[Git][security-tracker-team/security-tracker][master] python3.14 fixed in sid

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon May 11 13:33:15 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6f6cbd00 by Moritz Muehlenhoff at 2026-05-11T14:32:56+02:00
python3.14 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -15288,11 +15288,12 @@ CVE-2026-5754 (Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alt
 CVE-2026-5752 (Sandbox Escape Vulnerability in Terrarium allows arbitrary code execut ...)
 	NOT-FOR-US: Terrarium
 CVE-2026-5713 (The "profiling.sampling" module (Python 3.15+) and "asyncio introspect ...)
-	- python3.14 <unfixed>
+	- python3.14 3.14.5-1
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/
 	NOTE: https://github.com/python/cpython/issues/148178
 	NOTE: https://github.com/python/cpython/pull/148187
-	NOTE: https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67
+	NOTE: https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67 (v3.15.0b1)
+	NOTE: https://github.com/python/cpython/commit/316f6265b7f9ca4ffed5346b747475ef1943f35d (v3.14.5)
 CVE-2026-5307
 	REJECTED
 CVE-2026-4914 (Stored XSSinIvantiN-ITSMbeforeversion 2025.4allows aremoteauthenticate ...)
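Review bot: The tag annotation on the new 316f6265 NOTE for CVE-2026-5713 reads (v3.14.5), while the 3.14 backports recorded for CVE-2026-4786 and CVE-2026-1502 in this same commit are annotated (v3.14.5rc1). If this backport also first appeared in the release candidate, use the rc1 tag here as well so every annotation names the first tag containing the fix; if it landed after rc1, the difference is correct and can stay.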
@@ -15931,14 +15932,12 @@ CVE-2026-6202 (A security flaw has been discovered in code-projects Easy Blog Si
 CVE-2026-6201 (A vulnerability was identified in CodeAstro Online Job Portal 1.0. The ...)
 	NOT-FOR-US: CodeAstro Online Job Portal
 CVE-2026-4786 (Mitgation ofCVE-2026-4519 was incomplete. If the URL contained "%actio ...)
-	- python3.14 <unfixed>
+	- python3.14 3.14.5-1
 	- python3.13 <unfixed>
 	[trixie] - python3.13 <not-affected> (Incomplete fix not released)
-	- python3.11 <removed>
-	[bookworm] - python3.11 <not-affected> (Incomplete fix not released)
+	- python3.11 <not-affected> (Incomplete fix not released)
 	- python3.9 <removed>
-	- python2.7 <removed>
-	[bullseye] - python2.7 <not-affected> (Incomplete fix not released)
+	- python2.7 <not-affected> (Incomplete fix not released)
 	- jython <not-affected> (Incomplete fix not released)
 	- pypy3 7.3.22+dfsg-1
 	[trixie] - pypy3 <not-affected> (Incomplete fix not released)
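Review bot: The python3.11 and python2.7 entries are collapsed from "<removed>" plus a per-release "<not-affected>" into a single unconditional "<not-affected> (Incomplete fix not released)", but python3.9, which sits between them, is left as "<removed>". If the same reasoning applies to python3.9, give it the same treatment; otherwise it is worth saying why it differs. The commit subject ("python3.14 fixed in sid") also does not mention this cleanup, so consider noting it in the message or splitting it into its own commit.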
@@ -15948,6 +15947,7 @@ CVE-2026-4786 (Mitgation ofCVE-2026-4519 was incomplete. If the URL contained "%
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/
 	NOTE: https://github.com/python/cpython/issues/148169
 	NOTE: https://github.com/python/cpython/pull/148170
+	NOTE: https://github.com/python/cpython/commit/28b4ad38067bbdad34edfcd03ad2de5f06387e53 (v3.14.5rc1)
 CVE-2026-4479 (The WholeSale Products Dynamic Pricing Management WooCommerce plugin f ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-4388 (The Form Maker by 10Web plugin for WordPress is vulnerable to Stored C ...)
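Review bot: The NOTE added for CVE-2026-4786 records only the 3.14 backport (28b4ad38, v3.14.5rc1). The CVE-2026-5713 and CVE-2026-1502 entries touched in this commit each list both a v3.15.0b1 commit and the 3.14 backport. Adding the corresponding 3.15-series commit here would keep the three entries consistent.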
@@ -17251,7 +17251,7 @@ CVE-2026-22750 (When configuring SSL bundles in Spring Cloud Gateway by using th
 CVE-2026-22560 (An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0  ...)
 	NOT-FOR-US: Rocket.Chat
 CVE-2026-1502 (CR/LF bytes were not rejected by HTTP client proxy tunnel headers or h ...)
-	- python3.14 <unfixed>
+	- python3.14 3.14.5-1
 	- python3.13 <unfixed>
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
@@ -17265,7 +17265,8 @@ CVE-2026-1502 (CR/LF bytes were not rejected by HTTP client proxy tunnel headers
 	[bullseye] - pypy3 <postponed> (Minor issue)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/
 	NOTE: https://github.com/python/cpython/issues/146211
-	NOTE: https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 (main)
+	NOTE: https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 (v3.15.0b1)
+	NOTE: https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed (v3.14.5rc1)
 CVE-2025-66447 (Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1 ...)
 	NOT-FOR-US: Chamilo LMS
 CVE-2025-5804 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
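Review bot: After this change the CVE-2026-1502 NOTEs cover v3.15.0b1 and v3.14.5rc1 only, while the same entry (previous hunk) still tracks python3.13 as "<unfixed>". If an upstream 3.13 backport commit exists, add a NOTE for it alongside these two so the branch that remains open has a reference to the fix.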



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f6cbd00f0336669fcffd79e11183a77f5fcbfa0
