LTS
Released DLAs
- DLA-2619-1 python3.5_3.5.3-1+deb9u4
  - CVE-2021-23336: only use ‘&’ as a query string separator
  - CVE-2021-3426: remove the pydoc getfile feature
  - CVE-2021-3177: replace snprintf with Python unicode
CVE-2021-23336 introduced an API change. It was a hard decision to upload this fix, because it can potentially break users' code if their code uses a semicolon as a separator. Another option is not to fix it at all, leaving the security issue open. Not the best solution.
I have also fixed the failing autopkgtest, which was introduced in one of the latest CVE fixes. CI pipelines on salsa.d.o now help to detect such mistakes.
- DLA-2628-1 python2.7_2.7.13-2+deb9u5
  - CVE-2021-23336: only use ‘&’ as a query string separator
  - CVE-2019-16935: Escape the server title of DocXMLRPCServer.
CVE-2021-23336 introduced an API change, the same as for python3.5. But the backporting was much harder, because porting python3 -> python2 is not always easy.
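To make the API change behind the two CVE-2021-23336 uploads above concrete, here is an added example (not code from the report, from Debian, or from CPython itself). Before the fix, `urllib.parse.parse_qs()`/`parse_qsl()` split a query string on both `&` and `;`; after the fix only `&` is used unless the caller passes the new `separator` keyword. The `legacy_parse_qs()` helper is my simplified re-implementation of the old splitting, kept only for a side-by-side comparison (it does no percent-decoding), and the query string is a constructed sample. The example targets the python3 module; the python2.7 backport changes `urlparse.parse_qs` in the same way.

```python
"""Show the CVE-2021-23336 behaviour change in urllib.parse and how to check for it.

Added example; not part of the original report or of CPython.
"""
import inspect
import re
from urllib.parse import parse_qs


def has_separator_fix() -> bool:
    """Return True if this interpreter carries the CVE-2021-23336 fix.

    The fix added a `separator` keyword to parse_qs()/parse_qsl(); an
    interpreter without it still treats ';' as a separator.
    """
    return "separator" in inspect.signature(parse_qs).parameters


def legacy_parse_qs(qs: str) -> dict:
    """Simplified re-implementation of the pre-fix splitting on '&' and ';'.

    Kept only to show the old behaviour next to the new one; it is an
    assumption of this example, not the stdlib code, and skips unquoting.
    """
    result: dict = {}
    for pair in re.split(r"[&;]", qs):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        result.setdefault(key, []).append(value)
    return result


def fixed_parse_qs(qs: str, separator: str = "&") -> dict:
    """Parse with the patched stdlib; only `separator` splits pairs.

    Code that relied on ';' must now pass separator=';' explicitly, which is
    exactly the compatibility break the report talks about.
    """
    return parse_qs(qs, keep_blank_values=True, separator=separator)


# Constructed sample: a front-end that treats ';' as part of the value would
# see one 'user' parameter, while the old parser saw a separate 'role' key.
QUERY = "user=alice;role=admin&page=1"


def compare(qs: str = QUERY) -> dict:
    """Return the three interpretations of the same query string."""
    return {
        "legacy": legacy_parse_qs(qs),
        "fixed_default": fixed_parse_qs(qs),
        "fixed_semicolon": fixed_parse_qs(qs, separator=";"),
    }


if __name__ == "__main__":
    print("interpreter has separator fix:", has_separator_fix())
    for name, parsed in compare().items():
        print(f"{name:16s} {parsed}")
```

The `has_separator_fix()` check is the quick way to confirm on a given box whether the backported fix is present; the `compare()` output shows why the change was a hard call: the same string parses into different parameters depending on which behaviour the application expected.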
Other LTS-related work
CI-pipelines
I try to set up CI pipelines on salsa.d.o for all LTS packages I touch. Setting up pipelines for python3.5 and python2.7 was much harder than for other packages: failing autopkgtests and some other issues. Though it takes more time to set up at the beginning, I believe it improves package quality.
LTS-Meeting
I attended the Debian LTS team Jitsi-meeting.