File _patchinfo of Package patchinfo.1378
<patchinfo incident="1378">
<issue id="991069" tracker="bnc">python 3.4.5 minor version update</issue>
<issue id="951166" tracker="bnc">python3 upstream issue #21121</issue>
<issue id="983582" tracker="bnc">Python3 issues with distributed version 3.4.1</issue>
<issue id="984751" tracker="bnc">CVE-2016-0772: python,python3: smtplib StartTLS stripping attack</issue>
<issue id="989523" tracker="bnc">CVE-2016-1000110: python,python3: Python CGIHandler: sets environmental variable based on user supplied Proxy request header</issue>
<issue id="985177" tracker="bnc">CVE-2016-5636: python3,python: Heap overflow in zipimporter module</issue>
<issue id="985348" tracker="bnc">CVE-2016-5699: python,python3: http protocol stream injection attack</issue>
<issue id="2016-1000110" tracker="cve"/>
<issue id="2016-0772" tracker="cve"/>
<issue id="2016-5636" tracker="cve"/>
<issue id="2016-5699" tracker="cve"/>
<issue id="320949" tracker="fate"/>
<category>security</category>
<rating>moderate</rating>
<packager>matejcik</packager>
<description>
This update provides Python 3.4.5, which brings many fixes and enhancements.
The following security issues have been fixed:
- CVE-2016-1000110: CGIHandler could have allowed setting of the HTTP_PROXY environment
variable based on a user-supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to
perform a startTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urllib2/urllib/httplib/http.client.
(bsc#985348)
The update also includes the following non-security fixes:
- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement.
(bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)
For a comprehensive list of changes please refer to the upstream change log:
https://docs.python.org/3.4/whatsnew/changelog.html
</description>
<summary>Security update for python3</summary>
</patchinfo>