Subject: CVS commit: [pkgsrc-2016Q2] pkgsrc/lang/python27
From: Benny Siegert
Date: 2016-09-06 21:04:28
Message id: 20160906190428.2303FFBD1@cvs.NetBSD.org

Log Message:
Pullup ticket #5090 - requested by sevan
lang/python27: security fix

Revisions pulled up:
- lang/python27/Makefile                                        1.61
- lang/python27/PLIST.common                                    1.15
- lang/python27/dist.mk                                         1.12
- lang/python27/distinfo                                        1.55
- lang/python27/patches/patch-Lib_distutils_unixccompiler.py    1.4

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Sat Jul  2 15:05:43 UTC 2016

   Modified Files:
           pkgsrc/lang/python27: Makefile PLIST.common dist.mk distinfo
           pkgsrc/lang/python27/patches: patch-Lib_distutils_unixccompiler.py

   Log Message:
   Changes 2.7.2:

   Core and Builtins
   -----------------
   - Issue 20041: Fixed TypeError when frame.f_trace is set to None.
     Patch by Xavier de Gaye.

   - Issue 25702: A --with-lto configure option has been added that will
     enable link time optimizations at build time during a make profile-opt.
     Some compilers and toolchains are known to not produce stable code when
     using LTO, be sure to test things thoroughly before relying on it.
     It can provide a few % speed up over profile-opt alone.

   - Issue 26168: Fixed possible refleaks in failing Py_BuildValue() with the "N"
     format unit.

   - Issue 27039: Fixed bytearray.remove() for values greater than 127.  Patch by
     Joe Jevnik.

   - Issue 4806: Avoid masking the original TypeError exception when using star
     (*) unpacking and the exception was raised from a generator.  Based on
     patch by Hagen Fürstenau.

   - Issue 26659: Make the builtin slice type support cycle collection.

   - Issue 26718: super.__init__ no longer leaks memory if called multiple times.
     NOTE: A direct call of super.__init__ is not endorsed!

   - Issue 13410: Fixed a bug in PyUnicode_Format where it failed to properly
     ignore errors from a __int__() method.

   - Issue 26494: Fixed crash on iterating exhausting iterators.
     Affected classes are generic sequence iterators, iterators of bytearray,
     list, tuple, set, frozenset, dict, OrderedDict and corresponding views.

   - Issue 26581: If coding cookie is specified multiple times on a line in
     Python source code file, only the first one is taken into account.

   - Issue 22836: Ensure exception reports from PyErr_Display() and
     PyErr_WriteUnraisable() are sensible even when formatting them produces
     secondary errors.  This affects the reports produced by
     sys.__excepthook__() and when __del__() raises an exception.

   - Issue 22847: Improve method cache efficiency.

   - Issue 25843: When compiling code, don't merge constants if they are equal
     but have different types. For example, ``f1, f2 = lambda: 1, lambda: 1.0``
     is now correctly compiled to two different functions: ``f1()`` returns ``1``
     (``int``) and ``f2()`` returns ``1.0`` (``int``), even if ``1`` and ``1.0``
     are equal.

   - Issue 22995: [UPDATE] Remove one of the pickleability tests in
     _PyObject_GetState() due to regressions observed in Cython-based projects.

   - Issue 25961: Disallowed null characters in the type name.

   - Issue 22995: Instances of extension types with a state that aren't
     subclasses of list or dict and haven't implemented any pickle-related
     methods (__reduce__, __reduce_ex__, __getnewargs__, __getnewargs_ex__,
     or __getstate__), can no longer be pickled.  Including memoryview.

   - Issue 20440: Massive replacing unsafe attribute setting code with special
     macro Py_SETREF.

   - Issue 25421: __sizeof__ methods of builtin types now use dynamic basic size.
     This allows sys.getsize() to work correctly with their subclasses with
     __slots__ defined.

   - Issue 19543: Added Py3k warning for decoding unicode.

   - Issue 24097: Fixed crash in object.__reduce__() if slot name is freed inside
     __getattr__.

   - Issue 24731: Fixed crash on converting objects with special methods
     __str__, __trunc__, and __float__ returning instances of subclasses of
     str, long, and float to subclasses of str, long, and float correspondingly.

   - Issue 26478: Fix semantic bugs when using binary operators with dictionary
     views and tuples.

