- python3.9 (3.9.2-1+rpi1+deb11u4) bullseye-staging; urgency=medium
++python3.9 (3.9.2-1+rpi1+deb11u6) bullseye-staging; urgency=medium
+
+ [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 30 Jul 2020 10:10:07 +0000]
+ * Disable testsuite (test_concurrent_futures seems to hang)
+
- -- Raspbian forward porter <root@raspbian.org> Sat, 24 Jan 2026 09:41:14 +0000
++ -- Raspbian forward porter <root@raspbian.org> Thu, 16 Apr 2026 14:02:46 +0000
++
+ python3.9 (3.9.2-1+deb11u6) bullseye-security; urgency=medium
+
+ * Revert fixes for CVE-2025-15366 and CVE-2025-15367. It was found that
+ those changes break backward compatibility, and upstream didn't backport
+ it to any branch. More details can be found in discussions on the upstream
+ bugtracker (issues and merge requests).
+ * Apply upstream patch for the following CVE:
+ - CVE-2026-6100: Use-after-free (UAF) was possible in the
+ `lzma.LZMADecompressor` and `bz2.BZ2Decompressor` when a memory
+ allocation fails with a `MemoryError` and the decompression instance is
+ re-used. This scenario can be triggered if the process is under memory
+ pressure.
+
+ -- Arnaud Rebillout <arnaudr@debian.org> Tue, 14 Apr 2026 11:38:32 +0700
+
+ python3.9 (3.9.2-1+deb11u5) bullseye; urgency=medium
+
+ * Apply upstream patch to fix regression after CVE-2025-12084 fix
+ (see #1122875 for more details)
+ * Apply upstream patched for the following CVEs:
+ - CVE-2025-11468: Folding email comments of unfoldable characters
+ didn't preserve parenthesis which could be abused.
+ - CVE-2025-15282: User-controlled data URLs parsed by urllib allowed
+ injecting headers through newlines in the data URL mediatype.
+ - CVE-2025-15366: User-controlled command could have additional commands
+ injected using newlines.
+ - CVE-2025-15367: User-controlled command could have additional commands
+ injected using newlines.
+ - CVE-2026-0672: User-controlled cookie values and parameters could be
+ used to inject HTTP headers into messages.
+ - CVE-2026-0865: User-controlled header names and values containing
+ newlines could be used to inject HTTP headers.
+ - CVE-2026-1299: email module allowed header injection in the
+ BytesGenerator class.
+
+ -- Andrej Shadura <andrewsh@debian.org> Sun, 25 Jan 2026 14:37:52 +0100
python3.9 (3.9.2-1+deb11u4) bullseye-security; urgency=medium
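Review bot: the forward-port carries the whole-suite disable from 3.9.0~b5-2+rpi1 ("Disable testsuite (test_concurrent_futures seems to hang)") into a rebase that now inherits the CVE-2026-6100 use-after-free fix for `lzma.LZMADecompressor` / `bz2.BZ2Decompressor` and the revert of the CVE-2025-15366 / CVE-2025-15367 changes, so none of that inherited security delta is exercised at build time on the Raspbian side. Suggest either narrowing the disable to the single hanging test so the lzma/bz2 and urllib/http/email regression tests from deb11u5 and deb11u6 still run, or recording in the +rpi1+deb11u6 entry that those tests were run out of band; a blanket "test suite disabled" line next to a security rebase gives a reader no way to tell whether the backport was verified.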