dgit.raspbian.org Git - python3.9.git/commit

author	Arnaud Rebillout <arnaudr@debian.org>
	Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)
committer	Arnaud Rebillout <arnaudr@debian.org>
	Tue, 14 Apr 2026 04:38:32 +0000 (11:38 +0700)
commit	e777e839b0a57fae03421dda5dbc49840229f5cb
tree	9df7d19c1ec94acd1786aeeaf549ae97b7a2099e	tree \| snapshot
parent	57caa29e801e48d677467b187b6ed2be757c913d	commit \| diff
parent	b0294e373cc288ed24c38e4f06c6458415da0e1b	commit \| diff

python3.9 (3.9.2-1+deb11u6) bullseye-security; urgency=medium

  * Revert fixes for CVE-2025-15366 and CVE-2025-15367. It was found that
    those changes break backward compatibility, and upstream didn't backport
    it to any branch. More details can be found in discussions on the upstream
    bugtracker (issues and merge requests).
  * Apply upstream patch for the following CVE:
    - CVE-2026-6100: Use-after-free (UAF) was possible in the
      `lzma.LZMADecompressor` and `bz2.BZ2Decompressor` when a memory
      allocation fails with a `MemoryError` and the decompression instance is
      re-used. This scenario can be triggered if the process is under memory
      pressure.

[dgit import unpatched python3.9 3.9.2-1+deb11u6]

208 files changed:

