Created by Ubuntu Package Importer on 2012-10-26 and last modified on 2016-11-15
Get this branch:
bzr branch lp:ubuntu/precise-security/python3.2
Members of Ubuntu branches can upload to this branch.

Branch information

Ubuntu branches
Review team: Ubuntu Development Team

Recent revisions

41. By Steve Beattie on 2016-11-15

* SECURITY UPDATE: StartTLS stripping attack
  - debian/patches/CVE-2016-0772.patch: raise an error when
    STARTTLS fails in Lib/smtplib.py.
  - CVE-2016-0772
* SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
  scripts (aka HTTPOXY attack)
  - debian/patches/CVE-2016-1000110.patch: if running as CGI
    script, forget HTTP_PROXY in Lib/urllib.py, add test to
    Lib/test/test_urllib.py, add documentation.
  - CVE-2016-1000110
* SECURITY UPDATE: Integer overflow when handling zipfiles
  - debian/patches/CVE-2016-5636-pre.patch: check for negative size in
  - debian/patches/CVE-2016-5636.patch: check for too large value in
  - CVE-2016-5636
* SECURITY UPDATE: CRLF injection vulnerability in the
  - debian/patches/CVE-2016-5699.patch: disallow newlines in
    putheader() arguments when not followed by spaces or tabs in
    Lib/httplib.py, add tests in Lib/test/test_httplib.py
  - CVE-2016-5699

40. By Marc Deslauriers on 2015-06-18

* SECURITY UPDATE: denial of service in multiple servers
  - debian/patches/CVE-2013-1752-ftplib.patch: limit amount of data read
    in Lib/ftplib.py, added test to Lib/test/test_ftplib.py.
  - debian/patches/CVE-2013-1752-httplib.patch: limit long lines in
    Lib/http/client.py, added test to Lib/test/test_httplib.py.
  - debian/patches/CVE-2013-1752-imaplib.patch: limit line length in
    Lib/imaplib.py, added test to Lib/test/test_imaplib.py.
  - debian/patches/CVE-2013-1752-nntplib.patch: limit line length in
    Lib/nntplib.py, added test to Lib/test/test_nntplib.py.
  - debian/patches/CVE-2013-1752-poplib.patch: limit maximum line length
    in Lib/poplib.py, added test to Lib/test/test_poplib.py.
  - debian/patches/CVE-2013-1752-smtplib.patch: limit amount read from
    the network in Lib/smtplib.py, added test to
    Lib/test/test_smtplib.py, fix Lib/test/mock_socket.py.
  - CVE-2013-1752
* SECURITY UPDATE: denial of service via xmlrpc gzip-compressed
  HTTP bodies
  - debian/patches/CVE-2013-1753.patch: add default limit in
    Lib/xmlrpc/client.py, added test to Lib/test/test_xmlrpc.py.
  - CVE-2013-1753
* SECURITY UPDATE: arbitrary memory read via idx argument
  - debian/patches/CVE-2014-4616.patch: reject negative idx values in
    Modules/_json.c, added test to Lib/test/json_tests/test_decode.py.
  - CVE-2014-4616
* SECURITY UPDATE: code execution or file disclosure via CGIHTTPServer
  - debian/patches/CVE-2014-4650.patch: url unquote path in
    Lib/http/server.py, added test to Lib/test/test_httpservers.py.
  - CVE-2014-4650

39. By Marc Deslauriers on 2014-02-27

* SECURITY UPDATE: denial of service and possible code execution via
  buffer overflow in socket.recvfrom_into
  - debian/patches/CVE-2014-1912.diff: check buffer length in
    Modules/socketmodule.c, added tests to Lib/test/test_socket.py.
  - CVE-2014-1912

38. By Marc Deslauriers on 2013-09-25

* SECURITY UPDATE: denial of service via ssl hostname wildcards
  - debian/patches/CVE-2013-2099.diff: limit number of wildcards in
    Lib/ssl.py, add test to Lib/test/test_ssl.py.
  - CVE-2013-2099
* SECURITY UPDATE: incorrect ssl hostname verification
  - debian/patches/CVE-2013-4238.diff: correctly handle NULL bytes in
    the subjectAltName in Modules/_ssl.c, add test to
    Lib/test/test_ssl.py, Lib/test/nullbytecert.pem.
  - CVE-2013-4238
* This package does _not_ contain the changes from 3.2.3-0ubuntu3.4 in

37. By Jamie Strandboge on 2012-10-18

* SECURITY UPDATE: http://bugs.python.org/issue13512
  - debian/patches/CVE-2011-4944.diff: create ~/.pypirc securely
  - CVE-2011-4944
* SECURITY UPDATE: http://bugs.python.org/issue14579
  - debian/patches/CVE-2012-2135.diff: fix vulnerability in the utf-16
    decoder after error handling

36. By Matthias Klose on 2012-04-12

* Python 3.2.3 release.
* Use xdg-open/gvfs-open in Lib/webbrowser.py (Michael Vogt).
  LP: #971311.

35. By Matthias Klose on 2012-03-21

Loosen build dependency on expat (the version in precise has the
security fixes applied).

34. By Matthias Klose on 2012-03-21

* Python 3.2.3 release candidate 2.
* Build-depend on expat (>= 2.1~).

33. By Matthias Klose on 2012-03-09

* Python 3.2.3 release candidate 1.
* Update to 20120309 from the 3.2 branch.
* Fix libpython.a symlink. Closes: #660146.
* Build-depend on xauth.
* Run the gdb tests for the debug build only.

32. By Matthias Klose on 2012-02-16

* Update to 20120216 from the 3.2 branch.
* Build-depend on xauth.
* Run the gdb tests for the debug build only.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)