Update legacy Python to 2.7.16. The most significant improvement is that it builds against OpenSSL 1.1.1. See upstream release announcement and changelog (+ rc1 changelog).
Fixes the following CVEs:
- CVE-2019-5010: Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.
- CVE-2013-1752: Change use of readline() in imaplib.IMAP4_SSL to limit line length.
(CVE-2018-14647 is listed in upstream changelog, but it was already backported in Fedora.)
Note that Python 2 is deprecated in Fedora 30 and users are advised to switch to Python 3. Upstream support of Python 2 ends on 2020-01-01.
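The CVE-2013-1752 item above concerns unbounded readline() calls on data from a remote server. The sketch below is an added example, not the upstream patch or Fedora's code: it contrasts an unbounded read with a length-capped one over a constructed in-memory stream. MAX_LINE, LineTooLong, CountingStream and the function names are hypothetical and chosen for this illustration only.

```python
import io

MAX_LINE = 1024  # hypothetical cap for this example, not the stdlib's value


class LineTooLong(Exception):
    """Raised when the peer sends a line longer than the configured cap."""


class CountingStream(io.BytesIO):
    """In-memory stand-in for a socket file; records how many bytes were read."""

    def __init__(self, data):
        super(CountingStream, self).__init__(data)
        self.consumed = 0

    def readline(self, size=-1):
        line = super(CountingStream, self).readline(size)
        self.consumed += len(line)
        return line


def read_line_unbounded(fp):
    # Uncapped pattern: keeps buffering until a newline or EOF arrives.
    return fp.readline()


def read_line_bounded(fp, max_line=MAX_LINE):
    # Request one byte more than the cap so a line exactly at the cap is
    # accepted and anything longer is detected without reading the rest.
    line = fp.readline(max_line + 1)
    if len(line) > max_line:
        raise LineTooLong("got more than %d bytes" % max_line)
    return line


def demo():
    # Constructed server output: a normal greeting, then 5 MiB with no newline.
    payload = b"* OK ready\r\n" + b"A" * (5 * 1024 * 1024)

    unbounded = CountingStream(payload)
    read_line_unbounded(unbounded)  # greeting
    read_line_unbounded(unbounded)  # buffers the entire oversized "line"

    bounded = CountingStream(payload)
    greeting = read_line_bounded(bounded)
    try:
        read_line_bounded(bounded)
        rejected = False
    except LineTooLong:
        rejected = True
    return greeting, rejected, unbounded.consumed, bounded.consumed
```

With the cap in place, the client stops after MAX_LINE + 1 bytes of the oversized line and can drop the connection, instead of holding whatever the server chooses to send in memory.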