debian/2to3-3.1	\|	\|	blob
debian/FAQ.html	\|	\|	blob
debian/PVER-dbg.README.Debian.in	\|	\|	blob
debian/PVER-dbg.overrides.in	\|	\|	blob
debian/PVER-dbg.postinst.in	\|	\|	blob
debian/PVER-dbg.prerm.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-api.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-dist.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-ext.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-inst.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-lib.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-new.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-ref.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-tut.in	\|	\|	blob
debian/PVER-doc.info.in	\|	\|	blob
debian/PVER-doc.overrides.in	\|	\|	blob
debian/PVER-examples.overrides.in	\|	\|	blob
debian/PVER-minimal.README.Debian.in	\|	\|	blob
debian/PVER-minimal.overrides.in	\|	\|	blob
debian/PVER-minimal.postinst.in	\|	\|	blob
debian/PVER-minimal.postrm.in	\|	\|	blob
debian/PVER-minimal.preinst.in	\|	\|	blob
debian/PVER-minimal.prerm.in	\|	\|	blob
debian/PVER-venv.overrides.in	\|	\|	blob
debian/PVER-venv.postinst.in	\|	\|	blob
debian/PVER-venv.postrm.in	\|	\|	blob
debian/PVER-venv.prerm.in	\|	\|	blob
debian/PVER.desktop.in	\|	\|	blob
debian/PVER.overrides.in	\|	\|	blob
debian/PVER.postinst.in	\|	\|	blob
debian/PVER.prerm.in	\|	\|	blob
debian/README.Debian.in	\|	\|	blob
debian/README.PVER.in	\|	\|	blob
debian/README.Tk	\|	\|	blob
debian/README.dbm	\|	\|	blob
debian/README.idle-PVER.in	\|	\|	blob
debian/README.maintainers.in	\|	\|	blob
debian/README.python	\|	\|	blob
debian/README.source	\|	\|	blob
debian/README.venv	\|	\|	blob
debian/changelog	\|	\|	blob
debian/changelog.shared	\|	\|	blob
debian/compat	\|	\|	blob
debian/control	\|	\|	blob
debian/control.in	\|	\|	blob
debian/control.stdlib	\|	\|	blob
debian/control.udeb	\|	\|	blob
debian/copyright	\|	\|	blob
debian/depgraph.py	\|	\|	blob
debian/dh_doclink	\|	\|	blob
debian/idle-PVER.1.in	\|	\|	blob
debian/idle-PVER.overrides.in	\|	\|	blob
debian/idle-PVER.postinst.in	\|	\|	blob
debian/idle-PVER.postrm.in	\|	\|	blob
debian/idle-PVER.prerm.in	\|	\|	blob
debian/idle.desktop.in	\|	\|	blob
debian/libPVER-dbg.overrides.in	\|	\|	blob
debian/libPVER-dbg.prerm.in	\|	\|	blob
debian/libPVER-dbg.symbols.i386.in	\|	\|	blob
debian/libPVER-dbg.symbols.in	\|	\|	blob
debian/libPVER-dev.overrides.in	\|	\|	blob
debian/libPVER-minimal.overrides.in	\|	\|	blob
debian/libPVER-minimal.postinst.in	\|	\|	blob
debian/libPVER-minimal.postrm.in	\|	\|	blob
debian/libPVER-minimal.prerm.in	\|	\|	blob
debian/libPVER-stdlib.overrides.in	\|	\|	blob
debian/libPVER-stdlib.prerm.in	\|	\|	blob
debian/libPVER-testsuite.overrides.in	\|	\|	blob
debian/libPVER-testsuite.postinst.in	\|	\|	blob
debian/libPVER-testsuite.prerm.in	\|	\|	blob
debian/libPVER.overrides.in	\|	\|	blob
debian/libPVER.symbols.i386.in	\|	\|	blob
debian/libPVER.symbols.in	\|	\|	blob
debian/libpython.symbols.in	\|	\|	blob
debian/locale-gen	\|	\|	blob
debian/mincheck.py	\|	\|	blob
debian/mkbinfmt.py	\|	\|	blob
debian/multiarch.h.in	\|	\|	blob
debian/openssl.cnf	\|	\|	blob
debian/patches/0001-3.9-gh-68966-Make-mailcap-refuse-to-match-unsafe-fil.patch	\|	\|	blob
debian/patches/0002-3.9-gh-95778-CVE-2020-10735-Prevent-DoS-by-very-larg.patch	\|	\|	blob
debian/patches/0003-bpo-42988-Remove-the-pydoc-getfile-feature-GH-25015.patch	\|	\|	blob
debian/patches/0004-bpo-43075-Fix-ReDoS-in-urllib-AbstractBasicAuthHandl.patch	\|	\|	blob
debian/patches/0005-bpo-44022-Fix-http-client-infinite-line-reading-DoS-.patch	\|	\|	blob
debian/patches/0006-bpo-44022-Improve-the-regression-test.-GH-26503.patch	\|	\|	blob
debian/patches/0007-bpo-43285-Make-ftplib-not-trust-the-PASV-response.-G.patch	\|	\|	blob
debian/patches/0008-gh-87389-Fix-an-open-redirection-vulnerability-in-ht.patch	\|	\|	blob
debian/patches/0009-bpo-36384-Leading-zeros-in-IPv4-addresses-are-no-lon.patch	\|	\|	blob
debian/patches/0010-3.9-gh-97514-Don-t-use-Linux-abstract-sockets-for-mu.patch	\|	\|	blob
debian/patches/0011-3.9-gh-98433-Fix-quadratic-time-idna-decoding.-GH-99.patch	\|	\|	blob
debian/patches/0012-3.9-gh-91133-tempfile.TemporaryDirectory-fix-symlink.patch	\|	\|	blob
debian/patches/0013-3.9-gh-102153-Start-stripping-C0-control-and-space-c.patch	\|	\|	blob
debian/patches/0014-bpo-27513-email.utils.getaddresses-now-handles-Heade.patch	\|	\|	blob
debian/patches/0015-3.9-CVE-2023-27043-gh-102988-Reject-malformed-addres.patch	\|	\|	blob
debian/patches/0016-3.9-gh-108310-Fix-CVE-2023-40217-Check-for-avoid-the.patch	\|	\|	blob
debian/patches/0017-3.9-gh-108342-Break-ref-cycle-in-SSLSocket._create-e.patch	\|	\|	blob
debian/patches/0018-3.9-gh-108342-Make-ssl-TestPreHandshakeClose-more-re.patch	\|	\|	blob
debian/patches/0019-3.9-gh-114572-Fix-locking-in-cert_store_stats-and-ge.patch	\|	\|	blob
debian/patches/0020-3.9-gh-109858-Protect-zipfile-from-quoted-overlap-zi.patch	\|	\|	blob
debian/patches/0021-3.9-gh-113171-gh-65056-Fix-private-non-global-IP-add.patch	\|	\|	blob
debian/patches/0022-3.9-gh-121285-Remove-backtracking-when-parsing-tarfi.patch	\|	\|	blob
debian/patches/0023-3.9-gh-121650-Encode-newlines-in-headers-and-verify-.patch	\|	\|	blob
debian/patches/0024-3.9-gh-123067-Fix-quadratic-complexity-in-parsing-qu.patch	\|	\|	blob
debian/patches/0025-3.9-gh-123270-Replaced-SanitizedNames-with-a-more-su.patch	\|	\|	blob
debian/patches/0026-3.9-gh-124651-Quote-template-strings-in-venv-activat.patch	\|	\|	blob
debian/patches/0027-3.11-gh-103848-Adds-checks-to-ensure-that-bracketed-.patch	\|	\|	blob
debian/patches/0028-bpo-46811-Make-test-suite-support-Expat-2.4.5-GH-314.patch	\|	\|	blob
debian/patches/0029-3.9-Fix-tests-for-XMLPullParser-with-Expat-2.6.0-GH-.patch	\|	\|	blob
debian/patches/0030-bpo-45436-Fix-tkinter-tests-with-Tcl-Tk-8.6.11-GH-29.patch	\|	\|	blob
debian/patches/CVE-2022-0391-1.patch	\|	\|	blob
debian/patches/CVE-2022-0391-2.patch	\|	\|	blob
debian/patches/CVE-2022-37454.patch	\|	\|	blob
debian/patches/CVE-2025-0938.patch	\|	\|	blob
debian/patches/CVE-2025-11468.patch	\|	\|	blob
debian/patches/CVE-2025-12084-2.patch	\|	\|	blob
debian/patches/CVE-2025-12084.patch	\|	\|	blob
debian/patches/CVE-2025-13836.patch	\|	\|	blob
debian/patches/CVE-2025-13837-2.patch	\|	\|	blob
debian/patches/CVE-2025-13837.patch	\|	\|	blob
debian/patches/CVE-2025-15282.patch	\|	\|	blob
debian/patches/CVE-2025-1795-1.patch	\|	\|	blob
debian/patches/CVE-2025-1795-2.patch	\|	\|	blob
debian/patches/CVE-2025-4516-1.patch	\|	\|	blob
debian/patches/CVE-2025-4516-2.patch	\|	\|	blob
debian/patches/CVE-2025-4516-3.patch	\|	\|	blob
debian/patches/CVE-2025-4516-4.patch	\|	\|	blob
debian/patches/CVE-2025-4516-5.patch	\|	\|	blob
debian/patches/CVE-2025-4516-6.patch	\|	\|	blob
debian/patches/CVE-2025-6069.patch	\|	\|	blob
debian/patches/CVE-2025-6075.patch	\|	\|	blob
debian/patches/CVE-2025-8194.patch	\|	\|	blob
