Raspbian automatic forward porter [Thu, 16 Apr 2026 14:02:46 +0000 (15:02 +0100)]
Merge version 3.9.2-1+rpi1+deb11u4 and 3.9.2-1+deb11u6 to produce 3.9.2-1+rpi1+deb11u6
Arnaud Rebillout [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
Merge python3.9 (3.9.2-1+deb11u6) import into refs/heads/workingbranch
Stan Ulbrych [Mon, 13 Apr 2026 21:42:36 +0000 (22:42 +0100)]
[PATCH] [3.11] gh-148395: Fix a possible UAF in `{LZMA,BZ2}Decompressor` (GH-148396) (#148504)
Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2)
Origin: upstream, https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b
Gbp-Pq: Name CVE-2026-6100.patch
Seth Michael Larson [Fri, 23 Jan 2026 14:59:35 +0000 (08:59 -0600)]
gh-144125: email: verify headers are sound in BytesGenerator
Co-authored-by: Denis Ledoux <dle@odoo.com>
Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
Origin: backport, https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
Gbp-Pq: Name CVE-2026-1299.patch
Seth Michael Larson [Mon, 19 Jan 2026 12:38:22 +0000 (06:38 -0600)]
gh-143935: Email preserve parens when folding comments (#143936)
Fix a bug in the folding of comments when flattening an email message
using a modern email policy. Comments consisting of a very long sequence of
non-foldable characters could trigger a forced line wrap that omitted the
required leading space on the continuation line, causing the remainder of
the comment to be interpreted as a new header field. This enabled header
injection with carefully crafted inputs.
Co-authored-by: Denis Ledoux <dle@odoo.com>
Origin: backport, https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2
Gbp-Pq: Name CVE-2025-11468.patch
Seth Michael Larson [Tue, 20 Jan 2026 20:45:58 +0000 (14:45 -0600)]
gh-143925: Reject control characters in data: URL mediatypes
Origin: upstream, https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f
Gbp-Pq: Name CVE-2025-15282.patch
Seth Michael Larson [Tue, 20 Jan 2026 21:23:42 +0000 (15:23 -0600)]
gh-143919: Reject control characters in http cookies
Co-authored-by: Bartosz Sławecki <bartosz@ilikepython.com>
Co-authored-by: sobolevn <mail@sobolevn.me>
Origin: upstream, https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70
Gbp-Pq: Name CVE-2026-0672.patch
Gregory P. Smith [Tue, 20 Jan 2026 22:51:43 +0000 (14:51 -0800)]
[3.10] gh-143916: Reject control characters in wsgiref.headers.Headers
gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917)
* Add 'test.support' fixture for C0 control characters
* gh-143916: Reject control characters in wsgiref.headers.Headers
(cherry picked from commit f7fceed79ca1bceae8dbe5ba5bc8928564da7211)
(cherry picked from commit 22e4d55285cee52bc4dbe061324e5f30bd4dee58)
Co-authored-by: Seth Michael Larson <seth@python.org>
Origin: backport, https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2
Gbp-Pq: Name CVE-2026-0865.patch
Petr Viktorin [Tue, 16 Dec 2025 12:20:48 +0000 (13:20 +0100)]
gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (#142794)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Origin: backport, https://github.com/python/cpython/commit/1cc7551b3f9f71efbc88d96dce90f82de98b2454
Debian-Bug: https://bugs.debian.org/1122875
Gbp-Pq: Name CVE-2025-12084-2.patch
Andrej Shadura [Mon, 19 Jan 2026 12:56:43 +0000 (13:56 +0100)]
Add a minimal test.support.os_helper
The test for CVE-2025-13837 needs os_helper.{TESTFN,unlink}.
Forwarded: not-needed
Gbp-Pq: Name CVE-2025-13837-2.patch
Miss Islington (bot) [Mon, 1 Dec 2025 15:50:28 +0000 (16:50 +0100)]
[3.13] gh-119342: Fix a potential denial of service in plistlib (GH-119343) (GH-142144)
Reading a specially prepared small Plist file could cause OOM because file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: backport, https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba
Gbp-Pq: Name CVE-2025-13837.patch
Miss Islington (bot) [Fri, 5 Dec 2025 15:21:57 +0000 (16:21 +0100)]
[3.13] gh-119451: Fix a potential denial of service in http.client (GH-119454) (#142139)
gh-119451: Fix a potential denial of service in http.client (GH-119454)
Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
(cherry picked from commit 5a4c4a033a4a54481be6870aa1896fad732555b5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: upstream, https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
Gbp-Pq: Name CVE-2025-13836.patch
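The chunked-read pattern that the plistlib (gh-119342) and http.client (gh-119451) fixes above both rely on, as an added example that is not CPython's code: a tracking reader stands in for the file or socket object and records the largest `read(n)` it receives, since in a buffered reader that `n` is the size allocated before any data is copied. The reader class, `read_preallocating`, `read_chunked`, the 64 KiB chunk size and the sample body are all constructed for this illustration.

```python
import io

# Constructed sample: the peer claims an enormous length but only ever
# sends eleven bytes.  For http.client this is the Content-Length header;
# for plistlib it is the length field of a data object inside the file.
DECLARED_LENGTH = 2 ** 40        # 1 TiB claimed by the peer
ACTUAL_BODY = b"hello world"     # what actually arrives
CHUNK_SIZE = 64 * 1024           # assumed read granularity for the fixed code


class RequestTrackingReader:
    """Stand-in for a socket or file object.  It serves the payload and
    records the largest read(n) it was asked for: in a buffered reader that
    n is the size of the bytes object allocated up front, so it is the
    quantity an attacker-controlled length inflates."""

    def __init__(self, payload):
        self._buf = io.BytesIO(payload)
        self.max_request = 0

    def read(self, n=-1):
        if n is not None and n >= 0:
            self.max_request = max(self.max_request, n)
        return self._buf.read(n)


def read_preallocating(fp, length):
    """Pre-fix behaviour: a single read(length), so the allocation is sized
    by the declared length rather than by the data the peer sends."""
    return fp.read(length)


def read_chunked(fp, length, chunk_size=CHUNK_SIZE):
    """Post-fix behaviour: never request more than chunk_size at once and
    stop at EOF, so peak memory is proportional to the data received."""
    parts = []
    remaining = length
    while remaining > 0:
        data = fp.read(min(remaining, chunk_size))
        if not data:          # peer closed early: do not wait or spin
            break
        parts.append(data)
        remaining -= len(data)
    return b"".join(parts)


def demo_preallocating():
    """Return (body, largest read request) for the pre-fix pattern."""
    fp = RequestTrackingReader(ACTUAL_BODY)
    return read_preallocating(fp, DECLARED_LENGTH), fp.max_request


def demo_chunked():
    """Return (body, largest read request) for the chunked pattern."""
    fp = RequestTrackingReader(ACTUAL_BODY)
    return read_chunked(fp, DECLARED_LENGTH), fp.max_request


if __name__ == "__main__":
    body, peak = demo_preallocating()
    print(f"preallocating: got {len(body)} bytes, largest request {peak}")
    body, peak = demo_chunked()
    print(f"chunked:       got {len(body)} bytes, largest request {peak}")
```

The real http.client reports a body shorter than its Content-Length as IncompleteRead; this sketch simply returns what arrived.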
Miss Islington (bot) [Fri, 5 Dec 2025 15:24:38 +0000 (16:24 +0100)]
[3.13] gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146) (#142210)
gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
* Remove quadratic behavior in node ID cache clearing
* Add news fragment
---------
(cherry picked from commit 08d8e18ad81cd45bc4a27d6da478b51ea49486e4)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
Origin: upstream, https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964
Gbp-Pq: Name CVE-2025-12084.patch
Miss Islington (bot) [Tue, 7 Oct 2025 19:16:10 +0000 (21:16 +0200)]
[3.9] gh-139700: Check consistency of the zip64 end of central directory record (GH-139702) (GH-139708) (#139715)
Support records with "zip64 extensible data" if there are no bytes
prepended to the ZIP file.
(cherry picked from commit 333d4a6f4967d3ace91492a39ededbcf3faa76a6)
(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: upstream, https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196
Gbp-Pq: Name CVE-2025-8291.patch
Victor Stinner [Sat, 13 Sep 2025 20:34:15 +0000 (22:34 +0200)]
[3.9] gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027) (GH-137645)
gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38)
Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Origin: upstream, https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19
Gbp-Pq: Name CVE-2025-8194.patch
Łukasz Langa [Fri, 31 Oct 2025 16:05:53 +0000 (17:05 +0100)]
[3.9] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) (GH-140839)
(cherry picked from commit f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Origin: backport, https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c
Gbp-Pq: Name CVE-2025-6075.patch
Serhiy Storchaka [Thu, 3 Jul 2025 21:06:00 +0000 (00:06 +0300)]
[3.9] gh-135462: Fix quadratic complexity in processing special input in HTMLParser (GH-135464) (GH-135486)
End-of-file errors are now handled according to the HTML5 specs --
comments and declarations are automatically closed, tags are ignored.
(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
Origin: upstream, https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49
Gbp-Pq: Name CVE-2025-6069.patch
Serhiy Storchaka [Mon, 2 Jun 2025 15:58:01 +0000 (18:58 +0300)]
[3.9] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) (GH-133944) (#134346)
* [3.9] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) (GH-133944)
If the error handler is used, a new bytes object is created to set as
the object attribute of UnicodeDecodeError, and that bytes object then
replaces the original data. A pointer to the decoded data will become invalid
after destroying that temporary bytes object. So we need another way to return
the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().
_PyBytes_DecodeEscape() does not have such an issue, because it does not
use the error handlers registry, but it should be changed for compatibility
with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e)
(cherry picked from commit 6279eb8c076d89d3739a6edb393e43c7929b429d)
(cherry picked from commit a75953b347716fff694aa59a7c7c2489fa50d1f5)
(cherry picked from commit 0c33e5baedf18ebcb04bc41dff7cfc614d5ea5fe)
(cherry picked from commit 8b528cacbbde60504f6ac62784d04889d285f18b)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: upstream, https://github.com/python/cpython/commit/8d35fd1b34935221aff23a1ab69a429dd156be77
Gbp-Pq: Name CVE-2025-4516-6.patch
Serhiy Storchaka [Tue, 22 Aug 2023 18:25:15 +0000 (21:25 +0300)]
[3.9] gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data (GH-99613) (GH-107224) (#107231)
Previously *consumed was not set in this case.
(cherry picked from commit f08e52ccb027f6f703302b8c1a82db9fd3934270)
(cherry picked from commit b8b3e6afc0a48c3cbb7c36d2f73e332edcd6058c)
Origin: upstream, https://github.com/python/cpython/commit/4a793281956db0e4a1ca5fdc5f3a0e91f331a75d
Gbp-Pq: Name CVE-2025-4516-5.patch
Miss Islington (bot) [Mon, 2 May 2022 09:59:40 +0000 (02:59 -0700)]
bpo-36819: Fix crashes in built-in encoders with weird error handlers (GH-28593)
If the error handler returns position less or equal than the starting
position of non-encodable characters, most of built-in encoders didn't
properly re-size the output buffer. This led to out-of-bounds writes,
and segfaults.
(cherry picked from commit 18b07d773e09a2719e69aeaa925d5abb7ba0c068)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: upstream, https://github.com/python/cpython/commit/206f416bd07ca3bc9c8bafd124c943d4d0293039
Gbp-Pq: Name CVE-2025-4516-4.patch
Miss Islington (bot) [Thu, 14 Apr 2022 01:38:55 +0000 (18:38 -0700)]
gh-91421: Use constant value check during runtime (GH-91422) (GH-91493)
The left-hand side expression of the if-check can be converted to a
constant by the compiler, but the addition on the right-hand side is
performed during runtime.
Move the addition from the right-hand side to the left-hand side by
turning it into a subtraction there. Since the values are known to
be large enough to not turn negative, this is a safe operation.
Prevents a very unlikely integer overflow on 32 bit systems.
Fixes GH-91421.
(cherry picked from commit 0859368335d470b9ff33fc53ed9a85ec2654b278)
Co-authored-by: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
Origin: upstream, https://github.com/python/cpython/commit/edf1a77f239069235f59103cfd8ce7f939c7fd10
Gbp-Pq: Name CVE-2025-4516-3.patch
Serhiy Storchaka [Thu, 14 Oct 2021 18:23:52 +0000 (21:23 +0300)]
bpo-45467: Fix IncrementalDecoder and StreamReader in the "raw-unicode-escape" codec (GH-28944) (GH-28953)
They now support splitting escape sequences between input chunks.
Add the third parameter "final" in codecs.raw_unicode_escape_decode().
It is True by default to match the former behavior.
(cherry picked from commit 39aa98346d5dd8ac591a7cafb467af21c53f1e5d)
Origin: upstream, https://github.com/python/cpython/commit/684860280687561f6312e206c4ccfbe4baa17e89
Gbp-Pq: Name CVE-2025-4516-2.patch
Serhiy Storchaka [Thu, 14 Oct 2021 17:03:29 +0000 (20:03 +0300)]
[3.9] bpo-45461: Fix IncrementalDecoder and StreamReader in the "unicode-escape" codec (GH-28939) (GH-28945)
They now support splitting escape sequences between input chunks.
Add the third parameter "final" in codecs.unicode_escape_decode().
It is True by default to match the former behavior.
(cherry picked from commit c96d1546b11b4c282a7e21737cb1f5d16349656d)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Origin: backport, https://github.com/python/cpython/commit/7c722e32bf582108680f49983cf01eaed710ddb9
Gbp-Pq: Name CVE-2025-4516-1.patch
Theo Buehler [Fri, 28 Oct 2022 10:08:06 +0000 (03:08 -0700)]
[3.9] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98526)
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
Origin: upstream, https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8
Gbp-Pq: Name CVE-2022-37454.patch
Senthil Kumaran [Mon, 3 May 2021 19:08:59 +0000 (12:08 -0700)]
[PATCH] [3.9] bpo-43882 Remove the newline, and tab early. From query and fragments. (#25853)
* Remove the newline, and tab early. From query and fragments.
Gbp-Pq: Name CVE-2022-0391-2.patch
Miss Islington (bot) [Thu, 29 Apr 2021 17:57:31 +0000 (10:57 -0700)]
[PATCH] [3.9] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25725)
* bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
Gbp-Pq: Name CVE-2022-0391-1.patch
Serhiy Storchaka [Thu, 23 May 2024 12:09:03 +0000 (15:09 +0300)]
[PATCH] [3.11] gh-118643: Fix AttributeError in the email module (GH-119099) (#119393)
Fix regression introduced in gh-100884: AttributeError when re-fold a long
address list.
Also fix more cases of incorrect encoding of the address separator in the
address list missed in gh-100884.
(cherry picked from commit 858b9e85fcdd495947c9e892ce6e3734652c48f2)
(cherry picked from commit 4762b365406a8cf026a4a4ddcae34c28a41c3de9)
Gbp-Pq: Name CVE-2025-1795-2.patch
Miss Islington (bot) [Sat, 17 Feb 2024 13:01:02 +0000 (14:01 +0100)]
[PATCH] [3.11] gh-100884: email/_header_value_parser: don't encode list separators (GH-100885) (GH-115593)
ListSeparator should not be encoded. This could happen when a long line
pushes its separator to the next line, which would have been encoded.
(cherry picked from commit 09fab93c3d857496c0bd162797fab816c311ee48)
Co-authored-by: Thomas Weißschuh <thomas@t-8ch.de>
(cherry picked from commit 70754d21c288535e86070ca7a6e90dcb670b8593)
Gbp-Pq: Name CVE-2025-1795-1.patch
Seth Michael Larson [Fri, 31 Jan 2025 17:41:34 +0000 (11:41 -0600)]
[PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain names for parsed URLs (GH-129418)
* gh-105704: Disallow square brackets (`[` and `]`) in domain names for parsed URLs
* Use Sphinx references
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
* Add mismatched bracket test cases, fix news format
* Add more test coverage for ports
---------
(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
origin: https://github.com/python/cpython/commit/b1e8501473c59485a55452dda94270a61c9ce14d
bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-0938
bug: https://github.com/python/cpython/pull/129530
Gbp-Pq: Name CVE-2025-0938.patch
Miss Islington (bot) [Wed, 20 Oct 2021 13:50:31 +0000 (06:50 -0700)]
bpo-45436: Fix tkinter tests with Tcl/Tk 8.6.11+ (GH-29077) (GH-29081)
Since v8.6.11, a few configuration options seem to accept an empty value
where they did not previously; particularly the `type` of a `Menu`
widget, and the `compound` of any ttk widget with a label. Providing an
explicit expected error message to `checkEnumParam` bypasses the check
of an empty value, which no longer raises `TclError`.
(cherry picked from commit 4fe454c6f54b0948af67b53af6c2f35af6377e69)
Co-authored-by: Zachary Ware <zach@python.org>
Gbp-Pq: Name 0030-bpo-45436-Fix-tkinter-tests-with-Tcl-Tk-8.6.11-GH-29.patch
Seth Michael Larson [Wed, 21 Feb 2024 11:22:55 +0000 (05:22 -0600)]
[3.9] Fix tests for XMLPullParser with Expat 2.6.0 (GH-115133) (GH-115535)
Feeding the parser by too small chunks defers parsing to prevent
CVE-2023-52425. Future versions of Expat may be more reactive.
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0029-3.9-Fix-tests-for-XMLPullParser-with-Expat-2.6.0-GH-.patch
Miss Islington (bot) [Mon, 21 Feb 2022 16:16:23 +0000 (08:16 -0800)]
bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31469)
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them as invalid URIs.
libexpat >=2.4.5 has become stricter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.
References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/
Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
Gbp-Pq: Name 0028-bpo-46811-Make-test-suite-support-Expat-2.4.5-GH-314.patch
Miss Islington (bot) [Wed, 10 May 2023 06:35:24 +0000 (23:35 -0700)]
[3.11] gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849) (#104349)
gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849)
* Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format
---------
(cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5)
Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0027-3.11-gh-103848-Adds-checks-to-ensure-that-bracketed-.patch
Victor Stinner [Mon, 4 Nov 2024 15:16:35 +0000 (16:16 +0100)]
[3.9] gh-124651: Quote template strings in `venv` activation scripts (GH-124712) (GH-126185) (GH-126269) (GH-126301)
(cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97)
Gbp-Pq: Name 0026-3.9-gh-124651-Quote-template-strings-in-venv-activat.patch
Jason R. Coombs [Wed, 4 Sep 2024 15:46:48 +0000 (11:46 -0400)]
[3.9] gh-123270: Replaced SanitizedNames with a more surgical fix. (GH-123354) (#123432)
Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6)
(cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
Gbp-Pq: Name 0025-3.9-gh-123270-Replaced-SanitizedNames-with-a-more-su.patch
Miss Islington (bot) [Wed, 4 Sep 2024 15:49:40 +0000 (17:49 +0200)]
[3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) (#123107)
This fixes CVE-2024-7592.
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0024-3.9-gh-123067-Fix-quadratic-complexity-in-parsing-qu.patch
Łukasz Langa [Wed, 4 Sep 2024 15:39:02 +0000 (17:39 +0200)]
[3.9] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122610)
Per RFC 2047:
> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects
It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.
This should fail for custom fold() implementations that aren't careful
about newlines.
(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0023-3.9-gh-121650-Encode-newlines-in-headers-and-verify-.patch
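A standalone soundness check of the kind the gh-143935 (comment folding) and gh-121650 (newlines in headers) fixes above rely on, as an added example that is not CPython's email package: it walks a serialized header block and flags a continuation line that lost its leading whitespace, a field name that was not in the original message, and a bare control character that survived encoding. The header blocks are constructed for this illustration; the field-name pattern is RFC 5322's (printable US-ASCII other than the colon).

```python
import re

# RFC 5322 field name: one or more printable US-ASCII characters other
# than the colon, immediately followed by the colon.
_FIELD_NAME = re.compile(rb"^([!-9;-~]+):")

# Constructed header blocks, as a generator would have written them.
GOOD_BLOCK = (b"Subject: test\r\n"
              b"To: a@example.com (a long\r\n comment)\r\n")
# The folding bug: the continuation of the comment lost its leading space.
BAD_FOLD_BLOCK = b"To: a@example.com (a long\r\ncomment)\r\n"
# Worse: the orphaned continuation happens to look like a header field.
UNEXPECTED_FIELD_BLOCK = b"To: a@example.com (a long\r\nX-Unexpected: value)\r\n"
# A bare LF that was never encoded survives inside a value.
RAW_NEWLINE_BLOCK = b"Subject: first\nsecond\r\n"


def check_header_block(serialized, expected_names):
    """Return a list of problems found in a CRLF-terminated header block.

    Sound output has: every line either a field or a whitespace-led
    continuation; the sequence of field names equal to the names that were
    in the message being flattened; and no control character other than
    HTAB inside any line (CR and LF appear only as line terminators)."""
    problems = []
    names = []
    if not serialized.endswith(b"\r\n"):
        problems.append("header block does not end with CRLF")
    lines = serialized.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                      # empty piece after the final CRLF
    for lineno, line in enumerate(lines, 1):
        if any(b < 0x20 and b != 0x09 for b in line):
            problems.append(f"line {lineno}: bare control character inside header")
        if line[:1] in (b" ", b"\t"):    # folded continuation line
            if not names:
                problems.append(f"line {lineno}: continuation before any field")
            continue
        m = _FIELD_NAME.match(line)
        if m is None:
            problems.append(f"line {lineno}: not a field and not a continuation: {line!r}")
            continue
        names.append(m.group(1).decode("ascii"))
    if names != list(expected_names):
        problems.append(f"field names {names} differ from expected {list(expected_names)}")
    return problems


if __name__ == "__main__":
    for label, block, expected in [
        ("good", GOOD_BLOCK, ["Subject", "To"]),
        ("lost leading space", BAD_FOLD_BLOCK, ["To"]),
        ("unexpected field", UNEXPECTED_FIELD_BLOCK, ["To"]),
        ("raw newline", RAW_NEWLINE_BLOCK, ["Subject"]),
    ]:
        print(label, "->", check_header_block(block, expected) or "sound")
```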
Seth Michael Larson [Wed, 4 Sep 2024 15:46:01 +0000 (10:46 -0500)]
[3.9] gh-121285: Remove backtracking when parsing tarfile headers (GH-121286) (#123641)
* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0
(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0022-3.9-gh-121285-Remove-backtracking-when-parsing-tarfi.patch
Petr Viktorin [Tue, 7 May 2024 09:57:58 +0000 (11:57 +0200)]
[3.9] gh-113171: gh-65056: Fix "private" (non-global) IP address ranges (GH-113179) (GH-113186) (GH-118177) (GH-118472)
The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).
This patch updates the ranges with what was missing or otherwise
incorrect.
100.64.0.0/10 is left alone, for now, as it's been made special in [1].
The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.
[1] https://github.com/python/cpython/issues/61602
In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test was backported from), it checks
whether they both are in the same private network.
For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
---------
Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
Gbp-Pq: Name 0021-3.9-gh-113171-gh-65056-Fix-private-non-global-IP-add.patch
Miss Islington (bot) [Wed, 17 Jan 2024 13:48:06 +0000 (14:48 +0100)]
[3.9] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915)
Raise BadZipFile when try to read an entry that overlaps with other entry or
central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0020-3.9-gh-109858-Protect-zipfile-from-quoted-overlap-zi.patch
Seth Michael Larson [Fri, 10 May 2024 11:46:12 +0000 (06:46 -0500)]
[3.9] gh-114572: Fix locking in cert_store_stats and get_ca_certs (#118109)
Gbp-Pq: Name 0019-3.9-gh-114572-Fix-locking-in-cert_store_stats-and-ge.patch
Łukasz Langa [Thu, 24 Aug 2023 10:09:11 +0000 (12:09 +0200)]
[3.9] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407)
* In preauth tests of test_ssl, explicitly break reference cycles
involving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catches TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Co-authored-by: Victor Stinner <vstinner@python.org>
Gbp-Pq: Name 0018-3.9-gh-108342-Make-ssl-TestPreHandshakeClose-more-re.patch
Miss Islington (bot) [Wed, 23 Aug 2023 10:10:49 +0000 (03:10 -0700)]
[3.9] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351)
Explicitly break a reference cycle when SSLSocket._create() raises an
exception. Clear the variable storing the exception, since the
exception traceback contains the variables and so creates a reference
cycle.
This test leak was introduced by the test added for the fix of GH-108310.
(cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3)
Co-authored-by: Victor Stinner <vstinner@python.org>
Gbp-Pq: Name 0017-3.9-gh-108342-Break-ref-cycle-in-SSLSocket._create-e.patch
Łukasz Langa [Tue, 22 Aug 2023 17:57:10 +0000 (19:57 +0200)]
[3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peer's TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Gbp-Pq: Name 0016-3.9-gh-108310-Fix-CVE-2023-40217-Check-for-avoid-the.patch
Petr Viktorin [Fri, 6 Sep 2024 11:13:54 +0000 (13:13 +0200)]
[3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123769)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-Authored-By: Thomas Dwyer <github@tomd.tel>
Gbp-Pq: Name 0015-3.9-CVE-2023-27043-gh-102988-Reject-malformed-addres.patch
Miss Islington (bot) [Mon, 19 Jul 2021 17:28:56 +0000 (10:28 -0700)]
bpo-27513: email.utils.getaddresses() now handles Header objects (GH-13797) (#27245)
getaddresses() should be able to handle a Header object if passed
one.
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 89f4c34797de2f0e5045da2b97c1c8cbbb42fbb2)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Gbp-Pq: Name 0014-bpo-27513-email.utils.getaddresses-now-handles-Heade.patch
Miss Islington (bot) [Mon, 22 May 2023 10:42:37 +0000 (03:42 -0700)]
[3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593)
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
Gbp-Pq: Name 0013-3.9-gh-102153-Start-stripping-C0-control-and-space-c.patch
Serhiy Storchaka [Wed, 17 Jan 2024 13:47:47 +0000 (15:47 +0200)]
[3.9] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup (GH-99930) (GH-112842)
(cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d)
Co-authored-by: Søren Løvborg <sorenl@unity3d.com>
Gbp-Pq: Name 0012-3.9-gh-91133-tempfile.TemporaryDirectory-fix-symlink.patch
Miss Islington (bot) [Thu, 10 Nov 2022 15:57:41 +0000 (07:57 -0800)]
[3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (#99230)
There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0011-3.9-gh-98433-Fix-quadratic-time-idna-decoding.-GH-99.patch
Miss Islington (bot) [Fri, 28 Oct 2022 10:08:30 +0000 (03:08 -0700)]
[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0010-3.9-gh-97514-Don-t-use-Linux-abstract-sockets-for-mu.patch
Miss Islington (bot) [Sun, 2 May 2021 13:49:03 +0000 (06:49 -0700)]
bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) (GH-25815)
Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
parsing even more strict. Like socket.inet_pton() any leading zero
is now treated as invalid input.
Signed-off-by: Christian Heimes <christian@python.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 60ce8f0be6354ad565393ab449d8de5d713f35bc)
Gbp-Pq: Name 0009-bpo-36384-Leading-zeros-in-IPv4-addresses-are-no-lon.patch
Miss Islington (bot) [Wed, 22 Jun 2022 08:42:02 +0000 (01:42 -0700)]
gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94093)
Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0008-gh-87389-Fix-an-open-redirection-vulnerability-in-ht.patch
Miss Islington (bot) [Mon, 15 Mar 2021 19:02:45 +0000 (12:02 -0700)]
bpo-43285 Make ftplib not trust the PASV response. (GH-24838)
bpo-43285: Make ftplib not trust the PASV response.
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit
0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0007-bpo-43285-Make-ftplib-not-trust-the-PASV-response.-G.patch
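The policy described in the commit above, as an added example that is not ftplib's own implementation: only the port is taken from the server's PASV reply, and the data connection goes to the host the control connection already reaches (assumed to be known from the control socket's peer address), unless the caller opts in to trusting the advertised address. The reply string is constructed for the example; `ftplib.parse227` is the real stdlib parser for a 227 reply.

```python
import ftplib  # stdlib; parse227() turns "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into (host, port)


def choose_data_endpoint(control_peer_host: str, pasv_reply: str,
                         trust_server_pasv_ipv4_address: bool = False):
    """Decide where the FTP data connection should go.

    Returns (host, port, advertised_host_differs). The port always comes from
    the server's reply; the host is the control connection's peer unless the
    caller explicitly trusts the server-supplied IPv4 address. The third
    element lets a client log servers that advertise a different address,
    which is what a probing server would have to do.
    """
    advertised_host, port = ftplib.parse227(pasv_reply)  # raises on malformed replies
    differs = advertised_host != control_peer_host
    host = advertised_host if trust_server_pasv_ipv4_address else control_peer_host
    return host, port, differs


if __name__ == "__main__":
    # Constructed reply: server on 203.0.113.7 advertises an internal address instead.
    reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(choose_data_endpoint("203.0.113.7", reply))       # ('203.0.113.7', 50000, True)
    print(choose_data_endpoint("203.0.113.7", reply, True))  # ('10.0.0.5', 50000, True)
```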
Miss Islington (bot) [Thu, 3 Jun 2021 04:10:22 +0000 (21:10 -0700)]
bpo-44022: Improve the regression test. (GH-26503)
It wasn't actually detecting the regression due to the
assertion being too lenient.
(cherry picked from commit
e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0006-bpo-44022-Improve-the-regression-test.-GH-26503.patch
Miss Islington (bot) [Wed, 5 May 2021 23:05:52 +0000 (16:05 -0700)]
bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit
47895e31b6f626bc6ce47d175fe9d43c1098909d)
Co-authored-by: Gen Xu <xgbarry@gmail.com>
Gbp-Pq: Name 0005-bpo-44022-Fix-http-client-infinite-line-reading-DoS-.patch
Miss Islington (bot) [Wed, 7 Apr 2021 15:58:04 +0000 (08:58 -0700)]
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25247)
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows causing a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit
7215d1ae25525c92b026166f9d5cac85fb1defe1)
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
Gbp-Pq: Name 0004-bpo-43075-Fix-ReDoS-in-urllib-AbstractBasicAuthHandl.patch
Miss Islington (bot) [Mon, 29 Mar 2021 13:08:00 +0000 (06:08 -0700)]
bpo-42988: Remove the pydoc getfile feature (GH-25015)
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit
9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
Gbp-Pq: Name 0003-bpo-42988-Remove-the-pydoc-getfile-feature-GH-25015.patch
Gregory P. Smith [Mon, 5 Sep 2022 09:21:03 +0000 (02:21 -0700)]
[3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96502)
* Correctly pre-check for int-to-str conversion (#96537)
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
Gbp-Pq: Name 0002-3.9-gh-95778-CVE-2020-10735-Prevent-DoS-by-very-larg.patch
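A pure-Python model of the pre-check quoted in the commit above, added here as an illustration rather than CPython's own code: it evaluates the inequality with C-style truncating division, computes the value s from an int's bit length, and checks the message's claim that the pre-check never fires for a value within the limit. It assumes PyLong_SHIFT = 30 (64-bit builds) and uses 640, CPython's smallest accepted limit, as M.

```python
# Added example, not CPython's code: models the int-to-str pre-check in pure Python.
PYLONG_SHIFT = 30          # L: bits per internal digit on 64-bit CPython builds (assumption)
MIN_MAX_STR_DIGITS = 640   # smallest limit CPython accepts (assumption; not stated in the message)


def c_div(n: int, d: int) -> int:
    """C integer division truncates toward zero, unlike Python's floor //."""
    q = abs(n) // abs(d)
    return q if (n < 0) == (d < 0) else -q


def size_a(a: int) -> int:
    """s: number of PyLong_SHIFT-bit digits CPython needs to store |a| (at least one)."""
    bits = abs(a).bit_length()
    return max(1, -(-bits // PYLONG_SHIFT))   # ceil(bits / L)


def precheck_fires(a: int, max_str_digits: int) -> bool:
    """The quoted C check  M / (3*L) <= (s - 11) / 10  in C integer arithmetic."""
    if max_str_digits < MIN_MAX_STR_DIGITS:
        raise ValueError("limit below CPython's minimum")
    s = size_a(a)
    return c_div(max_str_digits, 3 * PYLONG_SHIFT) <= c_div(s - 11, 10)


def exceeds_limit(a: int, max_str_digits: int) -> bool:
    """The exact answer the slow path gives: does the decimal form have more than M digits?"""
    return len(str(abs(a))) > max_str_digits


def precheck_is_sound(max_str_digits: int, max_size: int = 120) -> bool:
    """Check the message's argument: whenever the pre-check fires, |a| > 10**M.

    The pre-check depends only on s, and the digit count grows with |a|, so
    testing the smallest int of each size s covers every int of that size.
    """
    for s in range(1, max_size + 1):
        a = 1 << (PYLONG_SHIFT * (s - 1))        # smallest |a| with exactly s digits
        if precheck_fires(a, max_str_digits) and not exceeds_limit(a, max_str_digits):
            return False
    return True


if __name__ == "__main__":
    M = MIN_MAX_STR_DIGITS
    # 10**640 is over the limit but small enough to slip past the pre-check (s = 71).
    print(precheck_fires(10**640, M), exceeds_limit(10**640, M))        # False True
    # 2**2400 has s = 81, so the pre-check catches it before the quadratic loop.
    print(precheck_fires(1 << 2400, M), exceeds_limit(1 << 2400, M))    # True True
    print(precheck_is_sound(M))                                         # True
```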
Miss Islington (bot) [Tue, 11 Oct 2022 21:13:18 +0000 (14:13 -0700)]
[3.9] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98190)
gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
(cherry picked from commit
b9509ba7a9c668b984dab876c7926fe1dc5aa0ba)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Gbp-Pq: Name 0001-3.9-gh-68966-Make-mailcap-refuse-to-match-unsafe-fil.patch
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
mpdecimal-2.5.1
Gbp-Pq: Name mpdecimal-2.5.1.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
sphinx3
Gbp-Pq: Name sphinx3.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
hurd_kfreebsd_thread_native_id
Gbp-Pq: Name hurd_kfreebsd_thread_native_id.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
sysconfigdata-name
Gbp-Pq: Name sysconfigdata-name.diff
Dave Jones [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
Use aligned access for _sha3 module on ARM.
Gbp-Pq: Name arm-alignment.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
argparse-no-shutil
Gbp-Pq: Name argparse-no-shutil.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
build-math-object
Gbp-Pq: Name build-math-object.diff
Benjamin Moody [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
Add the option to build Texinfo-format documentation.
Bug-Debian: https://bugs.debian.org/881959
Last-Update: 2017-11-27
Gbp-Pq: Name doc-build-texinfo.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
local-doc-references
Gbp-Pq: Name local-doc-references.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
pydoc-use-pager
# DP: pydoc: use the pager command if available.
Gbp-Pq: Name pydoc-use-pager.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
reproducible-buildinfo
# DP: Build getbuildinfo.o with DATE/TIME values when defined
Gbp-Pq: Name reproducible-buildinfo.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
mangle-fstack-protector
# DP: When using GCC versions older than 4.9, automagically mangle
# DP: -fstack-protector-strong to -fstack-protector
Gbp-Pq: Name mangle-fstack-protector.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
ensurepip-disabled
# DP: Disable ensurepip for the system installation, only enable it for virtual environments.
Gbp-Pq: Name ensurepip-disabled.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
ensurepip-wheels
Gbp-Pq: Name ensurepip-wheels.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
disable-some-tests
# DP: Disable some failing tests we are not interested in
Gbp-Pq: Name disable-some-tests.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
tempfile-minimal
# DP: Avoid shutil import when it is not available.
Gbp-Pq: Name tempfile-minimal.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
multiarch-extname
# DP: Make sure to rename extensions to a tag including the MULTIARCH name
this patch can be dropped for python3.5 final, if the upstream change is kept.
Gbp-Pq: Name multiarch-extname.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
test-no-random-order
# DP: Don't run the test suite in random order.
Gbp-Pq: Name test-no-random-order.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
ext-no-libpython-link
# DP: Don't link extensions with the shared libpython library.
Gbp-Pq: Name ext-no-libpython-link.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
lib2to3-no-pickled-grammar
Gbp-Pq: Name lib2to3-no-pickled-grammar.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
multiarch
Gbp-Pq: Name multiarch.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
ctypes-arm
Gbp-Pq: Name ctypes-arm.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
lib-argparse
# DP: argparse.py: Make the gettext import conditional
Gbp-Pq: Name lib-argparse.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
disable-sem-check
# DP: Assume working semaphores, don't rely on running kernel for the check.
Gbp-Pq: Name disable-sem-check.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
langpack-gettext
# DP: Description: support alternative gettext tree in
# DP: /usr/share/locale-langpack; if a file is present in both trees,
# DP: prefer the newer one
# DP: Upstream status: Ubuntu-Specific
Gbp-Pq: Name langpack-gettext.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
profiled-build
# DP: Ignore errors in the profile task.
Gbp-Pq: Name profiled-build.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
bdist-wininst-notfound
# DP: suggest installation of the pythonX.Y-dev package, if bdist_wininst
# DP: cannot find the wininst-* files.
Gbp-Pq: Name bdist-wininst-notfound.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
setup-modules
Gbp-Pq: Name setup-modules.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
link-opt
# DP: Call the linker with -O1 -Bsymbolic-functions
Gbp-Pq: Name link-opt.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
gdbm-import
# DP: suggest installation of python3-gdbm package on failing _gdbm import
Gbp-Pq: Name gdbm-import.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
tkinter-import
# DP: suggest installation of python-tk package on failing _tkinter import
Gbp-Pq: Name tkinter-import.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
distutils-sysconfig-2
Gbp-Pq: Name distutils-sysconfig-2.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
distutils-sysconfig
# DP: Get CONFIGURE_CFLAGS, CONFIGURE_CPPFLAGS, CONFIGURE_LDFLAGS from
# DP: the python build, when CFLAGS, CPPFLAGS, LDSHARED) are not set
# DP: in the environment.
Gbp-Pq: Name distutils-sysconfig.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
distutils-link
# DP: Don't add standard library dirs to library_dirs and runtime_library_dirs.
Gbp-Pq: Name distutils-link.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
locale-module
# DP: * Lib/locale.py:
# DP: - Don't map 'utf8', 'utf-8' to 'utf', which is not a known encoding
# DP: for glibc.
Gbp-Pq: Name locale-module.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
distutils-install-layout
# DP: distutils: Add an option --install-layout=deb, which
# DP: - installs into $prefix/dist-packages instead of $prefix/site-packages.
# DP: - doesn't encode the python version into the egg name.
Gbp-Pq: Name distutils-install-layout.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
deb-locations
# DP: adjust locations of directories to debian policy
Gbp-Pq: Name deb-locations.diff
Matthias Klose [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
deb-setup
# DP: Don't include /usr/local/include and /usr/local/lib as gcc search paths
Gbp-Pq: Name deb-setup.diff
Arnaud Rebillout [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
python3.9 (3.9.2-1+deb11u6) bullseye-security; urgency=medium
* Revert fixes for CVE-2025-15366 and CVE-2025-15367. It was found that
those changes break backward compatibility, and upstream didn't backport
it to any branch. More details can be found in discussions on the upstream
bugtracker (issues and merge requests).
* Apply upstream patch for the following CVE:
- CVE-2026-6100: Use-after-free (UAF) was possible in the
`lzma.LZMADecompressor` and `bz2.BZ2Decompressor` when a memory
allocation fails with a `MemoryError` and the decompression instance is
re-used. This scenario can be triggered if the process is under memory
pressure.
[dgit import unpatched python3.9 3.9.2-1+deb11u6]
Arnaud Rebillout [Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)]
Import python3.9_3.9.2-1+deb11u6.debian.tar.xz
[dgit import tarball python3.9 3.9.2-1+deb11u6 python3.9_3.9.2-1+deb11u6.debian.tar.xz]
Andrej Shadura [Sun, 25 Jan 2026 13:37:52 +0000 (14:37 +0100)]
Merge python3.9 (3.9.2-1+deb11u5) import into refs/heads/workingbranch