Debian LTS Advisory DLA-4583-1             https://www.debian.org/lts/security/
Arnaud Rebillout                                                   May 15, 2026
                                                   https://wiki.debian.org/LTS

Package        : python3.9
Version        : 3.9.2-1+deb11u7
CVE ID         : CVE-2025-13462 CVE-2026-0672 CVE-2026-2297 CVE-2026-3644
                 CVE-2026-4224 CVE-2026-4519
Debian Bug     :

Multiple vulnerabilities were discovered in Python 3.9.

CVE-2025-13462

    The "tarfile" module would still apply normalization of AREGTYPE (\x00)
    blocks to DIRTYPE, even while processing a multi-block member such as
    GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar
    archive being misinterpreted by the tarfile module compared to other
    implementations.

CVE-2026-0672

    When using http.cookies.Morsel, user-controlled cookie values and
    parameters can allow injecting HTTP headers into messages. The patch
    rejects all control characters within cookie names, values, and
    parameters.

CVE-2026-2297

    The import hook in CPython that handles legacy *.pyc files
    (SourcelessFileLoader) is incorrectly handled in FileLoader (a base
    class) and so does not use io.open_code() to read the .pyc files.
    sys.audit handlers for this audit event therefore do not fire.

CVE-2026-3644

    The fix for CVE-2026-0672, which rejected control characters in
    http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator,
    and unpickling paths were not patched, allowing control characters to
    bypass input validation. Additionally, BaseCookie.js_output() lacked the
    output validation applied to BaseCookie.output().

CVE-2026-4224

    When an Expat parser with a registered ElementDeclHandler parses an
    inline document type definition containing a deeply nested content
    model, a C stack overflow occurs.

CVE-2026-4519

    The webbrowser.open() API would accept leading dashes in the URL, which
    could be handled as command line options by certain web browsers. The
    new behavior rejects leading dashes. Users are recommended to sanitize
    URLs prior to passing them to webbrowser.open().

For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u7.

We recommend that you upgrade your python3.9 packages.

For the detailed security status of python3.9 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/python3.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

Severity (LinuxSecurity.com rating): Critical
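The two input-handling fixes above (control characters in http.cookies.Morsel for CVE-2026-0672 / CVE-2026-3644, leading dashes in URLs given to webbrowser.open() for CVE-2026-4519) can be enforced ahead of the library call on hosts that have not yet received 3.9.2-1+deb11u7. The helpers below are an added example, not CPython's patch or Debian's; they assume "control characters" means the C0 range plus DEL, since the advisory does not list the exact set upstream rejects.

```python
"""Pre-validation helpers for the cookie and webbrowser.open() fixes in
DLA-4583-1. Added example, not CPython's or Debian's code. Assumption:
"control characters" is taken to mean C0 controls (0x00-0x1f) and DEL."""
from http.cookies import Morsel

_CONTROL_CHARS = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}


def find_control_char_field(name, value, params):
    """Return the label of the first cookie field (name, value, or a
    parameter) that contains a control character, or None if all are clean.
    Checking the parameters too covers the Morsel.update() and |= paths
    that the first upstream fix missed (CVE-2026-3644)."""
    fields = [("name", name), ("value", value)] + [
        (f"param {k}", v) for k, v in params.items()
    ]
    for label, text in fields:
        if any(ch in _CONTROL_CHARS for ch in str(text)):
            return label
    return None


def checked_morsel(name, value, **params):
    """Build a Morsel only after every field passes the control-char check,
    so a CR/LF in user-controlled input cannot reach the Set-Cookie line on
    an interpreter that predates the fix."""
    bad = find_control_char_field(name, value, params)
    if bad is not None:
        raise ValueError(f"control character in cookie {bad}")
    m = Morsel()
    m.set(name, value, value)  # key, value, coded_value
    m.update(params)  # goes through the update() path named in the advisory
    return m


def safe_browser_url(url):
    """Return the URL unchanged if it is safe to hand to webbrowser.open(),
    None if it starts with a dash (could be read as a browser option).
    Requiring an http(s) scheme is this example's own extra hardening,
    beyond what the advisory's fix does."""
    if url.startswith("-") or not url.startswith(("http://", "https://")):
        return None
    return url


if __name__ == "__main__":
    print(checked_morsel("session", "abc123", path="/", secure=True).output())
    print(safe_browser_url("-new-window"), safe_browser_url("https://debian.org"))
```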