[Git][security-tracker-team/security-tracker][master] Track fixed version for python3.13 issue via unstable

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jun 11 05:52:34 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eed5b5c8 by Salvatore Bonaccorso at 2026-06-11T06:51:51+02:00
Track fixed version for python3.13 issue via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2284,7 +2284,7 @@ CVE-2026-11701 (Inappropriate implementation in Guest View in Google Chrome prio
 	[bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2026-9669 (bz2.BZ2Decompressor objects could be reused after a decompression erro ...)
 	- python3.14 3.14.6-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <no-dsa> (Minor issue, will be fixed via pu)
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
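Review bot: The new `- python3.13 3.13.14-1` line here, repeated unchanged in every later hunk, gives no pointer to where the fix was confirmed for this particular CVE. The commit message speaks of one "issue" while fifteen entries change, so citing the unstable upload's changelog in the message, or adding a NOTE line per entry, would let a later reader verify each one instead of trusting the bulk edit. Separately, the trixie context line in this entry is the only one in the patch annotated "will be fixed via pu"; if the other trixie `<no-dsa>` entries are headed for the same point update, annotating them the same way would keep the list consistent.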
@@ -5153,7 +5153,7 @@ CVE-2026-8037 (OS Command Injection Remote Code Execution Vulnerability in API i
 	NOT-FOR-US: Progress Software
 CVE-2026-7774 (tarfile.data_filter could be bypassed using crafted link entries, incl ...)
 	- python3.14 3.14.6-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -5851,7 +5851,7 @@ CVE-2019-25720 (Dr\xe4ger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000,
 	NOT-FOR-US: Draeger
 CVE-2026-3276 (unicodedata.normalize() can take excessive CPU time when processing sp ...)
 	- python3.14 3.14.6-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -18550,7 +18550,7 @@ CVE-2026-8367 (aria2c accepts a server certificate with incorrect Extended Key U
 	NOTE: https://github.com/aria2/aria2/issues/2355
 CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when  CVE-2021-4 ...)
 	- python3.14 3.14.6-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -21157,7 +21157,7 @@ CVE-2026-7308 (An authenticated user with upload permission to a hosted reposito
 	NOT-FOR-US: Sonatype
 CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entro ...)
 	- python3.14 3.14.6-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -32717,7 +32717,7 @@ CVE-2026-6874 (A vulnerability was determined in ericc-ch copilot-api up to 0.7.
 	NOT-FOR-US: ericc-ch copilot-api
 CVE-2026-6019 (http.cookies.Morsel.js_output() returns an inline <script> snippet and ...)
 	- python3.14 3.14.5~rc1-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -38010,7 +38010,7 @@ CVE-2026-6201 (A vulnerability was identified in CodeAstro Online Job Portal 1.0
 	NOT-FOR-US: CodeAstro Online Job Portal
 CVE-2026-4786 (Mitgation ofCVE-2026-4519 was incomplete. If the URL contained "%actio ...)
 	- python3.14 3.14.5-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <not-affected> (Incomplete fix not released)
 	- python3.11 <not-affected> (Incomplete fix not released)
 	- python3.9 <not-affected> (Incomplete fix not released)
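Review bot: The unchanged context line `[trixie] - python3.13 <not-affected> (Incomplete fix not released)` should be re-checked as part of this change. The CVE-2026-4519 entry later in this patch records trixie as fixed in 3.13.5-2+deb13u2, so a fix for CVE-2026-4519 has been released there, and `<not-affected>` holds only if that upload already carried the complete fix tracked under this CVE. If it did, a short NOTE saying so would make the reasoning checkable; if it did not, the trixie line needs a `<no-dsa>` or fixed-version status instead.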
@@ -38328,7 +38328,7 @@ CVE-2026-6182 (A vulnerability was identified in code-projects Simple Content Ma
 CVE-2026-6100 (Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2 ...)
 	{DLA-4532-1}
 	- python3.14 3.14.5~rc1-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -39134,7 +39134,7 @@ CVE-2026-40021 (Apache Log4net's  XmlLayout https://logging.apache.org/log4net/m
 	NOTE: https://lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7
 CVE-2026-3446 (When calling base64.b64decode() or related functions the decoding proc ...)
 	- python3.14 3.14.4-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <ignored> (Not backported to older Python releases due to compat concerns)
@@ -39349,7 +39349,7 @@ CVE-2026-22560 (An open redirect vulnerability in Rocket.Chat versions prior to
 	NOT-FOR-US: Rocket.Chat
 CVE-2026-1502 (CR/LF bytes were not rejected by HTTP client proxy tunnel headers or h ...)
 	- python3.14 3.14.5-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -52202,7 +52202,7 @@ CVE-2024-13785 (The The Contact Form, Survey, Quiz & Popup Form Builder \u2013 A
 CVE-2026-4519 (The webbrowser.open() API would accept leading dashes in the URL which ...)
 	{DLA-4583-1}
 	- python3.14 3.14.4-1
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -54520,7 +54520,7 @@ CVE-2026-4227 (A security vulnerability has been detected in LB-LINK BL-WR9000 2
 CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses an in ...)
 	{DLA-4583-1}
 	- python3.14 3.14.3-4
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -54541,7 +54541,7 @@ CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses
 CVE-2026-3644 (The fix for CVE-2026-0672, which rejected control characters in http.c ...)
 	{DLA-4583-1}
 	- python3.14 3.14.3-4
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -56045,7 +56045,7 @@ CVE-2025-13913 (A privileged Ignition user, intentionally or otherwise, imports
 CVE-2025-13462 (The "tarfile" module would still apply normalization of AREGTYPE (\x00 ...)
 	{DLA-4583-1}
 	- python3.14 3.14.3-4
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u1
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -59676,7 +59676,7 @@ CVE-2026-2365 (The Fluent Forms Pro plugin for WordPress is vulnerable to Stored
 CVE-2026-2297 (The import hook in CPython that handles legacy *.pyc files (Sourceless ...)
 	{DLA-4583-1}
 	- python3.14 3.14.3-4
-	- python3.13 <unfixed>
+	- python3.13 3.13.14-1
 	[trixie] - python3.13 3.13.5-2+deb13u1
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed5b5c80f878bc7cbe1b3926d9a52a8ad667fef
