Bug #788525 “updating to python2.6.7 in lucid and updating” : Bugs : python2.6 package : Ubuntu

Revision history for this message

Barry Warsaw (barry) wrote on 2011-05-26:

#1

2.6.6 was the last bug fix release for Python 2.6. 2.6.7 (planned for June 3, 2011) and beyond will be security-fix only releases. Yes, there are a *ton* of fixes in 2.6.6. See http://hg.python.org/cpython/file/2d760cb20e1e/Misc/NEWS

I'll review these to find any I think might affect Ubuntu, and check them against any distro patches we might have applied.

Barry Warsaw (barry) on 2011-06-29

summary:

- updating to python2.6.6 or .7 in lucid and updating
+ updating to python2.6.7 in lucid and updating

Revision history for this message

Matthias Klose (doko) wrote on 2011-07-01:

#2

no, it is not necessary to check the stuff mentioned in #1, because there already is an updated package in oneiric. what needs to be done is to check the changes gone into 2.6.6 and 2.6.7, if these are only regressions fixes, or fixes which do not affect ubuntu (unsupported architectures).

Revision history for this message

Barry Warsaw (barry) wrote on 2011-07-14:

#3

Download full text (19.8 KiB)

Here are all the changes in upstream Python 2.6.6 and 2.6.7 as defined in the
Misc/News file. I've pulled out all the extraneous information and left just
the issue bullets. Those that could have SRU implications I've marked with
`@@@`.

TL;DR: Here's what Matthias wants to know: "check the upstream changes made
since 2.6.5 and make sure that these are bug and regression fixes only". The
one new feature is issue 5753, but that cannot hurt existing code, since it
won't be written to use the new API, and besides the new API fixes a CVE.

Bottom line: all other changes are bug and regression fixes only.

Details:

- Issue #11662: Make urllib and urllib2 ignore redirections if the
scheme is not HTTP, HTTPS or FTP (CVE-2011-1521).

- Issue #11442: Add a charset parameter to the Content-type in SimpleHTTPServer
to avoid XSS attacks.

- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing
error handling when accepting a new connection.

- Issue #9600: Don't use relative import for _multiprocessing on Windows.

- Issue #8688: Revert regression introduced in 2.6.6rc1 (making Distutils
recalculate MANIFEST every time).

- Issue #5798: Handle select.poll flag oddities properly on OS X.
This fixes test_asynchat and test_smtplib failures on OS X.

- Issue #9543: Fix regression in socket.py introduced in Python 2.6.6 rc 1
in r83624.

- Issue #7567: Don't call `setupterm' twice.

- Issue #9568: Fix test_urllib2_localnet on OS X 10.3.

- Issue #9145: Fix test_coercion failure in refleak runs.

- Issue #8433: Fix test_curses failure caused by newer versions of
ncurses returning ERR from getmouse() when there are no mouse
events available.

- Issue #6213: Implement getstate() and setstate() methods of utf-8-sig and
utf-16 incremental encoders.

@@@ Since the return value of getstate() changed, this could potentially cause
some code to break, but I think that this is such an obscure API, the
likelihood is very low.

- Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
  start byte and the continuation byte(s) are now considered invalid, instead
  of the number of bytes specified by the start byte.
  E.g.: '\xf1\x80AB'.decode('utf-8', 'replace') now returns u'\ufffdAB' and
  replaces with U+FFFD only the start byte ('\xf1') and the continuation byte
  ('\x80') even if '\xf1' is the start byte of a 4-bytes sequence.
  Previous versions returned a single u'\ufffd'.

- Issue #9058: Remove assertions about INT_MAX in UnicodeDecodeError.

- Issue #8941: decoding big endian UTF-32 data in UCS-2 builds could crash
the interpreter with characters outside the Basic Multilingual Plane
(higher than 0x10000).

- Issue #8627: Remove bogus "Overriding __cmp__ blocks inheritance of
  __hash__ in 3.x" warning. Also fix "XXX undetected error" that
  arises from the "Overriding __eq__ blocks inheritance ..." warning
  when turned into an exception: in this case the exception simply
  gets ignored.

- Issue #4108: In urllib.robotparser, if there are multiple 'User-agent: *'
entries, consider the first one.

- Issue #9354: Provide getsockopt() in asyncore's file_wrapper.

- In the unicode/str.format(), raise ...

Here are all the changes in upstream Python 2.6.6 and 2.6.7 as defined in the
Misc/News file.  I've pulled out all the extraneous information and left just
the issue bullets.  Those that could have SRU implications I've marked with
`@@@`.

TL;DR: Here's what Matthias wants to know: "check the upstream changes made
since 2.6.5 and make sure that these are bug and regression fixes only".  The
one new feature is issue 5753, but that cannot hurt existing code, since it
won't be written to use the new API, and besides the new API fixes a CVE.

Bottom line: all other changes are bug and regression fixes only.

Details:

- Issue #11662: Make urllib and urllib2 ignore redirections if the
  scheme is not HTTP, HTTPS or FTP (CVE-2011-1521).

- Issue #11442: Add a charset parameter to the Content-type in SimpleHTTPServer
  to avoid XSS attacks.

- Issue #9129: smtpd.py is vulnerable to DoS attacks deriving from missing
  error handling when accepting a new connection.

- Issue #9600: Don't use relative import for _multiprocessing on Windows.

- Issue #8688: Revert regression introduced in 2.6.6rc1 (making Distutils
  recalculate MANIFEST every time).

- Issue #5798: Handle select.poll flag oddities properly on OS X.
  This fixes test_asynchat and test_smtplib failures on OS X.

- Issue #9543: Fix regression in socket.py introduced in Python 2.6.6 rc 1
  in r83624.

- Issue #7567: Don't call `setupterm' twice.

- Issue #9568: Fix test_urllib2_localnet on OS X 10.3.

- Issue #9145: Fix test_coercion failure in refleak runs.

- Issue #8433: Fix test_curses failure caused by newer versions of
  ncurses returning ERR from getmouse() when there are no mouse
  events available.

- Issue #6213: Implement getstate() and setstate() methods of utf-8-sig and
  utf-16 incremental encoders.

@@@ Since the return value of getstate() changed, this could potentially cause
some code to break, but I think that this is such an obscure API, the
likelihood is very low.

- Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
  start byte and the continuation byte(s) are now considered invalid, instead
  of the number of bytes specified by the start byte.
  E.g.: '\xf1\x80AB'.decode('utf-8', 'replace') now returns u'\ufffdAB' and
  replaces with U+FFFD only the start byte ('\xf1') and the continuation byte
  ('\x80') even if '\xf1' is the start byte of a 4-bytes sequence.
  Previous versions returned a single u'\ufffd'.

- Issue #9058: Remove assertions about INT_MAX in UnicodeDecodeError.

- Issue #8941: decoding big endian UTF-32 data in UCS-2 builds could crash
  the interpreter with characters outside the Basic Multilingual Plane
  (higher than 0x10000).

- Issue #8627: Remove bogus "Overriding __cmp__ blocks inheritance of
  __hash__ in 3.x" warning.  Also fix "XXX undetected error" that
  arises from the "Overriding __eq__ blocks inheritance ..." warning
  when turned into an exception: in this case the exception simply
  gets ignored.

- Issue #4108: In urllib.robotparser, if there are multiple 'User-agent: *'
  entries, consider the first one.

- Issue #9354: Provide getsockopt() in asyncore's file_wrapper.

- In the unicode/str.format(), raise a ValueError when indexes to arguments are
  too large.

@@@ Highly unlikely that valid code expects this to work, so an exception,
while possibly unexpected by clients, should be an indication that the code is
buggy in the first place.

- Issue #3798: Write sys.exit() message to sys.stderr to use stderr encoding
  and error handler, instead of writing to the C stderr file in utf-8

@@@ Possibly disruptive if some application cares about sys.exit() text in a
specific encoding.

- Issue #7902: When using explicit relative import syntax, don't try
  implicit relative import semantics.

@@@ Has the potential to break existing working code.  I'll put "working" in
quotes though because such code was depending on broken behavior that
accidentally worked through an implementation bug.  Guido pronounced in favor
of this fix.

- Issue #7079: Fix a possible crash when closing a file object while using
  it from another thread.  Patch by Daniel Stutzbach.

- Issue #1533: fix inconsistency in range function argument
  processing: any non-float non-integer argument is now converted to
  an integer (if possible) using its __int__ method.  Previously, only
  small arguments were treated this way; larger arguments (those whose
  __int__ was outside the range of a C long) would produce a TypeError.

- Issue #8417: Raise an OverflowError when an integer larger than sys.maxsize
  is passed to bytearray.

- Issue #8329: Don't return the same lists from select.select when no fds are
  changed.

- Raise a TypeError when trying to delete a T_STRING_INPLACE struct member.

- Issue #1583863: An unicode subclass can now override the __unicode__ method.

- Issue #7507: Quote "!" in pipes.quote(); it is special to some shells.

- Issue #7544: Preallocate thread memory before creating the thread to avoid
  a fatal error in low memory condition.

- Issue #7820: The parser tokenizer restores all bytes in the right if
  the BOM check fails.

- Issue #7072: isspace(0xa0) is true on Mac OS X

- Issue #5753: A new C API function, :cfunc:`PySys_SetArgvEx`, allows
  embedders of the interpreter to set sys.argv without also modifying
  sys.path.  This helps fix `CVE-2008-5983
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_.

@@@ Yes, this is a new feature, but it can't hurt because code written against
Python < 2.6.6 wouldn't have this available.

- Issue #8447: Make distutils.sysconfig follow symlinks in the path to
  the interpreter executable.  This fixes a failure of test_httpservers
  on OS X.

- Issue #7092: Fix the DeprecationWarnings emitted by the standard library
  when using the -3 flag.  Patch by Florent Xicluna.

- Issue #7395: Fix tracebacks in pstats interactive browser.

- Issue #1713: Fix os.path.ismount(), which returned true for symbolic links
  across devices.

@@@ Could potentially break code that was erroneously expecting this to work.
However if the code recognized this as a bug and has a workaround, that
workaround should still be valid.

- Issue #8826: Properly load old-style "expires" attribute in http.cookies.

- Issue #1690103: Fix initial namespace for code run with trace.main().

- Issue #5294: Fix the behavior of pdb's "continue" command when called
  in the top-level debugged frame.

- Issue #5727: Restore the ability to use readline when calling into pdb
  in doctests.

- Issue #6719: In pdb, do not stop somewhere in the encodings machinery
  if the source file to be debugged is in a non-builtin encoding.

- Issue #8048: Prevent doctests from failing when sys.displayhook has
  been reassigned.

- Issue #8015: In pdb, do not crash when an empty line is entered as
  a breakpoint command.

- Issue #7909: Do not touch paths with the special prefixes ``\\.\``
  or ``\\?\`` in ntpath.normpath().

- Issue #5146: Handle UID THREAD command correctly in imaplib.

- Issue #5147: Fix the header generated for cookie files written by
  http.cookiejar.MozillaCookieJar.

- Issue #8198: In pydoc, output all help text to the correct stream
  when sys.stdout is reassigned.

- Issue #1019882: Fix IndexError when loading certain hotshot stats.

- Issue #8471: In doctest, properly reset the output stream to an empty
  string when Unicode was previously output.

- Issue #8397: Raise an error when attempting to mix iteration and regular
  reads on a BZ2File object, rather than returning incorrect results.

- Issue #8620: when a Cmd is fed input that reaches EOF without a final
  newline, it no longer truncates the last character of the last command line.

- Issue #7066: archive_util.make_archive now restores the cwd if an error is
  raised. Initial patch by Ezio Melotti.

- Issue #5006: Better handling of unicode byte-order marks (BOM) in the io
  library. This means, for example, that opening an UTF-16 text file in append
  mode doesn't add a BOM at the end of the file if the file isn't empty.

- Issue #3704: cookielib was not properly handling URLs with a / in the
  parameters.

- Issue #4629: getopt raises an error if an argument ends with = whereas getopt
  doesn't except a value (eg. --help= is rejected if getopt uses ['help='] long
  options).

- Issue #7895: platform.mac_ver() no longer crashes after calling os.fork()

- Issue #5395: array.fromfile() would raise a spurious EOFError when an
  I/O error occurred.  Now an IOError is raised instead.  Patch by chuck
  (Jan Hosang).

