[ubuntu/trusty-security] python3.4 3.4.3-1ubuntu1~14.04.5 (Accepted)
sbeattie at ubuntu.com
Tue Nov 22 18:36:02 UTC 2016
python3.4 (3.4.3-1ubuntu1~14.04.5) trusty-security; urgency=medium
* SECURITY UPDATE: StartTLS stripping attack
- debian/patches/CVE-2016-0772.patch: raise an error when
STARTTLS fails in Lib/smtplib.py.
* SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
scripts (aka HTTPOXY attack)
- debian/patches/CVE-2016-1000110.patch: if running as CGI
script, forget HTTP_PROXY in Lib/urllib.py, add test to
Lib/test/test_urllib.py, add documentation.
* SECURITY UPDATE: Integer overflow when handling zipfiles
- debian/patches/CVE-2016-5636-pre.patch: check for negative size in
- debian/patches/CVE-2016-5636.patch: check for too large value in
* SECURITY UPDATE: CRLF injection vulnerability in the
- debian/patches/CVE-2016-5699.patch: disallow newlines in
putheader() arguments when not followed by spaces or tabs in
Lib/httplib.py, add tests in Lib/test/test_httplib.py
python3.4 (3.4.3-1ubuntu1~14.04.4) trusty-proposed; urgency=medium
* SRU: LP: #1620754: Fix invalid code in pyhash/siphash24. Issue #28055.
python3.4 (3.4.3-1ubuntu1~14.04.3) trusty; urgency=medium
* Remove the config file from the package, as there is no handling in
place to deal with this config file on upgrade and it is not appropriate
for inclusion in an urgent SRU.
python3.4 (3.4.3-1ubuntu1~14.04.2) trusty-proposed; urgency=medium
* SRU: LP: #1348954.
* Disable PEP 476 certificate verification, restoring the behaviour to
the same as found in the 3.4.0 release included in 14.04 LTS.
Make the default HTTPS certificate verification setting configurable
using a config file /etc/python3.4/cert-verification.conf.
The config file and the possibility to configure the default behaviour
are removed on upgrades to Ubuntu 15.04 or newer releases.
* Provide some user-friendly advice when `python3 -m venv` fails because the
python3-venv package is not installed (Barry Warsaw).
python3.4 (3.4.3-1ubuntu1~14.04.1) trusty-proposed; urgency=medium
* Backport issue #23844 from the 3.4 branch, replacing the 512 bit dh key
with a 1024 bit one. Triggered by OpenSSL security update in
trusty-security. LP: #1264554.
* Fix expansion of makefile macros for _sysconfigdata. Issue #24705.
python3.4 (3.4.3-1ubuntu1~14.04) trusty-proposed; urgency=medium
* SRU: Update Python3 for trusty. LP: #1348954.
python3.4 (3.4.3-1ubuntu1) vivid; urgency=medium
* debian/tests: Use init system agnostic "service" command instead of
upstart specific "stop". Also drop unnecessary "status" call right after
python3.4 (3.4.3-1) experimental; urgency=medium
* Python 3.4.3 release.
* Changes since 20141202 (3.4.2-4):
- Issue #22896: Avoid using PyObject_AsCharBuffer(),
PyObject_AsReadBuffer(), and PyObject_AsWriteBuffer().
- Issue #21295: Revert some changes (issue #16795) to AST line numbers and
column offsets that constituted a regression.
- Issue #21408: The default __ne__() now returns NotImplemented if __eq__()
- Issue #23321: Fixed a crash in str.decode() when error handler returned
replacement string longer than malformed input data.
- Issue #23048: Fix jumping out of an infinite while loop in the pdb.
- Issue #23165: Perform overflow checks before allocating memory in the
- Issue #23099: Closing io.BytesIO with exported buffer is rejected now to
prevent corrupting exported buffer.
- Issue #23363: Fix possible overflow in itertools.permutations.
- Issue #23364: Fix possible overflow in itertools.product.
- Issue #23366: Fixed possible integer overflow in itertools.combinations.
- Issue #23369: Fixed possible integer overflow in
- Issue #23353: Fix the exception handling of generators in
PyEval_EvalFrameEx(). At entry, save or swap the exception state even if
PyEval_EvalFrameEx() is called with throwflag=0. At exit, the exception
state is now always restored or swapped, not only if why is WHY_YIELD or
- Issue #18518: timeit now rejects statements which can't be compiled
outside a function or a loop (e.g. "return" or "break").
- Issue #23094: Fixed readline with frames in Python implementation of
- Issue #23268: Fixed bugs in the comparison of ipaddress classes.
- Issue #21408: Removed incorrect implementations of __ne__() which didn't
return NotImplemented if __eq__() returned NotImplemented. The default
__ne__() now works correctly.
- Issue #19996: :class:`email.feedparser.FeedParser` now handles
(malformed) headers with no key rather than assuming the body has started.
