[SECURITY] [DSA 6104-1] python-keystonemiddleware security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6104-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-keystonemiddleware
CVE ID : CVE-2026-22797
Grzegorz Grasza discovered a vulnerability in the OpenStack middleware that
provides authentication and authorization features to web services other
than Keystone: if an external OAuth provider is configured,
authentication headers are insufficiently sanitised, which could result
in privilege escalation or user impersonation.
The oldstable distribution (bookworm) is not affected.
For the stable distribution (trixie), this problem has been fixed in
version 10.9.0-2+deb13u1.
We recommend that you upgrade your python-keystonemiddleware packages.
For the detailed security status of python-keystonemiddleware please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-keystonemiddleware
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4445-1] python3.9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4445-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
January 20, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u4
CVE ID : CVE-2022-37454 CVE-2025-4516 CVE-2025-6069 CVE-2025-6075
CVE-2025-8194 CVE-2025-8291 CVE-2025-12084 CVE-2025-13836
CVE-2025-13837
Multiple security fixes in CPython 3.9.
CVE-2022-37454
The Keccak XKCP SHA-3 implementation had an integer overflow
and a buffer overflow in the sponge function interface. This
allowed attackers to execute arbitrary code or eliminate expected
cryptographic properties.
CVE-2025-4516
An issue in bytes.decode("unicode_escape", errors="ignore|replace")
could result in a crash.
CVE-2025-6069
The html.parser.HTMLParser class had worst-case quadratic complexity
when processing certain crafted malformed inputs, potentially leading
to amplified denial of service.
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled,
a performance degradation was possible when expanding environment
variables.
CVE-2025-8194
The tar implementation would process tar archives with negative
offsets without error, resulting in an infinite loop and deadlock
during the parsing of maliciously crafted tar archives.
CVE-2025-8291
The 'zipfile' module would not check the validity of the ZIP64 End
of Central Directory (EOCD) Locator record: the offset value it carries
was not used to locate the ZIP64 EOCD record; instead the ZIP64 EOCD
record was assumed to be the previous record in the ZIP archive. This
could be abused to create ZIP archives that are handled differently
by the 'zipfile' module compared to other ZIP implementations.
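A consistency check for the locator behaviour described above, added here as an example (it is not CPython's code nor part of the advisory): it reads the offset the ZIP64 EOCD Locator declares, compares it with the position a lenient reader would assume (the fixed-size record immediately before the locator), and flags archives where the two disagree. The archive tails it parses are constructed inline; build_zip64_tail and its parameters are this example's own.

```python
import struct

EOCD_SIG = b"PK\x05\x06"            # End of Central Directory record
ZIP64_LOCATOR_SIG = b"PK\x06\x07"   # ZIP64 EOCD Locator
ZIP64_EOCD_SIG = b"PK\x06\x06"      # ZIP64 EOCD record
ZIP64_EOCD_LEN = 56                 # fixed part of the ZIP64 EOCD record
LOCATOR_LEN = 20
EOCD_LEN = 22


def check_zip64_locator(data: bytes) -> dict:
    """Compare the ZIP64 EOCD offset declared by the locator with the
    position a lenient reader assumes (the 56 bytes just before the
    locator). Archives where the two disagree are the ambiguous ones."""
    eocd_pos = data.rfind(EOCD_SIG)          # assumes no trailing comment
    if eocd_pos < 0:
        raise ValueError("no End of Central Directory record found")
    loc_pos = eocd_pos - LOCATOR_LEN
    if loc_pos < 0 or data[loc_pos:loc_pos + 4] != ZIP64_LOCATOR_SIG:
        return {"zip64": False, "declared": None, "assumed": None, "consistent": True}
    # locator layout: signature(4) disk(4) zip64-EOCD offset(8) total disks(4)
    _disk, declared, _disks = struct.unpack("<IQI", data[loc_pos + 4:eocd_pos])
    assumed = loc_pos - ZIP64_EOCD_LEN
    sig_ok = data[declared:declared + 4] == ZIP64_EOCD_SIG
    return {"zip64": True, "declared": declared, "assumed": assumed,
            "consistent": sig_ok and declared == assumed}


def build_zip64_tail(cd_offset: int, cd_size: int, entries: int,
                     locator_offset: int = None) -> bytes:
    """Constructed sample archive: zero filler standing in for the local
    headers and central directory, then ZIP64 EOCD, locator and EOCD.
    locator_offset overrides the offset the locator declares."""
    filler = bytes(cd_offset + cd_size)
    z64_pos = len(filler)
    # ZIP64 EOCD: sig, record size (excludes sig+size field), versions, disks,
    # entries on this disk, total entries, central directory size and offset
    z64 = ZIP64_EOCD_SIG + struct.pack("<QHHIIQQQQ", ZIP64_EOCD_LEN - 12, 45, 45,
                                       0, 0, entries, entries, cd_size, cd_offset)
    declared = z64_pos if locator_offset is None else locator_offset
    locator = ZIP64_LOCATOR_SIG + struct.pack("<IQI", 0, declared, 1)
    # EOCD with the 0xFFFF/0xFFFFFFFF markers that defer to the ZIP64 record
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0xFFFF, 0xFFFF,
                                  0xFFFFFFFF, 0xFFFFFFFF, 0)
    return filler + z64 + locator + eocd
```

A file scanner or upload gate can reject or quarantine archives where "consistent" is False, since different ZIP readers may then pick different central directories.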
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that depend on _clear_id_cache(), the algorithm
was quadratic. Availability could be impacted when building
excessively nested documents.
CVE-2025-13836
When reading an HTTP response from a server, if no read amount was
specified, the default behavior was to use Content-Length. This
allowed a malicious server to cause the client to read large amounts
of data into memory, potentially causing OOM or other DoS.
CVE-2025-13837
When loading a plist file, the plistlib module would read data of a
size specified by the file itself, meaning a malicious file could
cause OOM and DoS issues.
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u4.
We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS