[ubuntu/precise-security] python3.2 3.2.3-0ubuntu3.8 (Accepted)

Steve Beattie sbeattie at ubuntu.com
Tue Nov 22 18:35:46 UTC 2016


python3.2 (3.2.3-0ubuntu3.8) precise-security; urgency=medium

  * SECURITY UPDATE: StartTLS stripping attack
    - debian/patches/CVE-2016-0772.patch: raise an error when
      STARTTLS fails in Lib/smtplib.py.
    - CVE-2016-0772
  * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
    scripts (aka HTTPOXY attack)
    - debian/patches/CVE-2016-1000110.patch: if running as CGI
      script, forget HTTP_PROXY in Lib/urllib.py, add test to
      Lib/test/test_urllib.py, add documentation.
    - CVE-2016-1000110
  * SECURITY UPDATE: Integer overflow when handling zipfiles
    - debian/patches/CVE-2016-5636-pre.patch: check for negative size in
      Modules/zipimport.c
    - debian/patches/CVE-2016-5636.patch: check for too large value in
      Modules/zipimport.c
    - CVE-2016-5636
  * SECURITY UPDATE: CRLF injection vulnerability in the
    HTTPConnection.putheader
    - debian/patches/CVE-2016-5699.patch: disallow newlines in
      putheader() arguments when not followed by spaces or tabs in
      Lib/httplib.py, add tests in Lib/test/test_httplib.py
    - CVE-2016-5699

Date: 2016-11-17 00:31:27.926020+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
https://launchpad.net/ubuntu/+source/python3.2/3.2.3-0ubuntu3.8
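
The putheader() rule named in the CVE-2016-5699 entry above, sketched as an added example; it is not code from the changelog or from the Ubuntu patch. The names `check_header`, `classify` and `HeaderInjectionError` are hypothetical, the sample headers are constructed, and treating CRLF as a single line break and rejecting any line break in a header name are assumptions.

```python
import re

# Assumption: a CR or LF is tolerated only where it starts a folded
# continuation line, i.e. the next character is a space or a tab.
# A CR directly followed by LF is treated as one line break.
_BARE_LINE_BREAK = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")


class HeaderInjectionError(ValueError):
    """A header argument contains a line break that would end the header."""


def check_header(name, *values):
    """Return (name, values) unchanged if safe to send, else raise."""
    # Assumption: header names never need folding, so any CR/LF is refused.
    if "\r" in name or "\n" in name:
        raise HeaderInjectionError("line break in header name %r" % name)
    for value in values:
        hit = _BARE_LINE_BREAK.search(value)
        if hit:
            raise HeaderInjectionError(
                "%s: line break at offset %d is not followed by space or tab"
                % (name, hit.start()))
    return name, values


def classify(samples):
    """Map each (name, value) pair to 'accepted' or 'rejected'."""
    verdicts = []
    for name, value in samples:
        try:
            check_header(name, value)
            verdicts.append("accepted")
        except HeaderInjectionError:
            verdicts.append("rejected")
    return verdicts


# Constructed sample inputs, not taken from the advisory or its tests.
SAMPLES = [
    ("User-Agent", "example/1.0"),                     # plain value
    ("X-Folded", "first part\r\n\tsecond part"),       # legal continuation
    ("X-Forwarded-For", "10.0.0.1\r\nX-Injected: 1"),  # smuggled header
    ("X-Trailing", "value\r\n"),                       # ends the header early
    ("X-Bare-CR", "a\rb"),                             # lone carriage return
]

if __name__ == "__main__":
    for (name, value), verdict in zip(SAMPLES, classify(SAMPLES)):
        print("%-16s %-9s %r" % (name, verdict, value))
```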