[Git][security-tracker-team/security-tracker][master] pypy3: reference recent py3-stdlib CVEs
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Thu Jul 17 20:36:20 BST 2025
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
914d974e by Sylvain Beucler at 2025-07-17T21:35:43+02:00
pypy3: reference recent py3-stdlib CVEs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -18969,6 +18969,8 @@ CVE-2025-4516 (There is an issue in CPython when using `bytes.decode("unicode_es
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
[bullseye] - python3.9 <postponed> (Minor issue, likely DoS-only, fix along with next update)
+ - pypy3 <unfixed>
+ [bullseye] - pypy3 <postponed> (Minor issue, likely DoS-only, fix along with next update)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/
NOTE: PoC: https://www.openwall.com/lists/oss-security/2025/05/19/1
NOTE: https://github.com/python/cpython/issues/133767
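Review bot: The new "- pypy3 <unfixed>" line gets a triage annotation for bullseye only, so any other release that ships pypy3 inherits a bare <unfixed> with no recorded decision. The python3.11 entry just above is marked "[bookworm] - python3.11 <no-dsa> (Minor issue)"; if the same assessment applies to pypy3 there, add the matching "[bookworm] - pypy3 <no-dsa> (Minor issue)" line so the two packages are triaged consistently for this CVE.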
@@ -44056,6 +44058,8 @@ CVE-2025-1795 (During an address list folding when a separating comma ends up on
- python3.11 <removed>
[bookworm] - python3.11 3.11.2-6+deb12u6
- python3.9 <removed>
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/100884
NOTE: Regression issue: https://github.com/python/cpython/issues/118643
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/
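Review bot: The fixed version "pypy3 7.3.18+dfsg-1" is added to an entry whose NOTEs record a regression issue (cpython issue 118643), and nothing in the hunk says whether that pypy3 version carries the follow-up fix as well as the original one. A short NOTE stating which embedded stdlib version 7.3.18 ships, and that it includes the regression fix, would make the fixed version verifiable.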
@@ -77794,6 +77798,8 @@ CVE-2024-11168 (The urllib.parse.urlsplit() and urlparse() functions improperly
- python3.11 3.11.4-1
[bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/103848
NOTE: https://github.com/python/cpython/pull/103849
NOTE: https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 (v3.12.0b1)
@@ -96825,6 +96831,8 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython.
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue; ReDoS)
NOTE: https://github.com/python/cpython/issues/121285
NOTE: https://github.com/python/cpython/pull/121286
NOTE: https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373 (v3.13.0rc2)
@@ -98677,6 +98685,8 @@ CVE-2024-8088 (There is a HIGH severity vulnerability affecting the CPython "zip
- python3.11 <removed>
- python3.9 <removed>
- python2.7 <not-affected> (zipfile.Path introduced in v3.8)
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <not-affected> (zipfile.Path introduced in v3.8; embedding 3.6.9)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
NOTE: https://github.com/python/cpython/pull/122906
NOTE: https://github.com/python/cpython/issues/122905
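Review bot: In the added "[bullseye] - pypy3 <not-affected>" line, the reason "zipfile.Path introduced in v3.8; embedding 3.6.9" leaves the reader to work out that 3.6.9 is the stdlib version bundled with bullseye's pypy3. Spelling it out, for example "(zipfile.Path introduced in v3.8; bullseye pypy3 embeds stdlib 3.6.9)", would help, since this is the only place in the commit where the embedded version is stated and the other bullseye annotations depend on it.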
@@ -99940,6 +99950,8 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific
- python3.11 <removed>
[bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue; DoS)
NOTE: https://github.com/python/cpython/pull/123075
NOTE: https://github.com/python/cpython/issues/123067
NOTE: https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 (v3.13.0rc2)
@@ -104245,6 +104257,8 @@ CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython. The
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/121650
NOTE: https://github.com/python/cpython/pull/122233
NOTE: https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0 (v3.13.0rc2)
@@ -116007,11 +116021,13 @@ CVE-2024-4032 (The \u201cipaddress\u201d module contained incorrect information
- python3.9 <removed>
- python3.7 <removed>
- python2.7 <not-affected> (ipaddress module added in 3.3)
+ - pypy3 7.3.18+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/advisories/GHSA-mh6q-v4mp-2cc7
NOTE: https://github.com/python/cpython/issues/113171
NOTE: https://github.com/python/cpython/pull/113179
- NOTE: https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb (3.11.y-branch)
- NOTE: https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8 (3.9.y-branch)
+ NOTE: https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb (v3.11.10)
+ NOTE: https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8 (v3.9.20)
CVE-2024-38470 (zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site ...)
NOT-FOR-US: zhimengzhe iBarn
CVE-2024-38469 (zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site ...)
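Review bot: The last four changed lines of this hunk relabel the two existing commit NOTEs from "(3.11.y-branch)" and "(3.9.y-branch)" to "(v3.11.10)" and "(v3.9.20)", which is unrelated to the pypy3 references named in the commit subject. The new labels match the "(v3.13.0rc2)" style used by other entries, so the cleanup itself looks fine, but it should either go in its own commit or be mentioned in the commit message so the history shows why these NOTEs changed.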
@@ -287705,6 +287721,8 @@ CVE-2015-20107 (In Python (aka CPython) up to 3.10.8, the mailcap module does no
- python2.7 <unfixed>
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
[stretch] - python2.7 <no-dsa> (Minor issue)
+ - pypy3 7.3.11+dfsg-1
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://bugs.python.org/issue24778
NOTE: https://github.com/python/cpython/issues/68966
NOTE: https://github.com/python/cpython/pull/91993
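Review bot: The added line "- pypy3 7.3.11+dfsg-1" is the only fixed entry in this commit that does not use 7.3.18+dfsg-1, and no NOTE explains where either version comes from. Add a NOTE naming the pypy release or embedded stdlib version that first carried the mailcap fix, so the difference from the other entries is documented rather than looking like a typo.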
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/914d974e527771f7ff161a37037d8d81a0350ed0