-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Jun 2026 14:10:12 -0400
Source: python3.13
Architecture: source
Version: 3.13.14-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Stefano Rivera <stefanor@debian.org>
Closes: 1101810 1109449 1138157
Changes:
 python3.13 (3.13.14-1) unstable; urgency=medium
 .
   * Python 3.13.14.
     - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.
     - Don't trust server-provided passive connection addresses in ftplib.
       CVE-2026-8328.
     - Don't allow untrusted tarfile extraction to write outside the
       destination. CVE-2026-7774.
     - Protects against DoS in expat XML parsing. CVE-2026-7210.
     - Avoid use-after-free in decompressors under memory pressure.
       CVE-2026-6100.
     - Base64-encode cookie values embedded in JS. CVE-2026-6019.
     - Protect webbrowser %action substitutions. CVE-2026-4786.
     - Avoid DoS in unicode normalization. CVE-2026-3276.
     - Reject CR/LF in HTTP tunnel request headers. CVE-2026-1502.
     - Fixes reference leaks in ssl.Context. Closes: #1138157.
   * Python 3.13.13 resolved some security issues:
     - Avoid launching webbrowser with attacker controlled options.
       CVE-2026-4519.
     - Avoid C stack overflow in Expat parsing with registered
       ElementDeclHandler. CVE-2026-4224.
     - Reject control characters in Morsel cookies. CVE-2026-3644.
     - Base64 decode no longer ignores data after the first padded quad.
       CVE-2026-3446.
     - Ensure io.open_code is used to read .pyc files. CVE-2026-2297.
     - Skip TarInfo DIRTYPE normalization during GNU long name handling.
       CVE-2025-13462.
 .
   [ Matthias Klose ]
   * Explicitly build-depend on uuid-dev. LP: #2147343.
 .
   [ Colin Watson ]
   * Drop libnsl-dev build-dependency, which is superfluous since the nis
     module was removed in Python 3.13.
 .
   [ Stefano Rivera ]
   * Refresh patches.
   * Drop mention of gdbinit from README.debug. Closes: #1109449.
   * Tidy up python3.X-config manpage. Closes: #1101810.

-----BEGIN PGP SIGNATURE-----

iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCaioYDxQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2NFWAQCgAQW/YK3oVgojFq1myHnnV/YuylTb
HFsugI2VXaibNgD/cwJ3DY8nX0DdyLnXrQ/krBbyGoAbGyHgfaiNUx3xGwI=
=KpCp
-----END PGP SIGNATURE-----