Andrej Shadura pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
9e6b2a09 by Andrej Shadura at 2026-01-20T18:48:07+01:00
Reserve DLA-4445-1 for python3.9
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -21641,7 +21641,6 @@ CVE-2025-12084 (When building nested elements using
xml.dom.minidom methods such
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- pypy3 <unfixed>
@@ -22337,7 +22336,6 @@ CVE-2025-13837 (When loading a plist file, the plistlib
module reads data in siz
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue)
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
@@ -22354,7 +22352,6 @@ CVE-2025-13836 (When reading an HTTP response from a
server, if no read amount i
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue)
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
@@ -29971,7 +29968,6 @@ CVE-2025-6075 (If the value passed to
os.path.expandvars() is user-controlled a
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue, DoS)
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
@@ -38034,7 +38030,6 @@ CVE-2025-8291 (The 'zipfile' module would not check the
validity of the ZIP64 En
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue, canonical validation)
- jython <unfixed> (bug #1118432)
[trixie] - jython <no-dsa> (Minor issue)
[bookworm] - jython <no-dsa> (Minor issue)
@@ -63462,7 +63457,6 @@ CVE-2025-8194 (There is a defect in the CPython
\u201ctarfile\u201d module affec
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
NOTE: https://github.com/python/cpython/issues/130577
@@ -76755,7 +76749,6 @@ CVE-2025-6069 (The html.parser.HTMLParser class had
worse-case quadratic complex
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue; can be fixed in next
update)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- pypy3 <unfixed> (bug #1118430)
@@ -86121,7 +86114,6 @@ CVE-2025-4516 (There is an issue in CPython when using
`bytes.decode("unicode_es
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- [bullseye] - python3.9 <postponed> (Minor issue, likely DoS-only, fix
along with next update)
- pypy3 <not-affected> (Vulnerable code not present; memory error in C
code implementation)
NOTE:
https://mail.python.org/archives/list/[email protected]/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/
NOTE: PoC: https://www.openwall.com/lists/oss-security/2025/05/19/1
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[20 Jan 2026] DLA-4445-1 python3.9 - security update
+ {CVE-2022-37454 CVE-2025-4516 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194
CVE-2025-8291 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837}
+ [bullseye] - python3.9 3.9.2-1+deb11u4
[19 Jan 2026] DLA-4444-1 apache-log4j2 - security update
{CVE-2025-68161}
[bullseye] - apache-log4j2 2.17.1-1~deb11u2
=====================================
data/dla-needed.txt
=====================================
@@ -339,11 +339,6 @@ python-tornado (dleidert)
python-urllib3 (guilhem)
NOTE: 20260108: Added by Front-Desk (lamby)
--
-python3.9 (andrewsh)
- NOTE: 20251214: Added by Front-Desk (dleidert)
- NOTE: 20251214: Another round of CVEs is due to be fixed
(dleidert/front-desk)
- NOTE: 20260102: Consider fixing python3.11/bookworm and python3.13/trixie
(Beuc/front-desk)
---
runc
NOTE: 20251105: Added by Front-Desk (Beuc)
NOTE: 20251105: 3 high-severity container breakouts. Used by docker.io.
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6b2a09dc14946ef1d0f38b76b8fd981dd3c4e7
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6b2a09dc14946ef1d0f38b76b8fd981dd3c4e7
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
