-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 20 Jan 2026 11:45:10 +0100
Source: python3.9
Architecture: source
Version: 3.9.2-1+deb11u4
Distribution: bullseye-security
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Changes:
 python3.9 (3.9.2-1+deb11u4) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Add salsa-ci.yml.
   * Drop Build-Conflicts: git.
   * Unexport PYTHONIOENCODING to unbreak tests on Salsa.
   * Disable test_mmap as it fails on Salsa.
   * Apply upstream patches for the following CVEs:
     - CVE-2022-37454: integer overflow and buffer overflow in the Keccak XKCP
       SHA-3 implementation.
     - CVE-2025-4516: issue in bytes.decode("unicode_escape",
       error="ignore|replace")
     - CVE-2025-6069: quadratic complexity in html.parser.HTMLParser
     - CVE-2025-6075: performance degradation in os.path.expandvars()
     - CVE-2025-8194: infinite loop and deadlock in tarfile
     - CVE-2025-8291: incorrect ZIP64 End of Central Directory handling
     - CVE-2025-12084: quadratic complexity in xml.dom.minidom appendChild etc
     - CVE-2025-13836: OOM or other DoS due to incorrect Content-Length
       handling in http.client
     - CVE-2025-13837: OOM or other DoS due to incorrect data size handling
       in plistlib
   * Update libpython symbols.
Checksums-Sha1:
9286c4ff5444a3c9f3577b22cfa73e785d5f8fa6 3104 python3.9_3.9.2-1+deb11u4.dsc
01ca7185264d2cb177576b314526037a62e4336b 295780 python3.9_3.9.2-1+deb11u4.debian.tar.xz
6fecff7ab560e4f5a2fa50576d7fc06bf7378812 10475 python3.9_3.9.2-1+deb11u4_source.buildinfo
Checksums-Sha256:
5a5112478bd5d1b58eb0fa1ebff39e29d4d6cb5bb72ee459365067590395c4e2 3104 python3.9_3.9.2-1+deb11u4.dsc
3ba2596aacbe002f3d67287cae8389e153f3d4f17e29a7a5e7471f5125dc33dc 295780 python3.9_3.9.2-1+deb11u4.debian.tar.xz
b25efc84eb975c09a55151e43e19eedf20a1110d825093b6f1cf8b35429a5b08 10475 python3.9_3.9.2-1+deb11u4_source.buildinfo
Files:
7f2aafb927d4ac207e9f5cc68c52031c 3104 python optional python3.9_3.9.2-1+deb11u4.dsc
82198db98b2180327433c8a9cb0a0a40 295780 python optional python3.9_3.9.2-1+deb11u4.debian.tar.xz
bbc6e935a5319bc4ed871649a12b37e0 10475 python optional python3.9_3.9.2-1+deb11u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----