dgit.raspbian.org Git - python3.9.git/commit

python3.9 (3.9.2-1+deb11u3) bullseye-security; urgency=high

  * Non-maintainer upload by the LTS Team.

  [ Bastien Roucariès ]
  * Fix CVE-2025-0938:
    The Python standard library functions `urllib.parse.urlsplit` and
    `urlparse` accepted domain names that included square brackets
    which isn't valid according to RFC 3986.
    Square brackets are only meant to be used as delimiters for specifying
    IPv6 and IPvFuture hosts in URLs. This could result in differential
    parsing across the Python URL parser and other specification-compliant
    URL parsers.

  [ Sean Whitton ]
  - Fix CVE-2022-0391: Missing input sanitisation when parsing URLs, which
    could lead to injection accounts.
  - Fix CVE-2025-1795: The implementation of e-mail header parsing and
    folding would encode the comma used to separate list items which could
    cause receiving applications to interpret two items in the list as
    though they were one item.

[dgit import unpatched python3.9 3.9.2-1+deb11u3]

author	Sean Whitton <spwhitton@spwhitton.name>
	Thu, 20 Mar 2025 02:07:39 +0000 (10:07 +0800)
committer	Sean Whitton <spwhitton@spwhitton.name>
	Thu, 20 Mar 2025 02:07:39 +0000 (10:07 +0800)
commit	2a9f389bb51faaba776785f2f689d80ec5901921
tree	268fb53f9c01ac1f45c702956d917c4605591552	tree \| snapshot
parent	57caa29e801e48d677467b187b6ed2be757c913d	commit \| diff
parent	a0aa6faa128adf3757ddc9fdc2aab65c8f21e0d2	commit \| diff

