python-oauthlib (3.2.0-1ubuntu1) kinetic; urgency=medium

  * SECURITY UPDATE: DoS via malicious redirect uri
    - debian/patches/CVE-2022-36087-1.patch: add check of performance of
      ipv6 check in tests/test_uri_validate.py.
    - debian/patches/CVE-2022-36087-2.patch: fix IPV6 regex used to check
      redirect_uri in oauthlib/uri_validate.py, tests/test_uri_validate.py.
    - CVE-2022-36087

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Fri, 16 Sep 2022 10:26:11 -0400

Ubuntu delta is just this CVE fix. Presumably that's already upstream,
so this can be a sync.

** Changed in: python-oauthlib (Ubuntu)
     Assignee: (unassigned) => Bryce Harrington (bryce)

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36087

https://bugs.launchpad.net/bugs/1993437

Title:
  Merge python-oauthlib from Debian unstable for l-series

Status in python-oauthlib package in Ubuntu:
  New

Bug description:
  Scheduled-For: ubuntu-22.11
  Upstream: tbd
  Debian:   3.2.1-2
  Ubuntu:   3.2.0-1ubuntu1

  ### New Debian Changes ###

  python-oauthlib (3.2.1-2) unstable; urgency=medium

    [ Debian Janitor ]
    * Remove constraints unnecessary since buster (oldstable)

   -- Jelmer Vernooij <jel...@debian.org>  Sun, 16 Oct 2022 18:31:39 +0100

  python-oauthlib (3.2.1-1) unstable; urgency=medium

    * New upstream version 3.2.1
      - Fixes CVE-2022-36087 (Closes: #1019710)
    * debian/patches/0001-Add-check-of-performance-of-ipv6-check.patch
      debian/patches/0002-Fix-IPV6-regex-used-to-check-redirect_uri.patch
      - Cherry pick upstream fix and tests for CVE-2022-36087. Many thanks to
        Salvatore Bonaccorso for the report.
    * debian/control
      - Bump Standards-Version to 4.6.1, no changes required.

   -- Daniele Tricoli <er...@debian.org>  Wed, 14 Sep 2022 15:08:45 +0200

  python-oauthlib (3.2.0-1) unstable; urgency=medium

    * New upstream version 3.2.0. (Closes: #1005931)
    * debian/copyright
      - Update copyright years.

   -- Daniele Tricoli <er...@debian.org>  Fri, 18 Feb 2022 02:46:03 +0100

  python-oauthlib (3.1.1-1) unstable; urgency=medium

    [ Ondřej Nový ]
    * d/control: Update Maintainer field with new Debian Python Team
      contact address.
    * d/control: Update Vcs-* fields with new Debian Python Team Salsa
      layout.

    [ Daniele Tricoli ]
    * New upstream version 3.1.1
    * Enable Salsa pipeline.
    * debian/control
      - Bump debhelper compat version to 13.
      - Bump Standards-Version to 4.6.0, no changes required.
    * debian/copyright
      - Update copyright years.
    * debian/patches/0001-Use-unittest.mock-instead-of-external-mock.patch
      - Drop since it was backported from upstream and it's included in this
        release.
    * debian/watch
      - Bump debian/watch to version 4.

   -- Daniele Tricoli <er...@debian.org>  Wed, 25 Aug 2021 16:51:46 +0200

  python-oauthlib (3.1.0-2) unstable; urgency=medium

    [ Debian Janitor ]
    * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
      Repository-Browse.
    * Update standards version to 4.5.0, no changes needed.

    [ Daniele Tricoli ]
    * Add upstream patch to use unittest.mock instead of external mock.
      Thanks to Ondřej Nový for the report. (Closes: #962937)
    * Remove python3-mock dependency.
    * Fix lintian runtime-test-file-uses-installed-python-versions.

   -- Daniele Tricoli <er...@debian.org>  Wed, 17 Jun 2020 02:52:07 +0200

  python-oauthlib (3.1.0-1) unstable; urgency=medium

    * New upstream version 3.1.0 (Closes: #919533)
    * Use python-pytest for testing as upstream.
    * debian/control
      - Bump compat version to 12.
      - Specify Rules-Requires-Root: no.
    * debian/copyright
      - Update copyright years.

   -- Daniele Tricoli <er...@debian.org>  Sun, 27 Oct 2019 20:22:14 +0100

  python-oauthlib (2.1.0-2) unstable; urgency=medium

    * Team upload.
    * Use debhelper-compat instead of debian/compat.
    * Bump Standards-Version to 4.4.1.
    * Drop Python 2 support (Closes: #937964).

   -- Ondřej Nový <on...@debian.org>  Mon, 14 Oct 2019 10:42:07 +0200

  python-oauthlib (2.1.0-1) unstable; urgency=medium

    [ Ondřej Nový ]
    * d/control: Set Vcs-* to salsa.debian.org
    * d/control: Remove ancient X-Python-Version field
    * d/control: Remove ancient X-Python3-Version field
    * Convert git repository from git-dpm to gbp layout

    [ Daniele Tricoli ]
    * New upstream release.
    * Add debian/gbp.conf.
    * Make sure autopkgtests test the installed version of oauthlib.

  ### Old Ubuntu Delta ###

  python-oauthlib (3.2.0-1ubuntu1) kinetic; urgency=medium

    * SECURITY UPDATE: DoS via malicious redirect uri
      - debian/patches/CVE-2022-36087-1.patch: add check of performance of
        ipv6 check in tests/test_uri_validate.py.
      - debian/patches/CVE-2022-36087-2.patch: fix IPV6 regex used to check
        redirect_uri in oauthlib/uri_validate.py, tests/test_uri_validate.py.
      - CVE-2022-36087

   -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Fri, 16 Sep 2022 10:26:11 -0400