From: Raspbian automatic forward porter Date: Mon, 18 May 2026 18:09:44 +0000 (+0100) Subject: Merge version 3.9.2-1+rpi1+deb11u6 and 3.9.2-1+deb11u7 to produce 3.9.2-1+rpi1+deb11u7 X-Git-Tag: archive/raspbian/3.9.2-1+rpi1+deb11u7^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ab35329b13231259e2a436e3409f5176ee2d010c;p=python3.9.git Merge version 3.9.2-1+rpi1+deb11u6 and 3.9.2-1+deb11u7 to produce 3.9.2-1+rpi1+deb11u7 --- ab35329b13231259e2a436e3409f5176ee2d010c diff --cc debian/changelog index e2ea4f2,13b74d3..69ae2a4 --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,17 +1,24 @@@ - python3.9 (3.9.2-1+rpi1+deb11u6) bullseye-staging; urgency=medium ++python3.9 (3.9.2-1+rpi1+deb11u7) bullseye-staging; urgency=medium + + [changes brought forward from 3.9.0~b5-2+rpi1 by Peter Michael Green at Thu, 30 Jul 2020 10:10:07 +0000] + * Disable testsuite (test_concurrent_futures seems to hang) + - -- Raspbian forward porter Thu, 16 Apr 2026 14:02:46 +0000 ++ -- Raspbian forward porter Mon, 18 May 2026 18:09:43 +0000 ++ + python3.9 (3.9.2-1+deb11u7) bullseye-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Apply upstream patches for the following CVEs: + - CVE-2025-13462: Incorrect parsing of TarInfo header when GNU long name + and type AREGTYPE are combined + - CVE-2026-2297: SourcelessFileLoader does not use io.open_code() + - CVE-2026-3644: Reject control characters in more places in + http.cookies.Morsel (follow-up of patch for CVE-2026-0672) + - CVE-2026-4224: pyexpat.c: Unbounded C recursion in conv_content_model + causes crash + - CVE-2026-4519: Reject leading dashes in webbrowser.open() + + -- Arnaud Rebillout Thu, 14 May 2026 10:00:00 +0700 python3.9 (3.9.2-1+deb11u6) bullseye-security; urgency=medium
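Review bot: the new top stanza `python3.9 (3.9.2-1+rpi1+deb11u7) bullseye-staging; urgency=medium` keeps urgency=medium even though the 3.9.2-1+deb11u7 stanza merged in directly below it is a bullseye-security upload marked urgency=high with five CVE fixes. Consider carrying the higher urgency forward into the merged entry so it does not understate the security content. The same top stanza still has `* Disable testsuite (test_concurrent_futures seems to hang)`, which means this build will not exercise the code touched by the patches for CVE-2025-13462, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224 and CVE-2026-4519. Suggest skipping only test_concurrent_futures rather than the whole suite, or at least noting in the stanza that the security patches were merged without a test run. The top stanza also lists only the brought-forward change, so a reader has to go to the next entry to learn which CVEs this version addresses; a one-line pointer to the 3.9.2-1+deb11u7 entry would help.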