Register | Log in

python-virtualenv

Choose email to subscribe with

general

source: python-virtualenv (main)
version: 21.2.0+ds-1
maintainer: Debian Python Team (DMD)
uploaders: Carl Chenet [DMD] – Stefano Rivera [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 20.4.0+ds-2+deb11u1
oldstable: 20.17.1+ds-1
stable: 20.31.2+ds-1
testing: 20.38.0+ds-1
unstable: 21.2.0+ds-1

versioned links

20.4.0+ds-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.17.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.31.2+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.38.0+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
21.2.0+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-virtualenv (1 bugs: 0, 1, 0, 0)
virtualenv

action needed

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-10 Last update: 2026-03-10 23:02

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-53899: (needs triaging) virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-11-24 Last update: 2026-03-10 23:02

testing migrations

excuses:
- Migrates after: python-discovery
- Migration status for python-virtualenv (20.38.0+ds-1 to 21.2.0+ds-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for automake/1:1.18.1-4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for dolfin/2019.2.0~legacy20240219.1c52e83-27: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered (will not be considered a regression) ♻ (reference ♻), riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for emacs-python-environment/0.0.2-7: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for fenics-dolfinx/1:0.10.0.post5-7: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for mypy/1.19.1-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for pdm/2.26.6-1: amd64: No tests, superficial or marked flaky ♻ (reference ♻), arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻, ppc64el: Test triggered, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for pipenv/2024.0.1+ds-4: amd64: Failed (not a regression) ♻ (reference ♻), arm64: Failed (not a regression) ♻ (reference ♻), i386: Failed (not a regression) ♻ (reference ♻), ppc64el: Test triggered, riscv64: Failed (not a regression) ♻ (reference ♻), s390x: Test triggered
- ∙ ∙ Autopkgtest for poetry/2.3.2+dfsg-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for poetry-core/2.3.1-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for pusimp/0.1.1-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for pyproject-api/1.10.0-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for pypy3/7.3.20+dfsg-4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-cffi/2.0.0-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-filelock/3.24.3-1: i386: No tests, superficial or marked flaky ♻ (reference ♻)
- ∙ ∙ Autopkgtest for python-filelock/3.25.0-1: amd64: No tests, superficial or marked flaky ♻ (reference ♻), arm64: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Test triggered, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-formencode/2.1.1-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-nox/2025.11.12-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pbr/7.0.3-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pecan/1.5.1-6: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pipdeptree/2.30.0-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pytest-venv/0.3-5: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-virtualenv/21.2.0+ds-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python3.13/3.13.12-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for python3.14/3.14.3-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for rally/5.0.0-7: amd64: No tests, superficial or marked flaky ♻ (reference ♻), arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻, ppc64el: Test triggered, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for scikit-build/0.18.1-4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for scikit-build-core/0.11.6-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for tox/4.33.0-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for virtualenvwrapper/4.8.4-4: amd64: No tests, superficial or marked flaky ♻ (reference ♻), arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻, ppc64el: Test triggered, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for virtualenvwrapper-el/0.2.0-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for xonsh/0.22.6+dfsg-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Too young, only 1 of 5 days old
- ∙ ∙ Build-Depends-Indep: python-virtualenv python-discovery
- ∙ ∙ Depends: python-virtualenv python-discovery
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-virtualenv.html
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproduced on arm64
- ∙ ∙ Reproduced on armhf
- ∙ ∙ Reproduced on i386
- ∙ ∙ Reproduced on ppc64el
- Not considered

news

[2026-03-10] Accepted python-virtualenv 21.2.0+ds-1 (source) into unstable (Stefano Rivera)
[2026-02-26] python-virtualenv 20.38.0+ds-1 MIGRATED to testing (Debian testing watch)
[2026-02-23] Accepted python-virtualenv 20.38.0+ds-1 (source) into unstable (Stefano Rivera)
[2026-01-14] python-virtualenv 20.36.1+ds-1 MIGRATED to testing (Debian testing watch)
[2026-01-11] Accepted python-virtualenv 20.36.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-11-13] python-virtualenv 20.35.4+ds-1 MIGRATED to testing (Debian testing watch)
[2025-11-10] Accepted python-virtualenv 20.35.4+ds-1 (source) into unstable (Stefano Rivera)
[2025-10-15] python-virtualenv 20.35.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-10-13] Accepted python-virtualenv 20.35.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-20] python-virtualenv 20.34.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-16] Accepted python-virtualenv 20.34.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-16] python-virtualenv 20.33.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted python-virtualenv 20.33.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-05-24] python-virtualenv 20.31.2+ds-1 MIGRATED to testing (Debian testing watch)
[2025-05-10] python-virtualenv 20.30.0+ds-3 MIGRATED to testing (Debian testing watch)
[2025-05-09] Accepted python-virtualenv 20.31.2+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-28] Accepted python-virtualenv 20.30.0+ds-3 (source) into unstable (Stefano Rivera)
[2025-04-27] Accepted python-virtualenv 20.30.0+ds-2 (source) into unstable (Stefano Rivera)
[2025-04-10] python-virtualenv 20.30.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-04-05] Accepted python-virtualenv 20.30.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-03] python-virtualenv 20.29.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-03-30] Accepted python-virtualenv 20.29.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-01-26] python-virtualenv 20.29.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-01-20] Accepted python-virtualenv 20.29.1+ds-1 (source) into unstable (Stefano Rivera)
[2024-12-02] python-virtualenv 20.28.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-29] Accepted python-virtualenv 20.28.0+ds-1 (source) into unstable (Stefano Rivera)
[2024-10-23] python-virtualenv 20.27.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-20] Accepted python-virtualenv 20.27.0+ds-1 (source) into unstable (Stefano Rivera)
[2024-10-18] python-virtualenv 20.26.6+ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-15] Accepted python-virtualenv 20.26.6+ds-1 (source) into unstable (Stefano Rivera)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 20.36.1+ds-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing