Tuxcare Errata System 0.0.1 5.10 2026-06-11T10:37:56 Debian 12 * SECURITY UPDATE: DOS, buffer overflow in SHA3, Possible Bypass Blocklisting Redirection vulnerability in http.server, regex DOS, Quadratic complexity, pathname quoting for venv - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py (LP: #1995197). - debian/patches/CVE-2022-45061.patch: fix quadratic time idna decoding in Lib/encodings/idna.py, Lib/test/test_codecs.py. - debian/patches/CVE-2023-24329.patch: enforce that a scheme must begin with an alphabetical ASCII character in Lib/urllib/parse.py, Lib/test/test_urlparse.py. start stripping C0 control and space chars in `urlsplit` - debian/patches/CVE-2021-28861.patch: Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` - debian/patches/CVE-2024-6232.patch: Fix header parsing vulnerability that could lead to ReDoS - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in parsing "-quoted cookie values with backslashes - debian/patches/CVE-2024-9287.patch: Quote template strings in `venv` activation - CVE-2022-37454 - CVE-2022-45061 - CVE-2023-24329 - CVE-2021-28861 - CVE-2024-6232 - CVE-2024-7592 - CVE-2024-9287 Critical TuxCare License Agreement CVE-2019-17514 CVE-2022-45061 CVE-2024-9287 CVE-2023-24329 CVE-2024-7592 CVE-2022-37454 CVE-2024-6232 CVE-2021-28861 Debian 12 * SECURITY UPDATE: zip bomb vulnerability in Lib/zipfile.py - debian/patches/CVE-2019-9674.patch: add pitfalls to zipfile module documentation - CVE-2019-9674 * SECURITY UPDATE: Infinite loop - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py. - CVE-2019-20907 Important TuxCare License Agreement CVE-2019-9674 Debian 12 * SECURITY UPDATE: DoS in case of malicious XML entity declarations - debian/patches/CVE-2022-48565.patch: reject XML entity declarations in plist files - CVE-2022-48565 * SECURITY UPDATE: Bypassing blocklisting methods by supplying a URL that starts with blank characters - debian/patches/CVE-2023-24329.patch, debian/patches/CVE-2023-24329-2.patch: prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character - CVE-2023-24329 * SECURITY UPDATE: ReDoS via specifically-crafted tar archives - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing tarfile - CVE-2024-6232 * SECURITY UPDATE: Excessive CPU usage while parsing a cookie value - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in parsing double-quoted cookie values with backslashes - CVE-2024-7592 * SECURITY UPDATE: CPU DoS by crafting inputs to the IDNA decoder - debian/patches/CVE-2022-45061.patch: fix quadratic time idna decoding - CVE-2022-45061 * SECURITY UPDATE: Use-after-free via heappushpop in heapq - debian/patches/CVE-2022-48560.patch: fix posible crash in heapq with custom comparison operators - debian/patches/CVE-2022-48560-2.patch: add tests for CVE-2022-48560 - CVE-2022-48560 * SECURITY UPDATE: DoS by HTTP client infinite line reading from malicious server after a 100 Continue response - debian/patches/CVE-2021-3737.patch: stop reading a header if it's too long - CVE-2021-3737 * SECURITY UPDATE: A flaw in the urllib.parse module - debian/patches/CVE-2022-0391.patch: make urlparse sanitize URLs containing ASCII newline and tabs - CVE-2022-0391 Critical TuxCare License Agreement CVE-2022-0391 CVE-2019-20907 CVE-2021-3737 CVE-2024-7592 CVE-2024-6232 CVE-2022-48565 CVE-2022-45061 CVE-2023-24329 CVE-2022-48560 Debian 12 * SECURITY UPDATE: DoS in regular expression because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking - debian/patches/CVE-2020-8492.patch: fix DoS in the urllib regexp - CVE-2020-8492 * SECURITY UPDATE: a header injection vulnerability for http methods in the httplib - debian/patches/CVE-2020-26116.patch: prevent header injection in http methods in httplib - CVE-2020-26116 Important TuxCare License Agreement CVE-2020-26116 CVE-2020-8492 Debian 12 * SECURITY UPDATE: Web cache poisoning vulnerability - debian/patches/CVE-2021-23336.patch: fix web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs - CVE-2021-23336 * SECURITY UPDATE: Regular expression denial of service - debian/patches/CVE-2021-3733.patch: fix flaw in urllib’s AbstractBasicAuthHandler that could lead to a denial of service by leveraging a regular expression - CVE-2021-3733 * SECURITY UPDATE: Constant-time-defeating optimisations issue - debian/patches/CVE-2022-48566.patch: make compare_digest more constant-time - CVE-2022-48566 * SECURITY UPDATE: Incorrect parsing of email addresses containing special characters - debian/patches/CVE-2023-27043.patch: Fix email address parsing errors by adding optional 'strict' parameter to getaddresses() and parseaddr() functions - CVE-2023-27043 * SECURITY UPDATE: TLS handshake bypass - debian/patches/CVE-2023-40217.patch: Check for & avoid the ssl pre-close flaw. Update SSL tests - CVE-2023-40217 Moderate TuxCare License Agreement CVE-2023-40217 CVE-2021-23336 CVE-2023-27043 CVE-2022-48566 CVE-2021-3733 Debian 12 * SECURITY UPDATE: Traversing outside chmod directory - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filters directory members before chmod/chown - CVE-2024-12718 * SECURITY UPDATE: Symlink exfiltration - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: properly handles different link semantics - CVE-2025-4138 * SECURITY UPDATE: Hardlink Fallback Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filter the source if hardlink extraction falls back to copying - CVE-2025-4330 * SECURITY UPDATE: Errorlevel=0 Extracts Rejected Members - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: account errorlevel - CVE-2025-4435 * SECURITY UPDATE: PATH_MAX Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: prevents PATH_MAX overflow attacks - CVE-2025-4517 * TEST UPDATE: Incorrect encoding leading to an unexpected exception in test_tarfile.py - debian/patch/fix_test_tarfile-enconding.patch: fix encoding Important TuxCare License Agreement CVE-2025-4138 CVE-2025-4517 CVE-2025-4435 CVE-2025-4330 CVE-2024-12718 Debian 12 * SECURITY UPDATE: Command injection vulnerability in venv module activation scripts when virtual environment paths contain special shell characters - debian/patches/CVE-2024-9287.patch: Properly quote template strings in venv activation scripts Important TuxCare License Agreement CVE-2024-9287 Debian 12 * SECURITY UPDATE: ReDoS in tarfile module when parsing specially crafted tar archive headers - debian/patches/CVE-2024-6232.patch: Remove backtracking from tarfile header parsing * SECURITY UPDATE: DoS due to quadratic time complexity in http.cookies module when parsing quoted cookie values with backslashes - debian/patches/CVE-2024-7592.patch: Replace iterative regex search with single-pass substitution to eliminate quadratic complexity * SECURITY UPDATE: Command injection vulnerability in venv module activation scripts when virtual environment paths contain special shell characters - debian/patches/CVE-2024-9287.patch: Properly quote template strings in venv activation scripts Important TuxCare License Agreement CVE-2024-7592 CVE-2024-6232 CVE-2024-9287 Debian 12 * SECURITY UPDATE: Ability to modify permissions with privileged programs - debian/patches/CVE-2023-6597: prevent tempfile.TemporaryDirectory class dereference symlinks - CVE-2023-6597 Important TuxCare License Agreement CVE-2023-6597 Debian 12 * SECURITY UPDATE: Ability to modify permissions with privileged programs - debian/patches/CVE-2023-6597.patch: prevent tempfile.TemporaryDirectory class dereference symlinks - CVE-2023-6597 Important TuxCare License Agreement CVE-2023-6597 Debian 12 * SECURITY UPDATE: Bypass of domain e-mail-based protection mechanism by incorrect parsing of e-mail addresses that contain a special character - debian/patches/CVE-2023-27043.patch: reject malformed addresses in email.parseaddr() - CVE-2023-27043 * SECURITY UPDATE: Bypass of the TLS handshake and included protections - debian/patches/CVE-2023-40217.patch: check for & avoid the ssl pre-close flaw - CVE-2023-40217 Moderate TuxCare License Agreement CVE-2023-40217 CVE-2023-27043 Debian 12 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Moderate TuxCare License Agreement CVE-2025-12084 Debian 12 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Moderate TuxCare License Agreement CVE-2025-12084 Debian 12 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 * SECURITY UPDATE: Overwriting of arbitrary files by remote attackers - debian/patches/CVE-2007-4559.patch: implement PEP 706 - a filter in the tarfile module to prevent directory traversal vulnerability - CVE-2007-4559 Moderate TuxCare License Agreement CVE-2007-4559 CVE-2025-12084 Debian 12 * SECURITY UPDATE: Potential denial of service in http.client - debian/patches/CVE-2025-13836.patch: Read large data by chunks instead of allocating memory based on Content-Length - CVE-2025-13836 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: Remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Critical TuxCare License Agreement CVE-2025-13836 CVE-2025-12084 Debian 12 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 12 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 12 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 12 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 12 * SECURITY UPDATE: Shell command injection in mailcap module - debian/patches/CVE-2015-20107.patch: sanitize the second argument which allowing shell commands injection - CVE-2015-20107 Important TuxCare License Agreement CVE-2015-20107 Debian 12 * SECURITY UPDATE: Traversing outside chmod directory - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filters directory members before chmod/chown - CVE-2024-12718 * SECURITY UPDATE: Symlink exfiltration - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: properly handles different link semantics - CVE-2025-4138 * SECURITY UPDATE: Hardlink Fallback Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filter the source if hardlink extraction falls back to copying - CVE-2025-4330 * SECURITY UPDATE: Errorlevel=0 Extracts Rejected Members - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: account errorlevel - CVE-2025-4435 * SECURITY UPDATE: PATH_MAX Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: prevents PATH_MAX overflow attacks - CVE-2025-4517 Important TuxCare License Agreement CVE-2025-4435 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4517 Debian 12 * SECURITY UPDATE: Traversing outside chmod directory - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filters directory members before chmod/chown - CVE-2024-12718 * SECURITY UPDATE: Symlink exfiltration - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: properly handles different link semantics - CVE-2025-4138 * SECURITY UPDATE: Hardlink Fallback Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filter the source if hardlink extraction falls back to copying - CVE-2025-4330 * SECURITY UPDATE: Errorlevel=0 Extracts Rejected Members - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: account errorlevel - CVE-2025-4435 * SECURITY UPDATE: PATH_MAX Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: prevents PATH_MAX overflow attacks - CVE-2025-4517 Important TuxCare License Agreement CVE-2025-4435 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4517 Debian 12 * SECURITY UPDATE: Shell command injection in the mailcap module - debian/patches/CVE-2015-20107.patch: sanitize the second argument which allowing shell command injection - CVE-2015-20107 Important TuxCare License Agreement CVE-2015-20107 Debian 12 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Moderate TuxCare License Agreement CVE-2025-12084 Debian 12 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 12 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 12 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 12 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 12 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 12 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 12 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 12 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 12 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 12 * SECURITY UPDATE: quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: replace character-by-character loop with regex-based substitution to fix quadratic complexity - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 12 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 12 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 12 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 12 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 12 * SECURITY UPDATE: webbrowser.open() allows command-line option injection via URLs with leading dashes - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 12 * SECURITY UPDATE: command-line option injection in webbrowser.open() - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 12 * SECURITY UPDATE: command-line option injection in webbrowser.open() - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 12 * SECURITY UPDATE: webbrowser.open() accepts leading dashes in URLs which could be interpreted as command-line options by web browsers - debian/patches/CVE-2026-4519.patch: reject URLs starting with dashes in BaseBrowser._check_url() before passing to subprocess - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 12 * SECURITY UPDATE: Command-line option injection in webbrowser.open() - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 12 * SECURITY UPDATE: use-after-free in lzma/bz2/gzip decompressors - debian/patches/CVE-2026-6100.patch: null next_in at the error: label of decompress() in Modules/_bz2module.c and Modules/_lzmamodule.c so the decompressor cannot be re-used with a stale buffer pointer after a MemoryError. - CVE-2026-6100 Critical TuxCare License Agreement CVE-2026-6100 Debian 12 * SECURITY UPDATE: use-after-free in lzma/bz2/gzip decompressors - debian/patches/CVE-2026-6100.patch: null next_in at the error: label of decompress() in Modules/_bz2module.c and Modules/_lzmamodule.c so the decompressor cannot be re-used with a stale buffer pointer after a MemoryError. - CVE-2026-6100 Critical TuxCare License Agreement CVE-2026-6100 Debian 12 * SECURITY UPDATE: zipfile quoted-overlap zip bomb - debian/patches/CVE-2024-0450.patch: raise BadZipFile when an archive entry overlaps with another entry or the central directory, preventing quoted-overlap zip bombs with extreme compression ratios. - CVE-2024-0450 * SECURITY UPDATE: use-after-free in lzma/bz2 decompressors - debian/patches/CVE-2026-6100.patch: null next_in at the error: label of decompress() in Modules/_bz2module.c and Modules/_lzmamodule.c so the decompressor cannot be re-used with a stale buffer pointer after a MemoryError. - CVE-2026-6100 Critical TuxCare License Agreement CVE-2026-6100 CVE-2024-0450 Debian 12 * SECURITY UPDATE: zipfile quoted-overlap zip bomb - debian/patches/CVE-2024-0450.patch: