nltk (3.2.5-1ubuntu0.1+esm4) bionic-security; urgency=medium

  * SECURITY UPDATE: Path traversal via filestring() function
    - debian/patches/CVE-2026-0846.patch: Add sandbox enforcement for
      filestring() to prevent arbitrary file read in nltk/util.py. Add tests in
      nltk/test/test_filestring_sandbox.py.
    - CVE-2026-0846
  * SECURITY UPDATE: Path traversal via CorpusReader classes
    - debian/patches/CVE-2026-0847.patch: Validate file paths in CorpusReader
      in nltk/corpus/reader/api.py.
    - CVE-2026-0847
  * SECURITY UPDATE: Arbitrary code execution via StanfordSegmenter
    - debian/patches/CVE-2026-0848.patch: Add SHA256 validation to prevent
      malicious JAR execution in StanfordSegmenter in
      nltk/tokenize/stanford_segmenter.py.
    - CVE-2026-0848
  * SECURITY UPDATE: Reflected cross-site scripting in nltk.app.wordnet_app
    - debian/patches/CVE-2026-33230.patch: Fix XSS in wordnet_app lookup route
      in nltk/app/wordnet_app.py.
    - CVE-2026-33230
  * SECURITY UPDATE: Denial of service in nltk.app.wordnet_app
    - debian/patches/CVE-2026-33231.patch: Bind WordNet browser to localhost
      only to prevent unauthenticated access in nltk/app/wordnet_app.py.
    - CVE-2026-33231
  * SECURITY UPDATE: Path traversal in downloader via malicious XML index
    - debian/patches/CVE-2026-33236.patch: Validate file paths in
      nltk/downloader.py.
    - CVE-2026-33236

 -- Edwin Jiang <edwin.jiang@canonical.com>  Wed, 06 May 2026 16:18:49 -0400

nltk (3.2.5-1ubuntu0.1+esm3) bionic-security; urgency=medium

  * SECURITY UPDATE: Remote code execution using zipslip
    - debian/patches/CVE-2025-14009.patch: Add directory and symlink
      validation to avoid zipslip attacks in `_unzip_iter`
    - CVE-2025-14009

 -- Shishir Subedi <shishir.subedi@canonical.com>  Fri, 24 Apr 2026 13:03:56 +0545

nltk (3.2.5-1ubuntu0.1+esm2) bionic-security; urgency=medium

  * SECURITY UPDATE: Regular Expression Denial of Service
    - debian/patches/CVE-2021-3842.patch: Fix regular expressions to
      prevent ReDoS
    - debian/patches/CVE-2021-43854.patch: Fix regular expressions in
      PunktSentenceTokenizer to prevent ReDoS
    - CVE-2021-3842
    - CVE-2021-43854

 -- Bruce Cable <bruce.cable@canonical.com>  Wed, 19 Mar 2025 15:15:08 +1100

nltk (3.2.5-1ubuntu0.1+esm1) bionic-security; urgency=medium

  * SECURITY UPDATE: Fix regular expression denial of service in CorpusReader
    - debian/patches/CVE-2021-3828-1.patch: Fix ReDoS vulnerability
    - debian/patches/CVE-2021-3828-2.patch: Improve test case
    - CVE-2021-3828

 -- Spyros Seimenis <spyros.seimenis@canonical.com>  Mon, 10 Jan 2022 15:32:56 +0200

nltk (3.2.5-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Zip Slip directory traversal via a malicious NLTK package
    download
    - debian/patches/CVE-2019-14751.patch: use built-in implementation of unzip
    - CVE-2019-14751

 -- Mike Salvatore <mike.salvatore@canonical.com>  Thu, 08 Aug 2019 07:54:18 -0400

nltk (3.2.5-1) unstable; urgency=medium

  [ Andreas Tille ]
  * Remove invalid space at end of entry

  [ Gianfranco Costamagna ]
  * QA upload
  * Make fields in https mode
  * New upstream version 3.2.5
  * Bump std-version to 4.1.1

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Thu, 26 Oct 2017 08:55:50 +0200

nltk (3.2.4-1) unstable; urgency=medium

  * QA upload.
  * New upstream release (LP: #1687974).
  * Drop upstream patches.
  * Update copyright years
  * Drop explicit six dependency, now also oldstable has a newer
    version

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 19 Jun 2017 14:32:42 +0200

nltk (3.2.1-3) unstable; urgency=medium

  * Package is orphaned.
  [ Andreas Tille ]
  * Add publication data
  [ Daniel Stender ]
  * deb/control: put QA into Maintainer, drop Uploaders.

 -- Daniel Stender <stender@debian.org>  Mon, 19 Jun 2017 12:50:02 +0200

nltk (3.2.1-2) unstable; urgency=high

  * Team upload.
  * Fix previous upload, by tweaking "use-six-package.diff"
    to use system six package in another api place.
    Closes: #825923
    - thanks Raphaël Hertzog <hertzog@debian.org> for the useful report!

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 31 May 2016 14:44:50 +0200

nltk (3.2.1-1) unstable; urgency=medium

  * Team upload.
  * Fix watch file (now in https mode)
  * Bump std-version to 3.9.8, no changes required.
  * New upstream release, patch refresh.
  * Drop fix-sfs-address.diff: upstream
  * Update copyright years.
  * Fix insecure VCS fields.
  * Remove source/local-options file

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 17 May 2016 10:39:07 +0200

nltk (3.1-1) unstable; urgency=medium

  * New upstream release.
  * Don't use nltk/six.py but python-six:
    + added use-six-package.diff.
    + strip out nltk/six.py via Files-Excluded in deb/copyright.
  * deb/control: bumped X-Python-Version to 2.7.
  * Added deb/README.Debian with info where to find a list of changes
    (use override for dh_installdocs in deb/rules to contribute it
    into both binaries).

 -- Daniel Stender <debian@danielstender.com>  Sat, 24 Oct 2015 19:35:19 +0200

nltk (3.0.5-1) unstable; urgency=medium

  * New upstream release.
  * deb/control: added six to Depends.
  * deb/rules: removed override for dh_installdocs (README.txt dropped).
  * added deb/source/options.

 -- Daniel Stender <debian@danielstender.com>  Thu, 10 Sep 2015 14:17:05 +0200

nltk (3.0.4-1) unstable; urgency=medium

  * New upstream release.

 -- Daniel Stender <debian@danielstender.com>  Wed, 15 Jul 2015 23:25:30 +0200

nltk (3.0.3-1) unstable; urgency=medium

  * New upstream release.

 -- Daniel Stender <debian@danielstender.com>  Mon, 15 Jun 2015 06:35:37 +0200

nltk (3.0.2-1) unstable; urgency=medium

  * New upstream release.
  * deb/control: added Tkinter to Recommends.
  * deb/copyright: expanded copyright spans.
  * deb/rules: added override for auto_install with fix of incorrect
    permission in nltk/test/.
  * deb/watch: watch pypi.debian.net.
  * Added deb/source/local-options.

 -- Daniel Stender <debian@danielstender.com>  Mon, 27 Apr 2015 09:24:39 +0200

nltk (3.0.0-1) unstable; urgency=medium

  * Initial release (Closes: #279422, LP: #1155282).

 -- Daniel Stender <debian@danielstender.com>  Sat, 11 Oct 2014 00:31:27 +0200
