Debian 11 Python 3.9 Security Advisory DLA-4455-1 Critical CVE-2025-11468

debian lts
January 25, 2026
Security update for python3.9 addressing several critical issues in Debian 11 bullseye. Upgrade recommended for safety.
This upload fixes a regression introduced in 3.9.2-1+deb11u4 (DLA 4445-1), and also fixes multiple security issues in CPython 3.9.

Summary

CVE-2025-12084

When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm was quadratic. Availability could be impacted when building
excessively nested documents.

The fix for this CVE in the previous upload resulted in a regression
in software relying on ownerDocument attribute being always present
in Element instances. This regression has now been fixed.

CVE-2026-0672, CVE-2026-0865, CVE-2025-15282, CVE-2025-15366, CVE-2025-15367

These are all similar vulnerabilities in the following modules:
http.cookies, wsgiref.headers, imaplib, poplib, urllib. In each of
these control characters were handled incorrectly, allowing injection
of additional cookies, headers or commands. Control characters are
now rejected in these contexts.
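
An application-side guard for the header case described above, added here as an example and not taken from the Debian advisory or from CPython. `ControlCharError`, `check_field`, `safe_headers` and `stdlib_rejects_injection` are hypothetical names, and the rejected set (all C0 controls plus DEL) is an assumption that is stricter than HTTP, which permits a tab inside field values.

```python
import re
from wsgiref.headers import Headers

# Assumption of this example: reject every C0 control character and DEL.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


class ControlCharError(ValueError):
    """Raised when untrusted text contains a control character."""


def check_field(label, text):
    """Return text unchanged, or raise if it contains a control character."""
    match = _CTL.search(text)
    if match:
        raise ControlCharError(
            f"{label}: control character {match.group()!r} at offset {match.start()}"
        )
    return text


def safe_headers(pairs):
    """Build a wsgiref Headers object from (name, value) pairs after validation."""
    headers = Headers()
    for name, value in pairs:
        headers.add_header(
            check_field("header name", name),
            check_field(f"value of {name!r}", value),
        )
    return headers


def stdlib_rejects_injection():
    """True if this interpreter's wsgiref.headers itself refuses a CR/LF value."""
    try:
        probe = Headers()
        probe["X-Probe"] = "a\r\nX-Constructed: 1"  # constructed sample value
    except Exception:
        return True
    return False


if __name__ == "__main__":
    print("stdlib rejects CR/LF in header values:", stdlib_rejects_injection())
    try:
        # Constructed input standing in for attacker-influenced redirect data.
        safe_headers([("Location", "/next\r\nSet-Cookie: sid=constructed")])
    except ControlCharError as exc:
        print("blocked:", exc)
```

Running the script on a host before and after the upgrade shows whether the interpreter now rejects such values itself; the guard behaves the same on both.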

CVE-2025-11468

An issue similar to the above. Comments consisting of a very long


Severity: important

Package: python3.9
Version: 3.9.2-1+deb11u5
CVE ID: CVE-2025-11468 CVE-2025-12084 CVE-2025-15282 CVE-2025-15366
