[SECURITY] [DLA 3477-1] python3.7 security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3477-1] python3.7 security update
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 30 Jun 2023 23:52:04 +0300
Message-id: <[🔎] ZJ9AdNDKCvIhTgTg@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3477-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 30, 2023                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python3.7
Version        : 3.7.3-2+deb10u5
CVE ID         : CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733 
                 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061

Several vulnerabilities were fixed in the Python3 interpreter.

CVE-2015-20107

    The mailcap module did not add escape characters into commands 
    discovered in the system mailcap file.

CVE-2020-10735

    Prevent DoS with very large int.

CVE-2021-3426

    Remove the pydoc getfile feature which could be abused to read 
    arbitrary files on the disk.

CVE-2021-3733

    Regular Expression Denial of Service in urllib's AbstractBasicAuthHandler class.

CVE-2021-3737

    Infinite loop in the HTTP client code.

CVE-2021-4189

    Make ftplib not trust the PASV response.

CVE-2022-45061

    Quadratic time in the IDNA decoder.

For Debian 10 buster, these problems have been fixed in version
3.7.3-2+deb10u5.

We recommend that you upgrade your python3.7 packages.

For the detailed security status of python3.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmSfQHAACgkQiNJCh6LY
mLFENA/9GmRVfnKG5p47RlAX2dibE+2fBguKS9U9CnvRcal/2UdxZ+viFNQfzAlH
mHpNcd3btQujxjeXba5BFiIJlVCL4osKItRuMRyfipj08W2+GQBoy/lNYbROAJ9r
HziNN0ixV9HKymcKwIpiFp7pE2wM+xMjhlITIFiojZ5VAGDncXWL40tHcjJ3hEqY
p3wDLflPqncp/Te83BooXGgkDVh1xycacrpvSRRdqgLC2cahODLy5t8WiU7jdQsI
84TPOMFvAqyH9JWGBMt+scejm912tuCkNP+BYr7jn/5wU+M+Bb2VZqlI1c9f723o
D9idXWgka0ArMaIQI3sog1PehXL/01ZUD2vFWFYIccXeCuTT3tgM/JROYGvK3Ftn
gEJiaZfr2J5Z0F8S8mcy59E9vNmIkIqD4QIjOk7/B2Wnn/WcoNs70GjybDLURD5a
JwxQrDY5kf9WgeuiTWVhwRVtfy54eXHPKWMJ5bDbT2DztxQZ2jPDeZW204SP1M+9
5uokvXfEfYyEtr6s77xfJVf2zhKLkVflokgeOjDJh3hhz/ypRXVJ9GVaYNkPnvwj
nU23kvCVCBGcGYt72dvcH1Xx5UEpAqw/IEwq1C2CRSxaz7B/SrmppeDEkE8E6ZL4
g3lmJWtuPS7iMCOucA2szaYDVuOuWxIozCaTHT4vn42LKuVWQ6k=
=we+R
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3476-1] cups security update
Previous by thread: [SECURITY] [DLA 3476-1] cups security update
Index(es):
- Date
- Thread