Univention Bugzilla – Bug 53122
python2.7: Multiple issues (4.4)
Last modified: 2021-04-21 16:57:00 CEST
New Debian python2.7 2.7.13-2+deb9u5 fixes:

This update addresses the following issues:

* XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935)
* Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters (CVE-2021-23336)
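Added example, not part of the bug report or of Debian's patch: a simulation of the CVE-2021-23336 cache-poisoning scenario described above. parse_qsl_legacy reimplements the pre-fix split on both '&' and ';' (the exact list comprehension old CPython used); parse_qsl_fixed reimplements the patched behaviour of splitting on a single separator. The cache front-end, the JSONP-style backend, the utm_* unkeyed-parameter rule and the attacker query are all constructed for the illustration and are assumptions, not anything on this page. The code is Python 3 so that it runs stand-alone today; the fixed package this bug ships is Python 2.7, where the affected functions are urlparse.parse_qs, urlparse.parse_qsl and cgi.parse_qs rather than the urllib.parse names used in the DLA text.

```python
from urllib.parse import unquote_plus

# Constructed attacker query (assumption, not from the bug report). The ';'
# is the whole trick: a cache that splits only on '&' sees one harmless
# utm_ parameter, while an unpatched parse_qsl also splits on ';' and sees
# a 'callback' parameter the cache never keyed on.
ATTACKER_QUERY = "utm_content=1;callback=alert(1)"
PATH = "/api/data"


def _pairs_to_list(pairs):
    """Turn raw 'name=value' chunks into (name, value) tuples.

    Mirrors the default keep_blank_values=False handling of the stdlib:
    chunks without '=' or with an empty value are dropped.
    """
    out = []
    for pair in pairs:
        if not pair:
            continue
        nv = pair.split("=", 1)
        if len(nv) != 2 or not nv[1]:
            continue
        out.append((unquote_plus(nv[0]), unquote_plus(nv[1])))
    return out


def parse_qsl_legacy(qs):
    """Pre-fix behaviour (CVE-2021-23336): both '&' and ';' separate pairs."""
    return _pairs_to_list(s2 for s1 in qs.split("&") for s2 in s1.split(";"))


def parse_qsl_fixed(qs, separator="&"):
    """Patched behaviour: only the single configured separator splits pairs."""
    return _pairs_to_list(qs.split(separator))


# A minimal web-cache front-end (hypothetical): it keys on '&'-separated
# parameters and ignores marketing parameters (utm_*), as many CDN configs do.
UNKEYED_PREFIXES = ("utm_",)


def cache_key(path, query):
    kept = [
        f"{k}={v}"
        for k, v in parse_qsl_fixed(query)
        if not k.startswith(UNKEYED_PREFIXES)
    ]
    return path + ("?" + "&".join(kept) if kept else "")


# A JSONP-style backend (hypothetical) that reflects the 'callback' parameter
# into the response body, parsed with whichever query parser it is given.
def backend_response(query, parser):
    params = dict(parser(query))
    callback = params.get("callback", "handle")
    return f'{callback}({{"ok": true}})'


def simulate(parser):
    """Attacker request first, then a victim fetching the clean URL.

    Returns what the victim receives from the cache.
    """
    cache = {}
    cache[cache_key(PATH, ATTACKER_QUERY)] = backend_response(ATTACKER_QUERY, parser)
    return cache.get(cache_key(PATH, ""))


if __name__ == "__main__":
    print("legacy parser:", simulate(parse_qsl_legacy))
    print("fixed parser: ", simulate(parse_qsl_fixed))
```

With the legacy parser the attacker's response, which reflects alert(1), is stored under the same key the victim's clean request maps to, so every later visitor is served it; with the fixed parser the backend sees only utm_content='1;callback=alert(1)', the callback default is used and nothing attacker-controlled is cached. A patched CPython's urllib.parse.parse_qsl (and, with this update, Python 2.7's urlparse.parse_qsl) behaves like parse_qsl_fixed; anything that relied on ';' being a separator must now request it explicitly, as the separator argument above shows.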
--- mirror/ftp/4.4/unmaintained/4.4-6/source/python2.7_2.7.13-2+deb9u4.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/python2.7_2.7.13-2+deb9u5.dsc @@ -1,3 +1,12 @@ +2.7.13-2+deb9u5 [Fri, 16 Apr 2021 16:02:03 +0200] Anton Gladky <gladk@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * Update keycert.pem to fix corresponding tests. + * Disable some failing tests (see debian/TODO). + * CVE-2021-23336: only use '&' as a query string separator. + * CVE-2019-16935: Escape the server title of DocXMLRPCServer. + * Add debian/.gitlab-ci.yml. + 2.7.13-2+deb9u4 [Sat, 22 Aug 2020 12:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/4.4-7/#6102485430686676297>
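Review bot: the entry "CVE-2021-23336: only use '&' as a query string separator" records a behaviour change that applications can observe, not just a hardening, yet neither this changelog nor the erratum text above says whether code that relied on ';' splitting can opt back in or how it should adapt; the announce text should at least warn that parse_qs/parse_qsl now return a single pair for a query such as 'a=1;b=2'. The entry "Disable some failing tests (see debian/TODO)" should also name the disabled tests in the changelog itself, so a reviewer can tell whether any of them exercise the two patched modules, instead of deferring to a file that readers of the .dsc changelog never see.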
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
> After purging files have disappeared:
> /usr/lib/python2.7/lib-dynload/ owned by: libpython2.7-minimal:amd64

[4.4-7] 1f71d086d4 Bug #53122: python2.7 2.7.13-2+deb9u5
 doc/errata/staging/python2.7.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x960>