CVE-2022-37454
The Keccak XKCP SHA-3 implementation had an integer overflow
and a buffer overflow in the sponge function interface. This
allowed attackers to execute arbitrary code or eliminate expected
cryptographic properties.
CVE-2025-4516
An issue in bytes.decode("unicode_escape", errors="ignore|replace")
could result in a crash.
CVE-2025-6069
The html.parser.HTMLParser class had worst-case quadratic complexity
when processing certain crafted malformed inputs, potentially leading
to amplified denial-of-service.
CVE-2025-6075
If the value passed to os.path.expandvars() was user-controlled,
a performance degradation was possible when expanding environment
variables.
CVE-2025-8194
The tar implementation would process tar archives with negative
offsets without error, resulting in an infinite loop and deadlock
during the parsing of maliciously crafted tar archives.
CVE-2025-8291
The 'zipfile' module would not check the validity of the ZIP64 End