{ "document": { "aggregate_severity": { "text": "None" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "* Fix arm64 build: use multiarch SOABI suffix on all architectures\n * Fix hardcoded x86_64 in debug package config filename for arm64\n * Fix rm -rf __pycache__ failure under fakeroot on Debian 12\n * Use dh_missing --fail-missing instead of manual unpackaged files check", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534", "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_alt_python/debian12/advisories/2026/clsa-2026_1772197534.json" } ], "tracking": { "current_release_date": "2026-03-03T18:21:40Z", "generator": { "date": "2026-03-03T18:21:40Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1772197534", "initial_release_date": "2026-02-27T13:05:38Z", "revision_history": [ { "date": "2026-02-27T13:05:38Z", "number": "1", "summary": "Initial version" }, { "date": "2026-03-03T18:21:40Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Update of alt-php" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian 12", "product": { "name": "Debian 12", "product_id": "Debian-12", "product_identification_helper": { "cpe": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Debian" } ], "category": "vendor", "name": "Software in the Public Interest, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "alt-python39-tkinter-0:3.9.23-7.arm64", "product": { "name": "alt-python39-tkinter-0:3.9.23-7.arm64", "product_id": "alt-python39-tkinter-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39-tkinter@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } }, { "category": "product_version", "name": "alt-python39-debug-0:3.9.23-7.arm64", "product": { "name": "alt-python39-debug-0:3.9.23-7.arm64", "product_id": "alt-python39-debug-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39-debug@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } }, { "category": "product_version", "name": "alt-python39-idle-0:3.9.23-7.arm64", "product": { "name": "alt-python39-idle-0:3.9.23-7.arm64", "product_id": "alt-python39-idle-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39-idle@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } }, { "category": "product_version", "name": "alt-python39-libs-0:3.9.23-7.arm64", "product": { "name": "alt-python39-libs-0:3.9.23-7.arm64", "product_id": "alt-python39-libs-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39-libs@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } }, { "category": "product_version", "name": "alt-python39-0:3.9.23-7.arm64", "product": { "name": "alt-python39-0:3.9.23-7.arm64", "product_id": "alt-python39-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } }, { "category": "product_version", "name": "alt-python39-devel-0:3.9.23-7.arm64", "product": { "name": "alt-python39-devel-0:3.9.23-7.arm64", "product_id": "alt-python39-devel-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39-devel@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } }, { "category": "product_version", "name": "alt-python39-test-0:3.9.23-7.arm64", "product": { "name": "alt-python39-test-0:3.9.23-7.arm64", "product_id": "alt-python39-test-0:3.9.23-7.arm64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python39-test@3.9.23-7?arch=arm64&os_name=debian&os_version=12" } } } ], "category": "architecture", "name": "arm64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "alt-python39-tkinter-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-tkinter-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python39-debug-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-debug-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-debug-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python39-idle-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-idle-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-idle-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python39-libs-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-libs-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-libs-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python39-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python39-devel-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-devel-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-devel-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python39-test-0:3.9.23-7.arm64 as a component of Debian 12", "product_id": "Debian-12:alt-python39-test-0:3.9.23-7.arm64" }, "product_reference": "alt-python39-test-0:3.9.23-7.arm64", "relates_to_product_reference": "Debian-12" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-6075", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "description", "text": "If the value passed to os.path.expandvars() is user-controlled a \nperformance degradation is possible when expanding environment \nvariables.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-6075" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c", "url": "https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427", "url": "https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84", "url": "https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca", "url": "https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742", "url": "https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba", "url": "https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c", "url": "https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c" }, { "category": "external", "summary": "https://github.com/python/cpython/issues/136065", "url": "https://github.com/python/cpython/issues/136065" }, { "category": "external", "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/" } ], "release_date": "2025-10-31T17:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-02-27T13:05:38.247424Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534", "product_ids": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2025-13837", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "description", "text": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-13837" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b", "url": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70", "url": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba", "url": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb", "url": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb" }, { "category": "external", "summary": "https://github.com/python/cpython/issues/119342", "url": "https://github.com/python/cpython/issues/119342" }, { "category": "external", "summary": "https://github.com/python/cpython/pull/119343", "url": "https://github.com/python/cpython/pull/119343" }, { "category": "external", "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/" } ], "release_date": "2025-12-01T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-02-27T13:05:38.247424Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534", "product_ids": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2025-12084", "cwe": { "id": "CWE-407", "name": "Inefficient Algorithmic Complexity" }, "notes": [ { "category": "description", "text": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-12084" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0", "url": "https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4", "url": "https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437", "url": "https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af", "url": "https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273", "url": "https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907", "url": "https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d", "url": "https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8", "url": "https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8", "url": "https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0", "url": "https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964", "url": "https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53", "url": "https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53" }, { "category": "external", "summary": "https://github.com/python/cpython/issues/142145", "url": "https://github.com/python/cpython/issues/142145" }, { "category": "external", "summary": "https://github.com/python/cpython/pull/142146", "url": "https://github.com/python/cpython/pull/142146" } ], "release_date": "2025-12-03T19:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-02-27T13:05:38.247424Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534", "product_ids": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772197534" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Debian-12:alt-python39-0:3.9.23-7.arm64", "Debian-12:alt-python39-debug-0:3.9.23-7.arm64", "Debian-12:alt-python39-devel-0:3.9.23-7.arm64", "Debian-12:alt-python39-idle-0:3.9.23-7.arm64", "Debian-12:alt-python39-libs-0:3.9.23-7.arm64", "Debian-12:alt-python39-test-0:3.9.23-7.arm64", "Debian-12:alt-python39-tkinter-0:3.9.23-7.arm64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }