[Oraclevm-errata] OVMBA-2015-0135 Oracle VM 3.2 python bug fix update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Fri Nov 6 12:37:25 PST 2015 

Oracle VM Bug Fix Advisory OVMBA-2015-0135

The following updated rpms for Oracle VM 3.2 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
python-2.4.3-56.el5.x86_64.rpm
python-libs-2.4.3-56.el5.x86_64.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/3.2/SRPMS-updates/python-2.4.3-56.el5.src.rpm



Description of changes:

[2.4.3-56]
- give gdb debug hooks an extra way to locate the Python frame
Related: rhbz#644661

[2.4.3-55]
- fix fcnt.ioctl() to support ioctl requests in the full range 0..0xffffffff
Resolves: rhbz#822072

[2.4.3-54]
- rework patch 223 (chown for large uids)
Resolves: rhbz#640523

[2.4.3-53]
- use an ephemeral port for IDLE, enabling multiple instances to be run
Resolves: rhbz#638514

[2.4.3-52]
- add gdb debug hooks
Resolves: rhbz#644661

[2.4.3-51]
- fix race condition that sometimes breaks the build with parallel make
Resolves: rhbz#701277
- prevent a KeyError on shutdown if logging.config.fileConfig is called
when logging handlers already exist
Resolves: rhbz#573782
- fix a minor memory leak when the _japanese_codecs module is imported
Resolves: rhbz#701569
- fix os.chown and os.lchown for large UIDs
Resolves: rhbz#640523

[2.4.3-50]
- if hash randomization is enabled, also enable it within pyexpat
Resolves: CVE-2012-0876

[2.4.3-49]
- distutils.commands.register: create ~/.pypirc securely
Resolves: CVE-2011-4944

[2.4.3-48]
- send encoding in SimpleHTTPServer.list_directory to protect IE7 against
potential XSS attacks
Resolves: CVE-2011-4940

[2.4.3-47]
- oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment
variable, to provide an opt-in way to protect against denial of service
attacks due to hash collisions within the dict and set types
Resolves: CVE-2012-1150

[2.4.3-46]
- add alias "en_IN" -> "en_IN.ISO8859-1" to locale (patch 213)
Resolves: rhbz#708292

[2.4.3-45]
- backport fix for http://bugs.python.org/issue8135 to 2.4 (patch 212)
Resolves: rhbz#732954

[2.4.3-44]
- add patch adapted from upstream (patch 208) to add support for building
against system expat; add --with-system-expat to "configure" invocation; 
remove
embedded copy of expat-1.95.8 from the source tree during "prep"
- ensure pyexpat.so gets built by explicitly listing all C modules in the
payload in %files, rather than using dynfiles
Resolves: CVE-2009-3720
- backport three security fixes to 2.4 (patches 209, 210, 211):
Resolves: CVE-2011-1521
Resolves: CVE-2011-1015
Resolves: CVE-2010-3493

[2.4.3-43]
- add missing patch 206
Related: rhbz#549372

[2.4.3-42]
- fix test_pyclbr to match the urllib change in patch 204 (patch 206)
- allow the "no_proxy" environment variable to override "ftp_proxy" in
urllib2 (patch 207)
- fix typos in names of patches 204 and 205
Related: rhbz#549372

[2.4.3-41]
- backport support for the "no_proxy" environment variable to the urllib and
urllib2 modules (patches 204 and 205, respectively)
Resolves: rhbz#549372

[2.4.3-40]
- backport fixes for arena allocator from 2.5a1
- disable arena allocator when run under valgrind on x86, x86_64, ppc, ppc64
(patch 203)
- add patch to add sys._debugmallocstats() hook (patch 202)
Resolves: rhbz#569093

[2.4.3-39]
- fix various flaws in the "audioop" module
- Resolves: CVE-2010-1634 CVE-2010-2089
- backport the new PySys_SetArgvEx libpython entrypoint from 2.6
- Related: CVE-2008-5983
- restrict creation of the .relocation-tag files to i386 builds
- Related: rhbz#644761
- move the python-optik metadata from the core subpackage to the python-libs
subpackage
- Related: rhbz#625372

[2.4.3-38]
- add metadata to ensure that "yum install python-libs" works
- Related: rhbz#625372

[2.4.3-37]
- create dummy ELF file ".relocation-tag" to force RPM directory coloring,
fixing i386 on ia64 compat
- Resolves: rhbz#644761

[2.4.3-36]
- Backport fix for http://bugs.python.org/issue7082 to 2.4.3
- Resolves: rhbz#644147

[2.4.3-35]
- Rework rgbimgmodule fix for CVE-2008-3143
- Resolves: rhbz#644425 CVE-2009-4134 CVE-2010-1449 CVE-2010-1450

[2.4.3-34]
- fix stray "touch" command
- Related: rhbz#625372

[2.4.3-33]
- Preserve timestamps when fixing shebangs (patch 104) and when 
installing, to
minimize .pyc/.pyo differences across architectures (due to the embedded 
mtime
in .pyc/.pyo headers)
- Related: rhbz#625372

[2.4.3-32]
- introduce libs subpackage as a dependency of the core package, moving the
shared libraries and python standard libraries there
- Resolves: rhbz#625372

[2.4.3-31]
- don't use -b when applying patch 103
- Related: rhbz#263401

[2.4.3-30]
- add missing patch
- Resolves: rhbz#263401

[2.4.3-29]
- Backport Python 2.5's tarfile module (0.8.0) to 2.4.3
- Resolves: rhbz#263401

[2.4.3-28]
- Backport fix for leaking filedescriptors in subprocess error-handling path
from Python 2.6
- Resolves: rhbz#609017
- Backport usage of "poll" within the subprocess module to 2.4.3
- Resolves: rhbz#609020

More information about the Oraclevm-errata mailing list