Debian alert DLA-3980-1 (python3.9)
| From: | Adrian Bunk <bunk@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 3980-1] python3.9 security update | |
| Date: | Mon, 02 Dec 2024 12:44:24 +0200 | |
| Message-ID: | <Z02PiE2bncqUeBaT@localhost> | |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3980-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Adrian Bunk
December 02, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python3.9
Version        : 3.9.2-1+deb11u2
CVE ID         : CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733
                 CVE-2021-3737 CVE-2021-4189 CVE-2021-28861 CVE-2021-29921
                 CVE-2022-42919 CVE-2022-45061 CVE-2023-6597 CVE-2023-24329
                 CVE-2023-27043 CVE-2023-40217 CVE-2024-0397 CVE-2024-0450
                 CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592
                 CVE-2024-8088 CVE-2024-9287 CVE-2024-11168
Debian Bug     : 989195 1070135 1059298 1070133

Multiple vulnerabilities have been fixed in the Python3 interpreter.

CVE-2015-20107

    The mailcap module did not add escape characters into commands
    discovered in the system mailcap file

CVE-2020-10735

    Prevent DoS with very large int

CVE-2021-3426

    Remove the pydoc getfile feature which could be abused to read
    arbitrary files on the disk

CVE-2021-3733

    Regular Expression Denial of Service in urllib's
    AbstractBasicAuthHandler class

CVE-2021-3737

    Infinite loop in the HTTP client code

CVE-2021-4189

    Make ftplib not trust the PASV response

CVE-2021-28861

    Open redirection vulnerability in http.server

CVE-2021-29921

    Leading zeros in IPv4 addresses are no longer tolerated

CVE-2022-42919

    Don't use Linux abstract sockets for multiprocessing

CVE-2022-45061

    Quadratic time in the IDNA decoder

CVE-2023-6597

    tempfile.TemporaryDirectory failure to remove dir

CVE-2023-24329

    Strip C0 control and space chars in urlsplit

CVE-2023-27043

    Reject malformed addresses in email.parseaddr()

CVE-2023-40217

    ssl.SSLSocket bypass of the TLS handshake

CVE-2024-0397

    Race condition in ssl.SSLContext

CVE-2024-0450

    Quoted-overlap zipbomb DoS

CVE-2024-4032

    Incorrect information about private addresses in the ipaddress module

CVE-2024-6232

    ReDoS when parsing tarfile headers

CVE-2024-6923

    Encode newlines in headers in the email module

CVE-2024-7592

    Quadratic complexity parsing cookies with backslashes

CVE-2024-8088

    Infinite loop when iterating over zip archive entry names

CVE-2024-9287

    venv activation scripts didn't quote paths

CVE-2024-11168

    urllib functions improperly validated bracketed hosts

For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u2.

We recommend that you upgrade your python3.9 packages.

For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
