Bug 57780 - python3.7: Multiple issues (5.0)
Summary: python3.7: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Arvid Requate
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-12-02 19:52 CET by Quality Assurance
Modified: 2024-12-04 17:01 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Description Quality Assurance univentionstaff 2024-12-02 19:52:23 CET
New Debian python3.7 3.7.3-2+deb10u9 fixes:
This update addresses the following issues:

Debian update 3.7.3-2+deb10u9
3.7.3-2+deb10u9 (Sat, 23 Nov 2024 16:31:22 +0000)
* Non-maintainer upload by the ELTS Team.
* Fix CVE-2023-27043: The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
* Fix CVE-2024-6232: Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
* Fix CVE-2024-6923: The email module didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized.
* Fix CVE-2024-7592: When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
* Fix CVE-2024-9287: A vulnerability has been found in the `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.
* Fix CVE-2024-11168: The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
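The first and last items above (CVE-2023-27043 and CVE-2024-11168) are the same class of bug: a lenient parser in the application sees one address or host while the MTA or the next URL parser acts on another. Updating python3.7 fixes the library, but a service that makes an allow-list decision from a parsed address or URL should not depend on that. The following Python is an added example, not code from the bug report, Debian or Univention; function names, regexes and the sample header values and URLs are constructed by the editor. The strict checks give the same verdict whether or not the running interpreter carries either fix, because they reject anything that is not one canonical address or authority instead of letting the parser "repair" it.

```python
"""Application-side hardening against the parser differentials behind
CVE-2023-27043 (email address) and CVE-2024-11168 (bracketed URL host).
Added example with constructed inputs; not part of python3.7 or UCS."""
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Deliberately narrower than RFC 5322: dot-atom local part, dotted hostname
# domain (two or more labels), nothing else. Out-of-grammar input is rejected.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_SPEC = re.compile(
    rf"{_ATOM}(?:\.{_ATOM})*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)
# 'Display Name <addr-spec>' with a plain or quoted display name only.
_NAME_ADDR = re.compile(r'(?:"[^"\\\r\n]*"|[A-Za-z0-9 ._-]*)\s*<([^<>\s]+)>')
# RFC 3986 IPvFuture: 'v' + hex digits + '.' + unreserved/sub-delims/':'.
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9._~!$&'()*+,;=:-]+")
_PLAIN_HOST = re.compile(r"[A-Za-z0-9.-]+")


def lenient_domain_ok(header_value, allowed_domain):
    """The pattern CVE-2023-27043 breaks: trust whatever addr-spec parseaddr()
    extracts. For 'alice@example.org]<bob@example.com>' an unfixed interpreter
    returns 'alice@example.org' (check passes, mail is delivered to bob@); a
    fixed one returns '' (check fails). The verdict depends on the runtime."""
    _, addr = parseaddr(header_value)
    return addr.lower().endswith("@" + allowed_domain.lower())


def strict_domain_ok(header_value, allowed_domain):
    """Hardened check: the whole field must be exactly one canonical address,
    either a bare addr-spec or 'Name <addr-spec>', and the domain must match
    in full. Truncated, doubled or comma-joined addresses never reach the
    allow-list decision, on any interpreter."""
    value = header_value.strip()
    m = _NAME_ADDR.fullmatch(value)
    addr = m.group(1) if m else value
    if not _ADDR_SPEC.fullmatch(addr):
        return False
    return addr.rsplit("@", 1)[1].lower() == allowed_domain.lower()


def safe_host(url):
    """Return the host of `url` for an allow-list decision, or None when the
    authority is something a second parser could read differently. A bracketed
    host must be an IPv6 literal or an IPvFuture, the RFC 3986 rule that
    CVE-2024-11168 added to urlsplit(); repeating it here makes the decision
    independent of the interpreter's patch level."""
    try:
        netloc = urlsplit(url).netloc      # a fixed urlsplit() may already raise
    except ValueError:
        return None
    if "@" in netloc:                      # drop userinfo, a classic differential
        netloc = netloc.rsplit("@", 1)[1]
    bracketed = netloc.startswith("[")
    if bracketed:
        end = netloc.find("]")
        if end == -1:
            return None
        host, rest = netloc[1:end], netloc[end + 1:]
    else:
        host, sep, port = netloc.partition(":")
        rest = ":" + port if sep else ""
    if rest and not re.fullmatch(r":[0-9]*", rest):
        return None                        # junk after the host, e.g. ':80:81'
    if not bracketed:
        return host.lower() if _PLAIN_HOST.fullmatch(host) else None
    if _IPVFUTURE.fullmatch(host):
        return host
    try:
        ipaddress.IPv6Address(host.split("%", 1)[0])   # tolerate a zone id
    except ValueError:
        return None                        # '[evil.example]' or '[127.0.0.1]'
    return host
```

`lenient_domain_ok` is kept only to show the vulnerable shape; its result for the crafted header flips with the interpreter version, which is exactly why an authorization decision should not be built on it. `strict_domain_ok` and `safe_host` trade some RFC generality (no comments, no single-label domains, no obsolete syntax) for a verdict that two independent parsers cannot disagree on.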
Comment 1 Quality Assurance univentionstaff 2024-12-02 20:00:08 CET
--- mirror/ftp/pool/main/p/python3.7/python3.7_3.7.3-2+deb10u8.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/python3.7_3.7.3-2+deb10u9.dsc
@@ -1,3 +1,43 @@
+3.7.3-2+deb10u9 [Sat, 23 Nov 2024 16:31:22 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Non-maintainer upload by the ELTS Team.
+  * Fix CVE-2023-27043: The email module of Python
+    incorrectly parses e-mail addresses that contain
+    a special character. The wrong portion of an
+    RFC2822 header is identified as the value of the addr-spec.
+    In some applications, an attacker can bypass a protection
+    mechanism in which application access is granted only after
+    verifying receipt of e-mail to a specific domain (e.g.,
+    only @company.example.com addresses may be used for signup).
+    This occurs in email/_parseaddr.py in recent
+    versions of Python.
+  * Fix CVE-2024-6232: Regular expressions that allowed excessive
+    backtracking during tarfile.TarFile header parsing are vulnerable
+    to ReDoS via specifically-crafted tar archives.
+  * Fix CVE-2024-6923:  The email module didn’t properly quote
+    newlines for email headers when serializing an email message
+    allowing for header injection when an email is serialized.
+  * Fix CVE-2024-7592: When parsing cookies that contained
+    backslashes for quoted characters in the cookie value,
+    the parser would use an algorithm with quadratic complexity,
+    resulting in excess CPU resources being used while parsing
+    the value.
+  * Fix CVE-2024-9287: A vulnerability has been found in the `venv`
+    module and CLI where path names provided when creating a
+    virtual environment were not quoted properly, allowing the
+    creator to inject commands into virtual environment "activation"
+    scripts (ie "source venv/bin/activate"). This means
+    that attacker-controlled virtual environments are able to run
+    commands when the virtual environment is activated.
+    Virtual environments which are not created by an attacker
+    or which aren't activated before being used (ie "./venv/bin/python")
+    are not affected.
+  * Fix CVE-2024-11168: The urllib.parse.urlsplit() and urlparse()
+    functions improperly validated bracketed hosts (`[]`),
+    allowing hosts that weren't IPv6 or IPvFuture. This behavior
+    was not conformant to RFC 3986 and potentially enabled SSRF
+    if a URL is processed by more than one URL parser.
+
 3.7.3-2+deb10u8 [Fri, 19 Jul 2024 19:25:16 +0300] Adrian Bunk <bunk@debian.org>:
 
   * Non-maintainer upload by the ELTS Team.
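Review bot: every "Fix CVE-..." bullet in this entry carries only the advisory text and none names the debian/patches file or upstream commit that was backported for it, so the "OK: patch" step cannot be tied to a specific patch from this changelog alone; appending the patch file name to each bullet would make that traceable. Minor style: "(ie" in the CVE-2024-9287 bullet should read "(i.e." and the CVE-2024-6923 bullet has a double space after the colon.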

<http://piuparts.knut.univention.de/5.0-9/#3206206717836454111>
Comment 2 Arvid Requate univentionstaff 2024-12-04 11:28:20 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-9] f01a282b80d Bug #57780: python3.7 3.7.3-2+deb10u9
 doc/errata/staging/python3.7.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)