[Git][security-tracker-team/security-tracker][master] CVE-2025-1795/python: fix introductory commit

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Wed Feb 4 08:31:28 GMT 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
41e5f4fb by Sylvain Beucler at 2026-02-04T09:30:21+01:00
CVE-2025-1795/python: fix introductory commit

While v3.3.0a4 introduces the fixed code, the PoC from
https://github.com/python/cpython/issues/100884 doesn't fail (',' is
properly maintained) until the rewrite in v3.6.4rc1.

Same for the initial
'test_address_list_with_list_separator_after_fold' test case.

(Note: following the regression fix, the updated test case fails
before the rewrite but due to an infinite loop, which is a different
issue.)

Fixes: d097a1d38ee8a56d1c9ff1ecf2b38b958f460846

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -117326,7 +117326,7 @@ CVE-2025-1795 (During an address list folding when a separating comma ends up on
 	NOTE: Regression fixed by: https://github.com/python/cpython/commit/8c96850161da23ad2b37551d2a89c7d4716fe024 (v3.12.4)
 	NOTE: Fixed by: https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593 (v3.11.9)
 	NOTE: Regression Fixed by: https://github.com/python/cpython/commit/4762b365406a8cf026a4a4ddcae34c28a41c3de9 (v3.11.10)
-	NOTE: Introduced by: https://github.com/python/cpython/commit/0b6f6c82b51b7071d88f48abb3192bf3dc2a2d24 (v3.3.0a4)
+	NOTE: Introduced by: https://github.com/python/cpython/commit/a87ba60fe56ae2ebe80ab9ada6d280a6a1f3d552 (v3.6.4rc1)
 CVE-2025-1776 (Cross-Site Scripting (XSS) vulnerability in Soteshop, versions prior t ...)
 	NOT-FOR-US: Soteshop
 CVE-2025-1749 (HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. Th ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e5f4fbd22e8d4130d0ab93d1fc54627ab4459e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e5f4fbd22e8d4130d0ab93d1fc54627ab4459e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260204/28cba559/attachment.htm>

More information about the debian-security-tracker-commits mailing list