raise BadZipFile when an archive entry overlaps with another entry or the central directory, preventing quoted-overlap zip bombs with extreme compression ratios. - CVE-2024-0450 * SECURITY UPDATE: use-after-free in lzma/bz2 decompressors - debian/patches/CVE-2026-6100.patch: null next_in at the error: label of decompress() in Modules/_bz2module.c and Modules/_lzmamodule.c so the decompressor cannot be re-used with a stale buffer pointer after a MemoryError. - CVE-2026-6100 Critical TuxCare License Agreement CVE-2026-6100 CVE-2024-0450 Debian 12 * SECURITY UPDATE: use-after-free in BZ2Decompressor when MemoryError is raised in the C-level decompress() helper - debian/patches/CVE-2026-6100.patch: defensively null bzs->next_in on the error: path of BZ2Decomp_decompress in Modules/bz2module.c. - CVE-2026-6100 Critical TuxCare License Agreement CVE-2026-6100 CVE-2020-27619 CVE-2024-0450 CVE-2021-3177 CVE-2021-4189 Debian 12 * SECURITY UPDATE: header injection via newline in email.Generator - debian/patches/CVE-2026-1299.patch: add HeaderWriteError exception to Lib/email/errors.py, add NEWLINE_WITHOUT_FWSP regex to Lib/email/generator.py and check the header *value* in all four branches of Generator._write_headers(), raising HeaderWriteError when a CR/LF without folding whitespace is found. Updates test_embedded_header_via_string_rejected to expect HeaderWriteError instead of HeaderParseError. In Python 2.7 this single Generator-class hardening covers both upstream CVE-2026-1299 (BytesGenerator) and CVE-2024-6923 because BytesGenerator does not exist in 2.7. - CVE-2026-1299 * SECURITY UPDATE: missing header-name newline check in email.Generator - debian/patches/CVE-2024-6923.patch: add NEWLINE_WITHOUT_FWSP check on the header *name* at the top of Generator._write_headers() in Lib/email/generator.py, raising HeaderWriteError when a CR/LF without folding whitespace is found in the header name. Documents HeaderWriteError in Doc/library/email.errors.rst and adds a test_invalid_header_format regression test in Lib/email/test/test_email_renamed.py. - CVE-2024-6923 * SECURITY UPDATE: ssl.SSLContext data race in cert_store_stats / get_ca_certs - debian/patches/CVE-2024-0397.patch: backport of upstream 3.8 commit 29c97287d2 ("[3.8] gh-114572: Fix locking in cert_store_stats and get_ca_certs"). Adds a polyfill of OpenSSL 3.3's X509_STORE_get1_objects() (deep-copy under X509_STORE_lock()) and replaces the shared, unlocked X509_STORE_get0_objects() calls in cert_store_stats() and get_ca_certs() in Modules/_ssl.c, preventing a memory race and potential use-after-free when an SSLContext is shared across multiple threads. - CVE-2024-0397 * SECURITY UPDATE: open redirect in BaseHTTPServer when path starts with // - debian/patches/CVE-2021-28861.patch: backport of upstream commit 4abab6b603 ("gh-87389: Fix an open redirection vulnerability in http.server"). In Lib/BaseHTTPServer.py, after the request line is parsed, collapse any leading run of '/' characters to a single '/' so an attacker-controlled '//evil.example/...' path cannot become an absolute scheme-less URI in a 301 Location header. Adds a regression test in Lib/test/test_httpservers.py. - CVE-2021-28861 Important TuxCare License Agreement CVE-2024-6923 CVE-2021-28861 CVE-2024-0397 CVE-2026-1299 Debian 12 * SECURITY UPDATE: email BytesGenerator header injection - debian/patches/CVE-2026-1299.patch: combined backport of gh-121650 (CVE-2024-6923) and gh-144125 (CVE-2026-1299) that adds email.errors.HeaderWriteError, the policy.verify_generated_headers attribute, and the verify-on-write check for both Generator and BytesGenerator, preventing CRLF/LF header injection through custom fold(). - CVE-2026-1299 * SECURITY UPDATE: ssl.SSLContext memory race in cert_store_stats / get_ca_certs - debian/patches/CVE-2024-0397.patch: backport the X509_STORE_get1_objects shim and the x509_object_dup helper from cpython 3.8.20 (29c97287d2). The two affected impl functions in Modules/_ssl.c (cert_store_stats / get_ca_certs) now take a deep-copy snapshot of the X509_STORE under X509_STORE_lock(), preventing the use-after-free that occurred when certificates were loaded concurrently from another thread. - CVE-2024-0397 * SECURITY UPDATE: ipaddress is_private/is_global misclassification - debian/patches/CVE-2024-4032.patch: backport cpython 3.8.20 fix 895f7e2ac2 (gh-113171). Adds the _IPv4Constants._private_networks_exceptions list (192.0.0.9/32, 192.0.0.10/32) and the IPv6 equivalents (2001:1::1/128, 2001:1::2/128, 2001:3::/32, 2001:4:112::/48, 2001:20::/28, 2001:30::/28). Expands 192.0.0.0/29 to /24, adds 64:ff9b:1::/48 and 2002::/16 to the IPv6 _private_networks list, and updates is_private to filter against the exceptions list and use ipv4_mapped semantics on IPv6. - CVE-2024-4032 Important TuxCare License Agreement CVE-2024-4032 CVE-2024-0397 CVE-2026-1299 Debian 12 * SECURITY UPDATE: email BytesGenerator header injection - debian/patches/CVE-2026-1299.patch: verify generated headers in email.generator.BytesGenerator and Generator. Adds the HeaderWriteError exception, NEWLINE_WITHOUT_FWSP / NEWLINE_WITHOUT_FWSP_BYTES regexes, and the Policy.verify_generated_headers attribute, then raises HeaderWriteError when the folded header does not end with the policy linesep or contains a stray newline. Includes the CVE-2024-6923 prerequisite hardening of the string Generator. - CVE-2026-1299 * SECURITY UPDATE: ssl.SSLContext memory race in cert_store_stats / get_ca_certs - debian/patches/CVE-2024-0397.patch: backport the upstream X509_STORE_get1_objects shim and the x509_object_dup helper from cpython 29c97287d205bf2f410f4895ebce3f43b5160524, then switch _ssl__SSLContext_cert_store_stats_impl and _ssl__SSLContext_get_ca_certs_impl to take a deep-copy snapshot of the X509_STORE under lock, freeing the snapshot before returning. Closes a use-after-free triggered by loading certificates concurrently from another thread. - CVE-2024-0397 * SECURITY UPDATE: ipaddress is_private / is_global misclassification - debian/patches/CVE-2024-4032.patch: backport upstream gh-113171 / gh-65056. Update Lib/ipaddress.py to align the _private_networks lists with the IANA special-purpose registries and add _private_networks_exceptions so that is_private / is_global no longer misclassify addresses in 192.0.0.0/24 (with 192.0.0.9 and 192.0.0.10 exceptions), 64:ff9b:1::/48, 2002::/16, and the 2001::/23 sub-range exceptions (2001:1::1, 2001:1::2, 2001:3::/32, 2001:4:112::/48, 2001:20::/28, 2001:30::/28). Includes the matching docs and test updates. - CVE-2024-4032 Important TuxCare License Agreement CVE-2024-4032 CVE-2024-0397 CVE-2026-1299 Debian 12 * SECURITY UPDATE: email.BytesGenerator did not quote newlines in serialized headers, allowing header injection when a custom header class (e.g. LiteralHeader) bypasses the email folding rules. This is a bypass of CVE-2024-6923, which only added the validation to the text Generator class. - debian/patches/CVE-2026-1299.patch: mirror the verify_generated_headers / NEWLINE_WITHOUT_FWSP check from Generator._write_headers into BytesGenerator._write_headers in Lib/email/generator.py, raising HeaderWriteError on unsafely folded or delimited headers; extend test_email tests to cover message.as_bytes(). - CVE-2026-1299 Important TuxCare License Agreement CVE-2026-1299 Debian 12 * SECURITY UPDATE: email.generator.BytesGenerator does not validate folded headers, allowing header injection via crafted Header subclasses - debian/patches/CVE-2026-1299.patch: extend verify_generated_headers check to BytesGenerator._write_headers() in Lib/email/generator.py so unsafely folded or delimited headers raise HeaderWriteError on as_bytes() too. Adds matching test coverage in Lib/test/test_email/test_generator.py and test_policy.py. - CVE-2026-1299 Important TuxCare License Agreement CVE-2026-1299 Debian 12 * SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446 Moderate TuxCare License Agreement CVE-2026-3446 Debian 12 * SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter tracks them so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `done:` label is removed. - CVE-2026-3446 Moderate TuxCare License Agreement CVE-2026-3446 Debian 12 * SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446 Moderate TuxCare License Agreement CVE-2026-3446 Debian 12 * SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64 no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446 Moderate TuxCare License Agreement CVE-2026-3446 Debian 12 * SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446 Moderate TuxCare License Agreement CVE-2026-3446 Debian 12 * SECURITY UPDATE: urllib.request.DataHandler accepted data: URLs whose mediatype contained control characters, allowing newline-based HTTP header injection downstream. - debian/patches/CVE-2025-15282.patch: backport of cpython f25509e78e (gh-143925, Seth Larson). Adds a [\\x00-\\x1F\\x7F] regex check in data_open() and a matching test_invalid_mediatype. - CVE-2025-15282 * SECURITY UPDATE: http.cookies.Morsel did not reject control characters in keys / values / coded_value, allowing cookie injection via __setitem__, setdefault, set, and BaseCookie.output. - debian/patches/CVE-2026-0672.patch: backport of cpython 95746b3a13 (gh-143919, Seth Larson). Adds _has_control_character helper and inserts validation in __setitem__, setdefault, set, plus a wrap of BaseCookie.OutputString / output. - CVE-2026-0672 * SECURITY UPDATE: the CVE-2026-0672 fix was incomplete; control characters could still bypass via Morsel.update(), |=, __setstate__ (pickle), and BaseCookie.js_output(). - debian/patches/CVE-2026-3644.patch: backport of cpython 57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds validation to Morsel.update(), defines explicit Morsel.__ior__ (was inherited from dict and bypassed validation), validates __setstate__ before assigning attributes, and re-validates the assembled output string in js_output(). - CVE-2026-3644 * SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. - debian/patches/CVE-2026-4224.patch: backport of cpython eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall so deep nesting raises RecursionError instead of crashing. - CVE-2026-4224 Moderate TuxCare License Agreement CVE-2025-15282 CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 Debian 12 * SECURITY UPDATE: urllib.request.DataHandler accepted data: URLs whose mediatype contained control characters, allowing newline-based HTTP header injection downstream. - debian/patches/CVE-2025-15282.patch: backport of cpython f25509e78e (gh-143925, Seth Larson). Adds a [\\x00-\\x1F\\x7F] regex check in data_open() and a matching test_invalid_mediatype. - CVE-2025-15282 * SECURITY UPDATE: http.cookies.Morsel did not reject control characters in keys / values / coded_value, allowing cookie injection via __setitem__, setdefault, set, and BaseCookie.output. - debian/patches/CVE-2026-0672.patch: backport of cpython 95746b3a13 (gh-143919, Seth Larson). Adds _has_control_character helper and inserts validation in __setitem__, setdefault, set, plus a wrap of BaseCookie.OutputString / output. - CVE-2026-0672 * SECURITY UPDATE: the CVE-2026-0672 fix was incomplete; control characters could still bypass via Morsel.update(), |=, __setstate__ (pickle), and BaseCookie.js_output(). - debian/patches/CVE-2026-3644.patch: backport of cpython 57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds validation to Morsel.update(), defines explicit Morsel.__ior__ (was inherited from dict and bypassed validation), validates __setstate__ before assigning attributes, and re-validates the assembled output string in js_output(). - CVE-2026-3644 * SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. - debian/patches/CVE-2026-4224.patch: backport of cpython eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall so deep nesting raises RecursionError instead of crashing. - CVE-2026-4224 Moderate TuxCare License Agreement CVE-2025-15282 CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 Debian 12 * SECURITY UPDATE: urllib.request.DataHandler accepted data: URLs whose mediatype contained control characters, allowing newline-based HTTP header injection downstream. - debian/patches/CVE-2025-15282.patch: backport of cpython f25509e78e (gh-143925, Seth Larson). Adds a [\\x00-\\x1F\\x7F] regex check in data_open() and a matching test_invalid_mediatype. - CVE-2025-15282 * SECURITY UPDATE: http.cookies.Morsel did not reject control characters in keys / values / coded_value, allowing cookie injection via __setitem__, setdefault, set, and BaseCookie.output. - debian/patches/CVE-2026-0672.patch: backport of cpython 95746b3a13 (gh-143919, Seth Larson). Adds _has_control_character helper and inserts validation in __setitem__, setdefault, set, plus a wrap of BaseCookie.OutputString / output. - CVE-2026-0672 * SECURITY UPDATE: the CVE-2026-0672 fix was incomplete; control characters could still bypass via Morsel.update(), |=, __setstate__ (pickle), and BaseCookie.js_output(). - debian/patches/CVE-2026-3644.patch: backport of cpython 57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds validation to Morsel.update(), defines explicit Morsel.__ior__ (was inherited from dict and bypassed validation), validates __setstate__ before assigning attributes, and re-validates the assembled output string in js_output(). - CVE-2026-3644 * SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. - debian/patches/CVE-2026-4224.patch: backport of cpython eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall so deep nesting raises RecursionError instead of crashing. - CVE-2026-4224 Moderate TuxCare License Agreement CVE-2025-15282 CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 Debian 12 * SECURITY UPDATE: urllib.request.DataHandler accepted data: URLs whose mediatype contained control characters, allowing newline-based HTTP header injection downstream. - debian/patches/CVE-2025-15282.patch: backport of cpython f25509e78e (gh-143925, Seth Larson). Adds a [\\x00-\\x1F\\x7F] regex check in data_open() and a matching test_invalid_mediatype. - CVE-2025-15282 * SECURITY UPDATE: http.cookies.Morsel did not reject control characters in keys / values / coded_value, allowing cookie injection via __setitem__, setdefault, set, and BaseCookie.output. - debian/patches/CVE-2026-0672.patch: backport of cpython 95746b3a13 (gh-143919, Seth Larson). Adds _has_control_character helper and inserts validation in __setitem__, setdefault, set, plus a wrap of BaseCookie.OutputString / output. - CVE-2026-0672 * SECURITY UPDATE: the CVE-2026-0672 fix was incomplete; control characters could still bypass via Morsel.update(), |=, __setstate__ (pickle), and BaseCookie.js_output(). - debian/patches/CVE-2026-3644.patch: backport of cpython 57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds validation to Morsel.update(), defines explicit Morsel.__ior__ (was inherited from dict and bypassed validation), validates __setstate__ before assigning attributes, and re-validates the assembled output string in js_output(). - CVE-2026-3644 * SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. - debian/patches/CVE-2026-4224.patch: backport of cpython eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall so deep nesting raises RecursionError instead of crashing. - CVE-2026-4224 Moderate TuxCare License Agreement CVE-2025-15282 CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 Debian 12 * SECURITY UPDATE: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. - debian/patches/CVE-2026-4224.patch: C-level backport of cpython eb0e8be3a7 (gh-145986, Stan Ulbrych + Bénédikt Tran). Wraps conv_content_model with Py_EnterRecursiveCall / Py_LeaveRecursiveCall so deep nesting raises RuntimeError instead of crashing. The upstream Lib/test/test_pyexpat.py test addition is skipped: it depends on test.support.infinite_recursion() which only exists in Python 3.x test.support. - CVE-2026-4224 * SECURITY UPDATE: Lib/Cookie.py Morsel accepts control characters in reserved-attribute values, in key/value/coded_value via .set(), and via the inherited dict.update() / pickle restoration paths, allowing newline-based HTTP header injection via Set-Cookie. The upstream CVE description and py3 fix target Lib/http/cookies.py (which does not exist in py2); a runtime POC confirmed the same vulnerability class is reachable through py2's Cookie module via five distinct write paths. - debian/patches/CVE-2026-0672-CVE-2026-3644.patch: py2 adaptation of cpython 95746b3a13 (gh-143919, Seth Larson) and 57e88c1cf9 (gh-145599, Stan Ulbrych + Victor Stinner). Adds a _has_control_character helper and validates at Morsel.__setitem__, .setdefault, .set, an explicit .update, an explicit .__setstate__, plus re-validates the assembled output in Morsel.js_output and BaseCookie.output (defence-in-depth against direct attribute mutation). The py3 __ior__ hunk is not ported (py2 dict has no `|=` operator). Doctest fixture `keebler="...fudge=\012;"` is updated to drop the embedded newline, mirroring the upstream doctest fix. - CVE-2026-0672, CVE-2026-3644 Moderate TuxCare License Agreement CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 Debian 12 * SECURITY UPDATE: CVE-2026-7210 + CVE-2026-41080 (paired) — backport the libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.4.1 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation for xml.parsers.expat and xml.etree.ElementTree. - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds a new 16-byte _Py_HashSecret.expat.hashsalt16 slot in Include/pyhash.h (overlapping the existing padding), extends the PyExpat CAPI in Include/pyexpat.h with SetHashSalt16Bytes, and prefers the new API in Modules/pyexpat.c and Modules/_elementtree.c when built against libexpat exposing it; falls back to the legacy XML_SetHashSalt path otherwise. The two XML_COMBINED_VERSION gates are extended with `|| defined(XML_HAS_HASHSALT16BYTES_BACKPORT)` so the new code path activates against the bundled patched libexpat without bumping its advertised version, while --with-system-expat builds (Alpine) keep the upstream `>= 20800` semantics. - debian/patches/CVE-2026-41080.patch: backport of libexpat PR #1183. Widens the parser's internal hash salt from `unsigned long m_hash_secret_salt` to a full `struct sipkey m_hash_secret_salt_128` (+ an m_hash_secret_salt_set flag), adds the new XML_SetHashSalt16Bytes API and the matching XML_HAS_HASHSALT16BYTES_BACKPORT marker in expat.h, and namespaces the new symbol via pyexpatns.h. Applied to bundled Modules/expat/; on Alpine `prepare()` deletes Modules/expat after the patch, so the libexpat backport is a no-op there and the system libexpat decides whether the new API is available. - CVE-2026-7210 - CVE-2026-41080 Critical TuxCare License Agreement CVE-2026-7210 Debian 12 * SECURITY UPDATE: xml.parsers.expat and xml.etree.ElementTree used insufficient entropy (a single Py_hash_t) to seed Expat's hash-flooding protection, allowing a crafted XML document to trigger hash flooding (CWE-331). The CPython side and the libexpat side of the fix are paired -- the new XML_SetHashSalt16Bytes call sites are inert unless the linked libexpat exposes the 16-byte salt API. Because alt-python37 statically links the bundled Modules/expat/ tree (libexpat 2.5.0), we backport both halves here. - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds the XML_SetHashSalt16Bytes function pointer to the pyexpat CAPI and uses it with 16 bytes of entropy in pyexpat.c and _elementtree.c when the 16-byte salt API is available; falls back to legacy XML_SetHashSalt otherwise. The original upstream conditional only checks XML_COMBINED_VERSION >= 20800; we widen it to also activate when the feature-test macro XML_HAS_SET_HASH_SALT_16_BYTES is defined, which our bundled expat patch exposes (see CVE-2026-41080.patch). On builds that use system libexpat (--with-system-expat, e.g. Alpine), the macro is absent and the version check still applies normally. - debian/patches/CVE-2026-41080.patch: backport of libexpat PR #1183 (https://github.com/libexpat/libexpat/pull/1183), restricted to the C sources needed for the bundled static link (Modules/expat/expat.h, internal.h, xmlparse.c). Widens the per-parser salt storage to a full struct sipkey (128 bits) and adds XML_SetHashSalt16Bytes. Also defines the alt-python- specific feature-test macro XML_HAS_SET_HASH_SALT_16_BYTES so the CPython side can detect the backported API without bumping XML_COMBINED_VERSION (the bundled tree still reports 2.5.0). Together with CVE-2026-7210 this activates the 16-byte salt path inside pyexpat / xml.etree against the bundled expat, restoring proper hash-flood mitigation. - CVE-2026-7210 - CVE-2026-41080 Critical TuxCare License Agreement CVE-2026-7210 Debian 12 * SECURITY UPDATE: CVE-2026-7210 + CVE-2026-41080 (paired): backport the libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.2.8 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation. xml.parsers.expat and xml.etree.ElementTree previously used only the legacy 8-byte XML_SetHashSalt API; that salt is brute-forceable with modern hardware, allowing a crafted XML document to trigger hash collisions and a denial of service. - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Switches pyexpat and _elementtree to XML_SetHashSalt16Bytes when built/linked against libexpat >= 2.8.0, falling back to the legacy XML_SetHashSalt on older expat. Adds a hashsalt16[16] field to _Py_HashSecret_t in Include/object.h (seeded by _PyRandom_Init alongside prefix / suffix) and a NULL-able SetHashSalt16Bytes function pointer in the pyexpat CAPI struct so _elementtree can dispatch at runtime. No upstream backport to 2.7 exists; upstream backports landed only to 3.14 / 3.15. - debian/patches/CVE-2026-41080.patch: backport of libexpat PR #1183 into the bundled Modules/expat/ tree (libexpat 2.2.8). Widens m_hash_secret_salt from `unsigned long` to a 128-bit `struct sipkey` and adds the new public XML_SetHashSalt16Bytes() entry point. Since pyexpat.so / _elementtree.so are statically linked against this tree, the cpython half now consumes full 16-byte entropy without requiring an external libexpat >= 2.8.0 at runtime. - CVE-2026-7210 - CVE-2026-41080 Critical TuxCare License Agreement CVE-2026-7210 Debian 12 * SECURITY UPDATE: xml.parsers.expat and xml.etree.ElementTree used insufficient entropy for the Expat hash-flooding salt (only the 8-byte Py_hash_t field _Py_HashSecret.expat.hashsalt was passed to XML_SetHashSalt), allowing a crafted XML document to trigger hash flooding in Expat's internal hash tables. Full mitigation requires libexpat 2.8.0+ at runtime (or a distro-backported equivalent that exports XML_SetHashSalt16Bytes). - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds a 16-byte hashsalt16 field to _Py_HashSecret.expat and prefers the new XML_SetHashSalt16Bytes API in both Modules/pyexpat.c (newxmlparseobject + capi export) and Modules/_elementtree.c (XMLParser.