Change logs for python3.6 source package in Bionic

  • python3.6 (3.6.9-1~18.04ubuntu1.12) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Possible Bypass Blocklisting
        - debian/patches/CVE-2023-24329.patch: enforce
          that a scheme must begin with an alphabetical ASCII character
          in Lib/urllib/parse.py, Lib/test/test_urlparse.py.
        - CVE-2023-24329
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 10 Mar 2023 13:46:00 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1.10) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overflow in SHA3 (Keccak)
        - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in
          Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py
         (LP: #1995197).
        - CVE-2022-37454
    
     -- Dimitri John Ledkov <email address hidden>  Tue, 28 Feb 2023 09:55:20 +0000
  • python3.6 (3.6.9-1~18.04ubuntu1.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2022-45061.patch: fix quadratic time idna decoding
          in Lib/encodings/idna.py, Lib/test/test_codecs.py.
        - CVE-2022-45061
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 25 Nov 2022 11:10:45 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Injection Attack
        - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe
          filenames/types/param in Lib/mailcap.py, Lib/test/test_mailcap.py.
        - CVE-2015-20107
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 29 Jun 2022 08:45:57 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Expose sensitive information
        - debian/patches/CVE-2021-3426.patch: remove pydoc getfile feature
          in Lib/pydoc.py, Lib/test/test_pydoc.py.
        - CVE-2021-3426
      * SECURITY UPDATE: Expose sensitive information
        - debian/patches/CVE-2021-4189.patch: alters ftplib.FTP class
          behavior to not trust the IPv4 address sent from the remote
          server when setting up a passive data channel in
          response in Lib/ftplib.py, Lib/test/test_ftplib.py.
        - CVE-2021-4189
      * SECURITY UPDATE: Injection Attack
        - debian/patches/CVE-2022-0391.patch: sanitize urls in urllib.parse
          when it contains ASCII newline and tabs in
          Doc/library/urllib.parse.rst, Lib/test/test_urlparse.py,
          Lib/urllib/parse.py.
        - CVE-2022-0391
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 15 Mar 2022 10:55:28 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Regular Expression Denial of Service
         - debian/patches/CVE-2021-3733.patch: updates a regular expression in the
           urllib.request.AbstractBasicAuthHandler class which has a quadratic
           worst-case time complexity and could be abused by a malicious HTTP
           server to cause a Denial of Service condition for a client.
         - CVE-2021-3733
      * SECURITY UPDATE: Denial of Service
         - debian/patches/CVE-2021-3737.patch: addresses the potential for the
           urllib http client to enter into an infinite loop and hang on a 100
           Continue response from a malicious server.
         - debian/patches/CVE-2021-3737_test-fix.patch: improves the regression
           test in Lib/test/test_httplib.py
         - CVE-2021-3737
    
     -- Ian Constantin <email address hidden>  Wed, 08 Dec 2021 16:08:43 -0500
  • python3.6 (3.6.9-1~18.04ubuntu1.4) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Code execution from content received via HTTP
        - debian/patches/CVE-2020-27619-3.6.patch: no longer call eval() on
          content received via HTTP in Lib/test/multibytecodec_support.py.
        - CVE-2020-27619
      * SECURITY UPDATE: Buffer overflow
        - debian/patches/CVE-2021-3177-3.6.patch: replace snprintf with Python unicode
          formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
          Modules/_ctypes/callproc.c.
        - CVE-2021-3177
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 26 Jan 2021 12:33:00 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: CRLF injection
        - debian/patches/CVE-2020-26116.patch: prevent header injection
          in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
        - CVE-2020-26116
      * debian/patches/disabling_test_ttk_guionly.patch: disabling ttk_guionly
        test which is causing a hang for ppc64el build.
    
