python3.11 - Debian Package Tracker

general

source: python3.11 (main)
version: 3.11.5-3
maintainer: Matthias Klose (DMD)
arch: all any
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 3.11.2-6
testing: 3.11.5-3
unstable: 3.11.5-3

versioned links

3.11.2-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.11.5-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

idle-python3.11
libpython3.11
libpython3.11-dbg
libpython3.11-dev
libpython3.11-minimal (1 bugs: 0, 1, 0, 0)
libpython3.11-stdlib (2 bugs: 0, 2, 0, 0)
libpython3.11-testsuite
python3.11 (2 bugs: 0, 2, 0, 0)
python3.11-dbg
python3.11-dev
python3.11-doc
python3.11-examples
python3.11-full
python3.11-minimal (1 bugs: 0, 1, 0, 0)
python3.11-nopie
python3.11-venv

action needed

A new upstream version is available: 3.11.6 high

A new upstream version 3.11.6 is available, you should consider packaging it.

Created: 2023-10-04 Last update: 2023-10-04 03:35

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2023-27043: The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Created: 2023-06-11 Last update: 2023-09-01 03:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-27043: The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Created: 2023-02-25 Last update: 2023-09-01 03:00

4 security issues in bookworm high

There are 4 open security issues in bookworm.

1 important issue:

CVE-2023-40217: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

3 issues left for the package maintainer to handle:

CVE-2023-24329: (needs triaging) An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2023-27043: (needs triaging) The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
CVE-2023-41105: (needs triaging) An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-02-25 Last update: 2023-09-01 03:00

debian/patches: 1 patch with invalid metadata, 20 patches to forward upstream high

Among the 38 debian patches available in version 3.11.5-3 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
20 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-08-31 10:00

lintian reports 24 errors and 79 warnings high

Lintian reports 24 errors and 79 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-03-13 Last update: 2023-08-31 09:35

AppStream hints: 1 error and 1 warning high

AppStream found metadata issues for packages:

idle-python3.11: 1 error and 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2022-06-09 Last update: 2022-06-09 02:34

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2023-09-13 Last update: 2023-10-04 04:04

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

python3.11-examples could be marked Multi-Arch: foreign

Created: 2022-06-10 Last update: 2023-10-04 03:38

4 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 4fc6edaf4ceab7fffe25831dd3aae0f480f7f456
Author: Matthias Klose <doko@ubuntu.com>
Date:   Tue Aug 29 17:32:01 2023 +0200

    prepare for upload

commit e83afaf0f2bb5e75cd30f61d835d1d20c8f832b3
Author: Matthias Klose <doko@ubuntu.com>
Date:   Tue Aug 29 17:30:30 2023 +0200

      * Add proposed patch to avoid tzdata-legacy, and drop again the
        dependency on it. See  https://github.com/python/cpython/pull/108533.

commit 6bc123a93ff42cf407148c5d7866f91d36447bf8
Author: Matthias Klose <doko@ubuntu.com>
Date:   Sat Aug 26 20:35:37 2023 +0200

      * Add loongarch support. Closes: #1049963.

commit a9d83d6399a815b810e5ff7fc3b61584b7d1d013
Author: Matthias Klose <doko@ubuntu.com>
Date:   Sat Aug 26 20:31:06 2023 +0200

      * libpython3.11-stdlib: Also depend on tzdata-legacy. Closes: #1050530.

Created: 2023-08-26 Last update: 2023-10-04 00:30

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2023-09-06 Last update: 2023-10-03 23:44

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2023-02-12 Last update: 2023-02-12 13:00

news

[rss feed]

[2023-09-01] python3.11 3.11.5-3 MIGRATED to testing (Debian testing watch)
[2023-08-29] Accepted python3.11 3.11.5-3 (source) into unstable (Matthias Klose)
[2023-08-29] python3.11 3.11.5-2 MIGRATED to testing (Debian testing watch)
[2023-08-26] Accepted python3.11 3.11.5-2 (source) into unstable (Matthias Klose)
[2023-08-25] Accepted python3.11 3.11.5-1 (source) into unstable (Matthias Klose)
[2023-06-13] python3.11 3.11.4-1 MIGRATED to testing (Debian testing watch)
[2023-06-07] Accepted python3.11 3.11.4-1 (source) into unstable (Matthias Klose)
[2023-05-31] Accepted python3.11 3.11.3-2 (source) into experimental (Matthias Klose)
[2023-04-11] Accepted python3.11 3.11.3-1 (source) into experimental (Matthias Klose)
[2023-03-25] python3.11 3.11.2-6 MIGRATED to testing (Debian testing watch)
[2023-03-13] Accepted python3.11 3.11.2-6 (source) into unstable (Matthias Klose)
[2023-03-05] Accepted python3.11 3.11.2-5 (source) into unstable (Matthias Klose)
[2023-02-22] python3.11 3.11.2-4 MIGRATED to testing (Debian testing watch)
[2023-02-12] Accepted python3.11 3.11.2-4 (source) into unstable (Matthias Klose)
[2023-02-10] Accepted python3.11 3.11.2-3 (source) into unstable (Matthias Klose)
[2023-02-08] Accepted python3.11 3.11.2-2 (source) into unstable (Matthias Klose)
[2023-02-06] Accepted python3.11 3.11.2-1 (source) into unstable (Matthias Klose)
[2023-01-03] python3.11 3.11.1-2 MIGRATED to testing (Debian testing watch)
[2022-12-31] Accepted python3.11 3.11.1-2 (source) into unstable (Matthias Klose)
[2022-12-10] python3.11 3.11.1-1 MIGRATED to testing (Debian testing watch)
[2022-12-07] Accepted python3.11 3.11.1-1 (source) into unstable (Matthias Klose)
[2022-11-07] python3.11 3.11.0-3 MIGRATED to testing (Debian testing watch)
[2022-11-04] Accepted python3.11 3.11.0-3 (source) into unstable (Matthias Klose)
[2022-11-03] Accepted python3.11 3.11.0-2 (source) into unstable (Matthias Klose)
[2022-10-28] python3.11 3.11.0-1 MIGRATED to testing (Debian testing watch)
[2022-10-24] Accepted python3.11 3.11.0-1 (source) into unstable (Matthias Klose)
[2022-10-17] python3.11 3.11.0~rc2-2 MIGRATED to testing (Debian testing watch)
[2022-10-01] Accepted python3.11 3.11.0~rc2-2 (source) into unstable (Matthias Klose)
[2022-09-15] python3.11 3.11.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2022-09-12] Accepted python3.11 3.11.0~rc2-1 (source) into unstable (Matthias Klose)

bugs [bug history graph]

all: 6
RC: 0
I&N: 6
M&W: 0
F&P: 0
patch: 1

links

lintian (24, 79)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.11.5-3
4 bugs