* SECURITY UPDATE: StartTLS stripping attack
- debian/patches/CVE-2016-0772.patch: raise an error when
STARTTLS fails in Lib/smtplib.py.
- CVE-2016-0772
* SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
scripts (aka HTTPOXY attack)
- debian/patches/CVE-2016-1000110.patch: if running as CGI
script, forget HTTP_PROXY in Lib/urllib.py, add test to
Lib/test/test_urllib.py, add documentation.
- CVE-2016-1000110
* SECURITY UPDATE: Integer overflow when handling zipfiles
- debian/patches/CVE-2016-5636-pre.patch: check for negative size in
Modules/zipimport.c
- debian/patches/CVE-2016-5636.patch: check for too large value in
Modules/zipimport.c
- CVE-2016-5636
* SECURITY UPDATE: CRLF injection vulnerability in the
HTTPConnection.putheader
- debian/patches/CVE-2016-5699.patch: disallow newlines in
putheader() arguments when not followed by spaces or tabs in
Lib/httplib.py, add tests in Lib/test/test_httplib.py
- CVE-2016-5699
-- Steve Beattie <email address hidden> Wed, 16 Nov 2016 12:38:40 -0800
This bug was fixed in the package python3.4 - 3.4.3-1ubuntu1~14.04.5
---------------
python3.4 (3.4.3-1ubuntu1~14.04.5) trusty-security; urgency=medium
* SECURITY UPDATE: StartTLS stripping attack
- debian/patches/CVE-2016-0772.patch: raise an error when
STARTTLS fails in Lib/smtplib.py.
- CVE-2016-0772
* SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
scripts (aka HTTPOXY attack)
- debian/patches/CVE-2016-1000110.patch: if running as CGI
script, forget HTTP_PROXY in Lib/urllib.py, add test to
Lib/test/test_urllib.py, add documentation.
- CVE-2016-1000110
* SECURITY UPDATE: Integer overflow when handling zipfiles
- debian/patches/CVE-2016-5636-pre.patch: check for negative size in
Modules/zipimport.c
- debian/patches/CVE-2016-5636.patch: check for too large value in
Modules/zipimport.c
- CVE-2016-5636
* SECURITY UPDATE: CRLF injection vulnerability in the
HTTPConnection.putheader
- debian/patches/CVE-2016-5699.patch: disallow newlines in
putheader() arguments when not followed by spaces or tabs in
Lib/httplib.py, add tests in Lib/test/test_httplib.py
- CVE-2016-5699
-- Steve Beattie <email address hidden> Wed, 16 Nov 2016 12:38:40 -0800
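
The putheader() rule from the CVE-2016-5699 entry above (a newline is allowed only when a space or tab follows it), written out as an added Python example; it is not the code from debian/patches/CVE-2016-5699.patch. The function names, the header-name check and the handling of a bare carriage return are assumptions made for this example, and the sample values are constructed.

```python
import re

# Hypothetical helpers. Rule from the changelog: a newline in a header value
# is rejected unless a space or tab follows it (a folded continuation line).
# Rejecting a bare CR and checking the header name are added assumptions.
_ILLEGAL_VALUE = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])")
_LEGAL_NAME = re.compile(rb"[^:\s][^:\r\n]*")


def check_header(name: bytes, value: bytes) -> None:
    """Raise ValueError if name or value could start an extra header line."""
    if not _LEGAL_NAME.fullmatch(name):
        raise ValueError(f"invalid header name {name!r}")
    if _ILLEGAL_VALUE.search(value):
        raise ValueError(f"invalid header value {value!r}")


def is_safe(name: bytes, value: bytes) -> bool:
    """Boolean wrapper around check_header() for filtering or logging."""
    try:
        check_header(name, value)
        return True
    except ValueError:
        return False


def build_request(path: str, headers: dict) -> bytes:
    """Serialize a minimal HTTP/1.1 request, validating every header first."""
    lines = [f"GET {path} HTTP/1.1".encode("ascii")]
    for name, value in headers.items():
        n, v = name.encode("latin-1"), value.encode("latin-1")
        check_header(n, v)
        lines.append(n + b": " + v)
    return b"\r\n".join(lines) + b"\r\n\r\n"

# Constructed sample values, not taken from the advisory.
SAMPLES = [
    b"plain value",
    b"folded\r\n\tcontinuation",   # newline followed by tab: allowed
    b"folded\n continuation",      # newline followed by space: allowed
    b"a\r\nX-Injected: 1",         # would start a new header line
    b"trailing newline\n",         # newline with nothing after it
    b"bare\rcarriage return",      # CR not followed by LF, space or tab
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("accepted" if is_safe(b"X-Test", sample) else "rejected", repr(sample))
```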