debian/2to3-3.1	\|	\|	blob
debian/FAQ.html	\|	\|	blob
debian/PVER-dbg.README.Debian.in	\|	\|	blob
debian/PVER-dbg.overrides.in	\|	\|	blob
debian/PVER-dbg.postinst.in	\|	\|	blob
debian/PVER-dbg.prerm.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-api.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-dist.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-ext.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-inst.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-lib.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-new.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-ref.in	\|	\|	blob
debian/PVER-doc.doc-base.PVER-tut.in	\|	\|	blob
debian/PVER-doc.info.in	\|	\|	blob
debian/PVER-doc.overrides.in	\|	\|	blob
debian/PVER-examples.overrides.in	\|	\|	blob
debian/PVER-minimal.README.Debian.in	\|	\|	blob
debian/PVER-minimal.overrides.in	\|	\|	blob
debian/PVER-minimal.postinst.in	\|	\|	blob
debian/PVER-minimal.postrm.in	\|	\|	blob
debian/PVER-minimal.preinst.in	\|	\|	blob
debian/PVER-minimal.prerm.in	\|	\|	blob
debian/PVER-venv.overrides.in	\|	\|	blob
debian/PVER-venv.postinst.in	\|	\|	blob
debian/PVER-venv.postrm.in	\|	\|	blob
debian/PVER-venv.prerm.in	\|	\|	blob
debian/PVER.desktop.in	\|	\|	blob
debian/PVER.overrides.in	\|	\|	blob
debian/PVER.postinst.in	\|	\|	blob
debian/PVER.prerm.in	\|	\|	blob
debian/README.Debian.in	\|	\|	blob
debian/README.PVER.in	\|	\|	blob
debian/README.Tk	\|	\|	blob
debian/README.dbm	\|	\|	blob
debian/README.idle-PVER.in	\|	\|	blob
debian/README.maintainers.in	\|	\|	blob
debian/README.python	\|	\|	blob
debian/README.source	\|	\|	blob
debian/README.venv	\|	\|	blob
debian/changelog	\|	\|	blob
debian/changelog.shared	\|	\|	blob
debian/compat	\|	\|	blob
debian/control	\|	\|	blob
debian/control.in	\|	\|	blob
debian/control.stdlib	\|	\|	blob
debian/control.udeb	\|	\|	blob
debian/copyright	\|	\|	blob
debian/depgraph.py	\|	\|	blob
debian/dh_doclink	\|	\|	blob
debian/idle-PVER.1.in	\|	\|	blob
debian/idle-PVER.overrides.in	\|	\|	blob
debian/idle-PVER.postinst.in	\|	\|	blob
debian/idle-PVER.postrm.in	\|	\|	blob
debian/idle-PVER.prerm.in	\|	\|	blob
debian/idle.desktop.in	\|	\|	blob
debian/libPVER-dbg.overrides.in	\|	\|	blob
debian/libPVER-dbg.prerm.in	\|	\|	blob
debian/libPVER-dbg.symbols.i386.in	\|	\|	blob
debian/libPVER-dbg.symbols.in	\|	\|	blob
debian/libPVER-dev.overrides.in	\|	\|	blob
debian/libPVER-minimal.overrides.in	\|	\|	blob
debian/libPVER-minimal.postinst.in	\|	\|	blob
debian/libPVER-minimal.postrm.in	\|	\|	blob
debian/libPVER-minimal.prerm.in	\|	\|	blob
debian/libPVER-stdlib.overrides.in	\|	\|	blob
debian/libPVER-stdlib.prerm.in	\|	\|	blob
debian/libPVER-testsuite.overrides.in	\|	\|	blob
debian/libPVER-testsuite.postinst.in	\|	\|	blob
debian/libPVER-testsuite.prerm.in	\|	\|	blob
debian/libPVER.overrides.in	\|	\|	blob
debian/libPVER.symbols.i386.in	\|	\|	blob
debian/libPVER.symbols.in	\|	\|	blob
debian/libpython.symbols.in	\|	\|	blob
debian/locale-gen	\|	\|	blob
debian/mincheck.py	\|	\|	blob
debian/mkbinfmt.py	\|	\|	blob
debian/multiarch.h.in	\|	\|	blob
debian/openssl.cnf	\|	\|	blob
debian/patches/0001-3.9-gh-68966-Make-mailcap-refuse-to-match-unsafe-fil.patch	\|	\|	blob
debian/patches/0002-3.9-gh-95778-CVE-2020-10735-Prevent-DoS-by-very-larg.patch	\|	\|	blob
debian/patches/0003-bpo-42988-Remove-the-pydoc-getfile-feature-GH-25015.patch	\|	\|	blob
debian/patches/0004-bpo-43075-Fix-ReDoS-in-urllib-AbstractBasicAuthHandl.patch	\|	\|	blob
debian/patches/0005-bpo-44022-Fix-http-client-infinite-line-reading-DoS-.patch	\|	\|	blob
debian/patches/0006-bpo-44022-Improve-the-regression-test.-GH-26503.patch	\|	\|	blob
debian/patches/0007-bpo-43285-Make-ftplib-not-trust-the-PASV-response.-G.patch	\|	\|	blob
debian/patches/0008-gh-87389-Fix-an-open-redirection-vulnerability-in-ht.patch	\|	\|	blob
debian/patches/0009-bpo-36384-Leading-zeros-in-IPv4-addresses-are-no-lon.patch	\|	\|	blob
debian/patches/0010-3.9-gh-97514-Don-t-use-Linux-abstract-sockets-for-mu.patch	\|	\|	blob
debian/patches/0011-3.9-gh-98433-Fix-quadratic-time-idna-decoding.-GH-99.patch	\|	\|	blob
debian/patches/0012-3.9-gh-91133-tempfile.TemporaryDirectory-fix-symlink.patch	\|	\|	blob
debian/patches/0013-3.9-gh-102153-Start-stripping-C0-control-and-space-c.patch	\|	\|	blob
debian/patches/0014-bpo-27513-email.utils.getaddresses-now-handles-Heade.patch	\|	\|	blob
debian/patches/0015-3.9-CVE-2023-27043-gh-102988-Reject-malformed-addres.patch	\|	\|	blob
debian/patches/0016-3.9-gh-108310-Fix-CVE-2023-40217-Check-for-avoid-the.patch	\|	\|	blob
