[SECURITY] [DLA 3980-1] python3.9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3980-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
December 02, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u2
CVE ID : CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733
CVE-2021-3737 CVE-2021-4189 CVE-2021-28861 CVE-2021-29921
CVE-2022-42919 CVE-2022-45061 CVE-2023-6597 CVE-2023-24329
CVE-2023-27043 CVE-2023-40217 CVE-2024-0397 CVE-2024-0450
CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592
CVE-2024-8088 CVE-2024-9287 CVE-2024-11168
Debian Bug : 989195 1070135 1059298 1070133
Multiple vulnerabilities have been fixed in the Python 3.9 interpreter and
its standard library.
CVE-2015-20107
The mailcap module did not escape shell metacharacters in commands
read from the system mailcap file, so a crafted filename passed to
findmatch() could inject additional shell commands.
CVE-2020-10735
Denial of service via very large integers: converting between int and
decimal str has quadratic cost, so untrusted numeric input with very
many digits could consume excessive CPU. A default limit of 4300 digits
is now enforced on such conversions (adjustable with
sys.set_int_max_str_digits()).
CVE-2021-3426
The pydoc getfile feature, reachable through the pydoc web server,
could be abused to read arbitrary files on disk; it has been removed.
CVE-2021-3737
Regular expression denial of service (ReDoS) in urllib.request's
AbstractBasicAuthHandler when parsing a crafted WWW-Authenticate header
sent by a malicious server.
CVE-2021-3737
Infinite loop in the HTTP client code: a malicious server could keep
http.client (and thus urllib) reading header lines forever after a
100 Continue response.
CVE-2021-4189
ftplib no longer trusts the IPv4 address returned in a passive-mode
(PASV) response by default and connects to the control channel's server
address instead, so a malicious FTP server cannot make the client
connect to arbitrary hosts and ports.
CVE-2021-28861
Open redirection vulnerability in http.server: a request path beginning
with two slashes could be turned into a redirect to an arbitrary host.
CVE-2021-29921
The ipaddress module accepted IPv4 octets with leading zeros, which
other software may interpret as octal; the resulting parsing
inconsistency could bypass address-based access controls. Leading zeros
are no longer tolerated.
CVE-2022-42919
multiprocessing no longer uses Linux abstract-namespace Unix sockets
for its forkserver. Such sockets have no file permissions, so any local
user could connect and send pickled data that the forkserver would
execute as the user running it.
CVE-2022-45061
Quadratic time in the IDNA decoder: a crafted, unreasonably long
hostname could cause a CPU denial of service when decoded.
CVE-2023-6597
tempfile.TemporaryDirectory followed symbolic links while cleaning up
after permission errors, so a privileged process could have the
permissions of files outside the directory changed.
CVE-2023-24329
urllib.parse.urlsplit() did not strip leading C0 control and space
characters, so a URL such as "\x0bhttps://..." could bypass scheme and
host block-lists. These characters are now stripped, following the
WHATWG URL specification.
CVE-2023-27043
email.utils.parseaddr() (and getaddresses()) accepted malformed
addresses and could return a valid-looking address from a string
containing several, which allowed sender or domain checks to be
bypassed. Malformed addresses are now rejected.
CVE-2023-40217
ssl.SSLSocket bypass of the TLS handshake: unencrypted data that a peer
sent before the handshake completed, followed by closing its side of
the socket, could be returned by the socket as if it were protected,
authenticated application data.
CVE-2024-0397
Race condition in ssl.SSLContext: calling cert_store_stats() or
get_ca_certs() while another thread loads certificates into the same
context could lead to memory corruption.
CVE-2024-0450
Quoted-overlap zip bomb denial of service: zipfile could be made to
expand a small archive with overlapping entries into a huge amount of
data. Overlapping entries are now rejected.
CVE-2024-4032
The ipaddress module returned incorrect is_private and is_global
results for some IPv4 and IPv6 ranges listed in the IANA
special-purpose registries, so code using these properties for access
control could misclassify addresses.
CVE-2024-6232
ReDoS through excessive regular expression backtracking when tarfile
parses the headers of a crafted tar archive.
CVE-2024-6923
The email module did not quote newlines in header values, so a crafted
value (for example an address) could inject additional headers or body
content into the generated message. Generated headers are now verified.
CVE-2024-7592
http.cookies parsed cookie values containing backslashes with quadratic
complexity, allowing a denial of service via a crafted Cookie header.
CVE-2024-8088
zipfile.Path could loop forever when iterating over the entry names of
a crafted zip archive.
CVE-2024-9287
venv activation scripts didn't quote paths, so activating a virtual
environment created at an attacker-chosen path containing shell
metacharacters could execute arbitrary code.
CVE-2024-11168
urllib.parse functions improperly validated bracketed hosts, accepting
"[...]" hosts that are not IPv6 or IPvFuture literals and so allowing
hostname-based SSRF checks to be bypassed.
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u2.
We recommend that you upgrade your python3.9 packages.
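Beyond comparing the installed package version, it is useful to confirm that the interpreter actually behaves as the fixed versions do. The following probes are an added example, not part of the advisory or of the Debian package; each one exercises a behavioural change that the upstream fix for one of the listed CVEs introduced and returns True when the fixed behaviour is observed. The probe inputs ("010.8.8.8", the C0-prefixed URL, the bracketed host, 192.0.0.100) are constructed for this example; the function names are this example's own.

```python
"""Behavioural probes for a subset of the CVEs listed in DLA-3980-1.

Added example: each probe returns True when the running interpreter shows
the fixed behaviour for that CVE and False when it shows the pre-fix
behaviour.  Inputs are constructed here, not taken from the advisory.
"""
import ftplib
import inspect
import ipaddress
import sys
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit


def probe_int_str_limit() -> bool:
    # CVE-2020-10735: fixed interpreters cap int<->str conversions
    # (default 4300 digits) and expose sys.get_int_max_str_digits().
    if not hasattr(sys, "get_int_max_str_digits"):
        return False
    limit = sys.get_int_max_str_digits()
    if limit == 0:  # limit explicitly disabled by the operator
        return True
    try:
        int("9" * (limit + 1))
    except ValueError:
        return True
    return False


def probe_ipv4_leading_zeros() -> bool:
    # CVE-2021-29921: octets with leading zeros used to be accepted;
    # fixed versions raise ValueError.
    try:
        ipaddress.ip_address("010.8.8.8")
    except ValueError:
        return True
    return False


def probe_urlsplit_c0_strip() -> bool:
    # CVE-2023-24329: a leading C0 control character used to hide the
    # scheme from urlsplit(); fixed versions strip it and see "https".
    return urlsplit("\x0bhttps://example.com/").scheme == "https"


def probe_urlsplit_bracketed_host() -> bool:
    # CVE-2024-11168: a bracketed host that is not an IPv6 or IPvFuture
    # literal is rejected with ValueError once fixed.
    try:
        urlsplit("http://[example.com]/")
    except ValueError:
        return True
    return False


def probe_ftplib_pasv() -> bool:
    # CVE-2021-4189: fixed ftplib carries trust_server_pasv_ipv4_address
    # and defaults it to False, ignoring the address in the PASV reply.
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", True) is False


def probe_parseaddr_strict() -> bool:
    # CVE-2023-27043: the fix added a strict= parameter (default True)
    # to parseaddr()/getaddresses(); its presence marks a fixed build.
    return "strict" in inspect.signature(parseaddr).parameters


def probe_email_header_verification() -> bool:
    # CVE-2024-6923: fixed email policies carry verify_generated_headers
    # (default True) and refuse to emit header values with bare newlines.
    return getattr(policy.default, "verify_generated_headers", False) is True


def probe_ipaddress_private_ranges() -> bool:
    # CVE-2024-4032: 192.0.0.0/24 (IETF Protocol Assignments) is private
    # per the IANA registry; pre-fix is_private only covered 192.0.0.0/29
    # and reported False for the rest of the /24.
    return ipaddress.ip_address("192.0.0.100").is_private


def run_probes() -> dict:
    """Map each probed CVE to True (fixed behaviour) or False (pre-fix)."""
    return {
        "CVE-2020-10735": probe_int_str_limit(),
        "CVE-2021-29921": probe_ipv4_leading_zeros(),
        "CVE-2021-4189": probe_ftplib_pasv(),
        "CVE-2023-24329": probe_urlsplit_c0_strip(),
        "CVE-2023-27043": probe_parseaddr_strict(),
        "CVE-2024-4032": probe_ipaddress_private_ranges(),
        "CVE-2024-6923": probe_email_header_verification(),
        "CVE-2024-11168": probe_urlsplit_bracketed_host(),
    }


if __name__ == "__main__":
    print(f"Python {sys.version.split()[0]} at {sys.executable}")
    for cve, fixed in sorted(run_probes().items()):
        print(f"{cve}: {'fixed' if fixed else 'VULNERABLE'}")
```

Run it with the interpreter you are auditing (for example /usr/bin/python3.9 on bullseye). A False result means the interpreter still shows the pre-fix behaviour for that CVE, regardless of what the package version string says; only CVEs whose fix is observable from Python code are probed, so the ReDoS, zip-bomb and venv issues in the list still have to be verified by package version.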
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS