Tuxcare Errata System 0.0.1 5.10 2026-04-17T11:35:23 Debian 13 * SECURITY UPDATE: DOS, buffer overflow in SHA3, Possible Bypass Blocklisting Redirection vulnerability in http.server, regex DOS, Quadratic complexity, pathname quoting for venv - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py (LP: #1995197). - debian/patches/CVE-2022-45061.patch: fix quadratic time idna decoding in Lib/encodings/idna.py, Lib/test/test_codecs.py. - debian/patches/CVE-2023-24329.patch: enforce that a scheme must begin with an alphabetical ASCII character in Lib/urllib/parse.py, Lib/test/test_urlparse.py. start stripping C0 control and space chars in `urlsplit` - debian/patches/CVE-2021-28861.patch: Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` - debian/patches/CVE-2024-6232.patch: Fix header parsing vulnerability that could lead to ReDoS - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in parsing "-quoted cookie values with backslashes - debian/patches/CVE-2024-9287.patch: Quote template strings in `venv` activation - CVE-2022-37454 - CVE-2022-45061 - CVE-2023-24329 - CVE-2021-28861 - CVE-2024-6232 - CVE-2024-7592 - CVE-2024-9287 Critical TuxCare License Agreement CVE-2022-45061 CVE-2019-17514 CVE-2024-9287 CVE-2024-7592 CVE-2024-6232 CVE-2021-28861 CVE-2022-37454 CVE-2023-24329 Debian 13 * SECURITY UPDATE: DoS in case of malicious XML entity declarations - debian/patches/CVE-2022-48565.patch: reject XML entity declarations in plist files - CVE-2022-48565 * SECURITY UPDATE: Bypassing blocklisting methods by supplying a URL that starts with blank characters - debian/patches/CVE-2023-24329.patch, debian/patches/CVE-2023-24329-2.patch: prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character - CVE-2023-24329 * SECURITY UPDATE: ReDoS via specifically-crafted tar archives - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing tarfile - CVE-2024-6232 * SECURITY UPDATE: Excessive CPU usage while parsing a cookie value - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in parsing double-quoted cookie values with backslashes - CVE-2024-7592 * SECURITY UPDATE: CPU DoS by crafting inputs to the IDNA decoder - debian/patches/CVE-2022-45061.patch: fix quadratic time idna decoding - CVE-2022-45061 * SECURITY UPDATE: Use-after-free via heappushpop in heapq - debian/patches/CVE-2022-48560.patch: fix posible crash in heapq with custom comparison operators - debian/patches/CVE-2022-48560-2.patch: add tests for CVE-2022-48560 - CVE-2022-48560 * SECURITY UPDATE: DoS by HTTP client infinite line reading from malicious server after a 100 Continue response - debian/patches/CVE-2021-3737.patch: stop reading a header if it's too long - CVE-2021-3737 * SECURITY UPDATE: A flaw in the urllib.parse module - debian/patches/CVE-2022-0391.patch: make urlparse sanitize URLs containing ASCII newline and tabs - CVE-2022-0391 Critical TuxCare License Agreement CVE-2022-0391 CVE-2022-48565 CVE-2019-20907 CVE-2024-7592 CVE-2022-48560 CVE-2024-6232 CVE-2023-24329 CVE-2022-45061 Debian 13 * SECURITY UPDATE: DoS in regular expression because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking - debian/patches/CVE-2020-8492.patch: fix DoS in the urllib regexp - CVE-2020-8492 * SECURITY UPDATE: a header injection vulnerability for http methods in the httplib - debian/patches/CVE-2020-26116.patch: prevent header injection in http methods in httplib - CVE-2020-26116 Important TuxCare License Agreement CVE-2020-26116 CVE-2020-8492 Debian 13 * SECURITY UPDATE: Web cache poisoning vulnerability - debian/patches/CVE-2021-23336.patch: fix web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs - CVE-2021-23336 * SECURITY UPDATE: Regular expression denial of service - debian/patches/CVE-2021-3733.patch: fix flaw in urllib’s AbstractBasicAuthHandler that could lead to a denial of service by leveraging a regular expression - CVE-2021-3733 * SECURITY UPDATE: Constant-time-defeating optimisations issue - debian/patches/CVE-2022-48566.patch: