Python 2.7 Extended Support Release Notes

December 2022 Release

ActivePython Enterprise Versions with Fix: 2.7.18.5

Python Core CVEs

No Changes

Updated Python Package CVEs \

Package: expat

Versions Impacted: 2.4.7

Severity: Critical

URL: CVE-2022-40674

Package: zlib

Versions Impacted: 1.2.12

Severity: Critical

URL: CVE-2022-37434

Package: expat

Versions Impacted: 2.4.7

Severity: High

URL: CVE-2022-43680

Other changes in build

OpenSSL upgraded to 1.1.1s

September 2022 Release

ActivePython Enterprise Versions with Fix: 2.7.18.5

Python Core CVEs

Language Core: Python Core (Cpython)

Versions Impacted: Python versions 2.7.18.1, .2, .3, .4

Severity: High
URL: CVE-2022-0391

Updated Python Package CVEs \

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-22822

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-22823

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-22824

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-23852

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-23990

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-25235

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-25236

Package: expat

Versions Impacted: 2.2.9

Severity: Critical

URL: CVE-2022-25315

Package: OpenSSL 1.11.0.15

Versions Impacted: 1.1.1.o

Severity: Critical

URL: CVE-2022-2068

Package: expat

Versions Impacted: 2.2.9

Severity: High

URL: CVE-2021-45960

Package: expat

Versions Impacted: 2.2.9

Severity: High

URL: CVE-2021-46143

Package: expat

Versions Impacted: 2.2.9

Severity: High

URL: CVE-2022-22825

Package: expat

Versions Impacted: 2.2.9

Severity: High

URL: CVE-2022-22826

Package: expat

Versions Impacted: 2.2.9

Severity: High

URL: CVE-2022-22827

Package: expat

Versions Impacted: 2.2.9

Severity: High

URL: CVE-2022-25314

Package: OpenSSL

Versions Impacted: 1.1.1.o

Severity: High

URL: CVE-2022-2097

Package: expat

Versions Impacted: 2.2.9

Severity: Medium

URL: CVE-2022-25313

Package: expat

Versions Impacted: 2.2.9

Severity: Unscored

URL: CVE-2013-0340

June 2022 Release

ActivePython Enterprise Versions with Fix: 2.7.18.4

Python Core CVEs

No changes

Updated Python Packages CVEs \

Package: OpenSSL

Versions Impacted: 1.1.1.m

Severity: Critical

URL: CVE-2022-1292

Package: OpenSSL

Versions Impacted: 1.1.1.m

Severity: High

URL: CVE-2022-0778

Other changes in build

February 2022 Release

ActivePython Enterprise Versions with Fix: 2.7.18.4

Python Core CVEs

No changes

Updated Python Packages CVEs \

Package: OpenSSL

Versions Impacted: 1.1.1.l

Severity: Med

URL: CVE-2021-4160

Other changes in build

  • Enterprise label added \
  • more-itertools pinned to 5.0.0 \
  • pip pinned to 20.3.4 \
  • platformdirs set to capped value <2.1 \
  • attrs pinned to 21.2.0 \
  • cryptography pinned to 3.3.2 \
  • flake8 pinned to 3.9.2 \
  • importlib-metadata pinned to 2.1.1 \
  • requests pinned to 2.26.0 \
  • Virtualenv pinned to 20.8.1

November 2021 Release

ActivePython Enterprise Versions with Fix: 2.7.18.4

Python Core CVEs

No changes

Updated Python Packages CVEs \

Package: OpenSSL

Versions Impacted: 1.1.1.k

Severity: Critical

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3711

Package: Pillow

Versions Impacted: 6.2.2

Severity: Critical

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-25289

Package: OpenSSL

Versions Impacted: 1.1.1k

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3712

Package: Pillow

Versions Impacted: 6.2.2

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-11538

Package: Pillow

Versions Impacted: 6.2.2

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-35654

Package: requests

Versions Impacted: 2.1.0

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-18074 \

Package: ElasticSearch

Versions Impacted: 7.11.0

Severity: Medium (6)

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22134

Package: ElasticSearch

Versions Impacted: 7.11.0

Severity: Medium (6)

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22135

Package: ElasticSearch

Versions Impacted: 7.11.0

Severity: Medium (6)

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22137

Package: ElasticSearch

Versions Impacted: 7.11.0

Severity: Medium (6)

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22144

Package: ElasticSearch

Versions Impacted: 7.11.0

Severity: Medium (6)

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22145

Package: ElasticSearch

Versions Impacted: 7.11.0

Severity: Medium (6)

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-22147

Other changes in build

  • cycler 0.10.0 added
  • kiwisolver 1.1.0 added
  • matplotlib 2.2.5 added
  • matplotlib-set-lib 2.2.5 added
  • setuptools-scm[toml] 5.0.2 added

Updated with Auto

  • chardet 3.0.4 downgrade
  • psutil 5.3.1 downgrade
  • adodbapi 2.6.2.0 update
  • bleach 3.3.1 update
  • boto3 1.17.108 update
  • botocore 1.20.111 update
  • certifi 2020.12.5 update
  • cffi 1.14.6 update
  • cython 0.29.24 update
  • docutils 0.18 update
  • elasticsearch 7.15.1 update
  • eventlet 0.31.1 update
  • filelock 3.2.1 update
  • gevent 1.3.2.post0 update
  • greenlet 1.1.2 update
  • html5lib 1.1 update
  • httplib2 0.20.2 update
  • jsonpointer 2.2 update
  • mako 1.1.5 update
  • openssl 1.11.0.12 update
  • pathlib2 2.3.6 update
  • pillow 6.2.2.1 update
  • pkginfo 1.7.1 update
  • py 1.11.0 update
  • pycryptodome 3.11.0 update
  • pyrsistent 0.16.1 update
  • pytest 4.6.11 update
  • pytest-xdist 1.34.0 update
  • python-dateutil 2.8.2 update
  • pytz 2021.3 update
  • requests 2.25.0 update
  • s3transfer 0.4.2 update
  • singledispatch 3.7.0 update
  • soupsieve 1.9.6 update
  • tox 3.24.4 update
  • tqdm 4.62.0 update
  • urllib3 1.26.7 update
  • wcwidth 0.2.4 update
  • win_iconv update
  • zipp 1.2.0 update

June 2021 Release

ActivePython Enterprise Versions with Fix: 2.7.18.4

Python Core CVEs

No changes

Updated Python Packages CVEs \

Package: eventlet

Versions Impacted: Versions before 0.31.0

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-21419

Package: lxml

Versions Impacted: Versions before 4.6.3

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-28957 \

Non-Updated Python Packages with known CVEs

Legend - Number present at each severity (C)ritical, (H)igh, (M)edium
\

  • Python 2.7.18.4 2x “Disputed” or “Unscored”. \
  • libxml2 4xH 1xM Updates are incompatible. \
  • freetype2 1xM Cannot be upgraded without upgrading Pillow. \
  • pandas 1xC “Disputed” and no update for 2.7 available. \
  • pillow 1xC 10xH 5xM No update for 2.7 available. \
  • pygments 2xH No update for 2.7 available. \
  • redis 3xH 1xM No update available. \
  • requests 1xH No update for 2.7 is available. \
  • elasticsearch 3xM No update available. \
  • tornado 1xM No update for 2.7 available.

Other changes in build

  • numpy pinned to 1.16.6 \
  • boto3 pinned to 1.17.42

Updated with Auto

  • attrs to 21.2.0 \
  • babel to 2.9.1 \
  • flask to 1.1.4 \
  • pycodestyle down to 2.3.1 \
  • pyflakes down to 1.6.0 \
  • pytest-cov to 2.12.0 \
  • six to 1.16.0 \
  • tox to 3.23.1 \
  • tqdm to 4.61.0 \
  • urllib3 to 1.26.5 \
  • virtualenv to 20.4.7

Updated Dependencies

- apipkg removed \

  • distlib to 0.3.2 \
  • execnet to 1.9.0 \
  • greenlet to 1.1.0 \
  • importlib-resources to 3.3.1 \
  • singledispatch to 3.6.2 \
  • sortedcontainers to 2.4.0

April 2021 Release \

ActivePython Enterprise Versions with Fix: 2.7.18.4

Python Core CVEs

Language Core: Python Core (Cpython)

Versions Impacted: Python versions 2.7.18.1, .2, & .3

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23336

Python Packages CVEs


Package: OpenSSL

Versions Impacted: Versions before 1.2

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23840

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-0732

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23840

Package: OpenSSL

Versions Impacted: Versions before 1.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-1971

Package: OpenSSL

Versions Impacted: Versions before 1.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23841

Package: OpenSSL

Versions Impacted: Versions before 1.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3449

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-1547

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-1551

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-1971

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23841

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Low

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-1552

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Low

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-1563

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Low

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-1968

Package: OpenSSL

Versions Impacted: Versions before 1.2.21.2

Severity: Low

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-23839

February 2021 Release \

ActivePython Enterprise Versions with Fix: 2.7.18.3

Python Core CVEs

Language Core: Python Core (Cpython)

Versions Impacted: Python versions 2.7.18.2 & 3

Severity: Critical
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3177
NOTE: Please see separate CVE notification attached.

Python Packages CVEs


Package: bzip2

Versions Impacted: Versions before 1.0.7

Severity: Critical
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-12900 \


Package: cryptography

Versions Impacted: In the cryptography package before 3.3.2

Severity: Critical
URL:https://nvd.nist.gov/vuln/detail/CVE-2020-36242


Package: pyYAML

Versions Impacted: PyYAML library in versions before 5.4

Severity: Critical
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-14343


Package: elasticsearch

Versions Impacted: Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2

Severity: High
URL:https://nvd.nist.gov/vuln/detail/CVE-2020-7009

Package: httplib2

Versions Impacted: In httplib2 before version 0.19.0

Severity: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-21240

Package: lxml

Versions Impacted: Versions from 1.2 up to 4.6.2

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-27783 \

Package: httplib2

Versions Impacted: In httplib2 before version 0.18.0

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-11078

Package: jinja2

Versions Impacted: package jinja2 from 0.0.0 and before 2.11.3
Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-28493


Package: bleach

Versions Impacted: Bleach versions before 3.1.4.

Severity: Medium

CVE details: CVE-2020-6817

Package: openssl

Versions Impacted: All OpenSSL 1.1.1 and 1.0.2 versions

Severity: Medium

CVE details: CVE-2020-1971

November 2020 Release \

ActivePython Enterprise Versions with Fix: 2.7.18.2

Python Core CVEs


Language Core: Python core (CPython)

Versions Impacted: 2.7.18.1

Severity: Critical
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-27619


Package: Python core (CPython)

Versions Impacted: 2.7.18.1

Severity: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-26116 \


Package: Python core (CPython)

Versions Impacted: 2.7.18.1

Severity: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-20907

Python Packages CVEs

Package: libxslt

Versions Impacted: Versions before 1.1.34

ActivePython Enterprise Versions with Fix:1.1.34

Severity: Critical
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-11068

Package: urllib3

Versions Impacted: Versions before 1.25.8

ActivePython Enterprise Versions with Fix: 1.25.8 or higher

Severity: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-7212

\

Package: pySAML

Versions Impacted: Versions before 5.0.0

ActivePython Enterprise Versions with Fix: 5.0.0

Severity: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-5390

Package: urllib3

Versions Impacted: Versions before 1.25.9

ActivePython Enterprise Versions with Fix: 1.25.9 or higher

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-26137
\

Package: Twisted

Versions Impacted: Versions before 19.2.1

ActivePython Enterprise Versions with Fix: 19.2.1 or higher

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-12387

August 2020 Release \

ActivePython Enterprise Versions with Fix: 2.7.18.1

Python Core CVEs

Language Core: Python core (CPython)

Versions Impacted: 2.7.18

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-8492 \

Python Packages CVEs

Package: Pillow

Versions Impacted: In Pillow before 6.2.2

ActivePython Enterprise Versions with Fix: 6.2.2 or higher

Severity: Critical
URL:
https://nvd.nist.gov/vuln/detail/CVE-2020-5311

https://nvd.nist.gov/vuln/detail/CVE-2020-5310

https://nvd.nist.gov/vuln/detail/CVE-2020-5312

https://nvd.nist.gov/vuln/detail/CVE-2020-5313

Package: Python core dependency (SQLite )

Versions Impacted: All versions prior to 3.31.1

Severity: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-11655

Package: Bleach

Versions Impacted: In Mozilla Bleach before 3.1.2

ActivePython Enterprise Versions with Fix: 3.1.2 or higher

Severity: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-6816
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-6802

If you have any questions, please contact enterprise-support@activestate.com.