Univention Bugzilla – Bug 56739
python3.7: Multiple issues (5.0)
Last modified: 2023-10-18 16:20:32 CEST
New Debian python3.7 3.7.3-2+deb10u6 fixes: This update addresses the following issues: 3.7.3-2+deb10u6 (Wed, 11 Oct 2023 10:51:27 +0100) * Non-maintainer upload by the LTS Security Team. * CVE-2022-48560: Use-after-free via heappushpop in heapq. * CVE-2022-48564: Potential DoS in read_ints in plistlib.py. * CVE-2022-48565: Avoid XML External Entity (XXE) issues by rejecting entity declarations in XML plist files in plistlib. * CVE-2022-48566: Avoid some possible constant-time-defeating compiler optimisations in the accumulator variable in hmac.compare_digest. * CVE-2023-40217: Fix possible bypass of some of the protections implemented by the TLS handshake in ssl.SSLSocket class. - Also apply two upstream commits to stabilise the test suite.
--- mirror/ftp/pool/main/p/python3.7/python3.7_3.7.3-2+deb10u5.dsc +++ apt/ucs_5.0-0-errata5.0-5/source/python3.7_3.7.3-2+deb10u6.dsc @@ -1,3 +1,16 @@ +3.7.3-2+deb10u6 [Wed, 11 Oct 2023 10:51:27 +0100] Sean Whitton <spwhitton@spwhitton.name>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2022-48560: Use-after-free via heappushpop in heapq. + * CVE-2022-48564: Potential DoS in read_ints in plistlib.py. + * CVE-2022-48565: Avoid XML External Entity (XXE) issues by rejecting + entity declarations in XML plist files in plistlib. + * CVE-2022-48566: Avoid some possible constant-time-defeating compiler + optimisations in the accumulator variable in hmac.compare_digest. + * CVE-2023-40217: Fix possible bypass of some of the protections + implemented by the TLS handshake in ssl.SSLSocket class. + - Also apply two upstream commits to stabilise the test suite. + 3.7.3-2+deb10u5 [Thu, 29 Jun 2023 21:03:57 +0300] Adrian Bunk <bunk@debian.org>: * Non-maintainer upload by the LTS Security Team. <http://piuparts.knut.univention.de/5.0-5/#6721434331769799905>
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts [5.0-5] 994c58aaa5 Bug #56739: python3.7 3.7.3-2+deb10u6 doc/errata/staging/python3.7.yaml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) [5.0-5] 02886c2b16 Bug #56739: python3.7 3.7.3-2+deb10u6 doc/errata/staging/python3.7.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x847>