ActiveState Release of Python 2.7.18.14

Python 2.7.18.14 — ActiveState Python 2.7 fork

This release addresses 19 security advisories and remediates the Windows
(VS2022 / UCRT, 64-bit) test-suite regressions tracked under DE-3960.

Addressed CVEs

tarfile

• CVE-2025-8194 — reject negative member offsets reachable via PAX size
• CVE-2025-13462 — don't normalize AREGTYPE follow-up headers (longname/pax) to DIRTYPE

webbrowser

• CVE-2026-4519 / CVE-2026-4786 — reject URLs starting with - (argument injection); validate after %action substitution

Header / command injection (control-character rejection)

• CVE-2026-0865 — wsgiref.headers.Headers (control-char check covers unicode as well as str)
• CVE-2026-0672 — Cookie.Morsel
• CVE-2025-15366 — imaplib.IMAP4._command
• CVE-2025-15367 — poplib.POP3._putline (incl. SSL override)
• CVE-2026-1502 — httplib.HTTPConnection.set_tunnel (CONNECT host)

email

• CVE-2024-6923 — reject newline-injection in generated headers (new email.errors.HeaderWriteError); also rejects a value ending in a bare CR/LF

zipfile

• CVE-2024-0450 — reject overlapping entries (quoted-overlap zip bomb)
• CVE-2025-8291 — validate ZIP64 end-of-central-directory locator offset

URL parsing

• CVE-2025-0938 / CVE-2024-11168 — reject square brackets in non-IPv6 hostnames

Algorithmic-complexity DoS

• CVE-2025-6069 — HTMLParser EOF handling
• CVE-2025-6075 — posixpath.expandvars and ntpath.expandvars
• CVE-2025-12084 — xml.dom.minidom id-cache clearing

base64

• CVE-2025-12781 / CVE-2026-3446 — new validate=True keyword (stricter than upstream: rejects +// when altchars differs, rejects data after padding)

Not affected

• CVE-2025-13836 (http.client) — 2.7's httplib._safe_read is bounded-chunk; no Content-Length preallocation
• CVE-2025-15282 (urllib.request.DataHandler) — Python 3 only
• CVE-2025-11468, CVE-2025-1795 — modern email._header_value_parser, Python 3 only
• CVE-2026-3644 — Morsel.update/|=/__setstate__ entry points absent in 2.7
• CVE-2024-5642 — NPN removed in OpenSSL 1.1.1w+
• CVE-2026-6100 — use-after-free in bz2/lzma/zlib decompressors when MemoryError leaves next_in dangling. lzma and _ZlibDecompressor (Python 3.12+) are absent in 2.7; 2.7's legacy bz2.BZ2Decompressor and zlib compobject re-set next_in fresh each call and persist leftovers as owned Python strings (unused_data/unconsumed_tail), so no dangling raw pointer is carried across calls.

Behavior changes worth noting for downstream users

• email.Generator now raises HeaderWriteError on headers whose serialized form contains a non-folding newline.
• urlparse.urlsplit / urlparse.urlparse now raise ValueError for [/] outside a valid IPv6/IPvFuture host.
• Cookie.SimpleCookie().load(...) now raises CookieError when a parsed cookie value contains control characters (even when wire-escaped as \NNN).

Windows (VS2022 / UCRT, 64-bit) regression remediation

Building 2.7 with a modern MSVC/UCRT toolchain broke several 2.7-era
assumptions, fixed on this line:

• Invalid/closed file descriptors no longer crash or hang the interpreter — the CRT invalid-parameter handler fast-fails on bad fds; the unguarded fstat/lseek calls in FileIO buffer-sizing, os.fdopen (directory check) and signal.set_wakeup_fd are now wrapped in _Py_BEGIN_SUPPRESS_IPH.
• asyncore recognises the Winsock codes WSAECONNRESET/WSAESHUTDOWN, and ssl accepts WSAENOTCONN — on UCRT builds the C-runtime errno constants no longer share values with the Winsock error numbers reported by the socket layer.
• ctypes.util.find_msvcrt() returns None on VS2015+ (the UCRT is not loadable as a single msvcrXXX.dll; backport of bpo-23606).
• Test-suite fixes for win64/UCRT: regrtest now suppresses Windows crash/CRT-assert dialogs at startup; test_bigrepeat gated on sys.maxsize (not sys.maxint, which is 2**31-1 on win64); test.support.requires_linux_version restored; and test_socket/test_ssl/test_ctypes/test_ftplib adjusted for win64 and the Winsock error-code differences.

Operational: run the test suite with the build's bin and DLLs directories on PATH so extension modules such as pyexpat can resolve their dependency DLLs (otherwise the XML tests fail to import — not a code defect).

Testing

• Security: all 15 affected modules pass (Python 2.7 against OpenSSL 1.1.1w): test_tarfile, test_cookie, test_wsgiref, test_base64, test_urlparse, test_htmlparser, test_posixpath, test_ntpath, test_minidom, test_zipfile, test_email, test_httplib, test_imaplib, test_poplib, test_webbrowser.
• Windows (win64): the full suite is at or below the 2.7.18.10 Windows baseline; remaining failures are the long-standing baseline known-fails (test_distutils, test_gzip, test_mailbox, test_zipfile, test_socket) plus host-locale tests (test__locale, test_locale).
• Linux: cross-checked — no regressions from the Windows remediation.

ActiveState Release of Python 2.7.18.13

What's Changed

• Refactor CVE-2023-27043 patch to support Unicode characters by @ezequielp-activestate in #78, #80, and #81
• 2.7.18.13 Release by @ezequielp-activestate in #79

New Contributors

• @ezequielp-activestate made their first contribution in #78

Full Changelog: v2.7.18.12...v2.7.18.13

AS Release 2.7.18.11

What's Changed

• Be 4504 python 2 7 expat update iiii by @rickprice in #66
• Add tests to show that CVE-2024-6232 is okay by @rickprice in #67
• BE-4921 Expat 2.6.4 Vendored into Python2 by @rickprice in #65
• Be 3659 CVE 2007 4559 iiii by @rickprice in #68

Full Changelog: v2.7.18.10...v2.7.18.11

ActivePython Release 3.7.17.5

What's Changed

Security

Upgrade bundled libexpat to 2.6.3 to fix the following CVEs:

• CVE-2024-28757 libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

• CVE-2024-45490 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

• CVE-2024-45491 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

• CVE-2024-45492 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

ActiveState Release of Python 2.7.18.10

ActiveState Release of Python 2.7.18.10

What's Changed

Security

• CVE-2024-0397 Fix for the problem, backported from Python3.8 pythongh-114572 by @rickprice in #53
• CVE-2024-7592 Fix quadratic complexity in parsing quoted cookie, backported from Python3.8 pythongh-123067 by @rickprice in #62

Core and Builtins

• Fix Async import problem on Posix by @rickprice in #51
• Add VCRuntime and additional MSVC Redistributables by @icanhasmath in #52 #55 #64

Full Changelog: v2.7.18.9...v2.7.18.10

ActivePython Release 3.7.17.4

What's Changed

• CVE-2024-0397 Fix locking in cert_store_stats and get_ca_certs by @rickprice in #56
• CVE-2024-4032 Fix "private" (non-global) IP address ranges (pythonGH-113179… by @rickprice in #57
• Enable ActiveState build by @icanhasmath in #59

Full Changelog: v3.7.17.3...v3.7.17.4

AS Release v2.7.18.9

ActiveState Release of Python 2.7.18.9

What's Changed

• CVE-2022-45061 by @rickprice in #41
• CVE-2022-48560 by @rickprice in #42
• CVE-2017-18207 by @rickprice in #43
• CVE-2022-48566 by @rickprice in #44
• Support for Tkinter on windows by @MatthewZMD in #46
• Add WSA Error support for socket and async modules on windows by @rickprice in #48
• Redistribute VS runtime DLLs

Full Changelog: v2.7.18.8...v2.7.18.9

AS Release v2.7.18.8

ActiveState release 2.7.18.8

What's Changed

• CVE-2023-24329 by @rickprice in #33
• CVE-2023-40217 by @rickprice in #34
• CVE-2021-4189 by @rickprice in #36
• CVE-2022-48565 by @icanhasmath in #39
• Fix regression in test_signal by @rickprice in #32
• Always include inttypes.h because of pytime.h by @rickprice in #38

Full Changelog: v2.7.18.7...v2.7.18.8

AS Release v3.7.17.3

Release of ActivePython 3.7.17.3

AS Release v3.7.17.2

AS Release v3.7.17.2