__init__); the legacy XML_SetHashSalt path is kept as fallback when the loaded libexpat does not export the new symbol. The symbol is declared __attribute__((weak)) in Modules/pyexpat.c so the same source path works whether the build links against bundled libexpat 2.8.0+ or a distro libexpat 2.5/2.7 that backports the entropy fix without bumping XML_COMBINED_VERSION (Debian, Ubuntu, RHEL/CL, Alpine). - CVE-2026-7210 Critical TuxCare License Agreement CVE-2026-7210 Debian 12 * SECURITY UPDATE: xml.parsers.expat / xml.etree.ElementTree used insufficient entropy for libexpat hash-flooding protection, allowing a crafted XML document to trigger hash collisions. Mitigation requires both libexpat 2.8.0+ (or a distro-backported equivalent that exports XML_SetHashSalt16Bytes) and a Python-side patch to seed the parser with the new 16-byte salt API. - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). pyexpat and _elementtree call XML_SetHashSalt16Bytes with _Py_HashSecret.expat.hashsalt16 (16 bytes of entropy); legacy XML_SetHashSalt remains as the fallback when the loaded libexpat does not export the new symbol. The symbol is declared __attribute__((weak)) in Modules/pyexpat.c so the same source path works whether the build links against bundled libexpat 2.8.0+ or a distro libexpat 2.5/2.7 that backports the entropy fix without bumping XML_COMBINED_VERSION (Debian, Ubuntu, RHEL/CL, Alpine). Extends the PyExpat CAPI with a nullable SetHashSalt16Bytes slot populated from the weak reference. - CVE-2026-7210 Critical TuxCare License Agreement CVE-2026-7210 Debian 12 * SECURITY UPDATE: tarfile normalized AREGTYPE blocks to DIRTYPE while processing GNU long name/link follow-up headers, allowing a crafted tar archive to be misinterpreted. - debian/patches/CVE-2025-13462.patch: backport of cpython 42d754e34c (gh-141707). Skip DIRTYPE normalization on follow-up headers via a dircheck flag. - CVE-2025-13462 * SECURITY UPDATE: wsgiref.headers.Headers accepted C0 control characters in header names, values and parameters, enabling response splitting. - debian/patches/CVE-2026-0865.patch: backport of cpython f7fceed79c (gh-143916) plus the HTAB follow-up. Reject control characters; HTAB remains allowed in values but not names. - CVE-2026-0865 * SECURITY UPDATE: http.client did not reject CR/LF in HTTP tunnel (CONNECT) request headers set via HTTPConnection.set_tunnel(). - debian/patches/CVE-2026-1502.patch: backport of cpython 05ed7ce7ae (gh-146211). Validate the tunnel host and per-header name/value. - CVE-2026-1502 * SECURITY UPDATE: http.cookies Morsel.js_output() emitted cookie values into a document.cookie assignment using only quote-escaping, allowing a </script> breakout / JavaScript injection. - debian/patches/CVE-2026-6019.patch: backport of cpython 76b3923d68 (gh-90309). Base64-encode the value and wrap it in atob(). - CVE-2026-6019 Moderate TuxCare License Agreement CVE-2025-13462 CVE-2026-1502 CVE-2026-0865 CVE-2025-8291 CVE-2025-6069 CVE-2025-1795 CVE-2026-6019 CVE-2025-11468 Debian 12 * SECURITY UPDATE: rework the CVE-2026-7210 fix so the XML_SetHashSalt16Bytes code path is no longer inert when the linked libexpat does not bump XML_COMBINED_VERSION to 2.8.0 (Alpine system libexpat). - debian/patches/CVE-2026-7210.patch: rewritten. Declares XML_SetHashSalt16Bytes as __attribute__((weak)) at the top of Modules/pyexpat.c and replaces the compile-time XML_COMBINED_VERSION / XML_HAS_SET_HASH_SALT_16_BYTES gate with a single runtime "if (... != NULL)" check at every call site (newxmlparseobject in pyexpat.c, the pyexpat C-API capsule init, and _elementtree.c). RPM / Debian builds keep 16-byte mitigation via bundled libexpat 2.5.0 + CVE-2026-41080; Alpine activates the 16-byte path automatically the moment the system libexpat ships the entropy fix; libexpat without the symbol falls back to the legacy 8-byte XML_SetHashSalt path (no regression). - CVE-2026-41080.patch is unchanged. - CVE-2026-7210 * SECURITY UPDATE: urllib.parse.urlsplit / urlparse accepted bracketed hosts that were not valid IPv6 / IPvFuture, enabling SSRF and parser-differential attacks. - debian/patches/CVE-2024-11168.patch: backport of cpython 3.11 b2171a2 (gh-103848, Seth Larson). - CVE-2024-11168 * SECURITY UPDATE: bundled libexpat 2.5.0 crashes in XML_ResumeParser when XML_StopParser is called on an unstarted parser (NULL deref). - debian/patches/CVE-2024-50602.patch: backport of libexpat 51c70190 (PR #915). Alpine builds use system expat (--with-system-expat) so this hardening affects only the bundled-expat path used by RPM/Debian builds. - CVE-2024-50602 * SECURITY UPDATE: urllib.parse.urlsplit / urlparse continued to accept domain names containing square brackets after the CVE-2024-11168 fix; follow-up that completes the validation. - debian/patches/CVE-2025-0938.patch: backport of cpython 3.10 b8b4b71 (gh-105704). - CVE-2025-0938 * SECURITY UPDATE: bytes.decode("unicode_escape", errors="ignore" or "replace") could trigger a use-after-free when the error handler reallocated the input buffer. - debian/patches/CVE-2025-4516.patch: backport of cpython 3.9 8d35fd1b (gh-129648, Serhiy Storchaka). Captures the initial starts pointer and only stores *first_invalid_escape when starts == initial_starts. - CVE-2025-4516 * SECURITY UPDATE: ftplib.ftpcp() was not updated when CVE-2021-4189 was fixed; still passed raw server-supplied PASV host / port to target.sendport(). - debian/patches/CVE-2026-8328.patch: backport of cpython eac4fe3b (gh-87451, PR #149648). Applies the CVE-2021-4189 hardening to ftpcp() using source.sock.getpeername()[0] unless trust_server_pasv_ipv4_address is set. - CVE-2026-8328 Moderate TuxCare License Agreement CVE-2025-4516 CVE-2024-50602 CVE-2024-11168 CVE-2026-8328 CVE-2025-0938 Debian 12 * SECURITY UPDATE: base64.b64decode / urlsafe_b64decode silently accepted the '+/' alphabet regardless of altchars. - debian/patches/CVE-2025-12781.patch: backport of cpython 3.x 9060b4ab (gh-125346) - deprecation-only fix that emits a DeprecationWarning / FutureWarning when '+' / '/' appear in input outside the configured alphabet. Behavior is unchanged, matching upstream's deprecation intent. - CVE-2025-12781 * SECURITY UPDATE: wsgiref.headers.Headers did not reject control characters in header names / values. - debian/patches/CVE-2026-0865.patch: combined backport of cpython 22e4d552 (gh-143916, the initial fix that adds a control-char regex check in _convert_string_type) and follow-up 83ecd187 (gh-144762, "Allow HTAB in wsgiref header values" per RFC 9110 Section 5.5). Splits the regex into _name_disallowed_re and _value_disallowed_re, threads a keyword-only `name` parameter through _convert_string_type, and updates every caller to pass name=True or name=False. HTAB is now allowed in header