     -- <email address hidden> (Leonidas S. Barbosa)  Thu, 08 Oct 2020 09:12:24 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Misleading information
        - debian/patches/CVE-2019-17514.patch: explain that the orderness of the
          result is system-dependent in Doc/library/glob.rst.
        - CVE-2019-17514
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2019-9674.patch: add pitfalls to
          zipfile module doc in Doc/library/zipfile.rst,
          Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
        - CVE-2019-9674
      * SECURITY UPDATE: Infinite loop
        - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
          tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py and add
          Lib/test/recursion.tar binary for test.
        - CVE-2019-20907
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2020-14422.patch: Resolve hash collisions for
          IPv4Interface and IPv6Interface in Lib/ipaddress.py,
          Lib/test/test_ipaddress.py.
        - CVE-2020-14422
    
     -- <email address hidden> (Leonidas S. Barbosa)  Fri, 17 Jul 2020 09:50:27 -0300
  • python3.6 (3.6.9-1~18.04ubuntu1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: CRLF injection
        - debian/patches/CVE-2019-18348.patch: disallow control characters
          in hostnames in http.client in Lib/http/client.py, Lib/test/test_urllib.py.
        - CVE-2019-18348
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2020-8492.patch: fix the regex to prevent
          the regex denial of service in Lib/urllib/request.py,
        - CVE-2020-8492
    
     -- <email address hidden> (Leonidas S. Barbosa)  Fri, 17 Apr 2020 22:56:04 -0300
  • python3.6 (3.6.9-1~18.04) bionic-proposed; urgency=medium
    
      * SRU: LP: #1835738, backport 3.6.9 to 18.04.
      * Python 3.6.9 release.
      * Remove patches applied upstream:
        - CVE-2018-20852.patch
        - CVE-2019-5010.patch
        - CVE-2019-9636.patch
        - CVE-2019-9740.patch
        - CVE-2019-9948.patch
        - CVE-2019-10160-1.patch
        - CVE-2019-10160-2.patch
      * Enable the lto build on arm64.
    
     -- Matthias Klose <email address hidden>  Thu, 07 Nov 2019 11:44:02 +0100
  • python3.6 (3.6.8-1~18.04.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: incorrect email address parsing
        - debian/patches/CVE-2019-16056.patch: don't parse domains containing @
          in Lib/email/_header_value_parser.py, Lib/email/_parseaddr.py,
          Lib/test/test_email/test__header_value_parser.py,
          Lib/test/test_email/test_email.py.
        - CVE-2019-16056
      * SECURITY UPDATE: XSS in documentation XML-RPC server
        - debian/patches/CVE-2019-16935.patch: escape the server_title in
          Lib/xmlrpc/server.py, Lib/test/test_docxmlrpc.py.
        - CVE-2019-16935
    
     -- Marc Deslauriers <email address hidden>  Mon, 07 Oct 2019 08:59:55 -0400
  • python3.6 (3.6.8-1~18.04.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: incorrect cookie domain check
        - debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
          subdomain validation in Lib/http/cookiejar.py,
          Lib/test/test_http_cookiejar.py.
        - CVE-2018-20852
      * SECURITY UPDATE: NULL pointer dereference via X509 certificate
        - debian/patches/CVE-2019-5010.patch: fix segfault in ssl cert parser
          in Lib/test/talos-2019-0758.pem, Lib/test/test_ssl.py,
          Modules/_ssl.c.
        - CVE-2019-5010
      * SECURITY UPDATE: improper handling of unicode encoding
        - debian/patches/CVE-2019-9636.patch: add check for characters in
          netloc that normalize to separators in Doc/library/urllib.parse.rst,
          Lib/test/test_urlparse.py, Lib/urllib/parse.py.
        - CVE-2019-9636
      * SECURITY UPDATE: HTTP header injection
        - debian/patches/CVE-2019-9740.patch: disallow control chars in http
          URLs in Lib/http/client.py, Lib/test/test_urllib.py,
          Lib/test/test_xmlrpc.py.
        - CVE-2019-9740
        - CVE-2019-9947
      * SECURITY UPDATE: urllib supports the local_file: scheme
        - debian/patches/CVE-2019-9948.patch: disallow file reading in
          Lib/urllib/request.py, Lib/test/test_urllib.py.
        - CVE-2019-9948
      * SECURITY UPDATE: incomplete fix for CVE-2019-9636
        - debian/patches/CVE-2019-10160-1.patch: fix handling of
          pre-normalization characters in urlsplit() in
          Lib/test/test_urlparse.py, Lib/urllib/parse.py.
        - debian/patches/CVE-2019-10160-2.patch: correct fix to handle
          decomposition in usernames in Lib/test/test_urlparse.py,
          Lib/urllib/parse.py.
        - CVE-2019-10160
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Aug 2019 13:12:48 -0400
  • python3.6 (3.6.8-1~18.04.1) bionic; urgency=medium
    
      * Rebuild with OpenSSL 1.1.1. LP: #1797386
    
    python3.6 (3.6.8-1) unstable; urgency=medium
    
      * Python 3.6.8 release.
      * Revert the link optimization changes which appeared after the
        release candidate.
    
    python3.6 (3.6.8~rc1-1) unstable; urgency=medium
    
      * Python 3.6.8 release candidate 1.
      * Update symbols files.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 14 Jan 2019 12:02:34 +0100
  • python3.6 (3.6.7-1~18.04) bionic-proposed; urgency=medium
    
      * SRU: LP: #1799206.
    
    python3.6 (3.6.7-1) unstable; urgency=medium
    
      * Python 3.6.7 release.
    
    python3.6 (3.6.7~rc2-1) unstable; urgency=medium
    
      * Python 3.6.7 release candidate 2.
    
    python3.6 (3.6.7~rc1-1) unstable; urgency=medium
    
      * Python 3.6.7 release candidate 1.
    
    python3.6 (3.6.6-4) unstable; urgency=medium
    
      * Update to 20180901 from the 3.6 branch.
      * Add idle-python3.6 to the autopkg test depends.
    
    python3.6 (3.6.6-3) unstable; urgency=medium
    
      * Update to 20180828 from the 3.6 branch.
      * Disable running some tests which are not ready for Debian's OpenSSL
        defaults (test_{asyncio,ftplib,httplib,imaplib,nntplib,poplib,ssl}).
        Closes: #907215.
    
    python3.6 (3.6.6-2) unstable; urgency=medium
    
      * Update to 20180820 from the 3.6 branch.
      * Avoid usage of distutils in the platform module. See issue #26544.
      * Move test/__main__.py into libpython3.6-stdlib.
      * Pass the list of the pyFPE breaks as a parameter into dpkg-gencontrol
        instead of hard-coding them in the control file.
    
     -- Matthias Klose <email address hidden>  Mon, 22 Oct 2018 13:32:17 +0200
  • python3.6 (3.6.6-1~18.04) bionic-proposed; urgency=medium
    
      * SRU: LP: #1792143. Update Python 3.6 to the recent subminor release.
    
    python3.6 (3.6.6-1) unstable; urgency=medium
    
      * Python 3.6.6 release.
    
    python3.6 (3.6.6~rc1-4) unstable; urgency=medium
    
      * Update to 20180622 from the 3.6 branch.
        - Fix installation of idlelib testsuite.
    
    python3.6 (3.6.6~rc1-3) unstable; urgency=medium
    
      * Update to 20180619 from the 3.6 branch.
      * Let ensurepip work with pip versions 9 or 10. Closes: #901797.
      * pdb(1): Fix pointer to HTML documentation. Closes: #901603.
    
    python3.6 (3.6.6~rc1-1) unstable; urgency=medium
    
      * Python 3.6.6 release candidate 1.
    
    python3.6 (3.6.5-10) unstable; urgency=medium
    
      * Update to 20180608 from the 3.6 branch.
      * Update the sysconfig-debian-schemes patch, not yet applied.
        sysconfig: The 'posix_local' schema name is the default unless the env var
        DEB_PYTHON_INSTALL_LAYOUT is set to 'deb' or 'deb_system'.  Use the latter
        for package builds.
      * Build cmath as a builtin instead of an extension.
      * Run the test_code_module, test_zipfile tests in the autopkg tests again.
      * Build using GCC 8.
    
    python3.6 (3.6.5-9) unstable; urgency=medium
    
      * python3.6: Add breaks on python3-all (<< 3.6.5~rc1-1),
        python3-dev (<< 3.6.5~rc1-1), python3-venv (<< 3.6.5-2). Closes: #898401.
    
    python3.6 (3.6.5-8) unstable; urgency=medium
    
      * Fix the lto build for extensions, passing -fPIC to the linker.
    
    python3.6 (3.6.5-6) unstable; urgency=medium
    
      * Don't inject dpkg's compiler specs into distutils. LP: #1768644.
    
    python3.6 (3.6.5-5) unstable; urgency=medium
    
      * Fix the lto build on x86_64 architectures.
      * Make the build of the shared modules verbose again.
    
    python3.6 (3.6.5-4) unstable; urgency=medium
    
      * Re-enable pgo/lto builds.
    
