What's New in Python 2.4.6?
===========================

*Release date: 19-Dec-2008*

What's New in Python 2.4.6c1?
=============================

*Release date: 13-Dec-2008*

Core and builtins
-----------------

- Issue #4469: Prevent expandtabs() on string and unicode
  objects from causing a segfault when a large width is passed
  on 32-bit platforms. CVE-2008-5031.

- Issue #4317: Fixed a crash in the imageop.rgb2rgb8() function.

- Issue #4230: Fix a crash when a class has a custom __getattr__ and an
  __getattribute__ method that deletes the __getattr__ attribute.

- Apply security patches from Apple. CVE-2008-2315.

- Issue #2620: Overflow checking when allocating or reallocating memory
  was not always being done properly in some python types and extension
  modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
  all been updated to perform better checks and places in the code that
  would previously leak memory on the error path when such an allocation
  failed have been fixed.

- Issue #1179: Fix CVE-2007-4965 and CVE-2008-1679, multiple integer
  overflows in the imageop and rgbimgmodule modules.

- Issue #2586: Fix CVE-2008-1721, zlib crash from
  zlib.decompressobj().flush(val) when val is not positive.

- Issues #2588, #2589: Fix potential integer underflow and overflow
  conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.

- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
  parameter but was not verifying that it was greater than zero. Values
  less than zero will now raise a SystemError and return NULL to indicate a
  bug in the calling C code. CVE-2008-1887.

- Security Issue #2: imageop did not validate arguments correctly and could
  segfault as a result. CVE-2008-4864.

Extension Modules
-----------------
Library
-------
Tests
-----
Build
-----
Tools/Demos
-----------
- Tools/faqwiz/move-faqwiz.sh: Fix unsecure use of temporary files.
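
The overflow-checked allocation (Issue #2620) and the rejection of negative sizes (Issue #2587) from the 2.4.6c1 notes above, shown as an added C example. This is not CPython's code; the helper names `checked_array_alloc`, `checked_array_resize` and `copy_with_signed_size` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: allocate n elements, refusing counts whose byte size wraps. */
static void *checked_array_alloc(size_t n, size_t elem_size)
{
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return NULL;                       /* n * elem_size would overflow */
    return malloc(n * elem_size ? n * elem_size : 1);
}

/* Hypothetical helper: resize *bufp. On failure it returns -1 and leaves *bufp
 * valid, so the caller's error path can still free it instead of leaking. */
static int checked_array_resize(void **bufp, size_t n, size_t elem_size)
{
    void *tmp;
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return -1;
    tmp = realloc(*bufp, n * elem_size ? n * elem_size : 1);
    if (tmp == NULL)
        return -1;
    *bufp = tmp;
    return 0;
}

/* Hypothetical helper: copy `size` bytes into a new NUL-terminated buffer.
 * The size is signed, so a negative value is rejected as a caller bug. */
static char *copy_with_signed_size(const char *src, ptrdiff_t size)
{
    char *dst;
    if (size < 0)
        return NULL;
    dst = checked_array_alloc((size_t)size + 1, 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, (size_t)size);
    dst[size] = '\0';
    return dst;
}

int main(void)
{
    size_t n = SIZE_MAX / 4 + 1;   /* constructed count: n * 4 wraps to 0 */
    printf("n * 4 wraps to %zu; checked alloc returns %p\n", n * 4, checked_array_alloc(n, 4));
    return 0;
}
```
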
changes. The "dbm" module could fail to build correctly, erroring out with:
*** WARNING: renaming "dbm" since importing it failed: build/lib.linux-i686-2.4/dbm.so: undefined symbol: dbm_firstkey
In this case, the "dbm" module has accidentally linked with "databases/gdbm",
which happens to be installed, but was never buildlinked in. It may be
relevant that /usr/include/gdbm/ndbm.h is installed on this system.
Remove the "gdbm" test from the "dbm" module configuration, leaving the "ndbm"
support, and the fall-back "bdb" support (which will likely fall back to db4).
Bump PKGREVISION - the package would still install, but with missing
functionality.
integer overflow in the vsnprintf replacement function.
This is likely not a real problem, and the patch wasn't pulled to
the upstream 2.4 branch, but so we can formally declare our 2.4
as not vulnerable now.
We are pleased to announce the release of Python 2.4.4 (FINAL), a
bugfix release of Python 2.4, on October 18, 2006.
Important: 2.4.4 includes a security fix (PSF-2006-001) for the
repr() of unicode strings in wide unicode builds (UCS-4) [does not
affect pkgsrc]
Python 2.4 is now in bugfix-only mode; no new features are being
added. At least 80 bugs have been squished since Python 2.4.3,
including a number of bugs and potential bugs found with the
Coverity and Klocwork static analysis tools. We'd like to offer
our thanks to both these firms for making this available for open
source projects - see their websites if you're interested.
The NIS module is not available in that case.
Call the regen script with RUNSHARED, so that it finds libpython.so,
even in the DESTDIR case.
XXX The call to regen should be moved to the build phase.
on DragonFly. Since that version is used e.g. as part of the file name
for python eggs, it makes handling easier to match normal pkgsrc
platform policy. Bump revisions of all Python packages.
Python 2.4 is now in bugfix-only mode, no new features are being added. At
least 50 bugs have been squashed since Python 2.4.2, including a number of
bugs and potential bugs found by Coverity.
not part of the std. Python install to work again.
Secondly, add a patch from Christoph Ludwig
(http://sourceforge.net/tracker/?func=detail&aid=1324762&group_id=5470&atid=305470)
which contains the following changes (from the SourceForge post):
1) The configure option --with-cxx is renamed
--with-cxx-main. This was done to avoid surprising the user
by the changed meaning. Furthermore, it is now possible
that CXX has a different value than provided by
--with-cxx-main, so the old name would have been
confusing.
2) The compiler used to translate python's main() function is
stored in the configure / Makefile variable MAINCC. By
default, MAINCC=$(CC). If --with-cxx-main is given (without
an appended compiler name), then MAINCC=$(CXX). If
--with-cxx-main=<compiler> is on the configure command
line, then MAINCC=<compiler>. Additionally, configure sets
CXX=<compiler> unless CXX was already set on the
configure command line.
3) The command used to link the python executable is (as
before) stored in LINKCC. By default, LINKCC='$(PURIFY)
$(MAINCC)', i.e. the linker front-end is the compiler used to
translate main(). If necessary, LINKCC can be set on the
configure command line in which case it won't be altered.
4) If CXX is not set by the user (on the command line or via
--with-cxx-main), then configure tries several likely C++
compiler names. CXX is assigned the first name that refers
to a callable program in the system. (CXX is set even if
python is built with a C compiler only, so distutils can build
C++ extensions.)
5) Modules/ccpython.cc is no longer used and can be
removed.
Python 2.4.2 is a bugfix release of Python 2.4 - Python 2.4 is now in
bugfix-only mode, no new features are being added. More than 60 bugs have
been squashed since Python 2.4.1, including bugs that prevented Python working
properly on 64 bit AIX and HP/UX.
For a detailed list of changes see:
http://python.org/2.4.2/NEWS.html
Highlights of this new release include:
- Bug fixes. According to the release notes, several dozen bugs
have been fixed, including a fix for the SimpleXMLRPCServer
security issue (PSF-2005-001).
Also add a patch by Joerg Sonnenberger to add basic support
for DragonFly BSD.
For a detailed list of changes see:
http://python.org/2.4.1/NEWS.html
http://www.python.org/security/PSF-2005-001/
This disables hierarchical object lookups in SimpleXMLRPCServer.
Unfortunately, this breaks some applications (e.g. kenosis). Don't
shoot me for this.
bump PKGREVISION
Python is an interpreted, interactive, object-oriented
programming language that combines remarkable power with
very clear syntax. For an introduction to programming in
Python you are referred to the Python Tutorial. The
Python Library Reference documents built-in and standard
types, constants, functions and modules. Finally, the
Python Reference Manual describes the syntax and semantics
of the core language in (perhaps too) much detail.
Python's basic power can be extended with your own modules
written in C or C++. On most systems such modules may be
dynamically loaded. Python is also adaptable as an extension
language for existing applications. See the internal
documentation for hints.
This package has been compiled without support for threads.