Register | Log in

python-virtualenv

Choose email to subscribe with

general

source: python-virtualenv (main)
version: 20.36.1+ds-1
maintainer: Debian Python Team (DMD)
uploaders: Carl Chenet [DMD] – Stefano Rivera [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 20.4.0+ds-2+deb11u1
oldstable: 20.17.1+ds-1
stable: 20.31.2+ds-1
testing: 20.35.4+ds-1
unstable: 20.36.1+ds-1

versioned links

20.4.0+ds-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.17.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.31.2+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.36.1+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-virtualenv (1 bugs: 0, 1, 0, 0)
virtualenv

action needed

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-22702: virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

Created: 2026-01-10 Last update: 2026-01-12 17:00

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2026-22702: virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

1 issue postponed or untriaged:

CVE-2024-53899: (postponed; to be fixed through a stable update) virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.

Created: 2026-01-10 Last update: 2026-01-12 17:00

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-01-11 Last update: 2026-01-11 22:31

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-01-10 Last update: 2026-01-12 17:00

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-53899: (needs triaging) virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
CVE-2026-22702: (needs triaging) virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-11-24 Last update: 2026-01-12 17:00

testing migrations

excuses:
- Migration status for python-virtualenv (20.35.4+ds-1 to 20.36.1+ds-1): Will attempt migration (Any information below is purely informational)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-virtualenv.html
- ∙ ∙ Autopkgtest for automake/1:1.18.1-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for dolfin/2019.2.0~legacy20240219.1c52e83-26: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for fenics-dolfinx/1:0.10.0.post5-4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for mypy/1.19.1-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for python-virtualenv/20.36.1+ds-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for python3.13/3.13.11-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for python3.14/3.14.2-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on arm64 - info ♻
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 2 days old (needed 2 days)

news

[2026-01-11] Accepted python-virtualenv 20.36.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-11-13] python-virtualenv 20.35.4+ds-1 MIGRATED to testing (Debian testing watch)
[2025-11-10] Accepted python-virtualenv 20.35.4+ds-1 (source) into unstable (Stefano Rivera)
[2025-10-15] python-virtualenv 20.35.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-10-13] Accepted python-virtualenv 20.35.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-20] python-virtualenv 20.34.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-16] Accepted python-virtualenv 20.34.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-08-16] python-virtualenv 20.33.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted python-virtualenv 20.33.1+ds-1 (source) into unstable (Stefano Rivera)
[2025-05-24] python-virtualenv 20.31.2+ds-1 MIGRATED to testing (Debian testing watch)
[2025-05-10] python-virtualenv 20.30.0+ds-3 MIGRATED to testing (Debian testing watch)
[2025-05-09] Accepted python-virtualenv 20.31.2+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-28] Accepted python-virtualenv 20.30.0+ds-3 (source) into unstable (Stefano Rivera)
[2025-04-27] Accepted python-virtualenv 20.30.0+ds-2 (source) into unstable (Stefano Rivera)
[2025-04-10] python-virtualenv 20.30.0+ds-1 MIGRATED to testing (Debian testing watch)
[2025-04-05] Accepted python-virtualenv 20.30.0+ds-1 (source) into unstable (Stefano Rivera)
[2025-04-03] python-virtualenv 20.29.3+ds-1 MIGRATED to testing (Debian testing watch)
[2025-03-30] Accepted python-virtualenv 20.29.3+ds-1 (source) into unstable (Stefano Rivera)
[2025-01-26] python-virtualenv 20.29.1+ds-1 MIGRATED to testing (Debian testing watch)
[2025-01-20] Accepted python-virtualenv 20.29.1+ds-1 (source) into unstable (Stefano Rivera)
[2024-12-02] python-virtualenv 20.28.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-29] Accepted python-virtualenv 20.28.0+ds-1 (source) into unstable (Stefano Rivera)
[2024-10-23] python-virtualenv 20.27.0+ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-20] Accepted python-virtualenv 20.27.0+ds-1 (source) into unstable (Stefano Rivera)
[2024-10-18] python-virtualenv 20.26.6+ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-15] Accepted python-virtualenv 20.26.6+ds-1 (source) into unstable (Stefano Rivera)
[2024-05-28] python-virtualenv 20.26.2+ds-1 MIGRATED to testing (Debian testing watch)
[2024-05-25] Accepted python-virtualenv 20.26.2+ds-1 (source) into unstable (Stefano Rivera)
[2024-05-02] python-virtualenv 20.26.1+ds-1 MIGRATED to testing (Debian testing watch)
[2024-04-29] Accepted python-virtualenv 20.26.1+ds-1 (source) into unstable (Stefano Rivera)

1
2

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 20.35.4+ds-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing