Fix format of CVE changelog entries

2026-02-10 11:32:52 +01:00
parent ae199523cc
commit 3198f34561


@@ -1,17 +1,15 @@
-------------------------------------------------------------------
Thu Feb 5 17:26:23 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-12781-b64decode-alt-chars.patch fixing bsc#1257108
(CVE-2025-12781) combining gh#python/cpython!141061,
gh#python/cpython!141128, and gh#python/cpython!141153. All
`*b64decode` functions should not accept non-altchars.
- Add CVE-2025-15366-imap-ctrl-chars.patch fixing bsc#1257044
(CVE-2025-15366, gh-143921) using gh#python/cpython!143922 and
doing basically the same as the previous patch for IMAP
protocol.
- Add CVE-2025-15367-poplib-ctrl-chars.patch fixing bsc#1257041
(CVE-2025-15367) using gh#python/cpython!143924 and doing
basically the same as the previous patch for poplib library.
- CVE-2025-12781: All `*b64decode` functions should not accept
non-altchars. (bsc#1257108, gh#python/cpython#125346)
CVE-2025-12781-b64decode-alt-chars.patch
- CVE-2025-15366: IMAP protocol should not accept non-altchars as
well. (bsc#1257044, gh-143921)
CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch but for
the poplib library. (bsc#1257041, gh#python/cpython#143923)
CVE-2025-15367-poplib-ctrl-chars.patch
-------------------------------------------------------------------
Thu Feb 5 12:57:09 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
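Review bot: The new CVE-2025-15366 entry says the IMAP protocol "should not accept non-altchars as well", but the patch it names is CVE-2025-15366-imap-ctrl-chars.patch, so the wording appears to be carried over from the base64 entry above it and does not describe this fix. State in the entry's own terms what the patch rejects, and do the same for the CVE-2025-15367 entry, which still reads "basically the same as the previous patch" and cannot be understood without its neighbour. This hunk also changes references, not only format: the CVE-2025-12781 entry drops gh#python/cpython!141061, !141128 and !141153 in favour of gh#python/cpython#125346, and the poplib entry replaces !143924 with #143923. If dropping the pull-request references is intended, say so in the commit message. Finally, pick one upstream reference style, since gh-143921 now sits between two gh#python/cpython#... references.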
@@ -43,21 +41,22 @@ Thu Feb 5 12:57:09 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
(write) headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and
Petr Viktorin in gh-121650).
- gh-143935: Fixed a bug in the folding of comments when
- CVE-2025-11468: Fixed a bug in the folding of comments when
flattening an email message using a modern email policy.
Comments consisting of a very long sequence of non-foldable
characters could trigger a forced line wrap that omitted
the required leading space on the continuation line,
causing the remainder of the comment to be interpreted as
a new header field. This enabled header injection with
carefully crafted inputs (bsc#1257029, CVE-2025-11468).
- gh-143925: Reject control characters in data: URL media
types (bsc#1257046, CVE-2025-15282).
- gh-143919: Reject control characters in http.cookies.Morsel
fields and values (bsc#1257031, CVE-2026-0672).
- gh-143916: Reject C0 control characters within
carefully crafted inputs (bsc#1257029, gh-143935).
- CVE-2025-15282: Reject control characters in data: URL
media types (bsc#1257046, gh-143925).
- CVE-2026-0672: Reject control characters in
http.cookies.Morsel fields and values (bsc#1257031,
gh-143919).
- CVE-2026-0865: Reject C0 control characters within
wsgiref.headers.Headers fields, values, and parameters
(bsc#1257042, CVE-2026-0865).
(bsc#1257042, gh-143916).
- Library
- gh-144380: Improve performance of io.BufferedReader line
iteration by ~49%.
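Review bot: Style point on the entries from CVE-2025-11468 down to CVE-2026-0865: they now lead with the CVE id, while the entries that follow, such as gh-144380 under Library, still lead with the gh- issue number, so a single list mixes two key styles. If the convention is that CVE-bearing entries lead with the CVE and carry the gh- id in the parenthesis, note that convention in the commit message or the changelog guidelines so later entries follow it. The bsc#, CVE and gh- identifiers are all preserved across the swap in the visible lines (for example bsc#1257029 with gh-143935 and CVE-2025-11468), so the content itself looks unchanged here.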