- Issue #23248: Update ssl error codes from latest OpenSSL git master.
- Issue #23098: 64-bit dev_t is now supported in the os module.
- Issue #23250: In the http.cookies module, capitalize "HttpOnly" and
"Secure" as they are written in the standard.
- Issue #23063: In the distutils' check command, fix parsing of reST with
code or code-block directives.
- Issue #23209, #23225: selectors.BaseSelector.close() now clears its
internal reference to the selector mapping to break a reference cycle.
- Issue #21356: Make ssl.RAND_egd() optional to support LibreSSL. The
availability of the function is checked during the compilation.
- Issue #20896, #22935: The :func:`ssl.get_server_certificate` function
now uses the :data:`~ssl.PROTOCOL_SSLv23` protocol by default, not
:data:`~ssl.PROTOCOL_SSLv3`, for maximum compatibility and support
platforms where :data:`~ssl.PROTOCOL_SSLv3` support is disabled.
- Issue #23111: In the ftplib, make ssl.PROTOCOL_SSLv23 the default
- Issue #23132: Mitigate regression in speed and clarity in
- Issue #22585: On OpenBSD 5.6 and newer, os.urandom() now calls
getentropy(), instead of reading /dev/urandom, to get pseudo-random
- Issue #23112: Fix SimpleHTTPServer to correctly carry the query string
and fragment when it redirects to add a trailing slash.
- Issue #23093: In the io module, allow more operations to work on detached
- Issue #19104: pprint now produces evaluable output for wrapped strings.
- Issue #23071: Added missing names to codecs.__all__.
- Issue #15513: Added a __sizeof__ implementation for pickle classes.
- Issue #19858: pickletools.optimize() now aware of the MEMOIZE opcode, can
produce more compact result and no longer produces invalid output if
input data contains MEMOIZE opcodes together with PUT or BINPUT opcodes.
- Issue #22095: Fixed HTTPConnection.set_tunnel with default port.
The port value in the host header was set to "None".
- Issue #23016: A warning no longer produces an AttributeError when the
program is run with pythonw.exe.
- Issue #21775: shutil.copytree(): fix crash when copying to VFAT. An
exception handler assumed that OSError objects always have a
'winerror' attribute. That is not the case, so the exception handler
itself raised AttributeError when run on Linux (and, presumably,
any other non-Windows OS).
- Issue #1218234: Fix inspect.getsource() to load updated source of
- Issue #22959: In the constructor of http.client.HTTPSConnection, prefer
the context's check_hostname attribute over the *check_hostname*
- Issue #23009: Make sure selectors.EpollSelector.select() works when no
FD is registered.
- Issue #20577: Configuration of the max line length for the
FormatParagraph extension has been moved from the General tab of the
Idle preferences dialog to the FormatParagraph tab of the Config
- Issue #16893: Update Idle doc chapter to match current Idle and add new
- Issue #23180: Rename IDLE "Windows" menu item to "Window".
- Issue #19548: Added some additional checks to test_codecs to ensure that
statements in the updated documentation remain accurate.
- Issue #15506: Use standard PKG_PROG_PKG_CONFIG autoconf macro in the
- Issue #22935: Allow the ssl module to be compiled if openssl doesn't
support SSL 3.
- Issue #22079: PyType_Ready() now checks that statically allocated type
has no dynamically allocated bases.
- Issue #19548: Update the codecs module documentation to better cover the
distinction between text encodings and other codecs, together with other
- Issue #22914: Update the Python 2/3 porting HOWTO to describe a more
- Issue #22735: Fix many edge cases (including crashes) involving custom
- Issue #23399: pyvenv creates relative symlinks where possible.
- Issue #23392: Added tests for marshal C API that works with FILE*.
- Issue #18982: Add tests for CLI of the calendar module.
- Issue #23345: Prevent test_ssl failures with large OpenSSL patch level
values (like 0.9.8zc).
* Remove LTO sections from the static libraries.
python3.4 (3.4.2-4) unstable; urgency=medium
* Fix issue #22935: Fix ssl module when SSLv3 protocol is not supported.
* Fix issue #16043: Add a default limit for the amount of data
xmlrpclib.gzip_decode will return. CVE-2013-1753. Closes: #742927.
* Disable ensurepip for the system installation, only enable it for virtual
environments. Closes: #772730.
python3.4 (3.4.2-3) unstable; urgency=medium
* Update to 20141202 from the 3.4 branch.
- Issue #20335: bytes constructor now raises TypeError when encoding or
errors is specified with non-string argument.
- Issue #21971: Update turtledemo doc and add module to the index.
- Issue #21032. Fixed socket leak if HTTPConnection.getresponse() fails.
- Issue #22960: Add a context argument to xmlrpclib.ServerProxy constructor.
- Issue #22915: SAX parser now supports files opened with file descriptor
or bytes path.
- Issue #22609: Constructors and update methods of mapping classes in the
collections module now accept the self keyword argument.
- Issue #22788: Add *context* parameter to logging.handlers.HTTPHandler.
- Issue #22921: Allow SSLContext to take the *hostname* parameter even if
OpenSSL doesn't support SNI.
- Issue #22894: TestCase.subTest() would cause the test suite to be stopped
when in failfast mode, even in the absence of failures.
- Issue #22638: SSLv3 is now disabled throughout the standard library.
It can still be enabled by instantiating a SSLContext manually.
- Issue #22370: Windows detection in pathlib is now more robust.
- Issue #22841: Reject coroutines in asyncio add_signal_handler().
- Issue #22838: All test_re tests now work with unittest test discovery.
- Issue #21514: The documentation of the json module now refers to new
JSON RFC 7159 instead of obsoleted RFC 4627.
- Issue #22314: pydoc now works when the LINES environment variable is set.
- IDLE updates.
* Fix byte-code removal for the __phello__ module (mismatching source
and byte-code file name). Closes: #769769.
* Let ensurepip use a temporary location for the copy of the wheels.
Remove the ad-hoc /usr/lib/python-wheels location on package purge.
Let python3.4-venv break python3-pip (<< 1.5.6-4). Closes: #769449.
* Don't pass default compiler search directories in the pkgconfig file.
* Don't run pyexpat.test_exception as an autopkg test, requires a source
* Allow building and testing without SSLv3 support (Kurt Roeckx).
* Fix issue 22966, when byte compiling, keep the base name of a file
containing dots. Closes: #769769.
python3.4 (3.4.2-2) unstable; urgency=medium
* Repackage the upstream source without the bundled ensurepip wheels (using
package format 3.0 (quilt)).
* Update to 20141112 from the 3.4 branch.
- Issue #19524: Fixed resource leak in the HTTP connection when an invalid
response is received.
- Issue #22216: smtplib now resets its state more completely after a quit.
The most obvious consequence of the previous behavior was a STARTTLS
failure during a connect/starttls/quit/connect/starttls sequence.
- Issue #22185: Fix an occasional RuntimeError in threading.Condition.wait()
caused by mutation of the waiters queue without holding the lock.
- Issue #22182: Use e.args to unpack exceptions correctly in
- The webbrowser module now uses subprocess's start_new_session=True rather
than a potentially risky preexec_fn=os.setsid call.
- Issue #22191: Fix warnings.__all__.
- Issue #8797: Raise HTTPError on failed Basic Authentication immediately.
- Issue #21166: Prevent possible segfaults and other random failures of
python --generate-posix-vars in pybuilddir.txt build target.
- Idle changes:
- Issue #17390: Adjust Editor window title; remove 'Python',
move version to end.
- Issue #14105: Idle debugger breakpoints no longer disappear
when inserting or deleting lines.
- Issue #17172: Turtledemo can now be run from Idle.
- Issue #22236: Tkinter tests now don't reuse default root window.
New root window is created for every test class.
- Tk changes:
- Issue #22226: First letter no longer is stripped from the "status" key
in the result of Treeview.heading().
- Issue #22051: turtledemo no longer reloads examples to re-run them.
Initialization of variables and gui setup should be done in main(),
which is called each time a demo is run, but not on import.
- Issue #21933: Turtledemo users can change the code font size with a
menu selection or control(command) '-' or '+' or control-mousewheel.
- Issue #21597: The separator between the turtledemo text pane and the
drawing canvas can now be grabbed and dragged with a mouse. The code
text pane can be widened to easily view or copy the full width of the
The canvas can be widened on small screens.
- Issue #18132: Turtledemo buttons no longer disappear when the window
- Issue #22236: Fixed Tkinter images copying operations in NoDefaultRoot
* Fix maintainer scripts for byte-code removal. Closes: #769079.
python3.4 (3.4.2-1) unstable; urgency=medium
* Python 3.4.2 release.
* Refresh patches.
* Bump standards version to 3.9.6.
python3.4 (3.4.2~rc1-1) unstable; urgency=medium
* Python 3.4.2 release candidate 1.
* Update to 20140930 from the 3.4 branch.
python3.4 (3.4.1-11) unstable; urgency=medium
* Update to 20140910 from the 3.4 branch.
python3.4 (3.4.1-10) unstable; urgency=medium
* Update to 20140818 from the 3.4 branch.
