Python 2.7.18.14 — ActiveState Python 2.7 fork
This release addresses 19 security advisories and remediates the Windows
(VS2022 / UCRT, 64-bit) test-suite regressions tracked under DE-3960.
Final release: tagged on the `2.7` branch HEAD after integration review
(PRs #85 and #86; same commit as v2.7.18.14rc7). Includes the header/host
control-character hardening (`wsgiref/` rejects injected newlines, including in
`unicode` values and a trailing bare CR/LF; `email.generator` uses a
branch-based newline check verified to fully cover CVE-2024-6923) plus the
reviewed test adjustments.
Addressed CVEs
tarfile
- CVE-2025-8194 — reject negative member offsets reachable via PAX `size`
- CVE-2025-13462 — don't normalize `AREGTYPE` follow-up headers (longname/pax) to `DIRTYPE`
webbrowser
- CVE-2026-4519 / CVE-2026-4786 — reject URLs starting with `-` (argument injection); validate after `%action` substitution
Header / command injection (control-character rejection)
- CVE-2026-0865 — `wsgiref.headers.Headers` (control-char check covers `unicode` as well as `str`)
- CVE-2026-0672 — `Cookie.Morsel`
- CVE-2025-15366 — `imaplib.IMAP4._command`
- CVE-2025-15367 — `poplib.POP3._putline` (incl. SSL override)
- CVE-2026-1502 — `httplib.HTTPConnection.set_tunnel` (CONNECT host)
- CVE-2024-6923 — reject newline injection in generated email headers (new `email.errors.HeaderWriteError`); also rejects a value ending in a bare CR/LF
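The fixes in this group all enforce one rule: a header name, header value, cookie value or protocol command argument must not carry CR, LF or any other control character, whether it arrives as `str` or `unicode`, and a trailing bare CR/LF counts. The script below is an added illustration written for this page, not the ActiveState patch or CPython code. It runs on Python 3; `HeaderInjectionError`, the function names, the constructed `Location` header and the simplified octal-escape unquoting for cookie values are this example's own assumptions.

```python
import re

# Policy of this example: reject every C0 control character and DEL, so CR, LF,
# NUL and a bare trailing CR/LF are all caught. (HTAB is rejected too; relax
# the class if a given protocol allows it.) Two compiled forms so that str and
# bytes values get the same check.
_CTRL_STR = re.compile(r'[\x00-\x1f\x7f]')
_CTRL_BYTES = re.compile(rb'[\x00-\x1f\x7f]')


class HeaderInjectionError(ValueError):
    """Raised when a header name/value carries a control character."""


def check_header_value(value):
    """Return value unchanged if it is free of control characters, else raise."""
    pattern = _CTRL_BYTES if isinstance(value, (bytes, bytearray)) else _CTRL_STR
    match = pattern.search(value)
    if match:
        raise HeaderInjectionError(
            'control character %r at offset %d' % (match.group(0), match.start()))
    return value


def vulnerable_header_line(name, value):
    """Pre-fix shape: blind concatenation, so a CRLF inside value starts a new header."""
    return '%s: %s\r\n' % (name, value)


def hardened_header_line(name, value):
    """Post-fix shape: both halves are checked before they reach the wire."""
    check_header_value(name)
    check_header_value(value)
    return '%s: %s\r\n' % (name, value)


def parse_header_names(raw):
    """Split a header block the way a naive receiver does; exposes the smuggled line."""
    return [line.split(':', 1)[0] for line in raw.split('\r\n') if line]


# Cookie values may carry RFC 2109-style \NNN octal escapes; the check has to run
# on the unquoted value, otherwise "\012" slips through as printable bytes.
_OCTAL_ESCAPE = re.compile(r'\\([0-3][0-7][0-7])')


def unquote_cookie_value(wire):
    r"""Simplified unquoting (an assumption of this example): strip quotes, expand \NNN."""
    if len(wire) >= 2 and wire[0] == wire[-1] == '"':
        wire = wire[1:-1]
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), wire)


def check_cookie_value(wire):
    """Reject a cookie value whose decoded form contains a control character."""
    return check_header_value(unquote_cookie_value(wire))


def rejects(func, *args):
    """True if func(*args) raises HeaderInjectionError."""
    try:
        func(*args)
    except HeaderInjectionError:
        return True
    return False


if __name__ == '__main__':
    # Constructed attacker-controlled redirect target carrying a smuggled Set-Cookie.
    evil = 'https://example.test/\r\nSet-Cookie: session=attacker'
    print(parse_header_names(vulnerable_header_line('Location', evil)))
    print(rejects(hardened_header_line, 'Location', evil))
    print(rejects(check_cookie_value, '"abc\\012def"'))
```

The cookie path is the subtle one: on the wire `\012` is seven printable characters, so a check applied before unquoting passes it, while the same value after `Cookie`-style unquoting contains a newline.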
zipfile
- CVE-2024-0450 — reject overlapping entries (quoted-overlap zip bomb)
- CVE-2025-8291 — validate ZIP64 end-of-central-directory locator offset
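As an added example, not the project's own code, the script below constructs a minimal archive whose central directory carries two entries pointing at the same local header (the shape of the quoted-overlap zip bomb: one compressed blob, counted once on disk and many times on extraction) and then audits an archive by comparing the byte range each member occupies according to its local header. The function names and the constructed member `a.bin` are this example's own; it only reads the central directory and local headers, never member data.

```python
import io
import struct
import zipfile

_LOCAL_HEADER = struct.Struct('<IHHHHHIIIHH')   # 30-byte local file header
_EOCD = struct.Struct('<IHHHHIIH')              # 22-byte end of central directory, no comment
_LOCAL_SIG = 0x04034b50
_EOCD_SIG = 0x06054b50


def build_plain_zip():
    """Constructed sample archive: one deflated member, nothing unusual."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('a.bin', b'A' * 4096)
    return buf.getvalue()


def build_overlap_zip():
    """Constructed archive: a second central-directory entry reuses a.bin's local header."""
    data = build_plain_zip()
    fields = list(_EOCD.unpack(data[-_EOCD.size:]))
    sig, _, _, n_disk, n_total, cd_size, cd_off, comment_len = fields
    if sig != _EOCD_SIG or comment_len != 0:
        raise ValueError('unexpected end-of-central-directory layout')
    cd = data[cd_off:cd_off + cd_size]
    # Same offset, sizes and CRC, under a different name of equal length so no
    # other central-directory field needs adjusting.
    dup = cd.replace(b'a.bin', b'b.bin', 1)
    new_cd = cd + dup
    fields[3] = n_disk + 1        # entries on this disk
    fields[4] = n_total + 1       # entries total
    fields[5] = len(new_cd)       # size of central directory
    return data[:cd_off] + new_cd + _EOCD.pack(*fields)


def local_span(fp, zi):
    """Byte range [start, end) a member occupies, read from its local header."""
    fp.seek(zi.header_offset)
    hdr = _LOCAL_HEADER.unpack(fp.read(_LOCAL_HEADER.size))
    sig, _, flags, _, _, _, _, _, _, name_len, extra_len = hdr
    if sig != _LOCAL_SIG:
        raise zipfile.BadZipFile('no local header at offset %d' % zi.header_offset)
    end = zi.header_offset + _LOCAL_HEADER.size + name_len + extra_len + zi.compress_size
    if flags & 0x0008:
        end += 12   # trailing data descriptor; the optional 4-byte signature form is not handled here
    return zi.header_offset, end


def find_overlaps(zip_bytes):
    """Pairs of member names (adjacent by offset) whose byte ranges overlap."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        spans = sorted((local_span(zf.fp, zi), zi.filename) for zi in zf.infolist())
    overlaps = []
    for ((_, end_a), name_a), ((start_b, _), name_b) in zip(spans, spans[1:]):
        if start_b < end_a:
            overlaps.append((name_a, name_b))
    return overlaps


if __name__ == '__main__':
    print(find_overlaps(build_plain_zip()))
    print(find_overlaps(build_overlap_zip()))
```

Note that `zipfile` parses the crafted central directory without complaint, so `namelist()` reports two members; the overlap is only visible once the local headers and compressed sizes are compared, which is what a patched `zipfile` does before handing out member data.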
URL parsing
- CVE-2025-0938 / CVE-2024-11168 — reject square brackets in non-IPv6 hostnames
Algorithmic-complexity DoS
- CVE-2025-6069 — `HTMLParser` EOF handling
- CVE-2025-6075 — `posixpath.expandvars` and `ntpath.expandvars`
- CVE-2025-12084 — `xml.dom.minidom` id-cache clearing
base64
- CVE-2025-12781 / CVE-2026-3446 — new `validate=True` keyword (stricter than upstream: rejects `+`/`/` when `altchars` differs, rejects data after padding)
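What the stricter semantics amount to, as an added example rather than the patched `base64` module itself: the decoder below accepts only the 64-character alphabet actually in force (so `+` and `/` become invalid once `altchars` replaces them), insists on a length that is a multiple of four, allows at most two trailing `=` and refuses anything after them. `strict_b64decode` and the sample inputs are this example's own; it runs on Python 3.

```python
import base64
import binascii

_STD_ALPHABET = (b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                 b'abcdefghijklmnopqrstuvwxyz0123456789')


def strict_b64decode(data, altchars=None):
    """Decode base64 strictly; raise binascii.Error on anything the lenient decoder would skip."""
    if isinstance(data, str):
        try:
            data = data.encode('ascii')
        except UnicodeEncodeError:
            raise binascii.Error('non-ASCII input')
    if altchars is None:
        altchars = b'+/'
    if isinstance(altchars, str):
        altchars = altchars.encode('ascii')
    if len(altchars) != 2:
        raise ValueError('altchars must be exactly two characters')
    # The alphabet in force is the 62 shared characters plus the two in use;
    # the standard '+' and '/' are not grandfathered in when altchars differs.
    alphabet = _STD_ALPHABET + bytes(altchars)

    if len(data) % 4:
        raise binascii.Error('length %d is not a multiple of 4' % len(data))
    body = data.rstrip(b'=')
    pad = len(data) - len(body)
    if pad > 2:
        raise binascii.Error('too much padding')
    if b'=' in body:
        # '=' that is not trailing means padding followed by more data
        raise binascii.Error('data after padding')
    for offset, byte in enumerate(body):
        if byte not in alphabet:
            raise binascii.Error('non-alphabet byte %r at offset %d' % (bytes([byte]), offset))
    # Map the in-use pair back to the standard pair and let the library decode.
    standard = body.translate(bytes.maketrans(bytes(altchars), b'+/'))
    return base64.b64decode(standard + b'=' * pad)


def rejects(data, altchars=None):
    """True if strict_b64decode raises binascii.Error for this input."""
    try:
        strict_b64decode(data, altchars)
    except binascii.Error:
        return True
    return False


if __name__ == '__main__':
    print(strict_b64decode(b'aGVsbG8='))                 # plain case decodes
    print(base64.b64decode(b'aGVs bG8='))                # lenient upstream default skips the space
    print(rejects(b'aGVs bG8='), rejects(b'YQ==YQ=='))   # strict: bad length, data after padding
    print(rejects(b'+/8=', altchars=b'-_'))              # strict: '+' '/' invalid under altchars
```

The lenient default decoder is the reason the flag matters: it silently drops non-alphabet bytes, so two differently encoded strings can decode to the same value, which is exactly the ambiguity a signature or token check must not tolerate.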
Not affected
- CVE-2025-13836 (`http.client`) — 2.7's `httplib._safe_read` is bounded-chunk; no Content-Length preallocation
- CVE-2025-15282 (`urllib.request.DataHandler`) — Python 3 only
- CVE-2025-11468, CVE-2025-1795 — modern `email._header_value_parser`, Python 3 only
- CVE-2026-3644 — `Morsel.update`/`|=`/`__setstate__` entry points absent in 2.7
- CVE-2024-5642 — NPN removed in OpenSSL 1.1.1w+
- CVE-2026-6100 — use-after-free in `bz2`/`lzma`/`zlib` decompressors when `MemoryError` leaves `next_in` dangling. `lzma` and `_ZlibDecompressor` (Python 3.12+) are absent in 2.7; 2.7's legacy `bz2.BZ2Decompressor` and zlib `compobject` re-set `next_in` fresh on each call and persist leftovers as owned Python strings (`unused_data`/`unconsumed_tail`), so no dangling raw pointer is carried across calls.
Behavior changes worth noting for downstream users
- `email.Generator` now raises `HeaderWriteError` on headers whose serialized form contains a non-folding newline.
- `urlparse.urlsplit`/`urlparse.urlparse` now raise `ValueError` for `[`/`]` outside a valid IPv6/IPvFuture host.
- `Cookie.SimpleCookie().load(...)` now raises `CookieError` when a parsed cookie value contains control characters (even when wire-escaped as `\NNN`).
Windows (VS2022 / UCRT, 64-bit) regression remediation
Building 2.7 with a modern MSVC/UCRT toolchain broke several 2.7-era
assumptions, fixed on this line:
- Invalid/closed file descriptors no longer crash or hang the interpreter: the CRT invalid-parameter handler fast-fails on bad fds; the unguarded `fstat`/`lseek` calls in `FileIO` buffer-sizing, `os.fdopen` (directory check) and `signal.set_wakeup_fd` are now wrapped in `_Py_BEGIN_SUPPRESS_IPH`.
- `asyncore` recognises the Winsock codes `WSAECONNRESET`/`WSAESHUTDOWN`, and `ssl` accepts `WSAENOTCONN`; on UCRT builds the C-runtime `errno` constants no longer share values with the Winsock error numbers reported by the socket layer.
- `ctypes.util.find_msvcrt()` returns `None` on VS2015+ (the UCRT is not loadable as a single `msvcrXXX.dll`; backport of bpo-23606).
- Test-suite fixes for win64/UCRT: regrtest now suppresses Windows crash/CRT-assert dialogs at startup; `test_bigrepeat` is gated on `sys.maxsize` (not `sys.maxint`, which is `2**31-1` on win64); `test.support.requires_linux_version` restored; and `test_socket`/`test_ssl`/`test_ctypes`/`test_ftplib` adjusted for win64 and the Winsock error-code differences.
Operational: run the test suite with the build's bin and DLLs directories on PATH so extension modules such as pyexpat can resolve their dependency DLLs (otherwise the XML tests fail to import — not a code defect).
Testing
- Security: all 15 affected test modules pass (Python 2.7 against OpenSSL 1.1.1w): `test_tarfile`, `test_cookie`, `test_wsgiref`, `test_base64`, `test_urlparse`, `test_htmlparser`, `test_posixpath`, `test_ntpath`, `test_minidom`, `test_zipfile`, `test_email`, `test_httplib`, `test_imaplib`, `test_poplib`, `test_webbrowser`.
- Windows (win64): the full suite's failure count is at or below the 2.7.18.10 Windows baseline; the remaining failures are the long-standing baseline known-fails (`test_distutils`, `test_gzip`, `test_mailbox`, `test_zipfile`, `test_socket`) plus host-locale tests (`test__locale`, `test_locale`).
- Linux: cross-checked; no regressions from the Windows remediation.