Stefano Rivera
2024-12-23 20:40:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@packages.debian.org
Control: affects -1 + src:pypy3
User: ***@packages.debian.org
Usertags: pu
Update pypy3 for the same security issues as cpython3 in bookworm:
  * Security patches to the standard library:
    - CVE-2023-27043: Parse email addresses with special characters correctly.
    - CVE-2024-9287: Quote path names in venv activation scripts.
    - CVE-2024-4032: Fix private IP address ranges.
    - CVE-2024-6232: Fix ReDoS when parsing tarfile headers.
    - CVE-2024-8088: Avoid infinite loop in zip file parsing.
    - CVE-2024-6923: Encode newlines in headers in the email module.
    - CVE-2024-7592: Quadratic complexity parsing cookies with backslashes.
    - CVE-2024-11168: Ensure addresses in brackets are valid IPv6 addresses.
And some housekeeping:
  * Clean the python 2.7 source tree.
  * Clean cffi modules C source, lex and yacc tabs.
[ Reason ]
Security updates that the security team doesn't consider urgent enough
to warrant a DSA for.
[ Impact ]
Of these, CVE-2024-8088 is labelled HIGH in its description. I see we
also issued a DSA for CVE-2024-4032 in cpython.
[ Tests ]
The patches all come from cPython, so we've already got some confidence
in them. cPython is pretty good about including regression tests in
everything. I've test-built pypy3 and checked that all the new tests are
passing (pypy3 always has a lot of failing tests, so we ignore results,
sorry about that).
[ Risks ]
If they weren't an issue for cPython, they're almost certainly not for
PyPy; the user-base is much smaller.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
See the changelog above.
[ Other info ]
Uploaded to bookworm.
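A quick probe for one of the listed fixes, CVE-2024-11168 (a bracketed host in a URL must be an IPv6 or IPvFuture literal), that a maintainer can run against a freshly built interpreter; this is an added example, not part of the upload and not cPython's own regression test. The sample URLs and all function names are constructed for this example, and `bracketed_host_is_valid` is a local reference check, not the standard library's.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not from the bug report): valid IPv6 and IPvFuture
# literals that must still be accepted, and invalid bracketed hosts that a
# patched urllib.parse refuses with ValueError.
SAMPLE_URLS = [
    "http://[::1]:8080/",
    "http://[2001:db8::1]/path",
    "http://[v1.fe80::a+en1]/",
    "http://[foo]/",
    "http://[127.0.0.1]/",
    "http://[1.2.3.4.5]/",
]

def bracketed_host_is_valid(host: str) -> bool:
    """Reference verdict for the text between the brackets, independent of the
    running interpreter: an IPv6 literal, or an IPvFuture literal of the form
    'v' + hex version + '.' + at least one more character."""
    if host[:1] in ("v", "V"):
        return re.fullmatch(r"[0-9a-fA-F]+\..+", host[1:]) is not None
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv6Address)
    except ValueError:
        return False

def interpreter_rejects(url: str) -> bool:
    """True if this interpreter's urlsplit refuses the URL with ValueError."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False

def bracket_content(url: str) -> str:
    """Text between the first '[' and the first ']' of the URL."""
    return url[url.index("[") + 1:url.index("]")]

def unpatched_samples() -> list:
    """Invalid bracketed hosts that urlsplit accepted: non-empty means the fix is missing."""
    return [u for u in SAMPLE_URLS
            if not bracketed_host_is_valid(bracket_content(u)) and not interpreter_rejects(u)]

def wrongly_rejected_samples() -> list:
    """Valid bracketed hosts that urlsplit refused: non-empty means a regression."""
    return [u for u in SAMPLE_URLS
            if bracketed_host_is_valid(bracket_content(u)) and interpreter_rejects(u)]

if __name__ == "__main__":
    print("fix missing for:", unpatched_samples() or "none")
    print("regressions:", wrongly_rejected_samples() or "none")
```

Run it with the test-built pypy3 and with the system cpython3; an empty "fix missing" list on both is what you want to see.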