values but still rejected in header names; LF / CR / DEL remain rejected in both. - CVE-2026-0865 * SECURITY UPDATE: http.client did not reject CR/LF in HTTPConnection CONNECT tunnel host / headers, enabling request injection. - debian/patches/CVE-2026-1502.patch: backport of cpython 05ed7ce7 (gh-146211). Validates the tunnel host and each tunnel header name / value via _is_legal_header_name / _is_illegal_header_value before sending. - CVE-2026-1502 * SECURITY UPDATE: http.cookies.Morsel.js_output() emitted an inline <script> snippet that only escaped " and left </script> intact. - debian/patches/CVE-2026-6019.patch: backport of cpython f795e042 (gh-90309). Base64-encodes the cookie value and emits a self-decoding JavaScript stub instead of an unescaped string literal. Builds on top of the CVE-2026-3644 control-character validation that the repo already carries. - CVE-2026-6019 Moderate TuxCare License Agreement CVE-2025-13462 CVE-2026-1502 CVE-2026-0865 CVE-2025-8291 CVE-2025-6069 CVE-2025-1795 CVE-2026-6019 CVE-2025-11468 Debian 12 * SECURITY UPDATE: tarfile applied AREGTYPE -> DIRTYPE normalization even during multi-block GNU long members (GNUTYPE_LONGNAME / GNUTYPE_LONGLINK), enabling a parsing differential vs. other tar implementations. - debian/patches/CVE-2025-13462.patch: backport of cpython 42d754e3 (gh-143934, Seth Larson + Eashwar Ranganathan). Threads a dircheck flag through frombuf / fromtarfile so normalization is skipped on the inner header during GNU long name / link handling. - CVE-2025-13462 * SECURITY UPDATE: wsgiref.headers.Headers did not reject control characters in header names / values, allowing HTTP header injection from WSGI applications. - debian/patches/CVE-2026-0865.patch: combined backport of cpython f7fceed7 (gh-143917) which adds the control-char regex check, 66da7bf6 (gh-143916 HTAB follow-up) which splits the check so HTAB is allowed in header values (RFC 9110 Section 5.5) but still rejected in header names, plus d931725b (gh-144370) which disallows control characters in status in wsgiref.handlers.start_response. - CVE-2026-0865 * SECURITY UPDATE: http.client did not reject CR/LF in HTTPConnection CONNECT tunnel host / per-tunnel-header values, enabling request injection through a proxy tunnel. - debian/patches/CVE-2026-1502.patch: backport of cpython 05ed7ce7 + b1cf9016 (gh-146212, Seth Larson). Adapted to 3.6's per-line self.send() form (no headers=[] list in _tunnel until 3.9+). Validates _tunnel_host and per-header name / value in _tunnel(). - CVE-2026-1502 * SECURITY UPDATE: http.cookies.Morsel.js_output() emitted an inline <script> snippet that only escaped " and left </script> intact, enabling HTML injection when a cookie value contains </script>. - debian/patches/CVE-2026-6019.patch: backport of cpython 76b3923d (gh-148848, Seth Larson). Base64-encodes the cookie value and emits document.cookie = atob("...") instead of pasting the raw cookie string into the JavaScript snippet. Composes on top of CVE-2026-3644's js_output() control-character recheck (preserved). - CVE-2026-6019 Moderate TuxCare License Agreement CVE-2025-4516 CVE-2025-13462 CVE-2026-1502 CVE-2024-50602 CVE-2024-11168 CVE-2026-0865 CVE-2025-8291 CVE-2025-6069 CVE-2025-1795 CVE-2025-0938 CVE-2026-6019 CVE-2025-11468 Debian 12 * SECURITY UPDATE: urllib.parse.urlsplit()/urlparse() did not validate that bracketed [...] hosts were valid IPv6 or IPvFuture, enabling SSRF-relevant differential parsing. - debian/patches/CVE-2024-11168.patch: backport of cpython 29f348e232 (gh-103848, John James Utley). Adds _check_bracketed_host() and calls it from urlsplit(); also backports ipaddress.IPv6Address scope-id support (_split_scope_id) needed by the new check. - CVE-2024-11168 * SECURITY UPDATE: follow-up to CVE-2024-11168; urlsplit()/urlparse() still accepted square brackets in non-IPv6 hostnames, enabling differential parsing across URL parsers. - debian/patches/CVE-2025-0938.patch: backport of cpython d89a5f6a6e (gh-105704, Seth Larson). Adds _check_bracketed_netloc() to reject brackets that don't enclose a valid IPv6/IPvFuture host. - CVE-2025-0938 * SECURITY UPDATE: email._header_value_parser folded address-list separator commas through encoded-word, so the separating comma could be unicode-encoded and misinterpreted by mail servers. - debian/patches/CVE-2025-1795.patch: backport of cpython 09fab93c3d (gh-100884) plus the bundled regression follow-up 858b9e85fc (gh-118643) which fixes the AttributeError that gh-100884 introduced when re-folding long address lists. Sets ListSeparator.as_ew_allowed to False and routes the list- separator token through the named constant. - CVE-2025-1795 * SECURITY UPDATE: when folding a long email-header comment composed of unfoldable characters, email._header_value_parser dropped the enclosing parenthesis (and could omit the required leading space), enabling header injection. - debian/patches/CVE-2025-11468.patch: backport of cpython 61614a5e50 (gh-143935). Adds make_parenthesis_pairs() and a comment-folding branch in _refold_parse_tree() that re-emits parentheses around comment subparts. - CVE-2025-11468 * SECURITY UPDATE: use-after-free in the unicode-escape decoder when an error handler ('ignore'/'replace') was used. - debian/patches/CVE-2025-4516.patch: backport of cpython 0d5d68f707 (gh-133767, Serhiy Storchaka). Replaces the buffer pointer with an integer (first_invalid_escape_char) plus a starts==initial_starts guard; adds binary-compat wrappers _PyBytes_DecodeEscape2 and _PyUnicode_DecodeUnicodeEscapeInternal2. - CVE-2025-4516 * SECURITY UPDATE: html.parser.HTMLParser had worst-case quadratic complexity on crafted malformed input (e.g. unterminated tags or comments at EOF), enabling amplified DoS. - debian/patches/CVE-2025-6069.patch: backport of cpython 8d1b3dfa09 (gh-135462). Replaces the EOF-handling branch with starttagopen.match/endtagopen.match/bogus-comment handling. - CVE-2025-6069 Moderate TuxCare License Agreement CVE-2025-4516 CVE-2024-11168 CVE-2025-6069 CVE-2025-1795 CVE-2025-0938 CVE-2025-11468 Debian 12 * SECURITY UPDATE: zipfile did not validate the ZIP64 End-of-Central- Directory Locator relative-offset, assuming the EOCD64 record sat immediately before the locator, allowing ambiguous-parsing ZIP archives (parser confusion vs. other ZIP tools). - debian/patches/CVE-2025-8291.patch: backport of cpython d11e69d620 (gh-139700, PSF-2025-12). Validates the locator offset and raises BadZipFile when it disagrees. - CVE-2025-8291 * SECURITY UPDATE: tarfile applied the V7 AREGTYPE -> DIRTYPE normalization in frombuf() even when the header was a sub-block of a multi-block GNUTYPE_LONGNAME/LONGLINK member, causing parser confusion. - debian/patches/CVE-2025-13462.patch: backport of cpython 42d754e34c (gh-141707). Skips the normalization on continuation blocks (dircheck=False on follow-up headers in _proc_gnulong and _proc_pax). - CVE-2025-13462 * SECURITY UPDATE: wsgiref.headers.Headers did not reject control characters in header names/values, allowing HTTP header injection. - debian/patches/CVE-2026-0865.patch: backport of cpython 22e4d55285 (gh-143916, initial reject of [\x00-\x1F\x7F] in _convert_string_type) plus follow-up 83ecd18779 (gh-144762, relax to allow HTAB \x09 in header values per RFC 9110). The merged patch splits the regex into _name_disallowed_re and _value_disallowed_re and threads a `name` keyword through _convert_string_type call