|
python3.14 (3.14.4-1ubuntu0.1) resolute-security; urgency=medium
* SECURITY UPDATE: HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF
- debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request
headers in Lib/http/client.py,
Lib/test/test_httplib.py.
- CVE-2026-1502
* SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time
- debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in
unicodedata.normalize() in Lib/test/test_unicodedata.py,
Modules/unicodedata.c.
- CVE-2026-3276
* SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete
- debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution
bypass of dash-prefix check in Lib/test/test_webbrowser.py,
Lib/webbrowser.py.
- CVE-2026-4786
* SECURITY UPDATE: insufficient validation of remote debugging offset tables
- debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables
on load in Modules/_remote_debugging_module.c.
- CVE-2026-5713
* SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()
- debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values
embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.
- debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for
UTF-8 support in js_output() in Lib/http/cookies.py,
Lib/test/test_http_cookies.py.
- CVE-2026-6019
* SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders
- debian/patches/CVE-2026-6100.patch: Fix a possible UAF in
{LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,
Modules/_lzmamodule.c, Modules/zlibmodule.c.
- CVE-2026-6100
* SECURITY UPDATE: tarfile.data_filter could be bypassed
- debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written
link target in Lib/tarfile.py, Lib/test/test_tarfile.py.
- CVE-2026-7774
* SECURITY UPDATE: Incomplete fix for CVE-2021-4189
- debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to
ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.
- CVE-2026-8328
* SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error
- debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after
errors in Lib/test/test_bz2.py, Modules/_bz2module.c.
- CVE-2026-9669
-- Marc Deslauriers <email address hidden> Thu, 18 Jun 2026 10:25:02 -0400
|