Register | Log in

python-virtualenv

Choose email to subscribe with

general

source: python-virtualenv (main)
version: 21.3.1+ds-1
maintainer: Debian Python Team (DMD)
uploaders: Carl Chenet [DMD] – Stefano Rivera [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 20.4.0+ds-2+deb11u1
oldstable: 20.17.1+ds-1
stable: 20.31.2+ds-1
testing: 21.2.4+ds-1
unstable: 21.3.1+ds-1

versioned links

20.4.0+ds-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.17.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.31.2+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
21.2.4+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
21.3.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-virtualenv (1 bugs: 0, 1, 0, 0)
virtualenv

action needed

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-10 Last update: 2026-05-09 23:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-53899: (needs triaging) virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-11-24 Last update: 2026-05-09 23:30

testing migrations

excuses:
- Migration status for python-virtualenv (21.2.4+ds-1 to 21.3.1+ds-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for automake: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for dolfin: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for emacs-python-environment: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for fenics-dolfinx: amd64: Test triggered (will not be considered a regression) ♻ (reference ♻), arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for mypy: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for napari-plugin-manager: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pdm: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pipenv: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for poetry: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for poetry-core: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pusimp: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pyproject-api: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pypy3: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-cffi: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-filelock: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-formencode: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-nox: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pbr: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pecan: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pipdeptree: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pytest-venv: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-virtualenv: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python3.13: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for python3.14: amd64: Test triggered, arm64: Test triggered, i386: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
- ∙ ∙ Autopkgtest for rally: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for scikit-build: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for scikit-build-core: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for tox: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for virtualenvwrapper: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for virtualenvwrapper-el: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for xonsh: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Too young, only 0 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-virtualenv.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[2026-05-09] Accepted python-virtualenv 21.3.1+ds-1 (source) into unstable (Stefano Rivera)
[2026-04-30] python-virtualenv 21.2.4+ds-1 MIGRATED to testing (Debian testing watch)
[2026-04-25] Accepted python-virtualenv 21.2.4+ds-1 (source) into unstable (Stefano Rivera)
[2026-03-15] python-virtualenv 21.2.0+ds-1 MIGRATED to testing (Debian testing watch)
[2026-03-10] Accepted python-virtualenv 21.2.0+ds-1 (source) into unstable (Stefano Rivera)
[2026-02-26] python-virtualenv 20.38.0+ds-1 MIGRATED to testing (Debian testing watch)
[2026-02-23] Accepted python-virtualenv 20.38.0+ds-1 (source) into unstable (Stefano Rivera)
[2026-01-14] python-virtualenv 20.36.1+ds-1 MIGRATED to testing (Debian testing watch)
[2026-01-11] Accepted python-virtualenv 20.36.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-11-13] python-virtualenv 20.35.4+ds-1 MIGRATED to testing (Debian testing watch)
[2025-11-10] Accepted python-virtualenv 20.35.4+ds-1 (source) into unstable (Stefano Rivera)
[2025-10-15] python-virtualenv 20.35.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-10-13] Accepted python-virtualenv 20.35.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-20] python-virtualenv 20.34.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-16] Accepted python-virtualenv 20.34.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-16] python-virtualenv 20.33.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted python-virtualenv 20.33.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-05-24] python-virtualenv 20.31.2+ds-1 MIGRATED to testing (Debian testing watch)
[2025-05-10] python-virtualenv 20.30.0+ds-3 MIGRATED to testing (Debian testing watch)
[2025-05-09] Accepted python-virtualenv 20.31.2+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-28] Accepted python-virtualenv 20.30.0+ds-3 (source) into unstable (Stefano Rivera)
[2025-04-27] Accepted python-virtualenv 20.30.0+ds-2 (source) into unstable (Stefano Rivera)
[2025-04-10] python-virtualenv 20.30.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-04-05] Accepted python-virtualenv 20.30.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-03] python-virtualenv 20.29.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-03-30] Accepted python-virtualenv 20.29.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-01-26] python-virtualenv 20.29.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-01-20] Accepted python-virtualenv 20.29.1+ds-1 (source) into unstable (Stefano Rivera)
[2024-12-02] python-virtualenv 20.28.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-29] Accepted python-virtualenv 20.28.0+ds-1 (source) into unstable (Stefano Rivera)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 20.36.1+ds-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing