——————————————————————————–
Fedora Update Notification
FEDORA-2020-887d3fa26f
2020-10-16 15:18:47.312170
——————————————————————————–

Name : python27
Product : Fedora 32
Version : 2.7.18
Release : 6.fc32
URL : https://www.python.org/
Summary : Version 2.7 of the Python interpreter
Description :
Python 2 is an old version of the language that is incompatible with the 3.x
line of releases. The language is mostly the same, but many details, especially
how built-in objects like dictionaries and strings work, have changed
considerably, and a lot of deprecated features have finally been removed in the
3.x line.

Note that Python 2 is not supported upstream after 2020-01-01, please use the
python3 package instead if you can.

This package also provides the “python2” executable.

——————————————————————————–
Update Information:

CVE-2020-26116: HTTP request method CRLF injection in httplib
——————————————————————————–
ChangeLog:

* Wed Sep 30 2020 Petr Viktorin <pviktori@redhat.com> – 2.7.18-6
– CVE-2020-26116: Reject control chars in HTTP method in httplib.putrequest
* Tue Sep 29 2020 Petr Viktorin <pviktori@redhat.com> – 2.7.18-5
– Import patches from GitHub tree
——————————————————————————–
References:

[ 1 ] Bug #1883244 – CVE-2020-26116 python27: python: CRLF injection via HTTP request method in httplib/http.client [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1883244
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-887d3fa26f’ at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=719564be-2d87d0ba-7192f972-000babd90757-efed498243f6469f&q=1&e=e8b729f7-f688-464b-917b-eff2adb99ff2&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2020-d30881c970
2020-10-16 15:18:47.312128
——————————————————————————–

Name : python34
Product : Fedora 32
Version : 3.4.10
Release : 11.fc32
URL : http://www.python.org/
Summary : Version 3.4 of the Python programming language
Description :
Python 3.4 package for developers.

This package exists to allow developers to test their code against an older
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.4, see other distributions
that support it, such as CentOS or RHEL with Software Collections.

——————————————————————————–
Update Information:

* CVE-2019-20907: Avoid infinite loop in the tarfile module * CVE-2020-14422:
Resolve hash collisions for IPv4Interface and IPv6Interface * CVE-2020-26116:
HTTP request method CRLF injection in httplib This update brings Fedora 32’s
python34 in sync with the EPEL7 package.
——————————————————————————–
ChangeLog:

* Wed Sep 30 2020 Petr Viktorin <pviktori@redhat.com> – 3.4.10-11
– CVE-2019-20907: Avoid infinite loop in the tarfile module
– CVE-2020-14422: Resolve hash collisions for IPv4Interface and IPv6Interface
– CVE-2020-26116: HTTP request method CRLF injection in httplib
– update test certs and keys
——————————————————————————–
References:

[ 1 ] Bug #1854938 – CVE-2020-14422 python34: python: Denial of service via inefficiency in IPv{4,6}Interface classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1854938
[ 2 ] Bug #1856491 – CVE-2019-20907 python34: python: infinite loop in the tarfile module via a craft TAR archive [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1856491
[ 3 ] Bug #1883245 – CVE-2020-26116 python34: python: CRLF injection via HTTP request method in httplib/http.client [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1883245
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-d30881c970’ at the command
line. For more information, refer to the dnf documentation available at
https://protect2.fireeye.com/v1/url?k=0f5c7c64-534ec860-0f5be1a8-000babd90757-8b881cdcda729dcd&q=1&e=a486668c-649b-4c04-8e80-1c82e0682c85&u=http%3A%2F%2Fdnf.readthedocs.io%2Fen%2Flatest%2Fcommand_ref.html%23upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org