Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-lts-changes@lists.debian.org> , <dispatch@tracker.debian.org>
Subject: Accepted python3.9 3.9.2-1+deb11u5 (source) into oldoldstable-security
Date: Sun, 25 Jan 2026 20:10:23 +0000
Signed by: Andrew Shadura <andrewsh@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 25 Jan 2026 14:37:52 +0100
Source: python3.9
Architecture: source
Version: 3.9.2-1+deb11u5
Distribution: bullseye
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Changes:
 python3.9 (3.9.2-1+deb11u5) bullseye; urgency=medium
 .
   * Apply upstream patch to fix regression after CVE-2025-12084 fix
     (see #1122875 for more details)
   * Apply upstream patched for the following CVEs:
     - CVE-2025-11468: Folding email comments of unfoldable characters
       didn't preserve parenthesis which could be abused.
     - CVE-2025-15282: User-controlled data URLs parsed by urllib allowed
       injecting headers through newlines in the data URL mediatype.
     - CVE-2025-15366: User-controlled command could have additional commands
       injected using newlines.
     - CVE-2025-15367: User-controlled command could have additional commands
       injected using newlines.
     - CVE-2026-0672: User-controlled cookie values and parameters could be
       used to inject HTTP headers into messages.
     - CVE-2026-0865: User-controlled header names and values containing
       newlines could be used to inject HTTP headers.
     - CVE-2026-1299: email module allowed header injection in the
       BytesGenerator class.
Checksums-Sha1:
 a5f784eb5118dff7caced84c961a73aa5b131939 3007 python3.9_3.9.2-1+deb11u5.dsc
 4a6fc7b84a9305036872638e6a53b08549ea183a 302112 python3.9_3.9.2-1+deb11u5.debian.tar.xz
 28eb2e79e38f7781e4ccfdc091b6549878541d8c 10378 python3.9_3.9.2-1+deb11u5_source.buildinfo
Checksums-Sha256:
 e1484a80600e726c3e6d0790c2f07a3fdc984c16f8464124f8fdacd587bd5fb8 3007 python3.9_3.9.2-1+deb11u5.dsc
 b6731f8cb7800ee81512086b36dcffd1a8358a98bdb02f1c31677f0812df526a 302112 python3.9_3.9.2-1+deb11u5.debian.tar.xz
 ad26080ce3f1d80adb83e58948388f4748efbe91d1924337b9f7a6f639ef7c76 10378 python3.9_3.9.2-1+deb11u5_source.buildinfo
Files:
 9419beae396853accf2df34036fd98cb 3007 python optional python3.9_3.9.2-1+deb11u5.dsc
 af86db3a57e14b0733aab859d6251b9d 302112 python optional python3.9_3.9.2-1+deb11u5.debian.tar.xz
 a301c044dab5117bf38ad3caeeaaa8e4 10378 python optional python3.9_3.9.2-1+deb11u5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaXZ1HgAKCRDoRGtKyMdy
YU2AAQDjTkYrcpKtyda30vWqpK30AmPlkfQCuLfP/hJVzrE4pQEAk0VlV+rociPY
iKyEEyStqip32XkLgKSNCWFuIBC1cAk=
=c1Og
-----END PGP SIGNATURE-----

News for package python3.9