Register | Log in

python-virtualenv

Choose email to subscribe with

general

source: python-virtualenv (main)
version: 20.38.0+ds-1
maintainer: Debian Python Team (DMD)
uploaders: Stefano Rivera [DMD] – Carl Chenet [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 20.4.0+ds-2+deb11u1
oldstable: 20.17.1+ds-1
stable: 20.31.2+ds-1
testing: 20.36.1+ds-1
unstable: 20.38.0+ds-1

versioned links

20.4.0+ds-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.17.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.31.2+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.36.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.38.0+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-virtualenv (1 bugs: 0, 1, 0, 0)
virtualenv

action needed

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-10 Last update: 2026-02-23 10:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-53899: (needs triaging) virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-11-24 Last update: 2026-02-23 10:30

testing migrations

excuses:
- Migration status for python-virtualenv (20.36.1+ds-1 to 20.38.0+ds-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 1 of 2 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-virtualenv.html
- ∙ ∙ Autopkgtest for automake/1:1.18.1-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for dolfin/2019.2.0~legacy20240219.1c52e83-27: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Failed (not a regression) ♻ (reference ♻), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for fenics-dolfinx/1:0.10.0.post5-5: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for mypy/1.19.1-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for python-virtualenv/20.38.0+ds-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for python3.13/3.13.12-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for python3.14/3.14.3-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Reproducible on amd64
- ∙ ∙ Reproducible on arm64
- ∙ ∙ Reproducible on armhf
- ∙ ∙ Reproducible on i386
- ∙ ∙ Reproducible on ppc64el
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- Not considered

news

[2026-02-23] Accepted python-virtualenv 20.38.0+ds-1 (source) into unstable (Stefano Rivera)
[2026-01-14] python-virtualenv 20.36.1+ds-1 MIGRATED to testing (Debian testing watch)
[2026-01-11] Accepted python-virtualenv 20.36.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-11-13] python-virtualenv 20.35.4+ds-1 MIGRATED to testing (Debian testing watch)
[2025-11-10] Accepted python-virtualenv 20.35.4+ds-1 (source) into unstable (Stefano Rivera)
[2025-10-15] python-virtualenv 20.35.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-10-13] Accepted python-virtualenv 20.35.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-20] python-virtualenv 20.34.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-16] Accepted python-virtualenv 20.34.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-16] python-virtualenv 20.33.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted python-virtualenv 20.33.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-05-24] python-virtualenv 20.31.2+ds-1 MIGRATED to testing (Debian testing watch)
[2025-05-10] python-virtualenv 20.30.0+ds-3 MIGRATED to testing (Debian testing watch)
[2025-05-09] Accepted python-virtualenv 20.31.2+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-28] Accepted python-virtualenv 20.30.0+ds-3 (source) into unstable (Stefano Rivera)
[2025-04-27] Accepted python-virtualenv 20.30.0+ds-2 (source) into unstable (Stefano Rivera)
[2025-04-10] python-virtualenv 20.30.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-04-05] Accepted python-virtualenv 20.30.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-03] python-virtualenv 20.29.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-03-30] Accepted python-virtualenv 20.29.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-01-26] python-virtualenv 20.29.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-01-20] Accepted python-virtualenv 20.29.1+ds-1 (source) into unstable (Stefano Rivera)
[2024-12-02] python-virtualenv 20.28.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-29] Accepted python-virtualenv 20.28.0+ds-1 (source) into unstable (Stefano Rivera)
[2024-10-23] python-virtualenv 20.27.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-20] Accepted python-virtualenv 20.27.0+ds-1 (source) into unstable (Stefano Rivera)
[2024-10-18] python-virtualenv 20.26.6+ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-15] Accepted python-virtualenv 20.26.6+ds-1 (source) into unstable (Stefano Rivera)
[2024-05-28] python-virtualenv 20.26.2+ds-1 MIGRATED to testing (Debian testing watch)
[2024-05-25] Accepted python-virtualenv 20.26.2+ds-1 (source) into unstable (Stefano Rivera)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 20.36.1+ds-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing