Releases · ActiveState/cpython

28 May 04:37

2.7.18.14

bc3b091

2.7.18.14 (pre-release for testing) Pre-release

Pre-release

Python 2.7.18.14 — security pre-release for testing

ActiveState Python 2.7 fork, addressing 19 security advisories.
This is a pre-release tagged for testing; please report issues before
it is marked final.

Addressed CVEs

tarfile

CVE-2025-8194 — reject negative member offsets reachable via PAX size
CVE-2025-13462 — don't normalize AREGTYPE follow-up headers (longname/pax) to DIRTYPE

webbrowser

CVE-2026-4519 / CVE-2026-4786 — reject URLs starting with - (argument injection); validate after %action substitution

Header / command injection (control-character rejection)

CVE-2026-0865 — wsgiref.headers.Headers
CVE-2026-0672 — Cookie.Morsel
CVE-2025-15366 — imaplib.IMAP4._command
CVE-2025-15367 — poplib.POP3._putline (incl. SSL override)
CVE-2026-1502 — httplib.HTTPConnection.set_tunnel (CONNECT host)

email

CVE-2024-6923 — reject newline-injection in generated headers (new email.errors.HeaderWriteError)

zipfile

CVE-2024-0450 — reject overlapping entries (quoted-overlap zip bomb)
CVE-2025-8291 — validate ZIP64 end-of-central-directory locator offset

URL parsing

CVE-2025-0938 / CVE-2024-11168 — reject square brackets in non-IPv6 hostnames

Algorithmic-complexity DoS

CVE-2025-6069 — HTMLParser EOF handling
CVE-2025-6075 — posixpath.expandvars and ntpath.expandvars
CVE-2025-12084 — xml.dom.minidom id-cache clearing

base64

CVE-2025-12781 / CVE-2026-3446 — new validate=True keyword (stricter than upstream: rejects +// when altchars differs, rejects data after padding)

Not affected

CVE-2025-13836 (http.client) — 2.7's httplib._safe_read is bounded-chunk; no Content-Length preallocation
CVE-2025-15282 (urllib.request.DataHandler) — Python 3 only
CVE-2025-11468, CVE-2025-1795 — modern email._header_value_parser, Python 3 only
CVE-2026-3644 — Morsel.update/|=/__setstate__ entry points absent in 2.7
CVE-2024-5642 — NPN removed in OpenSSL 1.1.1w+
CVE-2026-6100 — use-after-free in bz2/lzma/zlib decompressors when MemoryError leaves next_in dangling. lzma and _ZlibDecompressor (Python 3.12+) are absent in 2.7; 2.7's legacy bz2.BZ2Decompressor and zlib compobject re-set next_in fresh each call and persist leftovers as owned Python strings (unused_data/unconsumed_tail), so no dangling raw pointer is carried across calls.

Behavior changes worth noting for downstream users

email.Generator now raises HeaderWriteError on headers whose serialized form contains a non-folding newline.
urlparse.urlsplit / urlparse.urlparse now raise ValueError for [/] outside a valid IPv6/IPvFuture host.
Cookie.SimpleCookie().load(...) now raises CookieError when a parsed cookie value contains control characters (even when wire-escaped as \NNN).

Testing

All 15 affected test modules pass on the build target (Python 2.7 against OpenSSL 1.1.1w):
test_tarfile, test_cookie, test_wsgiref, test_base64, test_urlparse,
test_htmlparser, test_posixpath, test_ntpath, test_minidom,
test_zipfile, test_email, test_httplib, test_imaplib, test_poplib,
test_webbrowser.

Assets 2

18 Mar 16:28

ezequielp-activestate

v2.7.18.13

3df688e

ActiveState Release of Python 2.7.18.13 Latest

Latest

What's Changed

Refactor CVE-2023-27043 patch to support Unicode characters by @ezequielp-activestate in #78, #80, and #81
2.7.18.13 Release by @ezequielp-activestate in #79

New Contributors

@ezequielp-activestate made their first contribution in #78

Full Changelog: v2.7.18.12...v2.7.18.13

Contributors

ezequielp-activestate

Assets 2

21 Jan 18:25

rickprice

v2.7.18.11

a22a1d8

AS Release 2.7.18.11

What's Changed

Be 4504 python 2 7 expat update iiii by @rickprice in #66
Add tests to show that CVE-2024-6232 is okay by @rickprice in #67
BE-4921 Expat 2.6.4 Vendored into Python2 by @rickprice in #65
Be 3659 CVE 2007 4559 iiii by @rickprice in #68

Full Changelog: v2.7.18.10...v2.7.18.11

Contributors

rickprice

Assets 2

19 Sep 19:45

i-shenl

v3.7.17.5

50309c3

ActivePython Release 3.7.17.5

What's Changed

Security

Upgrade bundled libexpat to 2.6.3 to fix the following CVEs:

CVE-2024-28757 libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
CVE-2024-45490 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
CVE-2024-45491 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVE-2024-45492 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Assets 2

06 Sep 16:22

icanhasmath

v2.7.18.10

3e06fbb

ActiveState Release of Python 2.7.18.10

What's Changed

Security

CVE-2024-0397 Fix for the problem, backported from Python3.8 pythongh-114572 by @rickprice in #53
CVE-2024-7592 Fix quadratic complexity in parsing quoted cookie, backported from Python3.8 pythongh-123067 by @rickprice in #62

Core and Builtins

Fix Async import problem on Posix by @rickprice in #51
Add VCRuntime and additional MSVC Redistributables by @icanhasmath in #52 #55 #64

Full Changelog: v2.7.18.9...v2.7.18.10

Contributors

rickprice and icanhasmath

Assets 2

23 Jul 04:34

icanhasmath

v3.7.17.4

1f33a00

ActivePython Release 3.7.17.4

What's Changed

CVE-2024-0397 Fix locking in cert_store_stats and get_ca_certs by @rickprice in #56
CVE-2024-4032 Fix "private" (non-global) IP address ranges (pythonGH-113179… by @rickprice in #57
Enable ActiveState build by @icanhasmath in #59

Full Changelog: v3.7.17.3...v3.7.17.4

Contributors

rickprice and icanhasmath

Assets 2

27 Jun 23:17

icanhasmath

v2.7.18.9

76f11e1

AS Release v2.7.18.9

ActiveState Release of Python 2.7.18.9

What's Changed

CVE-2022-45061 by @rickprice in #41
CVE-2022-48560 by @rickprice in #42
CVE-2017-18207 by @rickprice in #43
CVE-2022-48566 by @rickprice in #44
Support for Tkinter on windows by @MatthewZMD in #46
Add WSA Error support for socket and async modules on windows by @rickprice in #48
Redistribute VS runtime DLLs

Full Changelog: v2.7.18.8...v2.7.18.9

Contributors

rickprice and MatthewZMD

Assets 2

28 Jun 05:09

icanhasmath

v2.7.18.8

24790e1

AS Release v2.7.18.8

ActiveState release 2.7.18.8

What's Changed

CVE-2023-24329 by @rickprice in #33
CVE-2023-40217 by @rickprice in #34
CVE-2021-4189 by @rickprice in #36
CVE-2022-48565 by @icanhasmath in #39
Fix regression in test_signal by @rickprice in #32
Always include inttypes.h because of pytime.h by @rickprice in #38

Full Changelog: v2.7.18.7...v2.7.18.8

Contributors

rickprice and icanhasmath

Assets 2

21 Sep 20:33

icanhasmath

v3.7.17.3

4fe54f4

AS Release v3.7.17.3

Release of ActivePython 3.7.17.3

Assets 2

09 Sep 00:11

rickprice

v3.7.17.2

ecc9d0f

AS Release v3.7.17.2

AS Release v3.7.17.2

Assets 2

Releases: ActiveState/cpython

2.7.18.14 (pre-release for testing)

Addressed CVEs

tarfile

webbrowser

Header / command injection (control-character rejection)

email

zipfile

URL parsing

Algorithmic-complexity DoS

base64

Not affected

Behavior changes worth noting for downstream users

Testing

Uh oh!

ActiveState Release of Python 2.7.18.13

What's Changed

New Contributors

Contributors

Uh oh!

AS Release 2.7.18.11

What's Changed

Contributors

Uh oh!

ActivePython Release 3.7.17.5

What's Changed

Security

Uh oh!

ActiveState Release of Python 2.7.18.10

What's Changed

Security

Core and Builtins

Contributors

Uh oh!

ActivePython Release 3.7.17.4

What's Changed

Contributors

Uh oh!

AS Release v2.7.18.9

What's Changed

Contributors

Uh oh!

AS Release v2.7.18.8

What's Changed

Contributors

Uh oh!

AS Release v3.7.17.3

Uh oh!

AS Release v3.7.17.2

Uh oh!