debian/patches/0017-3.9-gh-108342-Break-ref-cycle-in-SSLSocket._create-e.patch	\|	\|	blob
debian/patches/0018-3.9-gh-108342-Make-ssl-TestPreHandshakeClose-more-re.patch	\|	\|	blob
debian/patches/0019-3.9-gh-114572-Fix-locking-in-cert_store_stats-and-ge.patch	\|	\|	blob
debian/patches/0020-3.9-gh-109858-Protect-zipfile-from-quoted-overlap-zi.patch	\|	\|	blob
debian/patches/0021-3.9-gh-113171-gh-65056-Fix-private-non-global-IP-add.patch	\|	\|	blob
debian/patches/0022-3.9-gh-121285-Remove-backtracking-when-parsing-tarfi.patch	\|	\|	blob
debian/patches/0023-3.9-gh-121650-Encode-newlines-in-headers-and-verify-.patch	\|	\|	blob
debian/patches/0024-3.9-gh-123067-Fix-quadratic-complexity-in-parsing-qu.patch	\|	\|	blob
debian/patches/0025-3.9-gh-123270-Replaced-SanitizedNames-with-a-more-su.patch	\|	\|	blob
debian/patches/0026-3.9-gh-124651-Quote-template-strings-in-venv-activat.patch	\|	\|	blob
debian/patches/0027-3.11-gh-103848-Adds-checks-to-ensure-that-bracketed-.patch	\|	\|	blob
debian/patches/0028-bpo-46811-Make-test-suite-support-Expat-2.4.5-GH-314.patch	\|	\|	blob
debian/patches/0029-3.9-Fix-tests-for-XMLPullParser-with-Expat-2.6.0-GH-.patch	\|	\|	blob
debian/patches/0030-bpo-45436-Fix-tkinter-tests-with-Tcl-Tk-8.6.11-GH-29.patch	\|	\|	blob
debian/patches/CVE-2022-0391-1.patch	\|	\|	blob
debian/patches/CVE-2022-0391-2.patch	\|	\|	blob
debian/patches/CVE-2025-0938.patch	\|	\|	blob
debian/patches/CVE-2025-1795-1.patch	\|	\|	blob
debian/patches/CVE-2025-1795-2.patch	\|	\|	blob
debian/patches/argparse-no-shutil.diff	\|	\|	blob
debian/patches/arm-alignment.diff	\|	\|	blob
debian/patches/bdist-wininst-notfound.diff	\|	\|	blob
debian/patches/build-math-object.diff	\|	\|	blob
debian/patches/ctypes-arm.diff	\|	\|	blob
debian/patches/deb-locations.diff	\|	\|	blob
debian/patches/deb-setup.diff	\|	\|	blob
debian/patches/disable-sem-check.diff	\|	\|	blob
debian/patches/disable-some-tests.diff	\|	\|	blob
debian/patches/distutils-install-layout.diff	\|	\|	blob
debian/patches/distutils-link.diff	\|	\|	blob
debian/patches/distutils-sysconfig-2.diff	\|	\|	blob
debian/patches/distutils-sysconfig.diff	\|	\|	blob
debian/patches/doc-build-texinfo.diff	\|	\|	blob
debian/patches/ensurepip-disabled.diff	\|	\|	blob
debian/patches/ensurepip-wheels.diff	\|	\|	blob
debian/patches/ext-no-libpython-link.diff	\|	\|	blob
debian/patches/gdbm-import.diff	\|	\|	blob
debian/patches/git-updates.diff	\|	\|	blob
debian/patches/hurd_kfreebsd_thread_native_id.diff	\|	\|	blob
debian/patches/langpack-gettext.diff	\|	\|	blob
debian/patches/lib-argparse.diff	\|	\|	blob
debian/patches/lib2to3-no-pickled-grammar.diff	\|	\|	blob
debian/patches/link-opt.diff	\|	\|	blob
debian/patches/link-timemodule.diff	\|	\|	blob
debian/patches/local-doc-references.diff	\|	\|	blob
debian/patches/locale-module.diff	\|	\|	blob
debian/patches/lto-link-flags.diff	\|	\|	blob
debian/patches/mangle-fstack-protector.diff	\|	\|	blob
debian/patches/mpdecimal-2.5.1.diff	\|	\|	blob
debian/patches/multiarch-extname.diff	\|	\|	blob
debian/patches/multiarch.diff	\|	\|	blob
debian/patches/profiled-build.diff	\|	\|	blob
debian/patches/pydoc-use-pager.diff	\|	\|	blob
debian/patches/reproducible-buildinfo.diff	\|	\|	blob
debian/patches/series	\|	\|	blob
debian/patches/setup-modules.diff	\|	\|	blob
debian/patches/sphinx3.diff	\|	\|	blob
debian/patches/sysconfig-debian-schemes.diff	\|	\|	blob
debian/patches/sysconfigdata-name.diff	\|	\|	blob
debian/patches/tempfile-minimal.diff	\|	\|	blob
debian/patches/test-no-random-order.diff	\|	\|	blob
debian/patches/tkinter-import.diff	\|	\|	blob
debian/pdb.1.in	\|	\|	blob
debian/pydoc.1.in	\|	\|	blob
debian/pygettext.1	\|	\|	blob
debian/pyhtml2devhelp.py	\|	\|	blob
debian/pylogo.xpm	\|	\|	blob
debian/pymindeps.py	\|	\|	blob
debian/pysetup3.1	\|	\|	blob
debian/python3-config.1	\|	\|	blob
debian/rules	\|	\|	blob
debian/script.py	\|	\|	blob
debian/sitecustomize.py.in	\|	\|	blob
debian/source/format	\|	\|	blob
debian/source/lintian-overrides	\|	\|	blob
debian/tests/control	\|	\|	blob
debian/tests/failing-tests	\|	\|	blob
debian/tests/failing-tests-dbg	\|	\|	blob
debian/tests/module-install-local	\|	\|	blob
debian/tests/module-install-user	\|	\|	blob
debian/tests/module-install-venv	\|	\|	blob
debian/tests/module-install-virtualenv	\|	\|	blob
debian/tests/packages/fibc/fibc.c	\|	\|	blob
debian/tests/packages/fibc/setup.py	\|	\|	blob
debian/tests/packages/fibpy/fibpy.py	\|	\|	blob
debian/tests/packages/fibpy/setup.py	\|	\|	blob
debian/tests/test-common.sh	\|	\|	blob
debian/tests/testsuite	\|	\|	blob
debian/tests/testsuite-dbg	\|	\|	blob
debian/watch	\|	\|	blob