Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1349-1 python2.7 security update
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1348-1 python2.7 security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1350-1 pypy security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1347-1 python2.7 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5878-1] php8.2 security update
ELA-1349-1 python2.7 security update
Package : python2.7
Version : 2.7.9-2-ds1-1+deb8u13 (jessie)
Related CVEs :
CVE-2023-27043
CVE-2024-5642
CVE-2024-6232
CVE-2024-6923
CVE-2024-7592
CVE-2024-11168
CVE-2025-0938
Multiple security issues were discovered in Python, an interactive
high-level object-oriented language. These may lead to e-mail header
injection, a memory leak, improper validation and denial of service
(DoS).
CVE-2023-27043
The email module of Python incorrectly parses e-mail addresses
that contain a special character. The wrong portion of an RFC2822
header is identified as the value of the addr-spec. In some
applications, an attacker can bypass a protection mechanism in
which application access is granted only after verifying receipt
of e-mail to a specific domain (e.g., only @company.example.com
addresses may be used for signup).
CVE-2024-5642
CPython doesn’t disallow configuring an empty list ("[]") for
SSLContext.set_npn_protocols(), which is an invalid value for the
underlying OpenSSL API. This results in a buffer over-read when
NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is
of low severity because NPN is not widely used and specifying an
empty list is likely uncommon in practice (typically a protocol
name would be configured).
CVE-2024-6232
Regular expressions that allowed excessive backtracking during
tarfile.TarFile header parsing are vulnerable to ReDoS via
specifically-crafted tar archives.
CVE-2024-6923
The email module didn’t properly quote newlines in email headers
when serializing an email message, allowing header injection at
serialization time.
CVE-2024-7592
When parsing cookies that contained backslashes for quoted
characters in the cookie value, the parser would use an algorithm
with quadratic complexity, resulting in excess CPU resources being
used while parsing the value.
CVE-2024-11168
The urllib.parse.urlsplit() and urlparse() functions improperly
validated bracketed hosts ([]), allowing hosts that weren’t IPv6
or IPvFuture. This behavior was not conformant to RFC 3986 and
potentially enabled SSRF if a URL is processed by more than one
URL parser.
CVE-2025-0938
urllib.parse.urlsplit and urlparse accepted domain names that
included square brackets which isn’t valid according to RFC
3986. Square brackets are only meant to be used as delimiters for
specifying IPv6 and IPvFuture hosts in URLs. This could result in
differential parsing across the Python URL parser and other
specification-compliant URL parsers.
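The two urllib issues above both come down to what a bracketed host may contain. As an added example (not the CPython fix and not any Debian patch), this pre-check validates the host of a URL against the RFC 3986 grammar before the URL is handed to any parser, so a host that two parsers would read differently is rejected up front; the function name check_url_host and the sample URLs are constructed for the illustration.

```python
import ipaddress
import re

# scheme "://" authority; the authority ends at the first "/", "?" or "#"
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
# RFC 3986 IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")
# RFC 3986 reg-name / IPv4address characters: no ":" and no brackets
_REG_NAME = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")

def check_url_host(url):
    """Return (host, None) when the host is RFC 3986-valid, else (host, reason).

    Constructed pre-check: run it before any other URL parser sees the value,
    so a host that two parsers would read differently is rejected, not forwarded.
    """
    m = _AUTHORITY.match(url)
    if not m:
        return None, "no authority component"
    hostport = m.group(1).rpartition("@")[2]  # discard userinfo
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            return hostport, "unterminated IP-literal"
        host, rest = hostport[1:end], hostport[end + 1:]
        if rest and not re.fullmatch(r":[0-9]*", rest):
            return host, "junk after closing bracket"
        if _IPVFUTURE.match(host):
            return host, None
        try:  # zone id ("%eth0") stripped so older ipaddress versions accept it
            ipaddress.IPv6Address(host.split("%", 1)[0])
        except ValueError:
            return host, "bracketed host is neither IPv6 nor IPvFuture"
        return host, None
    if "[" in hostport or "]" in hostport:
        # the CVE-2025-0938 shape: brackets delimit an IP-literal, nothing else
        return hostport, "brackets outside an IP-literal"
    host, _, port = hostport.partition(":")
    if port and not port.isdigit():
        return host, "invalid port"
    if not _REG_NAME.match(host):
        return host, "illegal character in host"
    return host, None

if __name__ == "__main__":
    # constructed sample URLs, not taken from any real request
    for u in ("http://[::1]:8080/", "http://[v1.fe80::a+en1]/",
              "http://[evil.example]/", "http://a[::1]b.example/"):
        print(u, "->", check_url_host(u))
```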
ELA-1348-1 python2.7 security update
Package : python2.7
Version : 2.7.13-2+deb9u10 (stretch)
Related CVEs :
CVE-2023-27043
CVE-2024-0397
CVE-2024-5642
CVE-2024-6232
CVE-2024-6923
CVE-2024-7592
CVE-2024-11168
CVE-2025-0938
Multiple security issues were discovered in Python, an interactive
high-level object-oriented language. These may lead to e-mail header
injection, memory corruption, a memory leak, improper validation and
denial of service (DoS).
CVE-2023-27043
The email module of Python incorrectly parses e-mail addresses
that contain a special character. The wrong portion of an RFC2822
header is identified as the value of the addr-spec. In some
applications, an attacker can bypass a protection mechanism in
which application access is granted only after verifying receipt
of e-mail to a specific domain (e.g., only @company.example.com
addresses may be used for signup).
CVE-2024-0397
A memory race condition exists with the ssl.SSLContext methods
“cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The
race condition can be triggered if the methods are called at the
same time as certificates are loaded into the SSLContext, such as
during the TLS handshake with a certificate directory configured.
CVE-2024-5642
CPython doesn’t disallow configuring an empty list ("[]") for
SSLContext.set_npn_protocols(), which is an invalid value for the
underlying OpenSSL API. This results in a buffer over-read when
NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is
of low severity because NPN is not widely used and specifying an
empty list is likely uncommon in practice (typically a protocol
name would be configured).
CVE-2024-6232
Regular expressions that allowed excessive backtracking during
tarfile.TarFile header parsing are vulnerable to ReDoS via
specifically-crafted tar archives.
CVE-2024-6923
The email module didn’t properly quote newlines in email headers
when serializing an email message, allowing header injection at
serialization time.
CVE-2024-7592
When parsing cookies that contained backslashes for quoted
characters in the cookie value, the parser would use an algorithm
with quadratic complexity, resulting in excess CPU resources being
used while parsing the value.
CVE-2024-11168
The urllib.parse.urlsplit() and urlparse() functions improperly
validated bracketed hosts ([]), allowing hosts that weren’t IPv6
or IPvFuture. This behavior was not conformant to RFC 3986 and
potentially enabled SSRF if a URL is processed by more than one
URL parser.
CVE-2025-0938
urllib.parse.urlsplit and urlparse accepted domain names that
included square brackets which isn’t valid according to RFC
3986. Square brackets are only meant to be used as delimiters for
specifying IPv6 and IPvFuture hosts in URLs. This could result in
differential parsing across the Python URL parser and other
specification-compliant URL parsers.
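The cookie parser issue (CVE-2024-7592) is easiest to see with the two parsing shapes side by side. This is an added example written for this note, not the Debian patch or CPython's code: unquote_quadratic models the pre-fix algorithm that restarts two regex searches at every backslash, unquote_linear the single-pass replacement; the function names and the sample value are constructed here.

```python
import re
import time

# Inside a "quoted" cookie value, \ooo is an octal escape and \x stands for x.
_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")
_QUOTED = re.compile(r"[\\].")

def unquote_quadratic(value):
    """Pre-fix shape of the parser: both searches restart at every escape.
    With many \\x escapes and no octal escape, _OCTAL scans to the end of
    the value each time, so an n-byte value costs O(n^2)."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    value = value[1:-1]
    i, n, out = 0, len(value), []
    while 0 <= i < n:
        o = _OCTAL.search(value, i)
        q = _QUOTED.search(value, i)
        if not o and not q:
            out.append(value[i:])
            break
        j = o.start() if o else -1
        k = q.start() if q else -1
        if q and (not o or k < j):
            out.append(value[i:k] + value[k + 1])
            i = k + 2
        else:
            out.append(value[i:j] + chr(int(value[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(out)

# Hardened shape: one regex, octal form tried first, a single left-to-right pass.
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")

def unquote_linear(value):
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 8)) if m.group(1) else m.group(2),
        value[1:-1])

if __name__ == "__main__":
    # constructed value: many backslash-quoted characters, no octal escapes
    sample = '"' + "\\a" * 5000 + '"'
    for f in (unquote_quadratic, unquote_linear):
        t = time.perf_counter()
        f(sample)
        print(f.__name__, round(time.perf_counter() - t, 3), "s")
```

Both functions return the same string for every input; only the cost differs, which is what a timing run under __main__ makes visible.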
ELA-1350-1 pypy security update
Package : pypy
Version : 5.6.0+dfsg-4+deb9u2 (stretch), 7.0.0+dfsg-3+deb10u2 (buster)
Related CVEs :
CVE-2023-27043
CVE-2024-5642
CVE-2024-6232
CVE-2024-6923
CVE-2024-7592
CVE-2024-11168
CVE-2025-0938
Multiple vulnerabilities were discovered in PyPy, a fast, compliant
alternative implementation of the Python language.
All fixed vulnerabilities come from embedded code copies.
For vulnerabilities from the python2.7 standard library, please refer
to ELA-1349-1.
ELA-1347-1 python2.7 security update
Package : python2.7
Version : 2.7.16-2+deb10u5 (buster)
Related CVEs :
CVE-2023-27043
CVE-2024-0397
CVE-2024-6232
CVE-2024-6923
CVE-2024-7592
CVE-2024-11168
CVE-2025-0938
Multiple security issues were discovered in Python, an interactive
high-level object-oriented language. These may lead to e-mail header
injection, memory corruption, improper validation and denial of
service (DoS).
CVE-2023-27043
The email module of Python incorrectly parses e-mail addresses
that contain a special character. The wrong portion of an RFC2822
header is identified as the value of the addr-spec. In some
applications, an attacker can bypass a protection mechanism in
which application access is granted only after verifying receipt
of e-mail to a specific domain (e.g., only @company.example.com
addresses may be used for signup).
CVE-2024-0397
A memory race condition exists with the ssl.SSLContext methods
“cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The
race condition can be triggered if the methods are called at the
same time as certificates are loaded into the SSLContext, such as
during the TLS handshake with a certificate directory configured.
CVE-2024-6232
Regular expressions that allowed excessive backtracking during
tarfile.TarFile header parsing are vulnerable to ReDoS via
specifically-crafted tar archives.
CVE-2024-6923
The email module didn’t properly quote newlines in email headers
when serializing an email message, allowing header injection at
serialization time.
CVE-2024-7592
When parsing cookies that contained backslashes for quoted
characters in the cookie value, the parser would use an algorithm
with quadratic complexity, resulting in excess CPU resources being
used while parsing the value.
CVE-2024-11168
The urllib.parse.urlsplit() and urlparse() functions improperly
validated bracketed hosts ([]), allowing hosts that weren’t IPv6
or IPvFuture. This behavior was not conformant to RFC 3986 and
potentially enabled SSRF if a URL is processed by more than one
URL parser.
CVE-2025-0938
urllib.parse.urlsplit and urlparse accepted domain names that
included square brackets which isn’t valid according to RFC
3986. Square brackets are only meant to be used as delimiters for
specifying IPv6 and IPvFuture hosts in URLs. This could result in
differential parsing across the Python URL parser and other
specification-compliant URL parsers.
[SECURITY] [DSA 5878-1] php8.2 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 14, 2025                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php8.2
CVE ID : CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736
CVE-2025-1861
Multiple security issues were found in PHP, a widely-used open source
general-purpose scripting language, which could result in denial of
service or HTTP request smuggling.
For the stable distribution (bookworm), these problems have been fixed in
version 8.2.28-1~deb12u1.
We recommend that you upgrade your php8.2 packages.
For the detailed security status of php8.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/