Bug#948104: buster-pu: package python3.7/3.7.3-2+deb10u1

2020-01-03 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Similar to the python2.7 update which landed in Buster 10.2. Debdiff
below. All these are fixed in bullseye/sid (but none had a dedicated
bug)

Cheers,
Moritz

diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog2019-04-03 07:39:12.0 +0200
+++ python3.7-3.7.3/debian/changelog2019-12-20 18:01:46.0 +0100
@@ -1,3 +1,14 @@
+python3.7 (3.7.3-2+deb10u1) buster; urgency=medium
+
+  * CVE-2019-9740
+  * CVE-2019-9947
+  * CVE-2019-9948
+  * CVE-2019-10160
+  * CVE-2019-16056
+  * CVE-2019-16935
+
+ -- Moritz Mühlenhoff   Fri, 20 Dec 2019 19:57:59 +0100
+
 python3.7 (3.7.3-2) unstable; urgency=medium
 
   * d/p/arm-alignment.diff: Don't allow unaligned memory accesses in the
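Review bot: the six `* CVE-...` lines in the new changelog stanza carry bare identifiers with no summary and no pointer to the patch files that address them, which is thinner than the usual stable-update convention of one line per CVE saying what was fixed. Suggest expanding each entry along the lines of `* CVE-2019-10160: urlsplit() mishandles characters that only become separators after NFKC normalization (d/p/CVE-2019-10160-1.diff, d/p/CVE-2019-10160-2.diff)`, so the SRM reviewing this and anyone reading `apt changelog python3.7` can see the scope without opening the debdiff. The entry should also make clear that the two CVE-2019-10160 patches belong together, since the second is a correction of the first.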
diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff 
python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff
--- python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff1970-01-01 
01:00:00.0 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff2019-12-20 
17:57:53.0 +0100
@@ -0,0 +1,59 @@
+From 4d723e76e1ad17e9e7d5e828e59bb47e76f2174b Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Tue, 30 Apr 2019 05:21:02 -0700
+Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
+ urlsplit() (GH-13017)
+
+(cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3)
+
+Co-authored-by: Steve Dower 
+---
+ Lib/test/test_urlparse.py |  6 ++
+ Lib/urllib/parse.py   | 11 +++
+ .../Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst |  1 +
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+ create mode 100644 
Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index e6638aee2244..c26235449461 100644
+--- a/Lib/test/test_urlparse.py
 b/Lib/test/test_urlparse.py
+@@ -1001,6 +1001,12 @@ def test_urlsplit_normalization(self):
+ self.assertIn('\u2100', denorm_chars)
+ self.assertIn('\uFF03', denorm_chars)
+ 
++# bpo-36742: Verify port separators are ignored when they
++# existed prior to decomposition
++urllib.parse.urlsplit('http://\u30d5\u309a:80')
++with self.assertRaises(ValueError):
++urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')
++
+ for scheme in ["http", "https", "ftp"]:
+ for c in denorm_chars:
+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
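Review bot: the positive case `urllib.parse.urlsplit('http://\u30d5\u309a:80')` only checks that the call does not raise; nothing asserts that the netloc or port survived, so a regression that silently dropped the port would still pass. Suggest binding the result and asserting on it, e.g. `result = urllib.parse.urlsplit('http://\u30d5\u309a:80')` followed by `self.assertEqual(result.port, 80)` and `self.assertEqual(result.netloc, '\u30d5\u309a:80')`. The negative case, where the colon is only present after decomposition, correctly expects `ValueError` and matches the intent stated in the comment.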
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 1eec26e0f1f3..f5b3487ea9d6 100644
+--- a/Lib/urllib/parse.py
 b/Lib/urllib/parse.py
+@@ -397,13 +397,16 @@ def _checknetloc(netloc):
+ # looking for characters like \u2100 that expand to 'a/c'
+ # IDNA uses NFKC equivalence, so normalize for this check
+ import unicodedata
+-netloc2 = unicodedata.normalize('NFKC', netloc)
+-if netloc == netloc2:
++n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
++n = n.replace(':', '')# ignore characters already included
++n = n.replace('#', '')# but not the surrounding text
++n = n.replace('?', '')
++netloc2 = unicodedata.normalize('NFKC', n)
++if n == netloc2:
+ return
+-_, _, netloc = netloc.rpartition('@') # anything to the left of '@' is 
okay
+ for c in '/?#@:':
+ if c in netloc2:
+-raise ValueError("netloc '" + netloc2 + "' contains invalid " +
++raise ValueError("netloc '" + netloc + "' contains invalid " +
+  "characters under NFKC normalization")
+ 
+ def urlsplit(url, scheme='', allow_fragments=True):
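Review bot: `n = netloc.rpartition('@')[2]` now discards the userinfo before normalization, whereas the removed line normalized the whole netloc first and only then dropped the part before `@`; the effect is that a character in the username or password that decomposes to `@`, `:`, `/`, `?` or `#` under NFKC is never inspected by the `for c in '/?#@:'` loop. The subject of the companion patch CVE-2019-10160-2.diff ("Corrects fix to handle decomposition in usernames") shows upstream corrected exactly this, so this patch must not be shipped without the second one, and the changelog should say so. The three `replace` calls that strip pre-existing `:`, `#` and `?` before normalizing are what make the later scan fire only on separators produced by normalization, which is the intended behaviour; a short comment above them saying that explicitly would help future readers, since the existing trailing comments are easy to misread as applying to the normalization step.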
diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff 
python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff
--- python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff1970-01-01 
01:00:00.0 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff2019-12-20 
17:57:53.0 +0100
@@ -0,0 +1,54 @@
+From 250b62acc59921d399f0db47db3b462cd6037e09 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Tue, 4 Jun 2019 09:15:13 -0700
+Subject: [PATCH] bpo-36742: Corrects fix to handle decomposition in usernames
+ (GH-13812)
+
+(cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
+
+Co-authored-by: Steve Dower 
+---
+ Lib/test/test_urlparse.py | 11 ++-
+ Lib/urllib/parse.py   |  6 +++---
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index c26235449461..68f633ca3a7d 100644
+--- a/Lib/test/test_urlparse.py
 b/Lib/test/test_urlparse.py
+@@ -1008,11 +100

Bug#948104: buster-pu: package python3.7/3.7.3-2+deb10u1

2020-01-06 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2020-01-03 at 22:56 +0100, Moritz Muehlenhoff wrote:
> Similar to the python2.7 update which landed in Buster 10.2. Debdiff
> below. All these are fixed in bullseye/sid (but none had a dedicated
> bug)
> 

Please go ahead.

Regards,

Adam