-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4532-1 [email protected]
https://www.debian.org/lts/security/ Arnaud Rebillout
April 15, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u6
CVE ID : CVE-2025-15366 CVE-2025-15367 CVE-2026-6100
Debian Bug :
It was found that the patches for CVE-2025-15366 and CVE-2025-15367
break backward compatibility, and upstream decided not to backport those
patches to older Python releases. Therefore those 2 patches, applied in
the previous version (python3.9 3.9.2-1+deb11u5), have been reverted.
Additionally, the following CVE has been fixed:
CVE-2026-6100
A use-after-free (UAF) was possible in `lzma.LZMADecompressor` and
`bz2.BZ2Decompressor` when a memory allocation fails with a
`MemoryError` and the decompressor instance is then re-used. This
scenario can be triggered if the process is under memory pressure.
The vulnerability is only present if the program re-uses
decompressor instances across multiple decompression calls even
after a `MemoryError` has been raised during decompression. The
one-shot helper functions such as `lzma.decompress()` and
`bz2.decompress()` are not affected, as they create a new
decompressor instance per call. Likewise, if a decompressor instance
is not re-used after an error condition, that usage is not
vulnerable.
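The usage pattern the advisory describes as safe, as an added example that is not part of the advisory or of the python3.9 package: each stream is decompressed with a decompressor instance created inside one function and never reused after it raises, and a MemoryError is handled by restarting from the first chunk with a fresh instance rather than feeding the old one again. The sample payload, the chunk size and the FlakyFactory/_FailOnce fault injector are constructed here for illustration; they do not reproduce the allocation failure itself.

```python
"""Streaming decompression that never re-uses an instance after MemoryError."""
import bz2
import lzma

# Constructed sample payload; not taken from the advisory.
PLAINTEXT = b"Debian LTS sample payload. " * 400
SAMPLES = {
    "lzma": (lzma.compress(PLAINTEXT), lzma.LZMADecompressor),
    "bz2": (bz2.compress(PLAINTEXT), bz2.BZ2Decompressor),
}


def chunks(data, size=64):
    """Split data into pieces, as a socket or file read would deliver it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def decompress_chunks(pieces, factory):
    """Decompress pieces with ONE instance that is created here and never escapes.

    If decompress() raises (MemoryError included) the instance dies with this
    frame, so no later call can feed data into its inconsistent state. That is
    the "not re-used after an error condition" usage the advisory calls safe.
    """
    d = factory()
    out = bytearray()
    for piece in pieces:
        out += d.decompress(piece)
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def decompress_with_retry(pieces, factory, attempts=3):
    """Retry a MemoryError by restarting from the first chunk with a NEW instance.

    Resuming the old instance is exactly the pattern the advisory warns about;
    restarting from scratch is safe because the partial output and the failed
    decompressor are both discarded together.
    """
    last = None
    for _ in range(attempts):
        try:
            return decompress_chunks(pieces, factory)
        except MemoryError as exc:
            last = exc
    raise last


class FlakyFactory:
    """Hypothetical fault injector (assumption, for testing only): the first
    `failures` instances it hands out raise MemoryError on their first
    decompress() call, mimicking an allocation failure under memory pressure."""

    def __init__(self, real_factory, failures=1):
        self.real_factory = real_factory
        self.failures = failures
        self.created = 0

    def __call__(self):
        self.created += 1
        real = self.real_factory()
        return _FailOnce(real) if self.created <= self.failures else real


class _FailOnce:
    """Wrapper (assumption) that fails its first decompress() call, then delegates."""

    def __init__(self, real):
        self._real = real
        self._failed = False

    def decompress(self, data, max_length=-1):
        if not self._failed:
            self._failed = True
            raise MemoryError("simulated allocation failure")
        return self._real.decompress(data, max_length)

    @property
    def eof(self):
        return self._real.eof


if __name__ == "__main__":
    for name, (blob, factory) in SAMPLES.items():
        assert decompress_chunks(chunks(blob), factory) == PLAINTEXT
        # One-shot helpers are unaffected: a new instance is created per call.
        assert (lzma.decompress if name == "lzma" else bz2.decompress)(blob) == PLAINTEXT
    flaky = FlakyFactory(lzma.LZMADecompressor, failures=2)
    assert decompress_with_retry(chunks(SAMPLES["lzma"][0]), flaky) == PLAINTEXT
    print("ok: instances created =", flaky.created)
```

The important property is structural rather than in any single call: the decompressor is a local of `decompress_chunks`, so after an exception nothing in the program can call `decompress()` on it again. Code that keeps a long-lived `LZMADecompressor` or `BZ2Decompressor` attribute on an object and loops over it is the shape to look for when auditing for this issue; replace the attribute with a fresh instance after any error, or drop it entirely as above.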
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u6.
We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
=JWSa
-----END PGP SIGNATURE-----