pkg:Debian/python3.11

All known vulnerabilities

• CRITICAL9.8CVE-2026-7210The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
  from 0
• CRITICAL9.8CVE-2025-13462tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
  from 0
• HIGH7.8Virtual environment (venv) activation scripts don't quote paths
  from 0, < 3.11.2-6+deb12u5
• HIGH7.8python3.7 - security update
  from 0, < 3.11.2-6+deb12u2
• HIGH7.8Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration.
  from 0, < 3.11.0-2
• HIGH7.5Stack overflow parsing XML with deeply nested DTD content models
  from 0
• HIGH7.5Incomplete control character validation in http.cookies
  from 0
• HIGH7.5Python-Markdown has an Uncaught Exception
  from 0
• HIGH7.5Excessive read buffering DoS in http.client
  from 0, < 3.11.2-6+deb12u7
• HIGH7.5Tarfile infinite loop during parsing with negative member offset
  from 0, < 3.11.2-6+deb12u7
• HIGH7.5Regular-expression DoS when parsing TarFile headers
  from 0, < 3.11.2-6+deb12u4
• HIGH7.5Quadratic complexity parsing cookies with backslashes
  from 0, < 3.11.2-6+deb12u5
• HIGH7.5Incorrect IPv4 and IPv6 private ranges
  from 0, < 3.11.2-6+deb12u3
• HIGH7.5An issue was discovered in Python 3.11 through 3.11.4.
  from 0, < 3.11.2-6+deb12u2
• HIGH7.5pypy3 - security update
  from 0, < 3.11.2-6+deb12u2
• HIGH7.5An issue was discovered in Python before 3.11.1.
  from 0, < 3.11.1-1
• HIGH7.5pypy3 - security update
  from 0, < 3.11.0~rc2-1
• HIGH7.4python3.11 - security update
  from 0, < 3.11.2-6+deb12u3
• HIGH7.4python3.11 - security update
  from 0, < 3.11.2-6+deb12u3
• HIGH7.4Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginn…
  from 0, < 3.11.0~b4-1
• MEDIUM6.2python2.7 - security update
  from 0, < 3.11.2-6+deb12u2
• MEDIUM6.1BaseCookie.js_output() does not neutralize embedded characters
  from 0
• MEDIUM5.5Out-of-memory when loading Plist
  from 0, < 3.11.2-6+deb12u7
• MEDIUM5.5Quadratic complexity in os.path.expandvars() with user-controlled template
  from 0, < 3.11.2-6+deb12u7
• MEDIUM5.5Email header injection due to unquoted newlines
  from 0, < 3.11.2-6+deb12u5
• MEDIUM5.3base64.b64decode() always accepts "+/" characters, despite setting altchars
  from 0
• MEDIUM5.3Quadratic complexity in node ID cache clearing
  from 0, < 3.11.2-6+deb12u7
• MEDIUM5.3An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5.
  from 0, < 3.11.2-6+deb12u2
• MEDIUM5.3The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character.
  from 0, < 3.11.2-6+deb12u5
• MEDIUM4.3ZIP64 End of Central Directory (EOCD) Locator record offset not checked
  from 0, < 3.11.2-6+deb12u7
• MEDIUM4.3HTMLParser quadratic complexity when processing malformed inputs
  from 0, < 3.11.2-6+deb12u7
• LOW3.3webbrowser.open() allows leading dashes in URLs
  from 0
• —bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
  from 0
• —tarfile.data_filter path traversal bypass allows writing outside the extraction directory
  from 0
• —Potential DoS via quadratic complexity in unicodedata.normalize()
  from 0
• —FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
  from 0
• —Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
  from 0
• —Base64 decoding stops at first padded quad by default
  from 0
• —HTTP client proxy tunnel headers not validated for CR/LF
  from 0
• —pkgutil.get_data() does not enforce documented restrictions
  from 0
• —SourcelessFileLoader does not use io.open_code()
  from 0
• —email BytesGenerator header injection due to unquoted newlines
  from 0, < 3.11.2-6+deb12u7
• —wsgiref.headers.Headers allows header newline injection
  from 0, < 3.11.2-6+deb12u7
• —Header injection in http.cookies.Morsel
  from 0, < 3.11.2-6+deb12u7
• —POP3 command injection in user-controlled commands
  from 0
• —IMAP command injection in user-controlled commands
  from 0
• —Header injection via newlines in data URL mediatype
  from 0, < 3.11.2-6+deb12u7
• —python3.9 - security update
  from 0, < 3.11.2-6+deb12u7
• —Use-after-free in "unicode_escape" decoder with error handler
  from 0, < 3.11.2-6+deb12u7
• —Mishandling of comma during folding and unicode-encoding of email headers
  from 0, < 3.11.2-6+deb12u6
• —URL parser allowed square brackets in domain names
  from 0, < 3.11.2-6+deb12u6
• —pypy3 - security update
  from 0, < 3.11.2-6+deb12u5
• —Infinite loop when iterating over zip archive entry names from zipfile.Path
  from 0, < 3.11.2-6+deb12u3