-------------------------------------------------------------------------
Debian LTS Advisory DLA-4583-1                [email protected]
https://www.debian.org/lts/security/                     Arnaud Rebillout
May 15, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python3.9
Version        : 3.9.2-1+deb11u7
CVE ID         : CVE-2025-13462 CVE-2026-0672 CVE-2026-2297 CVE-2026-3644
                 CVE-2026-4224 CVE-2026-4519
Debian Bug     : 

Multiple vulnerabilities were discovered in Python 3.9.

CVE-2025-13462

    The "tarfile" module would still apply normalization of AREGTYPE
    (\x00) blocks to DIRTYPE, even while processing a multi-block member
    such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a
    crafted tar archive being misinterpreted by the tarfile module
    compared to other implementations.

CVE-2026-0672

    When using http.cookies.Morsel, user-controlled cookie values and
    parameters could be used to inject HTTP headers into messages. The
    patch rejects all control characters within cookie names, values,
    and parameters.

CVE-2026-2297

    The CPython import hook that handles legacy *.pyc files
    (SourcelessFileLoader) is incorrectly handled in its base class
    FileLoader, and so does not use io.open_code() to read the .pyc
    files. The sys.audit handlers for the audit event that
    io.open_code() would raise therefore do not fire.

CVE-2026-3644

    The fix for CVE-2026-0672, which rejected control characters in
    http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator,
    and unpickling paths were not patched, allowing control characters to
    bypass input validation. Additionally, BaseCookie.js_output() lacked
    the output validation applied to BaseCookie.output().

CVE-2026-4224

    When an Expat parser with a registered ElementDeclHandler parses an
    inline document type definition containing a deeply nested content
    model, a C stack overflow occurs.

CVE-2026-4519

    The webbrowser.open() API would accept leading dashes in the URL,
    which certain web browsers could interpret as command-line options.
    The new behavior rejects leading dashes. Users are recommended to
    sanitize URLs before passing them to webbrowser.open().
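A defensive wrapper for the URL sanitization recommended above, added here as an example and not part of the advisory or of CPython itself. It mirrors the leading-dash rejection of the fix and goes further by also requiring an absolute http/https URL with a host and no control characters; that stricter policy is an assumption, not something the advisory prescribes.

```python
import re
import webbrowser
from urllib.parse import urlsplit

# Control characters and whitespace have no place in a URL handed to a browser.
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")


def check_browser_url(url: str) -> str:
    """Return url unchanged if it is acceptable for webbrowser.open().

    Raises ValueError otherwise. The leading-dash rule matches the
    CVE-2026-4519 fix; the scheme/host rules are an assumed local policy
    (only absolute http/https URLs are ever opened).
    """
    if not isinstance(url, str) or not url:
        raise ValueError("URL must be a non-empty string")
    if url.startswith("-"):
        # A leading dash could be parsed as a command-line option by the browser.
        raise ValueError("URL must not start with '-'")
    if _CTRL_RE.search(url):
        raise ValueError("URL contains control characters or whitespace")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return url


def is_safe_browser_url(url: str) -> bool:
    """Boolean form of check_browser_url() for filtering candidates."""
    try:
        check_browser_url(url)
        return True
    except ValueError:
        return False


def safe_open(url: str) -> bool:
    """Validate first; webbrowser.open() is never reached for rejected input."""
    return webbrowser.open(check_browser_url(url))


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable URL and several rejected ones.
    for candidate in ["https://www.debian.org/lts/security/",
                      "--new-window https://example.com",
                      "ftp://example.org/", "http://example.com/a b"]:
        print(f"{candidate!r}: {is_safe_browser_url(candidate)}")
```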

For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u7.

We recommend that you upgrade your python3.9 packages.

For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS