Hi,
On Mon, 2 Feb 2026 19:46:38 +0100 Moritz Mühlenhoff
<[email protected]> wrote:
> On Sun, Feb 01, 2026 at 10:47:59PM +0100, Andrej Shadura wrote:
> > Hi,
> >
> > As part of my work on Debian LTS, I’ve fixed these CVEs in Python 3.9,
> > so I went ahead and backported fixes for them for Python 3.11 as well.
>
> CVE-2022-37454 doesn't affect python3.11, this was fixed upstream before
> 3.11 was branched off.
>
> And there are several cases like e.g. for CVE-2025-11468:
> |Origin: backport,
> https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2
>
> Why didn't you use the corresponding fixes from the 3.11 branch instead (where
> applicable for the issues which were fixed in 3.11)?
>
> E.g. for CVE-2025-11468 that would be
> https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0
Additionally, while working on ELTS py* packages, I excluded/postponed:
- CVE-2025-15366, CVE-2025-15367: potential regressions are being
investigated, which explains why upstream didn't backport the fix to
its 3.xx release branches
- CVE-2026-0865: overreaching fix so a follow-up is under review
(also this may be considered unimportant as upstream now added a
security disclaimer for wsgiref)
Tracker updated:
https://security-tracker.debian.org/tracker/CVE-2025-15366
https://security-tracker.debian.org/tracker/CVE-2025-15367
https://security-tracker.debian.org/tracker/CVE-2026-0865
I would recommend postponing them for now.
Cheers!
Sylvain Beucler
Debian LTS Team