UbuntuUpdates.org

Package "python3.4"

Name: python3.4

Description: Interactive high-level object-oriented language (version 3.4)

Latest version: 3.4.3-1ubuntu1~14.04.7
Release: trusty (14.04)
Level: security
Repository: main

Other versions of "python3.4" in Trusty

Repository   Area   Version
base         main   3.4.0-2ubuntu1
updates      main   3.4.3-1ubuntu1~14.04.7

Changelog

Version: 3.4.3-1ubuntu1~14.04.7 2018-11-13 17:07:11 UTC

  python3.4 (3.4.3-1ubuntu1~14.04.7) trusty-security; urgency=medium

  * SECURITY UPDATE: command injection in shutil module
    - debian/patches/CVE-2018-1000802.patch: use subprocess rather than
      distutils.spawn in Lib/shutil.py.
    - CVE-2018-1000802
  * SECURITY UPDATE: DoS via catastrophic backtracking
    - debian/patches/CVE-2018-106x.patch: fix expressions in
      Lib/difflib.py, Lib/poplib.py. Added tests to
      Lib/test/test_difflib.py, Lib/test/test_poplib.py.
    - CVE-2018-1060
    - CVE-2018-1061
  * SECURITY UPDATE: incorrect Expat hash salt initialization
    - debian/patches/CVE-2018-14647.patch: call SetHashSalt in
      Include/pyexpat.h, Modules/_elementtree.c, Modules/pyexpat.c.
    - CVE-2018-14647

 -- Marc Deslauriers <email address hidden> Mon, 12 Nov 2018 09:06:13 -0500

CVE-2018-1000802 Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command In
CVE-2018-1060 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacke
CVE-2018-1061 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An
CVE-2018-14647 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service

Version: 3.4.3-1ubuntu1~14.04.6 2017-11-28 21:06:40 UTC

  python3.4 (3.4.3-1ubuntu1~14.04.6) trusty-security; urgency=medium

  * SECURITY UPDATE: integer overflow in the PyBytes_DecodeEscape
    function
    - debian/patches/CVE-2017-1000158.patch: fix this integer overflow
      in Objects/bytesobject.c.
    - CVE-2017-1000158

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 23 Nov 2017 12:42:11 -0300

Version: 3.4.3-1ubuntu1~14.04.5 2016-11-22 19:06:45 UTC

  python3.4 (3.4.3-1ubuntu1~14.04.5) trusty-security; urgency=medium

  * SECURITY UPDATE: StartTLS stripping attack
    - debian/patches/CVE-2016-0772.patch: raise an error when
      STARTTLS fails in Lib/smtplib.py.
    - CVE-2016-0772
  * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI
    scripts (aka HTTPOXY attack)
    - debian/patches/CVE-2016-1000110.patch: if running as CGI
      script, forget HTTP_PROXY in Lib/urllib.py, add test to
      Lib/test/test_urllib.py, add documentation.
    - CVE-2016-1000110
  * SECURITY UPDATE: Integer overflow when handling zipfiles
    - debian/patches/CVE-2016-5636-pre.patch: check for negative size in
      Modules/zipimport.c
    - debian/patches/CVE-2016-5636.patch: check for too large value in
      Modules/zipimport.c
    - CVE-2016-5636
  * SECURITY UPDATE: CRLF injection vulnerability in the
    HTTPConnection.putheader
    - debian/patches/CVE-2016-5699.patch: disallow newlines in
      putheader() arguments when not followed by spaces or tabs in
      Lib/httplib.py, add tests in Lib/test/test_httplib.py
    - CVE-2016-5699

 -- Steve Beattie <email address hidden> Wed, 16 Nov 2016 12:38:40 -0800

CVE-2016-0772 The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, whi
CVE-2016-5636 Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remot
CVE-2016-5699 CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.

Version: 3.4.0-2ubuntu1.1 2015-06-25 12:06:34 UTC

  python3.4 (3.4.0-2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via xmlrpc gzip-compressed
    HTTP bodies
    - debian/patches/CVE-2013-1753.patch: add default limit in
      Lib/xmlrpc/client.py, added test to Lib/test/test_xmlrpc.py.
    - CVE-2013-1753
  * SECURITY UPDATE: arbitrary memory read via idx argument
    - debian/patches/CVE-2014-4616.patch: reject negative idx values in
      Modules/_json.c, added test to Lib/test/test_json/test_decode.py.
    - CVE-2014-4616
  * SECURITY UPDATE: code execution or file disclosure via CGIHTTPServer
    - debian/patches/CVE-2014-4650.patch: url unquote path in
      Lib/http/server.py, added test to Lib/test/test_httpservers.py.
    - CVE-2014-4650
  * debian/patches/fix_ssl_test_dh.patch: replace 512 bit dh key with a
    2014 bit one to fix test failure with OpenSSL security update.

 -- Marc Deslauriers <email address hidden> Fri, 19 Jun 2015 07:11:22 -0400

CVE-2014-4616 arbitrary process memory read