Change logs for python3.2 source package in Precise

  • python3.2 (3.2.3-0ubuntu3.8) precise-security; urgency=medium
    
      * SECURITY UPDATE: StartTLS stripping attack
        - debian/patches/CVE-2016-0772.patch: raise an error when
          STARTTLS fails in Lib/smtplib.py.
        - CVE-2016-0772
      * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
        scripts (aka HTTPOXY attack)
        - debian/patches/CVE-2016-1000110.patch: if running as CGI
          script, forget HTTP_PROXY in Lib/urllib.py, add test to
          Lib/test/test_urllib.py, add documentation.
        - CVE-2016-1000110
      * SECURITY UPDATE: Integer overflow when handling zipfiles
        - debian/patches/CVE-2016-5636-pre.patch: check for negative size in
          Modules/zipimport.c
        - debian/patches/CVE-2016-5636.patch: check for too large value in
          Modules/zipimport.c
        - CVE-2016-5636
      * SECURITY UPDATE: CRLF injection vulnerability in the
        HTTPConnection.putheader
        - debian/patches/CVE-2016-5699.patch: disallow newlines in
          putheader() arguments when not followed by spaces or tabs in
          Lib/httplib.py, add tests in Lib/test/test_httplib.py
        - CVE-2016-5699
    
     -- Steve Beattie <email address hidden>  Tue, 15 Nov 2016 14:34:45 -0800
  • python3.2 (3.2.3-0ubuntu3.7) precise-security; urgency=medium
    
      * SECURITY UPDATE: denial of service in multiple servers
        - debian/patches/CVE-2013-1752-ftplib.patch: limit amount of data read
          in Lib/ftplib.py, added test to Lib/test/test_ftplib.py.
        - debian/patches/CVE-2013-1752-httplib.patch: limit long lines in
          Lib/http/client.py, added test to Lib/test/test_httplib.py.
        - debian/patches/CVE-2013-1752-imaplib.patch: limit line length in
          Lib/imaplib.py, added test to Lib/test/test_imaplib.py.
        - debian/patches/CVE-2013-1752-nntplib.patch: limit line length in
          Lib/nntplib.py, added test to Lib/test/test_nntplib.py.
        - debian/patches/CVE-2013-1752-poplib.patch: limit maximum line length
          in Lib/poplib.py, added test to Lib/test/test_poplib.py.
        - debian/patches/CVE-2013-1752-smtplib.patch: limit amount read from
          the network in Lib/smtplib.py, added test to
          Lib/test/test_smtplib.py, fix Lib/test/mock_socket.py.
        - CVE-2013-1752
      * SECURITY UPDATE: denial of service via xmlrpc gzip-compressed
        HTTP bodies
        - debian/patches/CVE-2013-1753.patch: add default limit in
          Lib/xmlrpc/client.py, added test to Lib/test/test_xmlrpc.py.
        - CVE-2013-1753
      * SECURITY UPDATE: arbitrary memory read via idx argument
        - debian/patches/CVE-2014-4616.patch: reject negative idx values in
          Modules/_json.c, added test to Lib/test/json_tests/test_decode.py.
        - CVE-2014-4616
      * SECURITY UPDATE: code execution or file disclosure via CGIHTTPServer
        - debian/patches/CVE-2014-4650.patch: url unquote path in
          Lib/http/server.py, added test to Lib/test/test_httpservers.py.
        - CVE-2014-4650
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Jun 2015 14:42:39 -0400
  • python3.2 (3.2.3-0ubuntu3.6) precise-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and possible code execution via
        buffer overflow in socket.recvfrom_into
        - debian/patches/CVE-2014-1912.diff: check buffer length in
          Modules/socketmodule.c, added tests to Lib/test/test_socket.py.
        - CVE-2014-1912
     -- Marc Deslauriers <email address hidden>   Thu, 27 Feb 2014 14:28:16 -0500
  • python3.2 (3.2.3-0ubuntu3.5) precise-security; urgency=low
    
