From: Raspbian automatic forward porter Date: Thu, 20 Mar 2025 22:21:42 +0000 (+0000) Subject: Merge version 3.9.2-1+rpi1+deb11u2 and 3.9.2-1+deb11u3 to produce 3.9.2-1+rpi1+deb11u3 X-Git-Tag: archive/raspbian/3.9.2-1+rpi1+deb11u3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=018f4aa259b732546f9b0ccdb9f29d2c62b06ad4;p=python3.9.git Merge version 3.9.2-1+rpi1+deb11u2 and 3.9.2-1+deb11u3 to produce 3.9.2-1+rpi1+deb11u3 --- b0870fcabddec51b5b9872eed547996c941febff diff --cc debian/changelog index a6f858a,4303777..c9ba49b --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,26 +1,33 @@@ - python3.9 (3.9.2-1+rpi1+deb11u2) bullseye-staging; urgency=medium ++python3.9 (3.9.2-1+rpi1+deb11u3) bullseye-staging; urgency=medium + + [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green at Thu, 30 Jul 2020 10:10:07 +0000] + * Disable testsuite (test_concurrent_futures seems to hang) + - -- Raspbian forward porter Mon, 09 Dec 2024 13:57:34 +0000 ++ -- Raspbian forward porter Thu, 20 Mar 2025 22:21:41 +0000 ++ + python3.9 (3.9.2-1+deb11u3) bullseye-security; urgency=high + + * Non-maintainer upload by the LTS Team. + + [ Bastien Roucariès ] + * Fix CVE-2025-0938: + The Python standard library functions `urllib.parse.urlsplit` and + `urlparse` accepted domain names that included square brackets + which isn't valid according to RFC 3986. + Square brackets are only meant to be used as delimiters for specifying + IPv6 and IPvFuture hosts in URLs. This could result in differential + parsing across the Python URL parser and other specification-compliant + URL parsers. + + [ Sean Whitton ] + - Fix CVE-2022-0391: Missing input sanitisation when parsing URLs, which + could lead to injection accounts. + - Fix CVE-2025-1795: The implementation of e-mail header parsing and + folding would encode the comma used to separate list items which could + cause receiving applications to interpret two items in the list as + though they were one item. 
+ + -- Sean Whitton Thu, 20 Mar 2025 10:07:39 +0800 python3.9 (3.9.2-1+deb11u2) bullseye-security; urgency=medium
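Review bot: The new top entry for 3.9.2-1+rpi1+deb11u3 in debian/changelog is marked `urgency=medium`, while the 3.9.2-1+deb11u3 upload it merges is `urgency=high` and fixes three CVEs; consider carrying the higher urgency forward so the merged version is not prioritised lower than the security upload it contains. The same entry still carries "Disable testsuite (test_concurrent_futures seems to hang)" as a blanket change, so no test run at build time exercises the merged urllib.parse and e-mail header changes; skipping only the hanging test would keep the rest of the suite available for these fixes. Two wording points in the imported entry, best raised with its source since the forward port should not diverge from it: "could lead to injection accounts" under CVE-2022-0391 reads like a slip for "injection attacks", and the items under [ Sean Whitton ] use `-` where the item under [ Bastien Roucariès ] uses `*`.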