   - Issue 26171: Fix possible integer overflow and heap corruption in
     zipimporter.get_data().

   Library
   -------
   - Issue 26556: Update expat to 2.1.1, fixes CVE-2015-1283.

   - Fix TLS stripping vulnerability in smtplib, CVE-2016-0772.  Reported by Team
     Oststrom.

   - Issue 7356: ctypes.util: Make parsing of ldconfig output independent of the
     locale.

   - Issue 25738: Stop BaseHTTPServer.BaseHTTPRequestHandler.send_error() from
     sending a message body for 205 Reset Content.  Also, don't send the
     Content-Type header field in responses that don't have a body.  Based on
     patch by Susumu Koshiba.

   - Issue 21313: Fix the "platform" module to tolerate when sys.version
     contains truncated build information.

   - Issue 27211: Fix possible memory corruption in io.IOBase.readline().

   - Issue 27114: Fix SSLContext._load_windows_store_certs fails with
     PermissionError

   - Issue 14132: Fix urllib.request redirect handling when the target only has
     a query string.  Fix by Ján Janech.

   - Removed the requirements for the ctypes and modulefinder modules to be
     compatible with earlier Python versions.

   - Issue 22274: In the subprocess module, allow stderr to be redirected to
     stdout even when stdout is not redirected.  Patch by Akira Li.

   - Issue 12045: Avoid duplicate execution of command in ctypes.util._get_soname().
     Patch by Sijin Joseph.

   - Issue 26960: Backported 16270 from Python 3 to Python 2, to prevent urllib
     from hanging when retrieving certain FTP files.

   - Issue 25745: Fixed leaking a userptr in curses panel destructor.

   - Issue 17765: weakref.ref() no longer silently ignores keyword arguments.
     Patch by Georg Brandl.

   - Issue 26873: xmlrpclib now raises ResponseError on unsupported type tags
     instead of silently returning an incorrect result.

   - Issue 24114: Fix an uninitialized variable in `ctypes.util`.

     The bug only occurs on SunOS when the ctypes implementation searches
     for the `crle` program.  Patch by Xiang Zhang.  Tested on SunOS by
     Kees Bos.

   - Issue 26864: In urllib, change the proxy bypass host checking against
     no_proxy to be case-insensitive, and to not match unrelated host names that
     happen to have a bypassed hostname as a suffix.  Patch by Xiang Zhang.

   - Issue 26804: urllib will prefer lower_case proxy environment variables over
     UPPER_CASE or Mixed_Case ones. Patch contributed by Hans-Peter Jansen.

   - Issue 26837: assertSequenceEqual() now correctly outputs non-stringified
     differing items.  This affects assertListEqual() and assertTupleEqual().

   - Issue 26822: itemgetter, attrgetter and methodcaller objects no longer
     silently ignore keyword arguments.

   - Issue 26657: Fix directory traversal vulnerability with SimpleHTTPServer
     on Windows.  This fixes a regression that was introduced in 2.7.7.  Based
     on patch by Philipp Hagemeister.

   - Issue 19377: Add .svg to mimetypes.types_map.

   - Issue 13952: Add .csv to mimetypes.types_map.  Patch by Geoff Wilson.

   - Issue 16329: Add .webm to mimetypes.types_map.  Patch by Giampaolo Rodola'.

   - Issue 23735: Handle terminal resizing with Readline 6.3+ by installing our
     own SIGWINCH handler.  Patch by Eric Price.

   - Issue 26644: Raise ValueError rather than SystemError when a negative
     length is passed to SSLSocket.recv() or read().

   - Issue 23804: Fix SSL recv(0) and read(0) methods to return zero bytes
     instead of up to 1024.

   - Issue 24266: Ctrl+C during Readline history search now cancels the search
     mode when compiled with Readline 7.

   - Issue 23857: Implement PEP 493, adding a Python-2-only ssl module API and
     environment variable to configure the default handling of SSL/TLS certificates
     for HTTPS connections.

   - Issue 26313: ssl.py _load_windows_store_certs fails if windows cert store
     is empty. Patch by Baji.

   - Issue 26513: Fixes platform module detection of Windows Server

   - Issue 23718: Fixed parsing time in week 0 before Jan 1.  Original patch by
     Tamás Bence Gedai.

   - Issue 26177: Fixed the keys() method for Canvas and Scrollbar widgets.

