[Git][security-tracker-team/security-tracker][master] Reserve DLA-3980-1 for python3.9

Adrian Bunk (@bunk) bunk at debian.org
Mon Dec 2 10:05:25 GMT 2024



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
df53d0a1 by Adrian Bunk at 2024-12-02T12:05:11+02:00
Reserve DLA-3980-1 for python3.9

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -26724,7 +26724,6 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific
 	- python3.11 <removed>
 	[bookworm] - python3.11 <postponed> (Minor issue, wait until merged into 3.11 branch)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue)
 	NOTE: https://github.com/python/cpython/pull/123075
 	NOTE: https://github.com/python/cpython/issues/123067
 	NOTE: https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 (v3.13.0rc2)
@@ -30965,7 +30964,6 @@ CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython.  The
 	- python3.11 <removed>
 	[bookworm] - python3.11 <postponed> (Minor issue, wait until merged into 3.11 branch)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
 	NOTE: https://github.com/python/cpython/issues/121650
@@ -42549,7 +42547,6 @@ CVE-2024-4032 (The \u201cipaddress\u201d module contained incorrect information
 	- python3.12 3.12.4-1
 	- python3.11 <removed>
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <not-affected> (ipaddress module added in 3.3)
 	NOTE: https://github.com/advisories/GHSA-mh6q-v4mp-2cc7
@@ -42664,7 +42661,6 @@ CVE-2024-0397 (A defect was discovered in the Python \u201cssl\u201d module wher
 	- python3.12 3.12.3-1
 	- python3.11 3.11.9-1
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
@@ -73904,7 +73900,6 @@ CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting vers
 	[bookworm] - python3.11 3.11.2-6+deb12u2
 	- python3.10 <removed>
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
@@ -73923,7 +73918,6 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c
 	[bookworm] - python3.11 3.11.2-6+deb12u2
 	- python3.10 <removed>
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <not-affected> (tempfile.TemporaryDirectory added in 3.2)
 	- pypy3 7.3.13+dfsg-1
@@ -113873,7 +113867,6 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3.
 	[bookworm] - python3.11 3.11.2-6+deb12u2
 	- python3.10 3.10.13-1
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 2.7.18-8+deb11u1
@@ -140700,7 +140693,6 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m
 	[bookworm] - python3.11 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
 	- python3.10 <removed>
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue)
 	- python3.7 <removed>
 	[buster] - python3.7 <postponed> (Minor issue)
 	- python2.7 <removed>
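
Review bot: The bookworm context line in this hunk still reads `<postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)`, while the bullseye postponement is dropped because DLA-3980-1 lists CVE-2023-27043 for python3.9. With bullseye fixed, that bookworm rationale looks stale; consider re-triaging the bookworm python3.11 entry in a follow-up so stable does not trail the LTS release on this issue. The same question applies to the bookworm `<postponed>` lines kept next to CVE-2024-7592 and CVE-2024-6923.
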
@@ -148903,7 +148895,6 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a
 	- python3.11 3.11.4-1
 	[bookworm] - python3.11 3.11.2-6+deb12u2
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	[buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)
 	- python2.7 <removed>
@@ -166627,7 +166618,6 @@ CVE-2022-45061 (An issue was discovered in Python before 3.11.1. An unnecessary
 	- python3.11 3.11.1-1
 	- python3.10 3.10.9-1
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
@@ -175446,7 +175436,6 @@ CVE-2022-42919 (Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux all
 	- python3.11 3.11.0-2
 	- python3.10 3.10.8-2
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	[buster] - python3.7 <not-affected> (Vulnerable functionality backported later in 3.7.8)
 	- python2.7 <not-affected> (Vulnerable code introduced later)
@@ -214004,7 +213993,6 @@ CVE-2015-20107 (In Python (aka CPython) up to 3.10.8, the mailcap module does no
 	{DLA-3477-1 DLA-3432-1}
 	- python3.10 3.10.6-1
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python3.5 <removed>
 	[stretch] - python3.5 <no-dsa> (Minor issue)
@@ -236811,7 +236799,6 @@ CVE-2021-4189 (A flaw was found in Python, specifically in the FTP (File Transfe
 	{DLA-3477-1 DLA-3432-1 DLA-2919-1}
 	- python3.10 <not-affected> (Fixed before initial upload to Debian unstable)
 	- python3.9 3.9.7-1
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python3.5 <removed>
 	[stretch] - python3.5 <no-dsa> (Minor issue)
@@ -257489,7 +257476,6 @@ CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response i
 	{DLA-3966-1 DLA-3477-1 DLA-3432-1 DLA-2808-1}
 	[experimental] - python3.9 3.9.6-1
 	- python3.9 3.9.7-1
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python3.5 <removed>
 	- python3.4 <removed>
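
Review bot: The cross-reference line `{DLA-3966-1 DLA-3477-1 DLA-3432-1 DLA-2808-1}` above the removed entry is left without DLA-3980-1, and no `[bullseye] - python3.9 3.9.2-1+deb11u2` line replaces the dropped `<no-dsa>` one. If both are meant to be generated from the new data/DLA/list entry, say so in the commit message; otherwise add them here, since the remaining `- python3.9 3.9.7-1` line on its own does not record a bullseye fix.
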
@@ -258700,7 +258686,6 @@ CVE-2021-39616 (Summary:Product: AndroidVersions: Android SoCAndroid ID: A-20468
 CVE-2021-3733 (There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker ...)
 	{DLA-3477-1 DLA-3432-1 DLA-2808-1}
 	- python3.9 3.9.7-1
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python3.5 <removed>
 	- python2.7 <removed>
@@ -283909,7 +283894,6 @@ CVE-2021-29922 (library/std/src/net/parser.rs in Rust before 1.53.0 does not pro
 CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading zero  ...)
 	[experimental] - python3.9 3.9.5-1
 	- python3.9 3.9.7-1 (bug #989195)
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python2.7 <not-affected> (Vulnerable code introduced later)
 	- pypy3 7.3.8+dfsg-1
 	[buster] - pypy3 <no-dsa> (Minor issue)
@@ -288484,7 +288468,6 @@ CVE-2021-3426 (There's a flaw in Python 3's pydoc. A local or adjacent attacker
 	{DLA-3477-1 DLA-2619-1}
 	[experimental] - python3.9 3.9.3-1
 	- python3.9 3.9.7-1
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python3.5 <removed>
 	- python2.7 <not-affected> (Vulnerable code not present)
@@ -363681,7 +363664,6 @@ CVE-2020-10735 (A flaw was found in python. In algorithms with quadratic time co
 	- python3.11 3.11.0~rc2-1
 	- python3.10 3.10.7-1
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[02 Dec 2024] DLA-3980-1 python3.9 - security update
+	{CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2021-28861 CVE-2021-29921 CVE-2022-42919 CVE-2022-45061 CVE-2023-6597 CVE-2023-24329 CVE-2023-27043 CVE-2023-40217 CVE-2024-0397 CVE-2024-0450 CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8088 CVE-2024-9287 CVE-2024-11168}
+	[bullseye] - python3.9 3.9.2-1+deb11u2
 [30 Nov 2024] DLA-3979-1 lemonldap-ng - security update
 	{CVE-2024-48933 CVE-2024-52946 CVE-2024-52947}
 	[bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u6
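
Review bot: The CVE list on the DLA-3980-1 line names 23 CVEs, but data/CVE/list in this commit only drops a bullseye python3.9 triage line for 18 of them. CVE-2021-28861, CVE-2024-6232, CVE-2024-8088, CVE-2024-9287 and CVE-2024-11168 have no matching hunk; please confirm those entries carry no leftover `[bullseye] - python3.9` line marked `<no-dsa>`, `<postponed>` or `<ignored>` that would contradict the 3.9.2-1+deb11u2 fix.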


=====================================
data/dla-needed.txt
=====================================
@@ -159,10 +159,6 @@ python-tornado (dleidert)
 python-werkzeug (Sean Whitton)
   NOTE: 20241110: Added by Front-Desk (apo)
 --
-python3.9 (Adrian Bunk)
-  NOTE: 20240906: Added by Front-Desk (lamby)
-  NOTE: 20241121: Also follow fixes from bookworm 12.8 (CVE-2024-6232 + CVE-2024-8088 regression) (Beuc/front-desk)
---
 qemu (santiago)
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: Follow fixes from bookworm 12.4 (CVE-2023-5088)
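
Review bot: Removing the python3.9 block also removes the 20241121 NOTE asking to follow the bookworm 12.8 fixes (CVE-2024-6232 + CVE-2024-8088 regression). Both CVE ids are in the DLA-3980-1 list, but nothing in this commit shows that the CVE-2024-8088 regression fix is part of 3.9.2-1+deb11u2; worth confirming before the entry goes, or recording it in the DLA text.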



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df53d0a19cee7e4078cfd0980b35a1e3b1f0f4d3
