Package: python3.4
Version: 3.4.2-1+deb8u3
Followup-For: Bug #931044
The following fix could be applied to the faulty Python standard library file
ultimately used by the /var/lib/dpkg/info/python3.4.postinst script:
--- /usr/lib/python3.4/http/client.py 2019-06-25 14:41:35.000000000 +0200
+++ /usr/lib/python3.4/http/client.py 2019-06-25 14:41:55.000000000 +0200
@@ -1011,8 +1011,9 @@
# Prevent CVE-2019-9740.
match = _contains_disallowed_url_pchar_re.search(url)
if match:
- raise InvalidURL(f"URL can't contain control characters. {url!r} "
- f"(found at least {match.group()!r})")
+ raise InvalidURL("URL can't contain control characters. {url!r} "
+ "(found at least {group!r})"
+ .format(url=url, group=match.group()))
request = '%s %s %s' % (method, url, self._http_vsn_str)
# Non-ASCII characters should have been eliminated earlier
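Review bot: In the replacement `raise InvalidURL(...)`, the message is built with `str.format` while the very next context line builds `request` with `%`-formatting (`'%s %s %s' % (method, url, self._http_vsn_str)`); writing the message as `"... %r (found at least %r)" % (url, match.group())` would match the surrounding style and drop the named-argument indirection. The `.format(...)` call as written does apply to both adjacent string literals, since they are concatenated before the method call, so `{url!r}` and `{group!r}` are both substituted. Because the removed f-string lines are rejected at compile time by interpreters older than 3.6, it is worth byte-compiling the patched file with the target interpreter (for example `python3.4 -m py_compile /usr/lib/python3.4/http/client.py`) to confirm that no other 3.6-only syntax came in with the same CVE-2019-9740 backport; this hunk only shows the one `raise`.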
Sorry to provide this patch inline, but I am using the textual bug reporting
interface! I imagine that this regression has occurred because someone has
applied the noted vulnerability countermeasure without backporting it to the
syntax understood by Python 3.5 or earlier.
I hope this helps others experiencing the same problem.
Paul
-- System Information:
Debian Release: 8.11
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-9-586
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=en_GB.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3.4 depends on:
ii libpython3.4-stdlib 3.4.2-1+deb8u3
ii mime-support 3.58
ii python3.4-minimal 3.4.2-1+deb8u3
python3.4 recommends no packages.
Versions of packages python3.4 suggests:
ii binutils 2.25-5+deb8u1
pn python3.4-doc <none>
pn python3.4-venv <none>
-- no debconf information