-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4445-1 [email protected]
https://www.debian.org/lts/security/ Andrej Shadura
January 20, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u4
CVE ID : CVE-2022-37454 CVE-2025-4516 CVE-2025-6069 CVE-2025-6075
CVE-2025-8194 CVE-2025-8291 CVE-2025-12084 CVE-2025-13836
CVE-2025-13837
Multiple security issues have been fixed in CPython 3.9.
CVE-2022-37454
The Keccak XKCP SHA-3 implementation had an integer overflow
and a buffer overflow in the sponge function interface. This
allowed attackers to execute arbitrary code or eliminate expected
cryptographic properties.
CVE-2025-4516
Decoding with bytes.decode("unicode_escape", errors="ignore") or
errors="replace" could result in a crash.
CVE-2025-6069
The html.parser.HTMLParser class had worst-case quadratic complexity
when processing certain crafted malformed inputs, potentially leading
to amplified denial of service.
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled,
a performance degradation was possible when expanding environment
variables.
CVE-2025-8194
The tarfile module would process tar archives with negative
offsets without error, resulting in an infinite loop and deadlock
during the parsing of maliciously crafted tar archives.
CVE-2025-8291
The 'zipfile' module did not check the validity of the ZIP64 End
of Central Directory (EOCD) Locator record offset value, and that
offset was not used to locate the ZIP64 EOCD record; instead the
ZIP64 EOCD record was assumed to be the record immediately preceding
the locator. This could be abused to create ZIP archives that are
handled differently by the 'zipfile' module than by other ZIP
implementations.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm was quadratic. Availability could be impacted when building
excessively nested documents.
CVE-2025-13836
When reading an HTTP response from a server with no read amount
specified (for example HTTPResponse.read() with no argument), the
default behaviour was to read the whole body as declared by the
Content-Length header. This allowed a malicious server to cause the
client to read large amounts of data into memory, potentially causing
OOM or other DoS.
CVE-2025-13837
When loading a plist file, the plistlib module would read data in
sizes specified by the file itself, meaning that a malicious file
could cause OOM and DoS issues.
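As an added example (not part of this advisory or of CPython itself), the following shows the client-side bound that CVE-2025-13836 is about. A response is parsed by http.client.HTTPResponse from constructed bytes, so it runs offline; the _FakeSock and make_response helpers, the 1024-byte cap and the BodyTooLarge exception are assumptions of the example. read_bounded() rejects a body the server either declares or actually delivers beyond the caller's limit, instead of letting read() size itself from Content-Length.

```python
import io
import http.client

# Cap chosen for this example; a real client picks one per endpoint.
MAX_BODY = 1024


class BodyTooLarge(Exception):
    """Raised when a response body exceeds the caller's limit."""


class _FakeSock:
    """Stand-in for a socket: HTTPResponse only needs makefile('rb')."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def makefile(self, mode, *args, **kwargs):
        return io.BytesIO(self._raw)


def make_response(body: bytes, content_length=None) -> http.client.HTTPResponse:
    """Build a parsed HTTPResponse from constructed bytes (no network).

    content_length is what the *server* claims; it may be absent or a lie.
    """
    head = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    if content_length is not None:
        head += b"Content-Length: %d\r\n" % content_length
    else:
        head += b"Connection: close\r\n"
    resp = http.client.HTTPResponse(_FakeSock(head + b"\r\n" + body), method="GET")
    resp.begin()
    return resp


def read_bounded(resp, max_bytes: int = MAX_BODY, chunk: int = 4096) -> bytes:
    """Read a response body without trusting Content-Length for sizing.

    resp.read() with no amount sizes itself from the header (the
    CVE-2025-13836 problem). Here the caller's limit wins twice over:
    a declared length above the cap is rejected before any body read, and
    the bytes actually received are counted as well, since the header may
    be missing (Connection: close, chunked) or simply wrong.
    """
    declared = resp.getheader("Content-Length")
    try:
        declared_len = int(declared) if declared is not None else None
    except ValueError:
        declared_len = None  # unparsable header: fall back to counting bytes
    if declared_len is not None and declared_len > max_bytes:
        raise BodyTooLarge(f"server declares {declared_len} bytes, cap is {max_bytes}")

    buf = bytearray()
    while True:
        # Never ask for more than one byte past the cap: that single byte
        # is enough to prove the body is too large.
        piece = resp.read(min(chunk, max_bytes + 1 - len(buf)))
        if not piece:
            break
        buf += piece
        if len(buf) > max_bytes:
            raise BodyTooLarge(f"body exceeds {max_bytes} bytes")
    return bytes(buf)


def demo() -> dict:
    """Run the three cases a client must handle; returns what happened."""
    results = {}
    # 1. Honest small response: read normally.
    results["small"] = read_bounded(make_response(b"x" * 512, 512)) == b"x" * 512
    # 2. Server lies upward: header says 5 MB, only 4 KB ever arrive.
    try:
        read_bounded(make_response(b"y" * 4096, 5_000_000))
        results["declared_huge"] = "read"
    except BodyTooLarge:
        results["declared_huge"] = "rejected before read"
    # 3. No Content-Length at all: only the byte count can stop us.
    try:
        read_bounded(make_response(b"z" * 4096))
        results["unbounded_stream"] = "read"
    except BodyTooLarge:
        results["unbounded_stream"] = "rejected while reading"
    return results


if __name__ == "__main__":
    print(demo())
```

The cap belongs to the caller, not to the server's header: the header check only avoids a pointless allocation, and the per-chunk count is what actually holds when the header is absent or lies. The same pattern applies to any library that consumes untrusted size fields, which is also the shape of the plistlib issue above.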
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u4.
We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaW/TqAAKCRDoRGtKyMdy
YXEYAP0YL0zyKl1YBs8EVNwkk/X2euRMQF2qc1FXaw8LsCjqMAEA58u6rZ7yVjSY
fK7hKNEzJ0pAZYuoQhoLnXF8qO37iwU=
=bIL/
-----END PGP SIGNATURE-----