
ActiveState Release of Python 2.7.18.14


icanhasmath released this 28 May 04:37

Python 2.7.18.14 — ActiveState Python 2.7 fork

This release addresses 19 security advisories and remediates the Windows
(VS2022 / UCRT, 64-bit) test-suite regressions tracked under DE-3960.

Final release: tagged on the 2.7 branch HEAD after integration review
(PRs #85 and #86; same commit as v2.7.18.14rc7). Includes the header/host
control-char hardening — wsgiref/email reject control characters and
injected newlines, including in unicode values and a trailing bare CR/LF
(email.generator uses a branch-based newline check verified to fully
cover CVE-2024-6923) — plus the reviewed test adjustments.

Addressed CVEs

tarfile

  • CVE-2025-8194 — reject negative member offsets reachable via PAX size
  • CVE-2025-13462 — don't normalize AREGTYPE follow-up headers (longname/pax) to DIRTYPE

webbrowser

  • Header / command injection (control-character rejection)

email

  • CVE-2024-6923 — reject newline-injection in generated headers (new email.errors.HeaderWriteError); also rejects a value ending in a bare CR/LF

zipfile

  • CVE-2024-0450 — reject overlapping entries (quoted-overlap zip bomb)
  • CVE-2025-8291 — validate ZIP64 end-of-central-directory locator offset

URL parsing

  • Algorithmic-complexity DoS

base64

  • CVE-2025-12781 / CVE-2026-3446 — new validate=True keyword (stricter than upstream: rejects +// when altchars differs, rejects data after padding)
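The rules the note lists for the new validate=True keyword, written out as an added stand-alone Python 3 decoder; this is an illustration of the described checks, not the fork's base64 code, and the function name strict_b64decode is an assumption:

```python
import binascii
from typing import Optional

# The standard alphabet without the two "special" positions 62/63 ('+' and '/').
STD_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def strict_b64decode(data: bytes, altchars: Optional[bytes] = None) -> bytes:
    """Decode base64, refusing anything outside the strict form.

    Checks modelled on the release note (hypothetical implementation):
      * only alphabet characters and '=' padding are accepted (no whitespace);
      * with altchars given, a literal '+' or '/' is rejected instead of being
        accepted alongside the alternates (CPython's b64decode translates the
        alternates to '+/' *before* validating, so '+/' slips through there);
      * nothing may follow the padding;
      * total length is a multiple of 4 and padding is at most two '='.
    """
    specials = b"+/" if altchars is None else bytes(altchars)
    if len(specials) != 2 or set(specials) & STD_ALPHABET:
        raise ValueError("altchars must be two bytes outside the base alphabet")
    allowed = STD_ALPHABET | set(specials)

    body, _, tail = data.partition(b"=")
    if tail.strip(b"=") != b"":
        raise binascii.Error("data after padding")
    pad = len(data) - len(body)            # number of trailing '=' characters
    if pad > 2:
        raise binascii.Error("too much padding")
    if len(data) % 4:
        raise binascii.Error("length is not a multiple of 4")
    bad = set(body) - allowed
    if bad:
        raise binascii.Error("non-alphabet byte 0x%02x" % sorted(bad)[0])

    # Only now map the alternates onto '+/' for the actual decode.
    if altchars is not None:
        body = body.translate(bytes.maketrans(specials, b"+/"))
    return binascii.a2b_base64(body + b"=" * pad)


def rejects(data: bytes, altchars: Optional[bytes] = None) -> bool:
    """True if strict_b64decode refuses the input (self-check helper)."""
    try:
        strict_b64decode(data, altchars)
    except (binascii.Error, ValueError):
        return True
    return False
```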

Not affected

  • CVE-2025-13836 (http.client) — 2.7's httplib._safe_read is bounded-chunk; no Content-Length preallocation
  • CVE-2025-15282 (urllib.request.DataHandler) — Python 3 only
  • CVE-2025-11468, CVE-2025-1795 — modern email._header_value_parser, Python 3 only
  • CVE-2026-3644 — Morsel.update/|=/__setstate__ entry points absent in 2.7
  • CVE-2024-5642 — NPN removed in OpenSSL 1.1.1w+
  • CVE-2026-6100 — use-after-free in bz2/lzma/zlib decompressors when MemoryError leaves next_in dangling. lzma and _ZlibDecompressor (Python 3.12+) are absent in 2.7; 2.7's legacy bz2.BZ2Decompressor and zlib compobject re-set next_in fresh each call and persist leftovers as owned Python strings (unused_data/unconsumed_tail), so no dangling raw pointer is carried across calls.

Behavior changes worth noting for downstream users

  • email.Generator now raises HeaderWriteError on headers whose serialized form contains a non-folding newline.
  • urlparse.urlsplit / urlparse.urlparse now raise ValueError when a '[' or ']' character appears outside a valid IPv6/IPvFuture host.
  • Cookie.SimpleCookie().load(...) now raises CookieError when a parsed cookie value contains control characters (even when wire-escaped as \NNN).

Windows (VS2022 / UCRT, 64-bit) regression remediation

Building 2.7 with a modern MSVC/UCRT toolchain broke several 2.7-era
assumptions, fixed on this line:

  • Invalid/closed file descriptors no longer crash or hang the interpreter — the CRT invalid-parameter handler fast-fails on bad fds; the unguarded fstat/lseek calls in FileIO buffer-sizing, os.fdopen (directory check) and signal.set_wakeup_fd are now wrapped in _Py_BEGIN_SUPPRESS_IPH.
  • asyncore recognises the Winsock codes WSAECONNRESET/WSAESHUTDOWN, and ssl accepts WSAENOTCONN — on UCRT builds the C-runtime errno constants no longer share values with the Winsock error numbers reported by the socket layer.
  • ctypes.util.find_msvcrt() returns None on VS2015+ (the UCRT is not loadable as a single msvcrXXX.dll; backport of bpo-23606).
  • Test-suite fixes for win64/UCRT: regrtest now suppresses Windows crash/CRT-assert dialogs at startup; test_bigrepeat gated on sys.maxsize (not sys.maxint, which is 2**31-1 on win64); test.support.requires_linux_version restored; and test_socket/test_ssl/test_ctypes/test_ftplib adjusted for win64 and the Winsock error-code differences.

Operational: run the test suite with the build's bin and DLLs directories on PATH so extension modules such as pyexpat can resolve their dependency DLLs (otherwise the XML tests fail to import — not a code defect).

Testing

  • Security: all 15 affected modules pass (Python 2.7 against OpenSSL 1.1.1w): test_tarfile, test_cookie, test_wsgiref, test_base64, test_urlparse, test_htmlparser, test_posixpath, test_ntpath, test_minidom, test_zipfile, test_email, test_httplib, test_imaplib, test_poplib, test_webbrowser.
  • Windows (win64): the full suite is at or below the 2.7.18.10 Windows baseline; remaining failures are the long-standing baseline known-fails (test_distutils, test_gzip, test_mailbox, test_zipfile, test_socket) plus host-locale tests (test__locale, test_locale).
  • Linux: cross-checked — no regressions from the Windows remediation.