[ Reason ]
This upload fixes two issues:
1. CVE-2025-69534: parser crash on malformed <![ sequences. There are two
patches for this bug: bogus_comments.diff (backported from 3.5.2, pre-CVE)
and incomplete_markup_declaration.diff (backported from 3.8.1).
2. Bug #1137043: Fix for test failures with python3.11 >= 3.11.2-6+deb12u7,
where some changes were made to html.parser to address CVE-2025-6069, which
broke Python-Markdown because it heavily relies on html.parser internals.
[ Impact ]
CVE-2025-69534 enables remote, unauthenticated Denial of Service in web
applications, documentation systems, CI/CD pipelines, and any service that
renders untrusted Markdown.
[ Tests ]
All changes are covered by automated tests, which are run during build.
[ Risks ]
The changes have been part of upstream Python-Markdown for a while and are
well covered by tests, so they should be safe.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Backport upstream fixes for parsing bogus HTML markup (CVE-2025-69534).
* Adapt to changes in the html.parser module in the new Python, backported
to Bookworm as part of CVE fixes (closes: #1137043).
There are also branch changes in debian/gbp.conf and debian/gitlab-ci.yml,
which are needed for the CI, but those files do not affect the built package
in any way.
[ Other info ]
See also #1137180: a similar upload to Trixie.
See also #1131896: discussion about whether CVE-2025-69534 needs to be
addressed in Python 3.11 itself, not in Python-Markdown. In case that happens
at some point, Python-Markdown should not break. I am not waiting for a fix
in Python and am including a workaround in Python-Markdown itself, since it is
needed for the #1137043 patch to apply cleanly anyway.