sites. - CVE-2026-0865 * SECURITY UPDATE: http.client.HTTPConnection did not sanitize CR/LF in the proxy CONNECT tunnel host or in set_tunnel() headers, enabling request/header splitting. - debian/patches/CVE-2026-1502.patch: backport of cpython b1cf901633 (gh-146211). Applies _is_legal_header_name/ _is_illegal_header_value and control-char checks in _tunnel()/set_tunnel(). - CVE-2026-1502 * SECURITY UPDATE: http.cookies.Morsel.js_output() emitted the cookie value inside <script> ... </script> only escaping `"`, so a value containing </script> could break out of the script element (XSS). - debian/patches/CVE-2026-6019.patch: backport of cpython 76b3923d68 (gh-90309). Base64-encodes the embedded cookie value; composes with the existing CVE-2026-3644 patch on the same function. - CVE-2026-6019 * SECURITY UPDATE: ftplib.ftpcp() called parse227() directly and passed the attacker-controllable PASV host/port to target.sendport() (SSRF). The CVE-2021-4189 PASV fix had been applied to makepasv() but not ftpcp(). - debian/patches/CVE-2026-8328.patch: backport of cpython eac4fe3b2c (gh-87451). Mirrors the getpeername() / trust_server_pasv_ipv4_address logic in ftpcp(). - CVE-2026-8328 Moderate TuxCare License Agreement CVE-2025-13462 CVE-2026-1502 CVE-2026-8328 CVE-2026-0865 CVE-2025-8291 CVE-2026-6019 Debian 12 * SECURITY UPDATE: imaplib.IMAP4._command() did not reject control characters in command arguments, so a CR/LF embedded in an argument could inject a second IMAP command. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b (gh-143921). Adds the _control_chars regex and rejects arguments containing bytes in [\x00-\x1F\x7F] in _command() with ValueError. - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() did not reject control characters, allowing the same CR/LF command injection on the POP3 socket. - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b6 (gh-143923). Rejects lines containing bytes in [\x00-\x1F\x7F] in _putcmd() with ValueError. - CVE-2025-15367 Important TuxCare License Agreement CVE-2025-15366 CVE-2025-15367 Debian 12 * SECURITY UPDATE: imaplib.IMAP4._command() concatenated command arguments without rejecting control characters, allowing IMAP command injection via CR/LF in a user-controlled argument. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b13 (gh-143921). Add the _control_chars guard and raise ValueError on any argument byte in [\x00-\x1F\x7F]. - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() wrote command lines without rejecting control characters, allowing POP3 command injection via CR/LF in a user-controlled argument. - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b675 (gh-143923). Reject any line byte in [\x00-\x1F\x7F] with ValueError. - CVE-2025-15367 Important TuxCare License Agreement CVE-2025-15366 CVE-2025-15367 Debian 12 * SECURITY UPDATE: command injection via control characters in imaplib - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of cpython 6262704b (gh-143921, Seth Michael Larson). imaplib.IMAP4._command() concatenated each argument into the wire-level command without inspecting it, so user-controlled text (e.g. a username passed to IMAP4.login()) containing CR/LF or other control characters could inject a second IMAP command. Adds a module-level _control_chars regex to Lib/imaplib.py and a guard in _command() that rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before concatenation. Adds a test_control_characters regression test to Lib/test/test_imaplib.py. - CVE-2025-15366 * SECURITY UPDATE: command injection via control characters in poplib - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of cpython b234a2b6 (gh-143923, Seth Michael Larson). poplib.POP3._putcmd() sent its argument to the server without inspecting it, so user-controlled text passed to user()/pass_()/apop()/rpop()/top() could inject a second POP3 command. Adds a guard in _putcmd() (Lib/poplib.py) that rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before sending. Adds a test_control_characters regression test to Lib/test/test_poplib.py. - CVE-2025-15367 Important TuxCare License Agreement CVE-2025-15366 CVE-2025-15367 Debian 12 * SECURITY UPDATE: imaplib.IMAP4._command() concatenated each argument into the wire command without validation, so an argument embedding CR/LF (or any other C0 control / DEL byte) could inject a second IMAP command. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b13 (gh-143921). Adds the _control_chars [\x00-\x1F\x7F] regex and raises ValueError in _command() before appending an offending argument. - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() wrote its argument to the POP3 socket without validation, allowing the same CR/LF command-injection via the POP3 command API. - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b675 (gh-143923). Rejects lines matching [\x00-\x1F\x7F] with ValueError in _putcmd() before they are written. - CVE-2025-15367 Important TuxCare License Agreement CVE-2025-15366 CVE-2025-15367 alt-python36 alt-python36-debug alt-python36-devel alt-python36-libs alt-python36-test alt-python36-tkinter alt-python36-tools alt-python27 alt-python27-debug alt-python27-devel alt-python27-idle alt-python27-libs alt-python27-test alt-python27-tkinter alt-python27-tools alt-python38 alt-python38-debug alt-python38-devel alt-python38-idle alt-python38-libs alt-python38-test alt-python38-tkinter alt-python37 alt-python37-debug alt-python37-devel alt-python37-libs alt-python37-test alt-python37-tkinter alt-python37-tools alt-python39 alt-python39-debug alt-python39-devel alt-python39-idle alt-python39-libs alt-python39-test alt-python39-tkinter alt-python39-setuptools alt-python39-setuptools-wheel alt-python38-setuptools alt-python38-setuptools-wheel alt-python36-setuptools alt-python36-setuptools-wheel alt-python37-setuptools alt-python37-setuptools-wheel amd64 0:3.6.15-14 amd64 0:2.7.18-3 amd64 0:2.7.18-6 amd64 0:2.7.18-7 amd64 0:2.7.18-8 amd64 0:3.6.15-19 amd64 0:3.8.20-4 amd64 0:3.7.17-5 amd64 0:3.6.15-20 amd64 0:3.7.17-6 amd64 0:3.7.17-7 amd64 0:3.6.15-21 amd64 0:3.9.23-4 amd64 0:3.7.17-8 amd64 0:3.8.20-5 amd64 0:3.6.15-23 amd64 0:3.8.20-7 amd64 0:3.7.17-10 amd64 0:3.9.23-6 amd64 0:2.7.18-9 amd64 0:3.7.17-11 amd64 0:3.8.20-8 amd64 0:3.6.15-25 amd64 0:2.7.18-10 amd64 0:3.9.23-8 amd64 0:3.6.15-27 amd64 0:3.7.17-13 amd64 0:3.6.15-28 amd64 0:3.7.17-14 amd64 0:3.8.20-10 amd64 0:2.7.18-11 amd64 0:3.8.20-11 amd64 0:3.9.23-9 amd64 0:2.7.18-12 0:58.3.0-2 0:58.3.0-3 0:38.5.2-10 amd64|arm64 0:3.8.20-12 amd64 0:2.7.18-14 amd64|arm64 0:3.6.15-29 amd64|arm64 0:3.9.23-10 amd64|arm64 0:3.7.17-15 amd64|arm64 0:3.8.20-13 amd64|arm64 0:3.9.23-11 amd64|arm64 0:3.7.17-16 amd64|arm64 0:3.6.15-30 amd64|arm64 0:2.7.18-16 amd64|arm64 0:2.7.18-17 amd64|arm64 0:3.7.17-17 amd64|arm64 0:3.6.15-31 amd64|arm64 0:3.9.23-12 amd64|arm64 0:3.8.20-14 amd64|arm64 0:3.8.20-15 amd64|arm64 0:3.9.23-13 amd64|arm64 0:3.6.15-32 amd64|arm64 0:2.7.18-18 amd64|arm64 0:3.7.17-18 amd64|arm64 0:3.9.23-14 amd64|arm64 0:3.8.20-16 amd64|arm64 0:3.7.17-19 amd64|arm64 0:3.6.15-33 amd64|arm64 0:2.7.18-19 amd64|arm64 0:3.6.15-34 amd64|arm64 0:3.7.17-20 amd64|arm64 0:2.7.18-20 amd64|arm64 0:3.8.20-17 amd64|arm64 0:3.9.23-15 amd64|arm64 0:3.9.23-17 amd64|arm64 0:3.7.17-21 amd64|arm64 0:3.7.17-23 amd64|arm64 0:3.6.15-37 amd64|arm64 0:3.8.20-18 amd64|arm64 0:3.8.20-19 amd64|arm64 0:3.7.17-24 amd64|arm64 0:3.9.23-18 amd64|arm64 0:2.7.18-21 amd64|arm64 0:3.8.20-20