[Git][security-tracker-team/security-tracker][master] Reserve DLA-3432-1 for python2.7
Sylvain Beucler (@beuc)
beuc at debian.org
Wed May 24 18:02:50 BST 2023
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1c425f85 by Sylvain Beucler at 2023-05-24T19:02:31+02:00
Reserve DLA-3432-1 for python2.7
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -39893,7 +39893,6 @@ CVE-2022-45061 (An issue was discovered in Python before 3.11.1. An unnecessary
[buster] - python3.7 <postponed> (Minor issue; fix along with next DLA)
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- [buster] - python2.7 <postponed> (Minor issue, DoS, fix along with next DLA)
NOTE: https://github.com/python/cpython/issues/98433
NOTE: https://github.com/python/cpython/pull/99092
NOTE: https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15 (v3.11.1)
@@ -86815,7 +86814,6 @@ CVE-2015-20107 (In Python (aka CPython) up to 3.10.8, the mailcap module does no
[stretch] - python3.5 <no-dsa> (Minor issue)
- python2.7 <unfixed>
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
- [buster] - python2.7 <no-dsa> (Minor issue)
[stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue24778
NOTE: https://github.com/python/cpython/issues/68966
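Review bot: In the CVE-2015-20107 hunk the context line `- python2.7 <unfixed>` stays in place, so once the `[buster] - python2.7 <no-dsa>` line is dropped, buster is recorded as fixed through DLA-3432-1 while the unversioned python2.7 entry is still unfixed. A NOTE line identifying the patch carried in the buster upload would let a reader see where the fix comes from.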
@@ -109452,7 +109450,6 @@ CVE-2021-4189 (A flaw was found in Python, specifically in the FTP (File Transfe
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
- [buster] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue43285
NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
@@ -130095,7 +130092,6 @@ CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response i
- python3.4 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- [buster] - python2.7 <postponed> (Minor issue, DoS)
NOTE: https://bugs.python.org/issue44022
NOTE: https://github.com/python/cpython/pull/25916
NOTE: https://github.com/python/cpython/pull/26503
@@ -131305,7 +131301,6 @@ CVE-2021-3733 (There's a flaw in urllib's AbstractBasicAuthHandler class. An att
- python3.5 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- [buster] - python2.7 <postponed> (Minor issue, ReDoS)
NOTE: https://bugs.python.org/issue43075
NOTE: https://github.com/python/cpython/pull/24391
NOTE: https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)
@@ -167973,7 +167968,6 @@ CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
[stretch] - python3.7 <no-dsa> (Minor issue)
- python3.5 <removed>
- python2.7 2.7.18-2
- [buster] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue42938
NOTE: https://github.com/python/cpython/pull/24239
NOTE: https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
@@ -220876,7 +220870,6 @@ CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able t
[buster] - python3.7 3.7.3-2+deb10u2
- python3.5 <removed> (low)
- python2.7 2.7.18-2 (low; bug #970099)
- [buster] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue39017
NOTE: https://github.com/python/cpython/commit/5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4 (master)
NOTE: https://github.com/python/cpython/commit/f3232294ee695492f43d424cc6969d018d49861d (3.9-branch)
@@ -241462,7 +241455,6 @@ CVE-2020-8492 (Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10,
- python3.4 <removed>
[jessie] - python3.4 <postponed> (Minor issue)
- python2.7 2.7.18-2 (low; bug #970099)
- [buster] - python2.7 <no-dsa> (Minor issue)
[stretch] - python2.7 <ignored> (Too destructive to backport. Though the patch is partly ready. https://salsa.debian.org/lts-team/packages/python2.7/-/blob/master/debian/patches/CVE-2020-8492.patch)
[jessie] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue39503
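Review bot: For CVE-2020-8492 the `[stretch]` context line still reads `<ignored> (Too destructive to backport. ...)`, while the removed `[buster] - python2.7 <no-dsa>` line hands the same CVE to the buster DLA. A short NOTE saying whether the partly ready stretch patch was reused, or why the backport is acceptable for buster, would keep the two suite entries from looking contradictory.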
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[24 May 2023] DLA-3432-1 python2.7 - security update
+ {CVE-2015-20107 CVE-2019-20907 CVE-2020-8492 CVE-2020-26116 CVE-2021-3177 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061}
+ [buster] - python2.7 2.7.16-2+deb10u2
[22 May 2023] DLA-3431-1 sqlite - security update
{CVE-2016-6153 CVE-2018-8740}
[buster] - sqlite 2.8.17-15+deb10u1
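Review bot: CVE-2020-26116 is in the brace list on the second added line, but none of the eight data/CVE/list hunks in this commit touches that CVE. If its entry carries a `[buster] - python2.7` annotation, that line should be dropped in the same commit as the others were; if it has none, nothing more is needed, but it is worth confirming.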
=====================================
data/dla-needed.txt
=====================================
@@ -141,12 +141,6 @@ python-oslo.privsep
NOTE: 20221231: Programming language: Python.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
--
-python2.7 (Sylvain Beucler)
- NOTE: 20230416: Programming language: C, Python.
- NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/python2.7.git
- NOTE: 20230416: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html
- NOTE: 20230513: Backporting patches (Beuc)
---
python3.7
NOTE: 20230220: Programming language: Python.
NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c425f856e0a2327d97bb090724ed1af850d29ec