
1.216. python

1.216.1. RHBA-2011:0284: bug fix update

Updated python packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems such as X11, Motif, Tk, Mac, and MFC.
This update fixes the following bugs:
  • Prior to this update, Python programs that used "ulimit -n" to enable communication with large numbers of subprocesses could still monitor only 1024 file descriptors at a time, which caused an exception:
    ValueError: filedescriptor out of range in select()
    This was due to the subprocess module using the "select" system call. The module now uses the "poll" system call, removing this limitation. (BZ#668975)
  • Due to the urllib2 module ignoring the "no_proxy" environment variable for the FTP scheme, programs such as Yum could erroneously access a proxy server for ftp:// URLs covered by a "no_proxy" exclusion. With this update, a patch has been applied to address this issue, and "no_proxy" is no longer ignored. (BZ#671343)
All users of python are advised to upgrade to these updated packages, which resolve these issues.

1.216.2. RHSA-2011:0554: Moderate security, bug fix, and enhancement update

Updated python packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Python is an interpreted, interactive, object-oriented programming language.
A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the "file://" URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521)
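A client-side guard against the redirect behaviour described for CVE-2011-1521, as an added example that is not part of the advisory or of the Red Hat patch. It targets Python 3's urllib.request (the successor of urllib2); the http/https-only allowlist, the names SchemeCheckedRedirectHandler, redirect_verdict and make_opener, and the example.test URLs are assumptions of this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Policy assumed by this example: a redirect may only lead to these schemes.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


class SchemeCheckedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse 3xx redirects whose target scheme is not on the allowlist."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        scheme = urlsplit(newurl).scheme.lower()
        if scheme not in ALLOWED_REDIRECT_SCHEMES:
            raise urllib.error.HTTPError(
                req.full_url, code,
                "redirect to %r scheme refused" % scheme, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redirect_verdict(origin_url, location, code=302):
    """Resolve a Location value against origin_url and apply the handler.

    Returns ("follow", absolute_url) or ("refuse", reason). No network I/O.
    """
    handler = SchemeCheckedRedirectHandler()
    req = urllib.request.Request(origin_url)
    target = urljoin(origin_url, location)  # Location may be relative
    try:
        new_req = handler.redirect_request(req, None, code, "Found", {}, target)
    except urllib.error.HTTPError as exc:
        return ("refuse", exc.reason)
    return ("follow", new_req.full_url)


def make_opener():
    """Opener for real requests; the subclass replaces the stock handler."""
    return urllib.request.build_opener(SchemeCheckedRedirectHandler)


# Constructed Location header values, not taken from any real server.
SAMPLE_LOCATIONS = ["https://example.test/b", "/moved", "file:///etc/hostname"]

if __name__ == "__main__":
    for loc in SAMPLE_LOCATIONS:
        print(loc, "->", redirect_verdict("http://example.test/a", loc))
```

Applications that fetch attacker-influenced URLs would call make_opener().open(url) instead of urllib.request.urlopen(url).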
A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493)
An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially-crafted request to obtain the CGI script's source code. (CVE-2011-1015)
This errata upgrades Python to version 2.6.6 (BZ#627301), and includes a number of bug fixes and enhancements.
Bug fixes:
BZ#603073
The pydoc -k command performs a keyword search of the synopses in all installed Python modules. This command failed on modules that did not import, resulting in a traceback. pydoc -k now ignores modules that have import exceptions, allowing searches on the remaining modules.
BZ#625393
A minor incompatibility with SELinux in one of the commands module selftests was corrected.
BZ#625395
The python-tests subpackage was missing some test files and directories used by the selftests for lib2to3. This update adds the missing content to the subpackage.
BZ#626756
Previously, the in operator for dbm mappings erroneously returned False for all keys on big-endian 64-bit builds of Python (64-bit PowerPC and IBM System z). This update fixes this issue.
BZ#634944
A harmless but unnecessary RPATH directive from the _sqlite3.so module was removed. Execution and "#!" lines from .py files within the standard library that did not require these lines were also removed.
BZ#637895
Previously, the urllib2 module ignored the no_proxy variable for the FTP scheme. This could lead to programs such as yum erroneously accessing a proxy server for ftp:// URLs covered by a no_proxy exclusion. The no_proxy variable now overrides the ftp_proxy variable, enforcing this exclusion.
BZ#639222
Previously, the IDLE Python IDE used a hard-coded port (8833) when communicating between the shell and the execution sub-processes. Attempts to use more than one instance of IDLE on one computer failed with a "Port Binding Error" dialog box. This update backports a patch from Python 2.7 to use an ephemeral port instead, resolving this issue.
BZ#639392
On AMD64 and Intel 64 architectures, running gdb (configured using the --with-python option) on python applications to generate backtraces caused a traceback error. python-gdb.py, the python module that deals with the case of debugging a python process, was updated to prevent this.
BZ#649274
Using an invalid username or password while attempting to authenticate against HTTPS via the urllib2 module resulted in infinite recursion. This behavior has been patched, and urllib2 now attempts authentication a maximum of five times before authentication is considered failed.
BZ#650588
Previously, Python programs that used ulimit -n to enable communication with large numbers of subprocesses could still monitor only 1024 file descriptors at a time, due to the subprocess module using the select system call. This could cause an exception:
ValueError: filedescriptor out of range in select()
The module now uses the poll system call, removing this limitation.
BZ#669847
Basic HTTP authentication via the urllib2 module was limited to six requests because the retried attribute was not reset when authentication was successful. This attribute is now reset, and authentication requests work as expected.
BZ#677392
The test_structmembers unit test failed on big-endian 64-bit builds of Python (64-bit PowerPC and IBM System z) because a variable was not well-defined. The variable is now defined correctly, and the unit test works as expected. Note that this issue was discovered and corrected during development, and was not encountered in production systems in the field.
BZ#684991
Upgrading Python removed a call to the PyErr_Clear() method, which exposed an assertion failure in RhythmBox that resulted in RhythmBox crashing. Python now compensates for the RhythmBox assertion failure.
BZ#690315
A race condition was discovered in python Makefile.pre.in. The make command interprets a make rule with two dependents as two copies of the rule. On machines with more than one core, this could lead to race conditions in which the compiler attempted to read a partially-overwritten file. This resulted in syntax or link errors when attempting to build python on machines with multiple cores. A check has been added to prevent this issue.
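The select() limit described under BZ#650588 (and BZ#668975 in the earlier advisory), reproduced on a single descriptor numbered 1024 or higher, as an added example that is not code from the python package. It assumes Linux with FD_SETSIZE of 1024 and a hard RLIMIT_NOFILE above 1024; all function names are this example's own.

```python
import fcntl
import os
import resource
import select

FD_SETSIZE = 1024  # assumed: size of fd_set on Linux/glibc


def pipe_with_high_fd(min_fd=FD_SETSIZE):
    """Return (read_fd, write_fd) with read_fd >= min_fd, as a process that
    already holds more than 1024 descriptors would get."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    need = min_fd + 1
    if soft != resource.RLIM_INFINITY and soft < need:
        # Same effect as "ulimit -n": raise the soft limit (must be <= hard).
        resource.setrlimit(resource.RLIMIT_NOFILE, (need, hard))
    r, w = os.pipe()
    high = fcntl.fcntl(r, fcntl.F_DUPFD, min_fd)  # lowest free fd >= min_fd
    os.close(r)
    return high, w


def wait_with_select(fd):
    """Return the list of readable fds, or the error text select() raises."""
    try:
        return select.select([fd], [], [], 0)[0]
    except ValueError as exc:
        return str(exc)


def wait_with_poll(fd, timeout_ms=1000):
    """poll() takes an array of fds, so the descriptor number is not capped."""
    poller = select.poll()
    poller.register(fd, select.POLLIN)
    return [f for f, ev in poller.poll(timeout_ms) if ev & select.POLLIN]


def demo():
    r, w = pipe_with_high_fd()
    try:
        os.write(w, b"x")  # make the read end readable
        return r, wait_with_select(r), wait_with_poll(r)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print(demo())
```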
Enhancements:
BZ#529274
This updated package now provides the python-ssl package, rendering the python-ssl package provided by the EPEL repository obsolete.
BZ#567229
The subprocess module now includes an optional timeout argument, which can be used by the subprocess.call, Popen.communicate and Popen.wait API entry points. This argument allows users to specify either an integer or a float value, which represents the number of seconds these processes will wait for a call to return before raising an exception of type TimeoutExpired.
BZ#569695
SystemTap static probes have been added to the Python runtime. Two example scripts are also provided: pyfuntop.stp, which provides a top-like view of all bytecode being executed; and systemtap-example.stp, which shows the function-call hierarchy of Python bytecode.
BZ#614680
Reference-handling bugs within C extension modules can lead to crashes when Python's garbage collector runs. The garbage collector now prints more informative messages to stderr when exiting due to unrecoverable reference errors.
All users of Python are advised to upgrade to these updated packages, which correct these issues and add these enhancements.