UbuntuUpdates.org

Bugs fixes in "python3.14"

Origin Bug number Title Date fixed
CVE CVE-2026-3276 unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with 2026-07-06
CVE CVE-2026-1502 CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. 2026-07-06
CVE CVE-2026-9669 bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same dec 2026-07-06
CVE CVE-2026-8328 The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV ho 2026-07-06
CVE CVE-2021-4189 ftplib should not use the host from the PASV response 2026-07-06
CVE CVE-2026-7774 tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive me 2026-07-06
CVE CVE-2026-6100 Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `M 2026-07-06
CVE CVE-2026-6019 http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML 2026-07-06
CVE CVE-2026-5713 The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree" 2026-07-06
CVE CVE-2026-4786 Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser. 2026-07-06
CVE CVE-2026-4519 The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behav 2026-07-06
CVE CVE-2026-3276 unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with 2026-07-06
CVE CVE-2026-1502 CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. 2026-07-06
CVE CVE-2026-9669 bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same dec 2026-07-06
CVE CVE-2026-8328 The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV ho 2026-07-06
CVE CVE-2021-4189 ftplib should not use the host from the PASV response 2026-07-06
CVE CVE-2026-7774 tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive me 2026-07-06
CVE CVE-2026-6100 Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `M 2026-07-06
CVE CVE-2026-6019 http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML 2026-07-06
CVE CVE-2026-5713 The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree" 2026-07-06



About   -   Send Feedback to @ubuntu_updates