
Debian alert DLA-4532-1 (python3.9)

From:  Arnaud Rebillout <arnaudr@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4532-1] python3.9 regression and security update
Date:  Wed, 15 Apr 2026 23:26:37 +0700
Message-ID:  <4abbe2f5199ede172a85d896b195ac21@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4532-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Arnaud Rebillout
April 15, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python3.9
Version        : 3.9.2-1+deb11u6
CVE ID         : CVE-2025-15366 CVE-2025-15367 CVE-2026-6100
Debian Bug     :

It was found that the patches for CVE-2025-15366 and CVE-2025-15367 break
backward compatibility, and upstream decided not to backport those patches
to older Python releases. Therefore those two patches, applied in the
previous version (python3.9 3.9.2-1+deb11u5), have been reverted.

Additionally, the following CVE has been fixed:

CVE-2026-6100

    A use-after-free (UAF) was possible in the `lzma.LZMADecompressor` and
    `bz2.BZ2Decompressor` when a memory allocation fails with a `MemoryError`
    and the decompression instance is re-used. This scenario can be triggered
    if the process is under memory pressure.

    The vulnerability is only present if the program re-uses decompressor
    instances across multiple decompression calls even after a `MemoryError`
    is raised during decompression. The one-shot helper functions such as
    `lzma.decompress()` and `bz2.decompress()` are not affected, as a new
    decompressor instance is used per call. If the decompressor instance is
    not re-used after an error condition, this usage is similarly not
    vulnerable.

For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u6.

We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
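The safe usage discipline the advisory describes, as an added example written for this page (it is not code from the advisory, Debian or CPython): a streaming wrapper that never feeds a decompressor instance again once any exception, `MemoryError` included, has escaped from it, plus a caller that restarts with a fresh instance. The `factory` hook, the `SAMPLE` input and the simulated allocation failure are constructed for the demonstration.

```python
import lzma
SAMPLE = b"advisory payload " * 200  # constructed input for the demonstration
COMPRESSED = lzma.compress(SAMPLE)

class StreamDecompressor:
    """Incremental decompressor that discards its instance after any error."""
    def __init__(self, factory=lzma.LZMADecompressor):
        # `factory` is this example's hook (not a stdlib API); bz2 works too
        self._factory = factory
        self._dec = None
        self.restarts = 0  # instances thrown away after an error
    def feed(self, chunk):
        if self._dec is None:
            self._dec = self._factory()  # fresh instance; the old one is gone
        try:
            return self._dec.decompress(chunk)
        except BaseException:
            # MemoryError (the advisory's case), LZMAError, ...: internal state
            # is now suspect, so drop the only reference; it is never fed again.
            self._dec = None
            self.restarts += 1
            raise

    eof = property(lambda self: self._dec is not None and self._dec.eof)

def decompress_with_restart(comp, factory=lzma.LZMADecompressor, chunk=64):
    """Feed comp in chunks; after a MemoryError start over with a fresh instance."""
    sd = StreamDecompressor(factory)
    while True:
        try:
            out = [sd.feed(comp[i:i + chunk]) for i in range(0, len(comp), chunk)]
        except MemoryError:
            if sd.restarts > 3:
                raise  # give up rather than spin under sustained memory pressure
            continue  # the next feed() builds a new decompressor
        if not sd.eof:
            raise ValueError("truncated compressed stream")
        return b"".join(out), sd.restarts  # restarts == failed instances discarded

def make_flaky_factory():
    """Constructed factory: first instance raises MemoryError; later ones are real."""
    class FailOnce:
        def decompress(self, data):
            raise MemoryError("simulated allocation failure")
    made = []
    def factory():
        made.append(1)
        return FailOnce() if len(made) == 1 else lzma.LZMADecompressor()
    return factory
```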

Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds