From: Raspbian automatic forward porter Date: Thu, 16 Apr 2026 14:02:46 +0000 (+0100) Subject: Merge version 3.9.2-1+rpi1+deb11u4 and 3.9.2-1+deb11u6 to produce 3.9.2-1+rpi1+deb11u6 X-Git-Tag: archive/raspbian/3.9.2-1+rpi1+deb11u6^0 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/%22mailto:ematirov%40gmail.com//%22mailto:i18n-csb%40linuxcsb.org/%22/%22http:/www.example.com/%22mailto:ematirov%40gmail.com/%22mailto:i18n-csb%40linuxcsb.org/%22?a=commitdiff_plain;h=71230df188737914284ee90e63f2e7eabcb52c45;p=python3.9.git Merge version 3.9.2-1+rpi1+deb11u4 and 3.9.2-1+deb11u6 to produce 3.9.2-1+rpi1+deb11u6 --- 71230df188737914284ee90e63f2e7eabcb52c45 diff --cc debian/changelog index 54caf44,c4a2b76..e2ea4f2 --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,39 +1,46 @@@ - python3.9 (3.9.2-1+rpi1+deb11u4) bullseye-staging; urgency=medium ++python3.9 (3.9.2-1+rpi1+deb11u6) bullseye-staging; urgency=medium + + [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green at Thu, 30 Jul 2020 10:10:07 +0000] + * Disable testsuite (test_concurrent_futures seems to hang) + - -- Raspbian forward porter Sat, 24 Jan 2026 09:41:14 +0000 ++ -- Raspbian forward porter Thu, 16 Apr 2026 14:02:46 +0000 ++ + python3.9 (3.9.2-1+deb11u6) bullseye-security; urgency=medium + + * Revert fixes for CVE-2025-15366 and CVE-2025-15367. It was found that + those changes break backward compatibility, and upstream didn't backport + it to any branch. More details can be found in discussions on the upstream + bugtracker (issues and merge requests). + * Apply upstream patch for the following CVE: + - CVE-2026-6100: Use-after-free (UAF) was possible in the + `lzma.LZMADecompressor` and `bz2.BZ2Decompressor` when a memory + allocation fails with a `MemoryError` and the decompression instance is + re-used. This scenario can be triggered if the process is under memory + pressure. 
+ + -- Arnaud Rebillout Tue, 14 Apr 2026 11:38:32 +0700 + + python3.9 (3.9.2-1+deb11u5) bullseye; urgency=medium + + * Apply upstream patch to fix regression after CVE-2025-12084 fix + (see #1122875 for more details) + * Apply upstream patched for the following CVEs: + - CVE-2025-11468: Folding email comments of unfoldable characters + didn't preserve parenthesis which could be abused. + - CVE-2025-15282: User-controlled data URLs parsed by urllib allowed + injecting headers through newlines in the data URL mediatype. + - CVE-2025-15366: User-controlled command could have additional commands + injected using newlines. + - CVE-2025-15367: User-controlled command could have additional commands + injected using newlines. + - CVE-2026-0672: User-controlled cookie values and parameters could be + used to inject HTTP headers into messages. + - CVE-2026-0865: User-controlled header names and values containing + newlines could be used to inject HTTP headers. + - CVE-2026-1299: email module allowed header injection in the + BytesGenerator class. + + -- Andrej Shadura Sun, 25 Jan 2026 14:37:52 +0100 python3.9 (3.9.2-1+deb11u4) bullseye-security; urgency=medium
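Review bot: the forward-ported entry keeps "Disable testsuite (test_concurrent_futures seems to hang)" while this merge also pulls in the CVE-2026-6100 fix for a use-after-free in `lzma.LZMADecompressor` and `bz2.BZ2Decompressor`, so the Raspbian build never exercises the patched decompressor code paths; consider excluding only the hanging test (test_concurrent_futures) and letting the rest of the suite run, so at minimum test_lzma and test_bz2 still validate the security backports at build time. Separately, the inherited deb11u5 entry reads "Apply upstream patched for the following CVEs" where "patches" is meant; since this line is now carried into the rpi1 changelog it could be corrected in the rpi1 entry rather than propagated further.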