
Debian LTS: DLA-4087-1: python3.9 Security Advisory Updates

March 20, 2025
Debian LTS DLA-4087-1 addresses vulnerabilities in Python 3.9 modules affecting security and stability. Upgrade recommended!
Multiple vulnerabilities were discovered in modules shipped with CPython 3.9, the primary interpreter for the Python programming language.

Summary

CVE-2022-0391

Functions in the urllib.parse module did not sanitize URLs to remove
newline characters, which could lead to injection attacks.

CVE-2025-0938

Functions in the urllib.parse and urlparse modules accepted domain
names containing square brackets, which isn't valid. These
delimiters are only permitted for IPv6 and IPvFuture hosts. This
problem could result in differential parsing between the Python URL
parser and other specification-compliant URL parsers.

CVE-2025-1795

The implementations of e-mail header parsing and folding would
encode the comma used to separate list items, which could cause
receiving applications to interpret two items in the list as though
they were one item.
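
An application-side check for the two URL issues described under CVE-2022-0391 and CVE-2025-0938, as an added example that is not part of the advisory or of CPython. The function names and problem labels are hypothetical, the sample URLs are constructed, and it assumes absolute URLs of the form `scheme://authority/...`.

```python
import ipaddress
import re

# CR/LF per CVE-2022-0391; tab is included here as an assumption.
STRIPPED_CHARS = ("\t", "\r", "\n")
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://")
IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9._~!$&'()*+,;=:\-]+")  # RFC 3986

def authority_host(url):
    """Raw host text of an absolute URL, extracted without urllib.parse."""
    m = SCHEME.match(url)
    if not m:
        return ""                       # relative reference: no host to check
    authority = re.split(r"[/?#]", url[m.end():], maxsplit=1)[0]
    hostport = authority.rsplit("@", 1)[-1]          # drop userinfo
    if hostport.startswith("["):
        end = hostport.find("]")
        # After the closing bracket only an optional ":port" is allowed.
        if end != -1 and re.fullmatch(r"(:\d*)?", hostport[end + 1:]):
            return hostport[:end + 1]
        return hostport
    return hostport.rsplit(":", 1)[0]

def is_ip_literal(inner):
    """True if inner is an IPv6 address or an IPvFuture literal."""
    if IPVFUTURE.fullmatch(inner):
        return True
    try:
        ipaddress.IPv6Address(inner)
        return True
    except ValueError:
        return False

def url_problems(url):
    """Return labels (hypothetical names) for the issues found in url."""
    problems = []
    if any(c in url for c in STRIPPED_CHARS):
        problems.append("control-character")
    host = authority_host(url)
    if "[" in host or "]" in host:
        bracketed = host.startswith("[") and host.endswith("]")
        if not (bracketed and is_ip_literal(host[1:-1])):
            problems.append("bracketed-hostname")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("https://example.com/a\nb", "https://[example.com]/x",
              "https://[2001:db8::1]:8443/x"):
        print(repr(u), url_problems(u))
```

Rejecting URLs that return any label keeps the application's view of the host consistent with stricter parsers; it complements the package upgrade rather than replacing it.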

For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u3.

We recommend that you upgrade your python3.9 packages.

For the detailed security status of python3.9 please refer to
its security tracker page at:



Severity: important

Package: python3.9
Version: 3.9.2-1+deb11u3
CVE ID: CVE-2022-0391 CVE-2025-0938 CVE-2025-1795
