CVE-2025-13462
The tarfile module applied its normalization of AREGTYPE (typeflag
\x00) blocks to DIRTYPE even while processing a multi-block member
such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. A crafted tar archive
could therefore be interpreted differently by tarfile than by other
tar implementations.
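A consistency check of the kind the tarfile issue above calls for, written for this page as an added example (it is not code from CPython or from the advisory): it walks the raw 512-byte headers itself, applies a pending GNU long name to the header that follows it before evaluating the old V7 "trailing slash means directory" rule, and lists the members on which tarfile disagrees with that walk. The sample archive is constructed inline; the walker assumes octal size fields, does not verify checksums, does not interpret PAX or sparse members, and the names walk_headers, compare_with_tarfile and build_sample are this example's own.

```python
"""Cross-check tarfile's view of an archive against an independent walk of
the raw 512-byte headers, with GNU long-name blocks applied before the
V7 'trailing slash means directory' rule is evaluated."""
import io
import tarfile

BLOCK = 512
AREGTYPE, REGTYPE, DIRTYPE = b"\0", b"0", b"5"
GNUTYPE_LONGNAME, GNUTYPE_LONGLINK = b"L", b"K"


def _nts(field: bytes) -> str:
    """Decode a NUL-terminated header field."""
    return field.split(b"\0", 1)[0].decode("utf-8", "surrogateescape")


def _octal(field: bytes) -> int:
    """Decode a numeric field. Assumes octal; GNU base-256 is not handled."""
    digits = field.split(b"\0", 1)[0].strip()
    return int(digits, 8) if digits else 0


def walk_headers(data: bytes) -> list:
    """Return [(name, typeflag, size), ...] from the raw headers.

    A GNUTYPE_LONGNAME/LONGLINK member is a multi-block unit: its payload
    carries the full name, which replaces the 100-byte name field of the
    header that follows. Only after that replacement do we apply the V7
    rule, so the decision uses the name other tar tools would use.
    Checksums are not verified; PAX and sparse members are not interpreted."""
    members, off = [], 0
    pending_name = pending_link = None
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        off += BLOCK
        if hdr == bytes(BLOCK):            # end-of-archive marker
            break
        size = _octal(hdr[124:136])
        typeflag = hdr[156:157]
        payload = data[off:off + size]
        off += -(-size // BLOCK) * BLOCK   # skip payload, rounded up to blocks
        if typeflag == GNUTYPE_LONGNAME:
            pending_name = _nts(payload)
            continue
        if typeflag == GNUTYPE_LONGLINK:
            pending_link = _nts(payload)
            continue
        name = _nts(hdr[0:100])
        if hdr[257:263] == b"ustar\0":     # POSIX ustar/pax: prefix field is live
            prefix = _nts(hdr[345:500])
            if prefix:
                name = prefix + "/" + name
        if pending_name is not None:
            name, pending_name = pending_name, None
        pending_link = None                # would patch linkname; not compared here
        if typeflag == AREGTYPE:           # old V7: '\0' + trailing '/' is a dir
            typeflag = DIRTYPE if name.endswith("/") else REGTYPE
        members.append((name, typeflag.decode("ascii"), size))
    return members


def compare_with_tarfile(data: bytes) -> list:
    """Members on which tarfile and the raw walk disagree (name or type).
    Trailing slashes are stripped on both sides, as tarfile does for dirs."""
    raw = [(n.rstrip("/"), t) for n, t, _ in walk_headers(data)]
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        tfv = [(m.name.rstrip("/"), m.type.decode("ascii")) for m in tf.getmembers()]
    out = []
    for i in range(max(len(raw), len(tfv))):
        a = raw[i] if i < len(raw) else None
        b = tfv[i] if i < len(tfv) else None
        if a != b:
            out.append({"index": i, "raw_headers": a, "tarfile": b})
    return out


def build_sample() -> bytes:
    """Constructed sample archive: GNU format, one directory and one file
    whose name exceeds 100 bytes so tarfile emits a GNUTYPE_LONGNAME block."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        d = tarfile.TarInfo("docs")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
        body = b"hello\n"
        f = tarfile.TarInfo("docs/" + "a" * 120 + ".txt")
        f.size = len(body)
        tf.addfile(f, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, typeflag, size in walk_headers(sample):
        print(typeflag, size, name)
    print("mismatches:", compare_with_tarfile(sample))
```

Run compare_with_tarfile over the bytes of any archive you are about to extract; a non-empty result means tarfile and a header-by-header reading disagree on a member's name or type, which is exactly the situation worth inspecting by hand before extraction.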
CVE-2026-0672
When http.cookies.Morsel is used, user-controlled cookie values and
parameters could be used to inject additional HTTP headers into a
message. The patch rejects all control characters within cookie names,
values, and parameters.
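The header-injection path described above, and the boundary check that closes it, as an added example written for this page (not code from CPython or from the advisory): build_set_cookie refuses any ASCII control character in every user-influenced field before the data reaches any Morsel entry point, which is why it does not depend on which Morsel methods validate their input; naive_set_cookie passes the input straight through, and injection_outcome reports what the running interpreter does with a CRLF in the Path attribute. The regex and the helper names are this example's own; the control-character gate mirrors the approach the patch takes but is not the patch.

```python
"""Cookie header construction with a control-character gate in front of
http.cookies, plus a probe showing what the unguarded path does."""
import re
from http.cookies import CookieError, Morsel, SimpleCookie

# Any ASCII control character (CR and LF included) plus DEL. Mirrors the
# "reject all control characters" approach of the fix; this regex is ours.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    return _CONTROL.search(text) is not None


def build_set_cookie(name: str, value: str, **attrs: str) -> str:
    """Hardened builder (hypothetical helper, not part of http.cookies).

    Every user-influenced field is checked before it reaches any Morsel
    entry point, so the guard does not depend on which Morsel methods
    validate their input."""
    for field, text in (("name", name), ("value", value), *attrs.items()):
        if has_control_chars(str(text)):
            raise ValueError(f"control character in cookie {field}: {text!r}")
    jar = SimpleCookie()
    jar[name] = value            # value_encode() quotes anything non-token
    for attr, text in attrs.items():
        jar[name][attr] = text   # e.g. path, domain, samesite
    return jar[name].output()


def naive_set_cookie(name: str, value: str, **attrs: str) -> str:
    """Unguarded builder: user input goes straight to Morsel, with the raw
    value used as coded_value (no quoting) and attributes stored as given."""
    m = Morsel()
    m.set(name, value, value)
    for attr, text in attrs.items():
        m[attr] = text
    return m.output()


def injection_outcome(**cookie_fields: str) -> str:
    """Probe the interpreter: on an unpatched http.cookies the CRLF survives
    into the header line (two Set-Cookie lines in one string); on a patched
    one http.cookies itself refuses the input."""
    try:
        out = naive_set_cookie(**cookie_fields)
    except (CookieError, ValueError) as exc:
        return f"rejected by http.cookies ({type(exc).__name__})"
    return "injected" if "\r\n" in out else "no injection"


if __name__ == "__main__":
    print(build_set_cookie("session", "abc123", path="/app", samesite="Lax"))
    print(injection_outcome(name="session", value="abc123",
                            path="/\r\nSet-Cookie: admin=1"))
```

The same gate applies to the cookie value: naive_set_cookie uses the raw value as coded_value, so a CRLF there lands in the header line just as one in Path does, whereas build_set_cookie both rejects it and, for benign input, lets SimpleCookie quote non-token characters.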
CVE-2026-2297
The CPython import hook that handles legacy *.pyc files
(SourcelessFileLoader) is handled incorrectly in its base class
FileLoader and so does not use io.open_code() to read the .pyc files.
sys.audit handlers for that audit event therefore do not fire.
CVE-2026-3644
The fix for CVE-2026-0672, which rejected control characters in
http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator,