[Git][security-tracker-team/security-tracker][master] Reserve DLA-4445-1 for python3.9

Tue Jan 20 17:48:31 GMT 2026


Andrej Shadura pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9e6b2a09 by Andrej Shadura at 2026-01-20T18:48:07+01:00
Reserve DLA-4445-1 for python3.9

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -21641,7 +21641,6 @@ CVE-2025-12084 (When building nested elements using xml.dom.minidom methods such
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed>
@@ -22337,7 +22336,6 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue)
 	- pypy3 <unfixed>
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
@@ -22354,7 +22352,6 @@ CVE-2025-13836 (When reading an HTTP response from a server, if no read amount i
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue)
 	- pypy3 <unfixed>
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
@@ -29971,7 +29968,6 @@ CVE-2025-6075 (If the value passed to os.path.expandvars() is user-controlled a
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue, DoS)
 	- pypy3 <unfixed>
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
@@ -38034,7 +38030,6 @@ CVE-2025-8291 (The 'zipfile' module would not check the validity of the ZIP64 En
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue, canonical validation)
 	- jython <unfixed> (bug #1118432)
 	[trixie] - jython <no-dsa> (Minor issue)
 	[bookworm] - jython <no-dsa> (Minor issue)
@@ -63462,7 +63457,6 @@ CVE-2025-8194 (There is a defect in the CPython \u201ctarfile\u201d module affec
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://github.com/python/cpython/issues/130577
@@ -76755,7 +76749,6 @@ CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complex
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue; can be fixed in next update)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed> (bug #1118430)
@@ -86121,7 +86114,6 @@ CVE-2025-4516 (There is an issue in CPython when using `bytes.decode("unicode_es
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	[bullseye] - python3.9 <postponed> (Minor issue, likely DoS-only, fix along with next update)
 	- pypy3 <not-affected> (Vulnerable code not present; memory error in C code implementation)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/
 	NOTE: PoC: https://www.openwall.com/lists/oss-security/2025/05/19/1


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[20 Jan 2026] DLA-4445-1 python3.9 - security update
+	{CVE-2022-37454 CVE-2025-4516 CVE-2025-6069 CVE-2025-6075 CVE-2025-8194 CVE-2025-8291 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837}
+	[bullseye] - python3.9 3.9.2-1+deb11u4
 [19 Jan 2026] DLA-4444-1 apache-log4j2 - security update
 	{CVE-2025-68161}
 	[bullseye] - apache-log4j2 2.17.1-1~deb11u2


=====================================
data/dla-needed.txt
=====================================
@@ -339,11 +339,6 @@ python-tornado (dleidert)
 python-urllib3 (guilhem)
   NOTE: 20260108: Added by Front-Desk (lamby)
 --
-python3.9 (andrewsh)
-  NOTE: 20251214: Added by Front-Desk (dleidert)
-  NOTE: 20251214: Another round of CVEs is due to be fixed (dleidert/front-desk)
-  NOTE: 20260102: Consider fixing python3.11/bookworm and python3.13/trixie (Beuc/front-desk)
---
 runc
   NOTE: 20251105: Added by Front-Desk (Beuc)
   NOTE: 20251105: 3 high-severity container breakouts. Used by docker.io.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6b2a09dc14946ef1d0f38b76b8fd981dd3c4e7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6b2a09dc14946ef1d0f38b76b8fd981dd3c4e7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260120/0ca38f8e/attachment-0001.htm>
