From: Raspbian automatic forward porter Date: Mon, 9 Dec 2024 13:57:35 +0000 (+0000) Subject: Merge version 3.9.2-1+rpi1 and 3.9.2-1+deb11u2 to produce 3.9.2-1+rpi1+deb11u2 X-Git-Tag: archive/raspbian/3.9.2-1+rpi1+deb11u2^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9aad1526532e994a2cf37cf87cb5766ad49d1cc1;p=python3.9.git Merge version 3.9.2-1+rpi1 and 3.9.2-1+deb11u2 to produce 3.9.2-1+rpi1+deb11u2 --- 9aad1526532e994a2cf37cf87cb5766ad49d1cc1 diff --cc debian/changelog index 3e002b9,6271c66..a6f858a --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,43 +1,50 @@@ - python3.9 (3.9.2-1+rpi1) bullseye-staging; urgency=medium ++python3.9 (3.9.2-1+rpi1+deb11u2) bullseye-staging; urgency=medium + + [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green at Thu, 30 Jul 2020 10:10:07 +0000] + * Disable testsuite (test_concurrent_futures seems to hang) + - -- Raspbian forward porter Fri, 12 Mar 2021 04:06:34 +0000 ++ -- Raspbian forward porter Mon, 09 Dec 2024 13:57:34 +0000 ++ + python3.9 (3.9.2-1+deb11u2) bullseye-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * Fix the binary-all tests. + + -- Adrian Bunk Sun, 01 Dec 2024 14:12:57 +0200 + + python3.9 (3.9.2-1+deb11u1) bullseye-security; urgency=medium + + * Non-maintainer upload by the LTS Team. 
+ * CVE-2015-20107: The mailcap module did not add escape characters + into commands discovered in the system mailcap file + * CVE-2020-10735: Prevent DoS with very large int + * CVE-2021-3426: Remove the pydoc getfile feature which + could be abused to read arbitrary files on the disk + * CVE-2021-3733: Regular Expression Denial of Service in urllib's + AbstractBasicAuthHandler class + * CVE-2021-3737: Infinite loop in the HTTP client code + * CVE-2021-4189: Make ftplib not trust the PASV response + * CVE-2021-28861: Open redirection vulnerability in http.server + * CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated + * CVE-2022-42919: Don't use Linux abstract sockets for multiprocessing + * CVE-2022-45061: Quadratic time in the IDNA decoder + * CVE-2023-6597: tempfile.TemporaryDirectory failure to remove dir + * CVE-2023-24329: Strip C0 control and space chars in urlsplit + * CVE-2023-27043: Reject malformed addresses in email.parseaddr() + * CVE-2023-40217: ssl.SSLSocket bypass of the TLS handshake + * CVE-2024-0397: Race condition in ssl.SSLContext + * CVE-2024-0450: quoted-overlap zipbomb DoS + * CVE-2024-4032: Incorrect information about private addresses + in the ipaddress module + * CVE-2024-6232: ReDoS when parsing tarfile headers + * CVE-2024-6923: Encode newlines in headers in the email module + * CVE-2024-7592: Quadratic complexity parsing cookies with backslashes + * CVE-2024-8088: Infinite loop when iterating over zip archive entry names + * CVE-2024-9287: venv activation scripts did't quote paths + * CVE-2024-11168: urllib functions improperly validated bracketed hosts + * Fix build test failures and make them fatal. + + -- Adrian Bunk Fri, 29 Nov 2024 19:38:21 +0200 python3.9 (3.9.2-1) unstable; urgency=medium
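Review bot: The new top entry (3.9.2-1+rpi1+deb11u2) still carries forward "Disable testsuite (test_concurrent_futures seems to hang)" from 3.9.0~b5-2+rpi1, while the merged 3.9.2-1+deb11u1 and 3.9.2-1+deb11u2 entries below it say "Fix build test failures and make them fatal" and "Fix the binary-all tests". Read together, the changelog says this build takes in the fixes for all the CVEs listed under deb11u1 with the test suite switched off, so nothing the suite would check about those changes is exercised here, and the "make them fatal" behaviour has no effect. The carried-forward note is dated Thu, 30 Jul 2020. Before this is uploaded, recheck whether test_concurrent_futures still hangs on 3.9.2 and, if it does, skip only that test rather than the whole suite, then state the result in this entry instead of repeating the 2020 line unchanged. Minor: the CVE-2024-9287 line reads "did't quote paths". The typo comes from the incoming deb11u1 entry and should stay identical to it in a merge, but it is worth reporting to the source package.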