- python3.9 (3.9.2-1+rpi1+deb11u2) bullseye-staging; urgency=medium
++python3.9 (3.9.2-1+rpi1+deb11u3) bullseye-staging; urgency=medium
+
+ [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 30 Jul 2020 10:10:07 +0000]
+ * Disable testsuite (test_concurrent_futures seems to hang)
+
- -- Raspbian forward porter <root@raspbian.org> Mon, 09 Dec 2024 13:57:34 +0000
++ -- Raspbian forward porter <root@raspbian.org> Thu, 20 Mar 2025 22:21:41 +0000
++
+ python3.9 (3.9.2-1+deb11u3) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+
+ [ Bastien Roucariès ]
+ * Fix CVE-2025-0938:
+ The Python standard library functions `urllib.parse.urlsplit` and
+ `urlparse` accepted domain names that included square brackets
+ which isn't valid according to RFC 3986.
+ Square brackets are only meant to be used as delimiters for specifying
+ IPv6 and IPvFuture hosts in URLs. This could result in differential
+ parsing across the Python URL parser and other specification-compliant
+ URL parsers.
+
+ [ Sean Whitton ]
+ - Fix CVE-2022-0391: Missing input sanitisation when parsing URLs, which
+ could lead to injection accounts.
+ - Fix CVE-2025-1795: The implementation of e-mail header parsing and
+ folding would encode the comma used to separate list items which could
+ cause receiving applications to interpret two items in the list as
+ though they were one item.
+
+ -- Sean Whitton <spwhitton@spwhitton.name> Thu, 20 Mar 2025 10:07:39 +0800
python3.9 (3.9.2-1+deb11u2) bullseye-security; urgency=medium
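Review bot: The forward-ported entry at the top, "Disable testsuite (test_concurrent_futures seems to hang)", turns off the whole test suite. That means the three CVE fixes merged below (CVE-2025-0938 and CVE-2022-0391 in URL parsing, CVE-2025-1795 in e-mail header folding) are built for this target without the test suite being run against them. Consider excluding only test_concurrent_futures so the remaining tests still run. The Raspbian entry also stays at urgency=medium while the security upload it merges is urgency=high, so it is worth checking whether the forward port should carry the higher urgency. In the Sean Whitton block, "could lead to injection accounts" reads like a typo for "injection attacks", and its items are bulleted with "-" where the Bastien Roucariès block uses "*".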