      * SECURITY UPDATE: denial of service via ssl hostname wildcards
        - debian/patches/CVE-2013-2099.diff: limit number of wildcards in
          Lib/ssl.py, add test to Lib/test/test_ssl.py.
        - CVE-2013-2099
      * SECURITY UPDATE: incorrect ssl hostname verification
        - debian/patches/CVE-2013-4238.diff: correctly handle NULL bytes in
          the subjectAltName in Modules/_ssl.c, add test to
          Lib/test/test_ssl.py, Lib/test/nullbytecert.pem.
        - CVE-2013-4238
      * This package does _not_ contain the changes from 3.2.3-0ubuntu3.4 in
        precise-proposed.
     -- Marc Deslauriers <email address hidden>   Wed, 25 Sep 2013 10:54:30 -0400
  • python3.2 (3.2.3-0ubuntu3.4) precise-proposed; urgency=low
    
      * debian/patches/atomic-pyc-rename.diff: Add patch to fix possible race
        conditions when writing .pyc/.pyo files in py_compile.py.
        Issue #13146.  LP: #1058884
     -- Barry Warsaw <email address hidden>   Fri, 07 Jun 2013 17:13:32 -0400
  • python3.2 (3.2.3-0ubuntu3.3) precise-proposed; urgency=low
    
      * Make python3.2{,-minimal,-dbg} Multi-Arch: allowed. LP: #1130709.
      * distutils: Append the abiflags to the python include dir (avoids
        extensions installing over a symlink).
     -- Matthias Klose <email address hidden>   Fri, 22 Feb 2013 09:55:09 +0100
  • python3.2 (3.2.3-0ubuntu3.2) precise-security; urgency=low
    
      * SECURITY UPDATE: http://bugs.python.org/issue13512
        - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
        - CVE-2011-4944
      * SECURITY UPDATE: http://bugs.python.org/issue14579
        - debian/patches/CVE-2012-2135.diff: fix vulnerability in the utf-16
          decoder after error handling
     -- Jamie Strandboge <email address hidden>   Thu, 18 Oct 2012 19:39:43 -0500
  • python3.2 (3.2.3-0ubuntu3.1) precise-proposed; urgency=low
    
      * debian/patches/ncursesw-include.diff:
        - Refresh from quantal to fix curses build (LP: #1021783)
     -- Jason Conti <email address hidden>   Thu, 26 Jul 2012 13:22:26 -0400
  • python3.2 (3.2.3-0ubuntu3) precise-proposed; urgency=low
    
      * Build _ctypes as an extension, not a builtin. LP: #909292.
      * Mark symbols defined in the _ctypes extension as optional.
     -- Matthias Klose <email address hidden>   Thu, 03 May 2012 13:20:08 +0200
  • python3.2 (3.2.3-0ubuntu2) precise-proposed; urgency=low
    
      * Build _ctypes as an extension, not a builtin. LP: #909292.
     -- Matthias Klose <email address hidden>   Thu, 03 May 2012 13:20:08 +0200
  • python3.2 (3.2.3-0ubuntu1) precise; urgency=low
    
      * Python 3.2.3 release.
      * Use xdg-open/gvfs-open in Lib/webbrowser.py (Michael Vogt).
        LP: #971311.
     -- Matthias Klose <email address hidden>   Thu, 12 Apr 2012 16:52:42 +0200
  • python3.2 (3.2.3~rc2-1ubuntu1) precise; urgency=low
    
      * Loosen build dependency on expat (the version in precise has the
        security fixes applied).
     -- Matthias Klose <email address hidden>   Wed, 21 Mar 2012 17:05:58 +0100
  • python3.2 (3.2.3~rc2-1) unstable; urgency=low
    
    
      * Python 3.2.3 release candidate 2.
      * Build-depend on expat (>= 2.1~).
    
