Package "python3.5"

Name: python3.5


Interactive high-level object-oriented language (version 3.5)

Latest version: 3.5.2-2ubuntu0~16.04.13
Release: xenial (16.04)
Level: security
Repository: main


Download "python3.5"

Other versions of "python3.5" in Xenial

Repository Area Version
base universe 3.5.1-10
base main 3.5.1-10
security universe 3.5.2-2ubuntu0~16.04.13
updates main 3.5.2-2ubuntu0~16.04.13
updates universe 3.5.2-2ubuntu0~16.04.13

Packages in group

Deleted packages are displayed in grey.


Version: 3.5.2-2ubuntu0~16.04.13 2021-02-25 14:06:17 UTC

  python3.5 (3.5.2-2ubuntu0~16.04.13) xenial-security; urgency=medium

  * SECURITY UPDATE: Code execution from content received via HTTP
    - debian/patches/CVE-2020-27619.patch: no longer call eval() on
      content received via HTTP in Lib/test/multibytecodec_support.py.
    - CVE-2020-27619
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
      formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
    - CVE-2021-3177

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 26 Jan 2021 10:30:48 -0300

Source diff to previous version
CVE-2020-27619 In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2021-3177 Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applic

Version: 3.5.2-2ubuntu0~16.04.12 2020-10-14 17:06:58 UTC

  python3.5 (3.5.2-2ubuntu0~16.04.12) xenial-security; urgency=medium

    - debian/patches/CVE-2020-26116.patch: prevent header injection
      in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116
  * debian/patches/skipping_broken_test_httphandlertest.patch:
    - skipping Lib/test/test_logging.py was hanging during building time
      causing the building to be killed after 150 minutes of hang.

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 07 Oct 2020 14:19:02 -0300

Source diff to previous version
CVE-2020-26116 http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker contro

Version: 3.5.2-2ubuntu0~16.04.11 2020-07-22 15:06:16 UTC

  python3.5 (3.5.2-2ubuntu0~16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: Misleading information
    - debian/patches/CVE-2019-17514.patch: explain that the orderness of the
      of the result is system-dependant in Doc/library/glob.rst.
    - CVE-2019-17514
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-9674.patch: add pitfalls to
      zipfile module doc in Doc/library/zipfile.rst,
    - CVE-2019-9674
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
      tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py and add
      Lib/test/recursion.tar binary for test.
    - CVE-2019-20907
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-14422.patch: Resolve hash collisions for
      IPv4Interface and IPv6Interface in Lib/ipaddress.py,
    - CVE-2020-14422

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 17 Jul 2020 11:04:10 -0300

Source diff to previous version
CVE-2019-17514 library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrate
CVE-2019-9674 Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
CVE-2019-20907 In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, becaus
CVE-2020-14422 Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote a

Version: 3.5.2-2ubuntu0~16.04.10 2020-04-21 14:06:14 UTC

  python3.5 (3.5.2-2ubuntu0~16.04.10) xenial-security; urgency=medium

    - debian/patches/CVE-2019-18348.patch: disallow control characters
      in hostnames in http.client in Lib/http/client.py, Lib/test/test_urllib.py.
    - CVE-2019-18348
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-8492.patch: fix the regex to prevent
      the regex denial of service in Lib/urllib/request.py,
    - CVE-2020-8492

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 16 Apr 2020 14:47:17 -0300

Source diff to previous version
CVE-2019-18348 An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker co
CVE-2020-8492 Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular E

Version: 3.5.2-2ubuntu0~16.04.9 2019-10-09 14:08:19 UTC

  python3.5 (3.5.2-2ubuntu0~16.04.9) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect email address parsing
    - debian/patches/CVE-2019-16056.patch: don't parse domains containing @
      in Lib/email/_header_value_parser.py, Lib/email/_parseaddr.py,
    - CVE-2019-16056
  * SECURITY UPDATE: XSS in documentation XML-RPC server
    - debian/patches/CVE-2019-16935.patch: escape the server_title in
      Lib/xmlrpc/server.py, Lib/test/test_docxmlrpc.py.
    - CVE-2019-16935
  * debian/patches/avoid_test_docxmlrpc_race.patch: avoid race in
    test_docxmlrpc server setup in Lib/test/test_docxmlrpc.py.

 -- Marc Deslauriers <email address hidden> Tue, 08 Oct 2019 09:06:37 -0400

CVE-2019-16056 An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses em
CVE-2019-16935 The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs

About   -   Send Feedback to @ubuntu_updates