[Git][security-tracker-team/security-tracker][master] Add references for CVEs that affect Python 3.11
Arnaud Rebillout (@arnaudr)
arnaudr at debian.org
Wed Mar 25 08:00:54 GMT 2026
Arnaud Rebillout pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1c8d8722 by Arnaud Rebillout at 2026-03-25T15:00:43+07:00
Add references for CVEs that affect Python 3.11
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -49559,6 +49559,7 @@ CVE-2025-12084 (When building nested elements using xml.dom.minidom methods such
NOTE: Fixed by: https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 (main)
NOTE: Fixed by: https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0 (v3.14.2)
NOTE: Fixed by: https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964 (v3.13.11)
+ NOTE: Fixed by: https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8 (v3.11.15)
NOTE: Regression: https://github.com/python/cpython/issues/142754
NOTE: Regression: https://github.com/python/cpython/commit/1cc7551b3f9f71efbc88d96dce90f82de98b2454 (v3.15.0a3)
CVE-2024-3884 (A flaw was found in Undertow that can cause remote denial of service a ...)
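Review bot: The CVE-2025-12084 entry now lists a v3.11.15 fix directly above two Regression notes (issue 142754 and commit 1cc7551b, tagged v3.15.0a3), and nothing in the entry says whether the 3.11 backport a46c10ec is affected by that regression. A follow-up NOTE stating the regression status for the 3.11 branch would save the next reader from checking the backport by hand.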
@@ -50256,6 +50257,7 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
NOTE: https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 (main)
NOTE: https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb (v3.14.1)
NOTE: https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba (v3.13.10)
+ NOTE: https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111 (v3.11.15)
NOTE: Introduced by: https://github.com/python/cpython/commit/065266450ea5519a43bcc199e48d304f1e7038e8 (v3.4.2rc1)
CVE-2025-13836 (When reading an HTTP response from a server, if no read amount is spec ...)
{DLA-4445-1}
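Review bot: The added v3.11.15 line for CVE-2025-13837 is a bare NOTE with no label, sitting right above a line that is labelled "Introduced by:". It matches the unlabelled main, v3.14.1 and v3.13.10 lines in this entry, but the CVE-2025-12084 and CVE-2025-8194 entries touched by the same commit write "NOTE: Fixed by:". Using that prefix on the fix lines of this entry would make fixing and introducing commits distinguishable at a glance.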
@@ -50274,6 +50276,7 @@ CVE-2025-13836 (When reading an HTTP response from a server, if no read amount i
NOTE: https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5 (main)
NOTE: https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155 (v3.14.1)
NOTE: https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15 (v3.13.11)
+ NOTE: https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c (v3.11.15)
NOTE: Introduced by: https://github.com/python/cpython/commit/d6bf6f2d0c83f0c64ce86e7b9340278627798090 (v3.8.0a4)
NOTE: but reverted for branch 3.9 (only): https://github.com/python/cpython/commit/153365d864c411f6fb523efa752ccb3497d815ca (v3.9.7)
CVE-2025-13835 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
@@ -57927,6 +57930,7 @@ CVE-2025-6075 (If the value passed to os.path.expandvars() is user-controlled a
NOTE: https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c (main)
NOTE: https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84 (v3.14.1)
NOTE: https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742 (v3.13.10)
+ NOTE: https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427 (v3.11.15)
NOTE: https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca (3.10-branch)
NOTE: https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c (v3.9.25)
CVE-2025-64389 (The web server of the device performs exchanges of sensitive informati ...)
@@ -91494,6 +91498,7 @@ CVE-2025-8194 (There is a defect in the CPython \u201ctarfile\u201d module affec
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/
NOTE: Fixed by: https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38 (main)
NOTE: Fixed by: https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe (v3.13.6)
+ NOTE: Fixed by: https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb (v3.11.14)
CVE-2025-7676 (DLL hijacking of all PE32 executables when run on Windows for ARM64 CP ...)
NOT-FOR-US: Microsoft
CVE-2025-6918 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
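Review bot: The added line for CVE-2025-8194 is tagged v3.11.14, while the four other lines added in this commit are tagged v3.11.15. If the tarfile fix did land one release earlier on the 3.11 branch, the line is fine as is; otherwise the tag needs correcting. Either way, a word in the commit message would make the difference read as intentional.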
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c8d8722ec1a0bb769c728def786d207646e9ae8