   - Issue 15068: Got rid of excessive buffering in the fileinput module.
     The bufsize parameter is no longer used.

   - Issue 2202: Fix UnboundLocalError in
     AbstractDigestAuthHandler.get_algorithm_impls.  Initial patch by Mathieu Dupuy.

   - Issue 26475: Fixed debugging output for regular expressions with the (?x)
     flag.

   - Issue 26385: Remove the file if the internal fdopen() call in
     NamedTemporaryFile() fails.  Based on patch by Silent Ghost.

   - Issue 26309: In the "socketserver" module, shut down the request (closing
     the connected socket) when verify_request() returns false.  Based on patch
     by Aviv Palivoda.

   - Issue 25939: On Windows open the cert store readonly in ssl.enum_certificates.

   - Issue 24303: Fix random EEXIST upon multiprocessing semaphores creation with
     Linux PID namespaces enabled.

   - Issue 25698: Importing module if the stack is too deep no longer replaces
     imported module with the empty one.

   - Issue 12923: Reset FancyURLopener's redirect counter even if there is an
     exception.  Based on patches by Brian Brazil and Daniel Rocco.

   - Issue 25945: Fixed a crash when unpickling the functools.partial object with
     wrong state.  Fixed a leak in failed functools.partial constructor.
     "args" and "keywords" attributes of functools.partial have now always types
     tuple and dict correspondingly.

   - Issue 19883: Fixed possible integer overflows in zipimport.

   - Issue 26147: xmlrpclib now works with unicode not encodable with used
     non-UTF-8 encoding.

   - Issue 16620: Fixed AttributeError in msilib.Directory.glob().

   - Issue 21847: Fixed xmlrpclib on Unicode-disabled builds.

   - Issue 6500: Fixed infinite recursion in urllib2.Request.__getattr__().

   - Issue 26083: Workaround a subprocess bug that raises an incorrect
     "ValueError: insecure string pickle" exception instead of the actual
     exception on some platforms such as Mac OS X when an exception raised
     in the forked child process prior to the exec() was large enough that
     it overflowed the internal errpipe_read pipe buffer.

   - Issue 24103: Fixed possible use after free in ElementTree.iterparse().

   - Issue 20954: _args_from_interpreter_flags used by multiprocessing and some
     tests no longer behaves incorrectly in the presence of the PYTHONHASHSEED
     environment variable.

   - Issue 14285: When executing a package with the "python -m package" option,
     and package initialization raises ImportError, a proper traceback is now
     reported.

   - Issue 6478: _strptime's regexp cache now is reset after changing timezone
     with time.tzset().

   - Issue 25718: Fixed copying object with state with boolean value is false.

   - Issue 25742: :func:`locale.setlocale` now accepts a Unicode string for
     its second parameter.

   - Issue 10131: Fixed deep copying of minidom documents.  Based on patch
     by Marian Ganisin.

   - Issue 25725: Fixed a reference leak in cPickle.loads() when unpickling
     invalid data including tuple instructions.

   - Issue 25663: In the Readline completer, avoid listing duplicate global
     names, and search the global namespace before searching builtins.

   - Issue 25688: Fixed file leak in ElementTree.iterparse() raising an error.

   - Issue 23914: Fixed SystemError raised by CPickle unpickler on broken data.

   - Issue 25924: Avoid unnecessary serialization of getaddrinfo(3) calls on
     OS X versions 10.5 or higher.  Original patch by A. Jesse Jiryu Davis.

   - Issue 26406: Avoid unnecessary serialization of getaddrinfo(3) calls on
     current versions of OpenBSD and NetBSD.  Patch by A. Jesse Jiryu Davis.

   IDLE
   ----
   - Issue 5124: Paste with text selected now replaces the selection on X11.
     This matches how paste works on Windows, Mac, most modern Linux apps,
     and ttk widgets.  Original patch by Serhiy Storchaka.

   - Issue 24759: Make clear in idlelib.idle_test.__init__ that the directory
     is a private implementation of test.test_idle and tool for maintainers.

   - Issue 26673: When tk reports font size as 0, change to size 10.
     Such fonts on Linux prevented the configuration dialog from opening.

   - Issue 27044: Add ConfigDialog.remove_var_callbacks to stop memory leaks.

   - In the 'IDLE-console differences' section of the IDLE doc, clarify
     how running with IDLE affects sys.modules and the standard streams.

   - Issue 25507: fix incorrect change in IOBinding that prevented printing.
     Change also prevented saving shell window with non-ascii characters.
     Augment IOBinding htest to include all major IOBinding functions.

   - Issue 25905: Revert unwanted conversion of ' to ’ RIGHT SINGLE QUOTATION
     MARK in README.txt and open this and NEWS.txt with 'ascii'.
     Re-encode CREDITS.txt to utf-8 and open it with 'utf-8'.

   - Issue 26417: Prevent spurious errors and incorrect defaults when
     installing IDLE 2.7 on OS X: default configuration settings are
     no longer installed from OS X specific copies.

   Documentation
   -------------
   - Issue 26736: Used HTTPS for external links in the documentation if possible.

   - Issue 6953: Rework the Readline module documentation to group related
     functions together, and add more details such as what underlying Readline
     functions and variables are accessed.

   - Issue 26014: Guide users to the newer packaging documentation as was done
     for Python 3.x.  In particular, the top-level 2.7 documentation page now
     links to the newer installer and distributions pages rather than the
     legacy install and Distutils pages; these are still linked to in the
     library/distutils doc page.

   Tests
   -----
   - Issue 21916: Added tests for the turtle module.  Patch by ingrid,
     Gregory Loyse and Jelle Zijlstra.

   - Issue 25940: Changed test_ssl to use self-signed.pythontest.net.  This
     avoids relying on svn.python.org, which recently changed root certificate.

   - Issue 25616: Tests for OrderedDict are extracted from test_collections
     into separate file test_ordered_dict.

   Build
   -----
   - Issue 22359: Avoid incorrect recursive $(MAKE), and disable the rules for
     running pgen when cross-compiling.  The pgen output is normally saved with
     the source code anyway, and is still regenerated when doing a native build.
     Patch by Jonas Wagner and Xavier de Gaye.

   - Issue 19450: Update Windows builds to use SQLite 3.8.11.0.

   - Issue 27229: Fix the cross-compiling pgen rule for in-tree builds.  Patch
     by Xavier de Gaye.

   - Issue 17603: Avoid error about nonexistent fileblocks.o file by using a
     lower-level check for st_blocks in struct stat.

   - Issue 26465: Update Windows builds to use OpenSSL 1.0.2g.

   - Issue 24421: Compile Modules/_math.c once, before building extensions.
     Previously it could fail to compile properly if the math and cmath builds
     were concurrent.

   - Issue 25824: Fixes sys.winver to not include any architecture suffix.

   - Issue 25348: Added ``--pgo`` and ``--pgo-job`` arguments to
     ``PCbuild\build.bat`` for building with Profile-Guided Optimization.  The
     old ``PCbuild\build_pgo.bat`` script is now deprecated, and simply calls
     ``PCbuild\build.bat --pgo %*``.

   - Issue 25827: Add support for building with ICC to ``configure``, including
     a new ``--with-icc`` flag.

   - Issue 25696: Fix installation of Python on UNIX with make -j9.

   - Issue 26930: Update OS X 10.5+ 32-bit-only installer to build
     and link with OpenSSL 1.0.2h.

   - Issue 26268: Update Windows builds to use OpenSSL 1.0.2f.

   - Issue 25136: Support Apple Xcode 7's new textual SDK stub libraries.

   Tools/Demos
   -----------
   - Issue 26799: Fix python-gdb.py: don't get C types once when the Python code
     is loaded, but get C types on demand. The C types can change if
     python-gdb.py is loaded before the Python executable. Patch written by Thomas
     Ilsche.

   C API
   -----
   - Issue 26476: Fixed compilation error when using PyErr_BadInternalCall() in C++.
     Patch by Jeroen Demeyer.

   Misc
   ----
   - Issue 17500, and https://github.com/python/pythondotorg/issues/945: Remove
     unused and outdated icons.

Files:
Revision   Action  File
1.60.2.1   modify  pkgsrc/lang/python27/Makefile
1.14.6.1   modify  pkgsrc/lang/python27/PLIST.common
1.11.6.1   modify  pkgsrc/lang/python27/dist.mk
1.54.4.1   modify  pkgsrc/lang/python27/distinfo
1.3.10.1   modify  pkgsrc/lang/python27/patches/patch-Lib_distutils_unixccompiler.py