UbuntuUpdates.org

Package "python3.13-minimal"

Name: python3.13-minimal

Description:

Minimal subset of the Python language (version 3.13)

Latest version: 3.13.7-1ubuntu0.3
Release: questing (25.10)
Level: security
Repository: main
Head package: python3.13


Other versions of "python3.13-minimal" in Questing

Repository Area Version
base main 3.13.7-1
updates main 3.13.7-1ubuntu0.3

Changelog

Version: 3.13.7-1ubuntu0.3 2026-02-05 19:07:56 UTC

  python3.13 (3.13.7-1ubuntu0.3) questing-security; urgency=medium

  * SECURITY UPDATE: Header injection in email messages where addresses are not
    sanitized.
    - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash
      in Lib/email/_header_value_parser.py. Add test in
      Lib/test/test_email/test__header_value_parser.py.
    - CVE-2025-11468
  * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML
    documents.
    - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace
      with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument
      to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.
    - CVE-2025-12084
  * SECURITY UPDATE: OOM and denial of service when opening malicious plist
    file.
    - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read
      with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.
    - CVE-2025-13837
  * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.
    - debian/patches/CVE-2025-15282.patch: Add control character checks in
      Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.
  * SECURITY UPDATE: Command injection through user controlled commands in
    imaplib.
    - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in
      Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.
  * SECURITY UPDATE: Command injection through user controlled commands in
    poplib.
    - debian/patches/CVE-2025-15367.patch: Add control character regex check
      in Lib/poplib.py. Add test in Lib/test/test_poplib.py.
    - CVE-2025-15367
  * SECURITY UPDATE: HTTP header injection in user controlled cookie values.
    - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and
      checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.
    - CVE-2026-0672
  * SECURITY UPDATE: HTTP header injection in user controlled headers and
    values with newlines.
    - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in
      Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and
      Lib/test/test_wsgiref.py.
    - CVE-2026-0865

 -- Hlib Korzhynskyy <email address hidden> Thu, 22 Jan 2026 16:45:57 -0330

CVE-2025-11468 When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be us
CVE-2025-12084 When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadra
CVE-2025-13837 When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
CVE-2025-15282 User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-15366 The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containi
CVE-2025-15367 The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containin
CVE-2026-0672 When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all contro
CVE-2026-0865 User-controlled header names and values containing newlines can allow injecting HTTP headers.

Version: 3.13.7-1ubuntu0.2 2026-01-12 09:07:50 UTC

  python3.13 (3.13.7-1ubuntu0.2) questing-security; urgency=medium

  * SECURITY UPDATE: HTTP Content-Length denial of service
    - debian/patches/CVE-2025-13836.patch: Read large data in chunks with
      geometric reads in Lib/http/client.py and add tests in
      Lib/test/test_httplib.py
    - CVE-2025-13836

 -- Vyom Yadav <email address hidden> Thu, 08 Jan 2026 17:45:45 +0530

CVE-2025-13836 When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malici

Version: 3.13.7-1ubuntu0.1 2025-11-27 10:13:42 UTC

  python3.13 (3.13.7-1ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Possible payload obfuscation
    - debian/patches/CVE-2025-8291.patch: check consistency of
      the zip64 end of central dir record in Lib/zipfile.py,
      Lib/test/test_zipfile.py.
    - CVE-2025-8291
  * SECURITY UPDATE: Performance degradation
    - debian/patches/CVE-2025-6075.patch: fix quadratic complexity
      in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,
      Lib/test/test_genericpatch.py, Lib/test/test_npath.py.
    - CVE-2025-6075

 -- Hlib Korzhynskyy <email address hidden> Mon, 24 Nov 2025 17:21:28 -0330

CVE-2025-8291 The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locat
CVE-2025-6075 If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.