make compare_digest more constant-time - CVE-2022-48566 * SECURITY UPDATE: Incorrect parsing of email addresses containing special characters - debian/patches/CVE-2023-27043.patch: Fix email address parsing errors by adding optional 'strict' parameter to getaddresses() and parseaddr() functions - CVE-2023-27043 * SECURITY UPDATE: TLS handshake bypass - debian/patches/CVE-2023-40217.patch: Check for & avoid the ssl pre-close flaw. Update SSL tests - CVE-2023-40217 Moderate TuxCare License Agreement CVE-2023-40217 CVE-2022-48566 CVE-2021-23336 CVE-2021-3733 CVE-2023-27043 Debian 13 * SECURITY UPDATE: Traversing outside chmod directory - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filters directory members before chmod/chown - CVE-2024-12718 * SECURITY UPDATE: Symlink exfiltration - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: properly handles different link semantics - CVE-2025-4138 * SECURITY UPDATE: Hardlink Fallback Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filter the source if hardlink extraction falls back to copying - CVE-2025-4330 * SECURITY UPDATE: Errorlevel=0 Extracts Rejected Members - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: account errorlevel - CVE-2025-4435 * SECURITY UPDATE: PATH_MAX Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: prevents PATH_MAX overflow attacks - CVE-2025-4517 * TEST UPDATE: Incorrect encoding leading to an unexpected exception in test_tarfile.py - debian/patch/fix_test_tarfile-enconding.patch: fix encoding Important TuxCare License Agreement CVE-2025-4138 CVE-2025-4517 CVE-2025-4435 CVE-2025-4330 CVE-2024-12718 Debian 13 * SECURITY UPDATE: Command injection vulnerability in venv module activation scripts when virtual environment paths contain special shell characters - debian/patches/CVE-2024-9287.patch: Properly quote template strings in venv activation scripts Important TuxCare License Agreement CVE-2024-9287 Debian 13 * SECURITY UPDATE: ReDoS in tarfile module when parsing specially crafted tar archive headers - debian/patches/CVE-2024-6232.patch: Remove backtracking from tarfile header parsing * SECURITY UPDATE: DoS due to quadratic time complexity in http.cookies module when parsing quoted cookie values with backslashes - debian/patches/CVE-2024-7592.patch: Replace iterative regex search with single-pass substitution to eliminate quadratic complexity * SECURITY UPDATE: Command injection vulnerability in venv module activation scripts when virtual environment paths contain special shell characters - debian/patches/CVE-2024-9287.patch: Properly quote template strings in venv activation scripts Important TuxCare License Agreement CVE-2024-9287 CVE-2024-7592 CVE-2024-6232 Debian 13 * SECURITY UPDATE: Ability to modify permissions with privileged programs - debian/patches/CVE-2023-6597: prevent tempfile.TemporaryDirectory class dereference symlinks - CVE-2023-6597 Important TuxCare License Agreement CVE-2023-6597 Debian 13 * SECURITY UPDATE: Ability to modify permissions with privileged programs - debian/patches/CVE-2023-6597.patch: prevent tempfile.TemporaryDirectory class dereference symlinks - CVE-2023-6597 Important TuxCare License Agreement CVE-2023-6597 Debian 13 * SECURITY UPDATE: Bypass of domain e-mail-based protection mechanism by incorrect parsing of e-mail addresses that contain a special character - debian/patches/CVE-2023-27043.patch: reject malformed addresses in email.parseaddr() - CVE-2023-27043 * SECURITY UPDATE: Bypass of the TLS handshake and included protections - debian/patches/CVE-2023-40217.patch: check for & avoid the ssl pre-close flaw - CVE-2023-40217 Moderate TuxCare License Agreement CVE-2023-40217 CVE-2023-27043 Debian 13 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Moderate TuxCare License Agreement CVE-2025-12084 Debian 13 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Moderate TuxCare License Agreement CVE-2025-12084 Debian 13 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 * SECURITY UPDATE: Overwriting of arbitrary files by remote attackers - debian/patches/CVE-2007-4559.patch: implement PEP 706 - a filter in the tarfile module to prevent directory traversal vulnerability - CVE-2007-4559 Moderate TuxCare License Agreement CVE-2007-4559 CVE-2025-12084 Debian 13 * SECURITY UPDATE: Potential denial of service in http.client - debian/patches/CVE-2025-13836.patch: Read large data by chunks instead of allocating memory based on Content-Length - CVE-2025-13836 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: Remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Critical TuxCare License Agreement CVE-2025-12084 CVE-2025-13836 Debian 13 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 13 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 13 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 13 * SECURITY UPDATE: Memory denial of service in plistlib - debian/patches/CVE-2025-13837.patch: read large data by chunks, therefore the upper limit of consumed memory is proportional to the size of the input file. - CVE-2025-13837 Moderate TuxCare License Agreement CVE-2025-13837 Debian 13 * SECURITY UPDATE: Shell command injection in mailcap module - debian/patches/CVE-2015-20107.patch: sanitize the second argument which allowing shell commands injection - CVE-2015-20107 Important TuxCare License Agreement CVE-2015-20107 Debian 13 * SECURITY UPDATE: Traversing outside chmod directory - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filters directory members before chmod/chown - CVE-2024-12718 * SECURITY UPDATE: Symlink exfiltration - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: properly handles different link semantics - CVE-2025-4138 * SECURITY UPDATE: Hardlink Fallback Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filter the source if hardlink extraction falls back to copying - CVE-2025-4330 * SECURITY UPDATE: Errorlevel=0 Extracts Rejected Members - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: account errorlevel - CVE-2025-4435 * SECURITY UPDATE: PATH_MAX Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: prevents PATH_MAX overflow attacks - CVE-2025-4517 Important TuxCare License Agreement CVE-2025-4435 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4517 Debian 13 * SECURITY UPDATE: Traversing outside chmod directory - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filters directory members before chmod/chown - CVE-2024-12718 * SECURITY UPDATE: Symlink exfiltration - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: properly handles different link semantics - CVE-2025-4138 * SECURITY UPDATE: Hardlink Fallback Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: re-filter the source if hardlink extraction falls back to copying - CVE-2025-4330 * SECURITY UPDATE: Errorlevel=0 Extracts Rejected Members - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: account errorlevel - CVE-2025-4435 * SECURITY UPDATE: PATH_MAX Attack - debian/patches/CVE-2024-12718-CVE-2025-4138-CVE-2025-4330-CVE -2025-4435-CVE-2025-4517.patch: prevents PATH_MAX overflow attacks - CVE-2025-4517 Important TuxCare License Agreement CVE-2025-4435 CVE-2024-12718 CVE-2025-4138 CVE-2025-4330 CVE-2025-4517 Debian 13 * SECURITY UPDATE: Shell command injection in the mailcap module - debian/patches/CVE-2015-20107.patch: sanitize the second argument which allowing shell command injection - CVE-2015-20107 Important TuxCare License Agreement CVE-2015-20107 Debian 13 * SECURITY UPDATE: Quadratic complexity in xml.minidom node ID cache clearing - debian/patches/CVE-2025-12084.patch: remove quadratic behavior in xml.minidom node ID cache clearing - CVE-2025-12084 Moderate TuxCare License Agreement CVE-2025-12084 Debian 13 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 13 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 13 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 13 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 13 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 13 * SECURITY UPDATE: Quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() by replacing the character-by-character loop with regex-based substitution in both posixpath and ntpath modules. - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 13 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 13 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 13 * SECURITY UPDATE: defect in 'tarfile' module leads to infinite loop and deadlock in parsing of maliciously crafted tar archives - debian/patches/CVE-2025-8194.patch: Validate archives to ensure member offsets are non-negative - CVE-2025-8194 Important TuxCare License Agreement CVE-2025-8194 Debian 13 * SECURITY UPDATE: quadratic complexity in os.path.expandvars() - debian/patches/CVE-2025-6075.patch: replace character-by-character loop with regex-based substitution to fix quadratic complexity - CVE-2025-6075 Moderate TuxCare License Agreement CVE-2025-6075 Debian 13 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 13 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 13 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 13 * SECURITY UPDATE: regex denial of service via crafted HTML - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex - CVE-2022-40897 * SECURITY UPDATE: remote code execution via command injection in VCS downloads - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call - CVE-2024-6345 * SECURITY UPDATE: path traversal in download filename resolution - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir - CVE-2025-47273 Important TuxCare License Agreement CVE-2025-47273 CVE-2022-40897 CVE-2024-6345 Debian 13 * SECURITY UPDATE: webbrowser.open() allows command-line option injection via URLs with leading dashes - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 13 * SECURITY UPDATE: command-line option injection in webbrowser.open() - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 13 * SECURITY UPDATE: command-line option injection in webbrowser.open() - debian/patches/CVE-2026-4519.patch: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 Debian 13 * SECURITY UPDATE: webbrowser.open() accepts leading dashes in URLs which could be interpreted as command-line options by web browsers - debian/patches/CVE-2026-4519.patch: reject URLs starting with dashes in BaseBrowser._check_url() before passing to subprocess - CVE-2026-4519 Low TuxCare License Agreement CVE-2026-4519 alt-python36 alt-python36-debug alt-python36-devel alt-python36-libs alt-python36-test alt-python36-tkinter alt-python36-tools alt-python27 alt-python27-debug alt-python27-devel alt-python27-idle alt-python27-libs alt-python27-test alt-python27-tkinter alt-python27-tools alt-python38 alt-python38-debug alt-python38-devel alt-python38-idle alt-python38-libs alt-python38-test alt-python38-tkinter alt-python37 alt-python37-debug alt-python37-devel alt-python37-libs alt-python37-test alt-python37-tkinter alt-python37-tools alt-python39 alt-python39-debug alt-python39-devel alt-python39-idle alt-python39-libs alt-python39-test alt-python39-tkinter alt-python39-setuptools alt-python39-setuptools-wheel alt-python36-setuptools alt-python36-setuptools-wheel alt-python38-setuptools alt-python38-setuptools-wheel alt-python37-setuptools alt-python37-setuptools-wheel amd64 3.6.15-14 amd64 2.7.18-6 amd64 2.7.18-7 amd64 2.7.18-8 amd64 3.6.15-19 amd64 3.8.20-4 amd64 3.7.17-5 amd64 3.6.15-20 amd64 3.7.17-6 amd64 3.7.17-7 amd64 3.6.15-21 amd64 3.9.23-4 amd64 3.7.17-8 amd64 3.8.20-5 amd64 3.6.15-23 amd64 3.8.20-7 amd64 3.7.17-10 amd64 3.9.23-6 amd64 2.7.18-9 amd64 3.7.17-11 amd64 3.8.20-8 amd64 3.6.15-25 amd64 2.7.18-10 amd64 3.9.23-8 amd64 3.6.15-27 amd64 3.7.17-13 amd64 3.6.15-28 amd64 3.7.17-14 amd64 3.8.20-10 amd64 2.7.18-11 amd64 3.8.20-11 amd64 3.9.23-9 amd64 2.7.18-12 58.3.0-2 38.5.2-10 58.3.0-3 amd64|arm64 3.8.20-12 amd64 2.7.18-14 amd64|arm64 3.6.15-29 amd64|arm64 3.9.23-10