- Issue #1555570: email no longer inserts extra blank lines when a \r\n
  combo crosses an 8192 byte boundary.

- Issue #9164: Ensure sysconfig handles dupblice archs while building on OSX

- Issue #7646: The fnmatch pattern cache no longer grows without bound.

- Issue #9136: Fix 'dictionary changed size during iteration'
  RuntimeError produced when profiling the decimal module.  This was
  due to a dangerous iteration over 'locals()' in Context.__init__.

- Fix extreme speed issue in Decimal.pow when the base is an exact
  power of 10 and the exponent is tiny (for example,
  Decimal(10) ** Decimal('1e-999999999')).

- Issue #9130: Fix validation of relative imports in parser module.

- Issue #9128: Fix validation of class decorators in parser module.

- Issue #7673: Fix security vulnerability (CVE-2010-2089) in the audioop
  module, ensure that the input string length is a multiple of the frame size

- Issue #6589: cleanup asyncore.socket_map in case smtpd.SMTPServer constructor
  raises an exception.

- Issue #9125: Add recognition of 'except ... as ...' syntax to parser module.

- Issue #9085: email package version number bumped to its correct
  value of 4.0.2 (same as it was in 2.5).

- Issue #9075: In the ssl module, remove the setting of a ``debug`` flag
  on an OpenSSL structure.

- Issue #5610: feedparser no longer eats extra characters at the end of
  a body part if the body part ends with a \r\n.

- Issue #8924: logging: Improved error handling for Unicode in exception text.

- Fix codecs.escape_encode to return the correct consumed size.

- Issue #6470: Drop UNC prefix in FixTk.

- Issue #8833: tarfile created hard link entries with a size field != 0 by
  mistake.

- Issue #1368247: set_charset (and therefore MIMEText) now automatically
  encodes a unicode _payload to the output_charset.

- Issue #7150: Raise OverflowError if the result of adding or subtracting
  timedelta from date or datetime falls outside of the MINYEAR:MAXYEAR range.

- Issue #6662: Fix parsing of malformatted charref (&#bad;), patch written by
  Fredrik Håård

- Issue #1628205: Socket file objects returned by socket.socket.makefile() now
  properly handles EINTR within the read, readline, write & flush methods.
  The socket.sendall() method now properly handles interrupted system calls.

- Issue #3924: Ignore cookies with invalid "version" field in cookielib.

- Issue #6268: Fix seek() method of codecs.open(), don't read or write the BOM
  twice after seek(0). Fix also reset() method of codecs, UTF-16, UTF-32 and
  StreamWriter classes.

- Issue #5640: Fix Shift-JIS incremental encoder for error handlers different
  than strict

- Issue #8782: Add a trailing newline in linecache.updatecache to the last line
  of files without one.

- Issue #8729: Return NotImplemented from collections.Mapping.__eq__ when
  comparing to a non-mapping.

- Issue #5918: Fix a crash in the parser module.

- Issue #8688: Distutils now recalculates MANIFEST everytime.

- Issue #7640: In the new `io` module, fix relative seek() for buffered
  readable streams when the internal buffer isn't empty.  Patch by Pascal
  Chambon.

- Issue #5099: subprocess.Popen.__del__ no longer references global objects,
  leading to issues during interpreter shutdown.

- Issue #8681: Make the zlib module's error messages more informative when
  the zlib itself doesn't give any detailed explanation.

- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
  overflow checks in the audioop module.

- Issue #8571: Fix an internal error when compressing or decompressing a
  chunk larger than 1GB with the zlib module's compressor and decompressor
  objects.

- Issue #8573: asyncore _strerror() function might throw ValueError.

- Issue #8483: asyncore.dispatcher's __getattr__ method produced confusing
  error messages when accessing undefined class attributes because of the cheap
  inheritance with the underlying socket object.

- Issue #4265: shutil.copyfile() was leaking file descriptors when disk fills.
  Patch by Tres Seaver.

- Issue #8621: uuid.uuid4() returned the same sequence of values in the
  parent and any children created using ``os.fork`` on MacOS X 10.6.

- Issue #8313: traceback.format_exception_only() encodes unicode message to
  ASCII with backslashreplace error handler if str(value) failed

- Issue #8567: Fix precedence of signals in Decimal module: when a
  Decimal operation raises multiple signals and more than one of those
  signals is trapped, the specification determines the order in which
  the signals should be handled.  In many cases this order wasn't
  being followed, leading to the wrong Python exception being raised.

- Issue #7865: The close() method of :mod:`io` objects should not swallow
  exceptions raised by the implicit flush().  Also ensure that calling
  close() several times is supported.  Initial patch by Pascal Chambon.

- Issue #8581: logging: removed errors raised when closing handlers twice.

- Issue #4687: Fix accuracy of garbage collection runtimes displayed with
  gc.DEBUG_STATS.

- Issue #8354: The siginterrupt setting is now preserved for all signals,
  not just SIGCHLD.

@@@ Potential API change, but how likely to hurt an Ubuntu developer?

- Issue #8577: distutils.sysconfig.get_python_inc() now makes a difference
  between the build dir and the source dir when looking for "python.h" or
  "Include".

@@@ Looks correct still on Ubuntu.

- Issue #8464: tarfile no longer creates files with execute permissions set
  when mode="w|" is used.

@@@ Could affect applications that expect the execute bit to be set.

- Issue #7834: Fix connect() of Bluetooth L2CAP sockets with recent versions
  of the Linux kernel.  Patch by Yaniv Aknin.

- Issue #6312: Fixed http HEAD request when the transfer encoding is chunked.
  It should correctly return an empty response now.

- Issue #8086: In :func:`ssl.DER_cert_to_PEM_cert()`, fix missing newline
  before the certificate footer.  Patch by Kyle VanderBeek.

- Issue #8549: Fix compiling the _ssl extension under AIX.  Patch by
  Sridhar Ratnakumar.

- Issue #2302: Fix a race condition in SocketServer.BaseServer.shutdown,
  where the method could block indefinitely if called just before the
  event loop started running.  This also fixes the occasional freezes
  witnessed in test_httpservers.

- Issue #5103: SSL handshake would ignore the socket timeout and block
  indefinitely if the other end didn't respond.

- The do_handshake() method of SSL objects now adjusts the blocking mode of
  the SSL structure if necessary (as other methods already do).

- Issue #5238: Calling makefile() on an SSL object would prevent the
  underlying socket from being closed until all objects get truely destroyed.

- Issue #7943: Fix circular reference created when instantiating an SSL
  socket.  Initial patch by Péter Szabó.

- Issue #8108: Fix the unwrap() method of SSL objects when the socket has
  a non-infinite timeout.  Also make that method friendlier with applications
  wanting to continue using the socket in clear-text mode, by disabling
  OpenSSL's internal readahead.  Thanks to Darryl Miles for guidance.

- Issue #8484: Load all ciphers and digest algorithms when initializing
  the _ssl extension, such that verification of some SSL certificates
  doesn't fail because of an "unknown algorithm".

- Issue #4814: timeout parameter is now applied also for connections resulting
  from PORT/EPRT commands.

- Issue #3817: ftplib.FTP.abort() method now considers 225 a valid response
  code as stated in RFC-959 at chapter 5.4.

- Issue #5277: Fix quote counting when parsing RFC 2231 encoded parameters.

- Issue #8179: Fix macpath.realpath() on a non-existing path.

- Issue #8310: Allow dis to examine new style classes.

- Issue #7667: Fix doctest failures with non-ASCII paths.

- Issue #7624: Fix isinstance(foo(), collections.Callable) for old-style
  classes.

- Issue #7512: shutil.copystat() could raise an OSError when the filesystem
  didn't support chflags() (for example ZFS under FreeBSD).  The error is
  now silenced.

- Issue #3890, #8222: Fix recv() and recv_into() on non-blocking SSL sockets.
  Also, enable the SSL_MODE_AUTO_RETRY flag on SSL sockets, so that blocking
  reads and writes are always retried by OpenSSL itself.

- Issue #6544: fix a reference leak in the kqueue implementation's error
  handling.

- Issue #7774: Set sys.executable to an empty string if argv[0] has been
  set to an non existent program name and Python is unable to retrieve the real
  program name

- Issue #6906: Tk should not set Unicode environment variables on Windows.

- Issue #1054943: Fix unicodedata.normalize('NFC', text) for the Public Review
  Issue #29

- Issue #7494: fix a crash in _lsprof (cProfile) after clearing the profiler,
  reset also the pointer to the current pointer context.

- Issue #4961: Inconsistent/wrong result of askyesno function in tkMessageBox
  with Tcl/Tk-8.5.

- Issue #7356: ctypes.util: Make parsing of ldconfig output independent of
  the locale.

- Fix memory leak in ssl._ssl._test_decode_cert.

- Issue #9422: Fix memory leak when re-initializing a struct.Struct object.

- Issue #7900: The getgroups(2) system call on MacOSX behaves rather oddly
  compared to other unix systems. In particular, os.getgroups() does
  not reflect any changes made using os.setgroups() but basicly always
  returns the same information as the id command.

os.getgroups() can now return more than 16 groups on MacOSX.

- Issue #9277: Fix bug in struct.pack for bools in standard mode
  (e.g., struct.pack('>?')):  if conversion to bool raised an exception
  then that exception wasn't properly propagated on machines where
  char is unsigned.

- Issue #7384: If the system readline library is linked against
  ncurses, do not link the readline module against ncursesw. The
  additional restriction of linking the readline and curses modules
  against the same curses library is currently not enabled.

- Issue #2810: Fix cases where the Windows registry API returns
  ERROR_MORE_DATA, requiring a re-try in order to get the complete result.

- Issue #8854: Fix finding Visual Studio 2008 on Windows x64.

- Issue #3928: os.mknod() now available in Solaris, also.

- Issue #8175: --with-universal-archs=all works correctly on OSX 10.5

- Issue #6716: Quote -x arguments of compileall in MSI installer.

- Issue #1628484: The Makefile doesn't ignore the CFLAGS environment
  variable anymore.  It also forwards the LDFLAGS settings to the linker
  when building a shared library.

- Issue #7849: Now the utility ``check_warnings`` verifies if the warnings are
  effectively raised.  A new private utility ``_check_py3k_warnings`` has been
  backported to help silencing py3k warnings.

- Issue #8672: Add a zlib test ensuring that an incomplete stream can be
  handled by a decompressor object without errors (it returns incomplete
  uncompressed data).

- Issue #8629: Disable some test_ssl tests, since they give different
  results with OpenSSL 1.0.0 and higher.

- Issue #8576: Remove use of find_unused_port() in test_smtplib and
  test_multiprocessing.  Patch by Paul Moore.

- Issue #7027: regrtest.py keeps a reference to the encodings.ascii module as a
  workaround to #7140 bug

- Issue #3864: Skip three test_signal tests on freebsd6 because they fail
  if any thread was previously started, most likely due to a platform bug.

- Issue #8193: Fix test_zlib failure with zlib 1.2.4.

- Issue #9255: Document that the 'test' package is for internal Python use
  only.

- Issue #8909: Added the size of the bitmap used in the installer created by
  distutils' bdist_wininst. Patch by Anatoly Techtonik.

description:

updated

Launchpad Janitor (janitor) on 2011-07-30

Changed in python2.6 (Ubuntu):
status:	New → Confirmed

Revision history for this message

Barry Warsaw (barry) wrote on 2011-08-16:

#4

Matthias, any thoughts on this? Was the information in comment #3 sufficient?

Revision history for this message

Alex Grönholm (agronholm) wrote on 2011-11-24:

#5

I just got hit by this. Why has this not gone forward since August?

Revision history for this message

Roger Hu (roger-hu) wrote on 2012-04-02:

#6

Any update on whether Python 2.6.7 will make its way into Ubuntu 10.04? The SSL handshake indefinite timeout bug happens to be a big one on the list to fix. Thanks!

Revision history for this message

dino99 (9d9) wrote on 2015-05-03:

#7

Support for this version has ended

Changed in python2.6 (Ubuntu):
status:	Confirmed → Invalid

Ubuntu
python2.6 package

updating to python2.6.7 in lucid and updating

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntupython2.6 package

updating to python2.6.7 in lucid and updating

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
python2.6 package