From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
	CVE-2018-1000802
Date: Thu, 11 Oct 2018 04:03:22 -0400
Message-ID: <87o9c0ykol.fsf@netris.org>
References: <20180929191827.GA17619@jasmine.lan> <87in2fhv8v.fsf@fastmail.com>
	<20181010191425.GA22832@jasmine.lan>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58466)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gAVx1-00028W-Rt
	for bug-guix@gnu.org; Thu, 11 Oct 2018 04:04:13 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gAVwy-0001b0-Lw
	for bug-guix@gnu.org; Thu, 11 Oct 2018 04:04:07 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:39852)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1gAVwy-0001an-Gd
	for bug-guix@gnu.org; Thu, 11 Oct 2018 04:04:04 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gAVwy-0006zQ-70
	for bug-guix@gnu.org; Thu, 11 Oct 2018 04:04:04 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.32877.B32877.153924502626835@debbugs.gnu.org>
In-Reply-To: <20181010191425.GA22832@jasmine.lan> (Leo Famulari's message of
	"Wed, 10 Oct 2018 15:14:25 -0400")
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 32877@debbugs.gnu.org

Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>> 
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>> 
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.

I added this commit to my private branch a few days ago, along with the
Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
GNOME 3 system and user profile, and everything seems to be working
well.

I think they are both ready to push to master.

Thank you, Marius!

       Mark