* Build-depend on dpkg-dev (>= 1.17.11).
python3.4 (3.4.1-9) unstable; urgency=medium
* Update to 20140810 from the 3.4 branch.
python3.4 (3.4.1-8) unstable; urgency=medium
* Update to 20140726 from the 3.4 branch.
* Move turtledemo from libpython3.4-testsuite to python3.4-examples.
* Call dpkg -L in the maintainer scripts with an architecture qualifier
for M-A: same packages. Closes: #754914.
python3.4 (3.4.1-7) unstable; urgency=medium
* Update to 20140706 from the 3.4 branch.
python3.4 (3.4.1-6) unstable; urgency=medium
* Fix logic to disable running the pystone benchmark on KFreeBSD (Steven
python3.4 (3.4.1-5) unstable; urgency=medium
* Update to 20140608 from the 3.4 branch.
* Disable running the pystone benchmark on KFreeBSD.
python3.4 (3.4.1-4) unstable; urgency=medium
* Disable running the pybench benchmark on KFreeBSD.
python3.4 (3.4.1-3) unstable; urgency=medium
* Update to 20140605 from the 3.4 branch.
- pull in pyvenv changes.
* Update the ensurepip-wheels patch (Barry Warsaw).
* Fix python3.4-venv package removal.
python3.4 (3.4.1-2) unstable; urgency=medium
* Update to 20140603 from the 3.4 branch.
* Remove the __pycache__ directories on libpython3.4-testsuite package
removal. Closes: #749999.
* In the autopkg tests, set HOME to the temporary home directory after
the su call.
* In the autopkg tests, make $ADTTMP accessible to the su user, and
re-enable the test_site autopkg test.
* Don't try to access the pip module in ensurepip, when the wheels
are not available.
python3.4 (3.4.1-1) unstable; urgency=medium
* Python 3.4.1 release.
* Set a temporary home directory for the build and the autopkg tests.
* Fix issue #17752, test_distutils failures in the installed location.
* Update pydoc_data/topics.py, broken in the release candidate.
* Run again the test_code_module test in the autopkg tests.
* Fix issue #21264, test_compileall test failures in the installed
location. Re-enable in autopkg tests. LP: #1264554.
* ensurepip and pyvenv:
- Split out a python3.4-venv package, include the pyvenv-3.4 binary
and the ensurepip package.
- Adjust the ensurepip patch so that the wheels are installed from
the universal wheel packages (Barry Warsaw).
- Let ensurepip read wheel dependencies from a file shipped in the
- Remove any version check on required pip and setuptools versions.
These are handled within these packages if necessary.
* Re-enable the pgo build.
python3.4 (3.4.1~rc1-1) unstable; urgency=medium
* Python 3.4.1 release candidate 1.
* Don't run test_code_module in the autopkg test environment, fails there
but succeeds during the build. See issue #17756. Applied workaround
for the test case.
python3.4 (3.4.0+20140427-1) unstable; urgency=medium
* Update to 20140427 from the 3.4 branch.
* Fix dependency for the -testsuite package: Closes: #745879.
python3.4 (3.4.0+20140425-1) unstable; urgency=medium
* Update to 20140425 from the 3.4 branch.
* Don't try to byte-compile bad syntax files in the testsuite.
python3.4 (3.4.0+20140417-1) unstable; urgency=medium
* Update to 20140417 from the 3.4 branch.
- Fix the test_site test failure.
* Repackage as a new tarball and remove the wheels shipped with ensurepip.
* Re-enable running some tests, disable some tests:
- Re-enable test_platform, test_subprocess, test_code_module, test_pydoc,
- Fix a distutils test error, skip a Solaris distutils test error.
- Skip the test_platform encoding test, failing with the lsb-release patch.
- Skip tests which are failing with python3.4.zip removed from sys.path.
Tracked in issue #21249.
* Byte-compile the files in the libpython3.4-testsuite package.
* d/p/distutils-install-layout.diff, d/p/site-locations.diff: Adjust the
"am I in a virtual environment" tests to include checking
sys.base_prefix != sys.prefix. This is the definitive such test for
pyvenv created virtual environments (Barry Warsaw).
* Disallow running ensurepip with the system python, when not used in
a virtual environment (Barry Warsaw).
* Don't yet install the ensurepip module, requires further work.
ensurepip wants to install bundled modules setuptools and python-pip,
which should be built from the distro packages instead of using the
* python3.4-dbg: Add a python3.4-dbg.py symlink.
* Remove the linecache patch, not needed anymore in 3.4.
* Remove the disable-utimes patch, not needed anymore since glibc-2.4.
* Remove the statvfs-f_flag-constants, avoid-rpath, hurd-path_max,
kfreebsd-xattrs, freebsd-testsuite and ncurses-configure patches
* Don't add runtime paths for libraries found in multiarch locations.
Date: 2016-11-17 00:35:15.163508+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>