debian/patches/CVE-2025-8291.patch	\|	\|	blob
debian/patches/CVE-2026-0672.patch	\|	\|	blob
debian/patches/CVE-2026-0865.patch	\|	\|	blob
debian/patches/CVE-2026-1299.patch	\|	\|	blob
debian/patches/CVE-2026-6100.patch	\|	\|	blob
debian/patches/argparse-no-shutil.diff	\|	\|	blob
debian/patches/arm-alignment.diff	\|	\|	blob
debian/patches/bdist-wininst-notfound.diff	\|	\|	blob
debian/patches/build-math-object.diff	\|	\|	blob
debian/patches/ctypes-arm.diff	\|	\|	blob
debian/patches/deb-locations.diff	\|	\|	blob
debian/patches/deb-setup.diff	\|	\|	blob
debian/patches/disable-sem-check.diff	\|	\|	blob
debian/patches/disable-some-tests.diff	\|	\|	blob
debian/patches/distutils-install-layout.diff	\|	\|	blob
debian/patches/distutils-link.diff	\|	\|	blob
debian/patches/distutils-sysconfig-2.diff	\|	\|	blob
debian/patches/distutils-sysconfig.diff	\|	\|	blob
debian/patches/doc-build-texinfo.diff	\|	\|	blob
debian/patches/ensurepip-disabled.diff	\|	\|	blob
debian/patches/ensurepip-wheels.diff	\|	\|	blob
debian/patches/ext-no-libpython-link.diff	\|	\|	blob
debian/patches/gdbm-import.diff	\|	\|	blob
debian/patches/git-updates.diff	\|	\|	blob
debian/patches/hurd_kfreebsd_thread_native_id.diff	\|	\|	blob
debian/patches/langpack-gettext.diff	\|	\|	blob
debian/patches/lib-argparse.diff	\|	\|	blob
debian/patches/lib2to3-no-pickled-grammar.diff	\|	\|	blob
debian/patches/link-opt.diff	\|	\|	blob
debian/patches/link-timemodule.diff	\|	\|	blob
debian/patches/local-doc-references.diff	\|	\|	blob
debian/patches/locale-module.diff	\|	\|	blob
debian/patches/lto-link-flags.diff	\|	\|	blob
debian/patches/mangle-fstack-protector.diff	\|	\|	blob
debian/patches/mpdecimal-2.5.1.diff	\|	\|	blob
debian/patches/multiarch-extname.diff	\|	\|	blob
debian/patches/multiarch.diff	\|	\|	blob
debian/patches/profiled-build.diff	\|	\|	blob
debian/patches/pydoc-use-pager.diff	\|	\|	blob
debian/patches/reproducible-buildinfo.diff	\|	\|	blob
debian/patches/series	\|	\|	blob
debian/patches/setup-modules.diff	\|	\|	blob
debian/patches/sphinx3.diff	\|	\|	blob
debian/patches/sysconfig-debian-schemes.diff	\|	\|	blob
debian/patches/sysconfigdata-name.diff	\|	\|	blob
debian/patches/tempfile-minimal.diff	\|	\|	blob
debian/patches/test-no-random-order.diff	\|	\|	blob
debian/patches/tkinter-import.diff	\|	\|	blob
debian/pdb.1.in	\|	\|	blob
debian/pydoc.1.in	\|	\|	blob
debian/pygettext.1	\|	\|	blob
debian/pyhtml2devhelp.py	\|	\|	blob
debian/pylogo.xpm	\|	\|	blob
debian/pymindeps.py	\|	\|	blob
debian/pysetup3.1	\|	\|	blob
debian/python3-config.1	\|	\|	blob
debian/rules	\|	\|	blob
debian/salsa-ci.yml	\|	\|	blob
debian/script.py	\|	\|	blob
debian/sitecustomize.py.in	\|	\|	blob
debian/source/format	\|	\|	blob
debian/source/lintian-overrides	\|	\|	blob
debian/tests/control	\|	\|	blob
debian/tests/failing-tests	\|	\|	blob
debian/tests/failing-tests-dbg	\|	\|	blob
debian/tests/module-install-local	\|	\|	blob
debian/tests/module-install-user	\|	\|	blob
debian/tests/module-install-venv	\|	\|	blob
debian/tests/module-install-virtualenv	\|	\|	blob
debian/tests/packages/fibc/fibc.c	\|	\|	blob
debian/tests/packages/fibc/setup.py	\|	\|	blob
debian/tests/packages/fibpy/fibpy.py	\|	\|	blob
debian/tests/packages/fibpy/setup.py	\|	\|	blob
debian/tests/test-common.sh	\|	\|	blob
debian/tests/testsuite	\|	\|	blob
debian/tests/testsuite-dbg	\|	\|	blob
debian/watch	\|	\|	blob

Unnamed repository; edit this file 'description' to name the repository.

RSS Atom