus <matti.picus@gmail.com> | no | debian | upstream, https://foss.heptapod.net/pypy/pypy/-/commit/f8d0f6ad0832af43ef0cd0feabad9f0f408b0110 | 2021-12-25 |
CVE-2022-37454 | fix segfault from CVE-2022-37454 via cpython PR 98527 | Matti Picus <matti.picus@gmail.com> | no | | upstream, https://foss.heptapod.net/pypy/pypy/-/commit/860b897b2611a4099ef9c63ce848fdec89c74b31 | 2022-10-29 |
CVE-2023-24329-strip-control-chars-urlsplit.patch | gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593) gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) | "Miss Islington (bot)" | no | | cpython, https://github.com/python/cpython/commit/d7f8a5fe07b0ff3a419ccec434cc405b21a5a304 | 2023-05-22 |
CVE-2023-40217-ssl-pre-close-flaw.patch | gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. | Łukasz Langa <lukasz@langa.pl> | no | | cpython, https://github.com/python/cpython/commit/264b1dacc67346efa0933d1e63f622676e0ed96b | 2023-08-22 |
CVE-2023-40217-ref-cycle.patch | gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) | "Miss Islington (bot)" | no | | cpython, https://github.com/python/cpython/commit/b8058b3da542101f4a227ef2d6a263a5d73d7973 | 2023-08-23 |
CVE-2023-40217-test-reliability.patch | gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407) * In preauth tests of test_ssl, explicitly break reference cycles involving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catches TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47) | Łukasz Langa <lukasz@langa.pl> | no | | cpython, https://github.com/python/cpython/commit/d2cd0a3acba593334fdc2c42b64885de455a9d36 | 2023-08-24 |
CVE-2023-6597-tempfile-symlink.patch | gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112842) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) | Serhiy Storchaka <storchaka@gmail.com> | no | | cpython, https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b | 2024-01-17 |
CVE-2024-0450-zipfile-quoted-overlap.patch | gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915) Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba) | "Miss Islington (bot)" | no | | cpython, https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 | 2024-01-17 |
CVE-2022-45061-quadratic-time-idna-decode.patch | gh-98433: Fix quadratic time idna decoding. (GH-99092) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. | "Miss Islington (bot)" | no | | cpython, https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15 | 2022-11-07 |
CVE-2022-0391-remove-nl-tab-early.patch | bpo-43882 Remove the newline, and tab early. From query and fragments. (#25853) * Remove the newline, and tab early. From query and fragments. | Senthil Kumaran <senthil@uthcode.com> | no | | cpython, https://github.com/python/cpython/commit/8a595744e696a0fb92dccc5d4e45da41571270a1 | 2021-05-03 |
CVE-2021-3737-http-client-infinite-reading-after-http100.patch | bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (GH-25931) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. | "Miss Islington (bot)" | no | | cpython, https://github.com/python/cpython/commit/47895e31b6f626bc6ce47d175fe9d43c1098909d | 2021-05-05 |
CVE-2020-10735-prevent-dos-by-large-int-str-conv.patch | CVE-2020-10735: Prevent DoS by large int<->str conversions implement the int_max_str_digits handling from CPython PR 96503 - sys.get(State).w_int_max_str_digits is the value to be used in conversions - sys.int_info.default_max_str_digits and sys.int_info.str_digits_check_threshold are the compiled-in limits - sys.{sg}et_int_max_str_digits are interfaces to manage w_int_max_str_digits - sys.flags.int_max_str_digits is the startup value of w_int_max_str_digits - new command line -X int_max_str_digits=number and environment PYTHONINTMAXSTRDIGITS are used at startup to set sys.flags.int_max_str_digits and w_int_max_str_digits | Matti Picus <matti.picus@gmail.com> | no | | cpython, https://github.com/python/cpython/pull/96503/commits/17bd053ef45715d18bd2f3b666b1a6fcec2aaeae | 2022-10-16 |
CVE-2024-9287-venv-template-quote-strings.patch | gh-124651: Quote template strings in `venv` activation scripts (GH-124712) (GH-126185) (GH-126269) (GH-126301) | Victor Stinner <vstinner@python.org> | no | | cpython, https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97 | 2024-11-04 |
CVE-2021-28861-open-redir-vuln-http-server.patch | gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94094) Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` that could produce a 301 Location header with a misleading target. Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google]. (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) | "Miss Islington (bot)" | no | | cpython, https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672 | 2022-06-22 |
CVE-2020-29651-fix-blame-regex-dos.patch | svnwc: fix regular expression vulnerable to DoS in blame functionality. The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject to catastrophic backtracking given a string like `"1" * 5000`. SVN blame output seems to always have at least one space between the revision number and the user name, so the ambiguity can be fixed by changing the `*` to `+`. | Ran Benita <ran@unusedvar.com> | no | | py, https://github.com/pytest-dev/py/commit/4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 | 2020-09-04 |
CVE-2023-27043-reject-malformed-email-parseaddr.patch | gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123769) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. | Petr Viktorin <encukou@gmail.com> | no | | cpython, https://github.com/python/cpython/commit/4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19 | 2024-09-06 |