     -- Matthias Klose <email address hidden>  Wed, 21 Mar 2012 06:34:44 +0100
  • python3.2 (3.2.3~rc1-1) unstable; urgency=low
    
      * Python 3.2.3 release candidate 1.
      * Update to 20120309 from the 3.2 branch.
      * Fix libpython.a symlink. Closes: #660146.
      * Build-depend on xauth.
      * Run the gdb tests for the debug build only.
     -- Matthias Klose <email address hidden>   Fri, 09 Mar 2012 18:40:39 +0100
  • python3.2 (3.2.2-4ubuntu1) precise; urgency=low
    
      * Update to 20120216 from the 3.2 branch.
      * Build-depend on xauth.
      * Run the gdb tests for the debug build only.
     -- Matthias Klose <email address hidden>   Thu, 16 Feb 2012 19:07:40 +0100
  • python3.2 (3.2.2-4) unstable; urgency=low
    
      * The static library belongs in the -dev package.
      * Remove obsolete attributes in the control file.
     -- Matthias Klose <email address hidden>   Sat, 07 Jan 2012 20:46:39 +0100
  • python3.2 (3.2.2-3) unstable; urgency=low
    
      * Update to 20120106 from the 3.2 branch.
      * Install manual pages for 2to3 and python-config.
      * Fix file permission of token.py module.
      * Add the ability to build a python3.x udeb, as a copy of the
        python3.x-minimal package (Colin Watson).
      * Overwrite some lintian warnings:
        - The -dbg interpreters are not unusual.
        - The -gdb.py files don't need a python dependency.
        - lintian can't handle a whatis entry starting with one word on the line.
      * Fix test failures related to distutils debian installation layout.
      * Update symbols files.
      * Add build-arch/build-indep targets.
      * Regenerate Setup and Makefiles after correcting Setup.local.
      * profiled-build.diff: Pass PY_CFLAGS instead of CFLAGS for the profiled
        build.
      * Pass dpkg-buildflags to the build process, and build third party
        extensions with these flags.
      * Add support to build using -flto (and -g1) on some architectures.
      * Disable pgo builds for some architectures (for now, keep just
        amd64 armel armhf i386 powerpc ppc64).
      * Build-depend on libgdbm-dev to build and run the gdbm tests.
      * Build-depend on xvfb to run the tkinter tests.
     -- Matthias Klose <email address hidden>   Sat,  07 Jan 2012 06:25:14 +0000
  • python3.2 (3.2.2-2ubuntu3) precise; urgency=low
    
      * Avoid python3 in the build dependencies.
     -- Matthias Klose <email address hidden>   Mon, 19 Dec 2011 12:31:21 +0100
  • python3.2 (3.2.2-2ubuntu2) precise; urgency=low
    
      * Fix python3 symlinks in the udeb.
     -- Matthias Klose <email address hidden>   Mon, 19 Dec 2011 12:15:06 +0100
  • python3.2 (3.2.2-2ubuntu1) precise; urgency=low
    
      * Update to 20111218 from the 3.2 branch.
      * Add a udeb (Colin Watson).
     -- Matthias Klose <email address hidden>   Mon, 19 Dec 2011 00:25:38 +0100
  • python3.2 (3.2.2-2) unstable; urgency=low
    
      * Update platform patches (alpha, hppa, mips, sparc).
     -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  13 Dec 2011 09:43:00 +0000
  • python3.2 (3.2.2-1build1) precise; urgency=low
    
      * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
     -- Adam Conrad <email address hidden>   Fri, 02 Dec 2011 17:32:09 -0700
  • python3.2 (3.2.2-1) unstable; urgency=low
    
      * Python 3.2.2 release.
      * Update to 20111201 from the 3.2 branch.
      * Search headers in /usr/include/ncursesw for the curses/panel extensions.
      * New patch, ctypes-arm, allow for ",hard-float" after libc6 in ldconfig -p
        output (Loic Minier). LP: #898172.
     -- Matthias Klose <email address hidden>   Thu, 01 Dec 2011 13:19:16 +0100
  • python3.2 (3.2.2-0ubuntu1) oneiric; urgency=low
    
      * Python 3.2.2 release.
      * Search headers in /usr/include/ncursesw for the curses/panel extensions.
     -- Matthias Klose <email address hidden>   Mon, 05 Sep 2011 22:01:13 +0200