Dear Release team,
This is a follow-up update to the +deb12u7 update already accepted in
bookworm-proposed-updates a few weeks ago. It fixes low severity CVEs,
which have been backported to the upstream 3.11 branch for the most
part. It will bring the bookworm package in-line with the trixie package
+deb13u2 (currently in trixie-p-u) in terms of CVE fixes.
The debdiff also includes a patch to fix the autopkgtest.
[ CVE details ]
The following patches:
* CVE-2025-13462
* CVE-2026-2297
* CVE-2026-4224
* CVE-2026-4519
* CVE-2026-6100
have been cherry-picked from the upstream 3.11 branch.
CVE-2026-3644 is not yet merged upstream, but it will be included in the
next 3.11 point release, according to:
https://github.com/python/cpython/pull/146026#issuecomment-4418137974
CVE-2026-6019 wasn't merged upstream because the automatic backport
failed, and upstream didn't bother (very low severity); however, it turns
out that the automatic backport will pass after CVE-2026-3644 is applied,
so it's possible that it will also be backported upstream, cf.
https://github.com/python/cpython/pull/148848#issuecomment-4299364914
(and other comments below).
For this reason I believe it's OK to be a bit ahead of upstream for
these two CVE fixes. Note that they both come with unit tests.
[ Autopkgtest fix ]
The debdiff also contains a fix so that the autopkgtest succeeds again.
In short, autopkgtest has been failing for almost a year, since the
upload of expat/2.5.0-1+deb12u2. It makes it difficult to detect
regressions.
I have found a long discussion upstream on the matter, and from my
reading, upstream recommends that downstreams who patched expat skip the
failing tests. This is what I did here. I elaborated a bit more in the
message of the patch itself.
[ Other info ]
The debusine workflow looks good:
https://debusine.debian.net/debian/developers/work-request/688225/
I checked the failures in reverse autopkgtests and they are unrelated.
Git commits are available at:
https://salsa.debian.org/arnaudr/python3.11/-/tree/wip/deb12u8?ref_type=heads
IMPORTANT! The debdiff attached is relative to the version
3.11.2-6+deb12u7 that is already in bookworm-p-u.
Thanks,
Arnaud