     -- Matthias Klose <email address hidden>  Wed, 12 Sep 2018 20:26:19 +0200
  • python3.6 (3.6.5-3) unstable; urgency=medium
    
      * Fix library name in the python debug pkgconfig file. Closes: #894498.
    
     -- Matthias Klose <email address hidden>  Sun, 01 Apr 2018 13:46:30 +0800
  • python3.6 (3.6.5-2) unstable; urgency=medium
    
      * libpython3.6-stdlib: Add missing python3-distutils breaks. Closes: #894204.
    
     -- Matthias Klose <email address hidden>  Sat, 31 Mar 2018 06:34:57 +0100
  • python3.6 (3.6.5~rc1-1) unstable; urgency=medium
    
      * Python 3.6.5 release candidate 1.
        - Fix issue #32185: The SSL module no longer sends IP addresses in SNI TLS
          extension on platforms with OpenSSL 1.0.2+ or inet_pton. See #892814.
        - XXX check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890844
      * Add support for riscv64 (Aurelien Jarno). Closes: #892328.
      * Update symbols file.
    
     -- Matthias Klose <email address hidden>  Wed, 14 Mar 2018 07:54:23 +0100
  • python3.6 (3.6.4-4) unstable; urgency=medium
    
      * Update to 20180212 from the 3.6 branch.
      * Add test_idle as expected to fail in the autopkg tests.
      * Update symbols file.
    
     -- Matthias Klose <email address hidden>  Mon, 12 Feb 2018 09:25:03 +0100
  • python3.6 (3.6.4-3build1) bionic; urgency=high
    
      * No change rebuild against openssl1.1.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 05 Feb 2018 16:52:44 +0000
  • python3.6 (3.6.4-3) unstable; urgency=medium
    
      * Stop building python3.6-2to3, now replaced by 2to3 and python3-lib2to3.
    
     -- Matthias Klose <email address hidden>  Fri, 05 Jan 2018 03:13:53 +0100
  • python3.6 (3.6.4-2) unstable; urgency=medium
    
      * Stop shipping lib2to3, now shipped in python3-lib2to3.
    
     -- Matthias Klose <email address hidden>  Wed, 27 Dec 2017 14:02:49 +0100
  • python3.6 (3.6.4-1) unstable; urgency=medium
    
      * Python 3.6.4 release.
    
     -- Matthias Klose <email address hidden>  Tue, 19 Dec 2017 15:09:48 +0100
  • python3.6 (3.6.4~rc1-2) unstable; urgency=medium
    
      * Build documentation in info format (Benjamin Moody). Closes: #881959.
      * Split out a python3.6-2to3 package.
      * Stop shipping the tkinter and distutils modules in libpython3.6-stdlib.
    
     -- Matthias Klose <email address hidden>  Wed, 13 Dec 2017 12:08:21 +0100
  • python3.6 (3.6.4~rc1-1) unstable; urgency=medium
    
      * Python 3.6.4 release candidate 1.
    
     -- Matthias Klose <email address hidden>  Wed, 06 Dec 2017 11:08:29 +0100
  • python3.6 (3.6.3-2) unstable; urgency=medium
    
      * Update to 20171205 from the 3.6 branch.
      * Add support for mipsr6 triplets (YunQiang Su). Closes: #881942.
      * Move the idle library into the idle-python3.6 package.
    
     -- Matthias Klose <email address hidden>  Tue, 05 Dec 2017 11:22:15 +0100
  • python3.6 (3.6.3-1ubuntu1) artful; urgency=medium
    
      * Regenerate the control file.
    
    python3.6 (3.6.3-1) unstable; urgency=medium
    
      * Python 3.6.3 release.
      * Don't run test_platform/test_linux_distribution_encoding, Fedora only.
      * test_*: Run tests with TLSv1_2.
      * Update symbols files.
    
     -- Matthias Klose <email address hidden>  Tue, 03 Oct 2017 23:45:48 +0200