[ubuntu/trusty-updates] python2.7 2.7.6-8ubuntu0.3 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Tue Nov 22 19:28:42 UTC 2016

python2.7 (2.7.6-8ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: StartTLS stripping attack
    - debian/patches/CVE-2016-0772.patch: raise an error when
      STARTTLS fails in Lib/smtplib.py.
    - CVE-2016-0772
  * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
    scripts (aka HTTPOXY attack)
    - debian/patches/CVE-2016-1000110-pre.patch: prefer lower_case
      proxy environment variables over UPPER_CASE or Mixed_Case ones.
    - debian/patches/CVE-2016-1000110.patch: if running as CGI
      script, forget HTTP_PROXY in Lib/urllib.py, add test to
      Lib/test/test_urllib.py, add documentation.
    - CVE-2016-1000110
  * SECURITY UPDATE: Integer overflow when handling zipfiles
    - debian/patches/CVE-2016-5636-pre.patch: check for negative size
      in Modules/zipimport.c
    - debian/patches/CVE-2016-5636.patch: check for too large value in
      Modules/zipimport.c
    - CVE-2016-5636
  * SECURITY UPDATE: CRLF injection vulnerability in the
    HTTPConnection.putheader
    - debian/patches/CVE-2016-5699.patch: disallow newlines in
      putheader() arguments when not followed by spaces or tabs in
      Lib/httplib.py, add tests in Lib/test/test_httplib.py
    - CVE-2016-5699

Date: 2016-10-26 20:17:14.774565+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/python2.7/2.7.6-8ubuntu0.3
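
The header rule named in the CVE-2016-5699 entry above (newlines are rejected unless followed by a space or tab), as an added illustration that is not the code of debian/patches/CVE-2016-5699.patch or of Lib/httplib.py. The function names `find_illegal_newline` and `build_header_line`, the header-name rule, the handling of a bare CR and the sample values are assumptions constructed for this example.

```python
import re

# Rule from the changelog entry: a newline in a header value is allowed only
# when it is followed by a space or tab (a folded continuation line).
# Assumption: a bare CR is handled the same way, and CRLF counts as one newline.
_ILLEGAL_NEWLINE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")

# Assumption: header names are restricted to RFC 7230 token characters.
_HEADER_NAME = re.compile(r"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def find_illegal_newline(value):
    """Return the offset of the first newline that would end the header, or None."""
    match = _ILLEGAL_NEWLINE.search(value)
    return match.start() if match else None


def build_header_line(name, *values):
    """Return 'Name: value', or raise ValueError if an argument could split the header."""
    if not _HEADER_NAME.match(name):
        raise ValueError("illegal header name %r" % (name,))
    for value in values:
        offset = find_illegal_newline(value)
        if offset is not None:
            raise ValueError("illegal newline at offset %d in %r" % (offset, value))
    # Several values become one folded header: each continuation starts with a tab.
    return "%s: %s" % (name, "\r\n\t".join(values))


# Constructed sample values, not taken from the patch or its tests.
SAMPLES = [
    ("Accept", "text/plain"),                    # ordinary value
    ("X-Note", "first line\r\n second line"),    # folded continuation, allowed
    ("X-Note", "value\r\nX-Injected: 1"),        # newline followed by a new header
    ("X-Note", "value\n"),                       # trailing newline
]

if __name__ == "__main__":
    for header, sample in SAMPLES:
        try:
            print("accepted: %r" % build_header_line(header, sample))
        except ValueError as exc:
            print("rejected: %s" % exc)
```
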