Advisory: CLSA-2025:1759251979
OS: Ubuntu 20.04
Public date: 2025-09-30 17:06:21.24245
Project: python
Version: 3.6.15-14
Errata link: https://errata.tuxcare.com/els_alt_python/ubuntu20.04/CLSA-2025-1759251979.html
* SECURITY UPDATE: DOS, buffer overflow in SHA3, Possible Bypass Blocklisting Redirection vulnerability in http.server, regex DOS, Quadratic complexity, pathname quoting for venv - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py (LP: #1995197). - debian/patches/CVE-2022-45061.patch: fix quadratic time idna decoding in Lib/encodings/idna.py, Lib/test/test_codecs.py. - debian/patches/CVE-2023-24329.patch: enforce that a scheme must begin with an alphabetical ASCII character in Lib/urllib/parse.py, Lib/test/test_urlparse.py. start stripping C0 control and space chars in `urlsplit` - debian/patches/CVE-2021-28861.patch: Fix an open redirection vulnerability in the `http.server` module when an URI path starts with `//` - debian/patches/CVE-2024-6232.patch: Fix header parsing vulnerability that could lead to ReDoS - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in parsing "-quoted cookie values with backslashes - debian/patches/CVE-2024-9287.patch: Quote template strings in `venv` activation - CVE-2022-37454 - CVE-2022-45061 - CVE-2023-24329 - CVE-2021-28861 - CVE-2024-6232 - CVE-2024-7592 - CVE-2024-9287
Update command: apt-get update apt-get --only-upgrade install alt-python*
alt-python36_3.6.15-14_amd64.deb alt-python36-debug_3.6.15-14_amd64.deb alt-python36-devel_3.6.15-14_amd64.deb alt-python36-libs_3.6.15-14_amd64.deb alt-python36-test_3.6.15-14_amd64.deb alt-python36-tkinter_3.6.15-14_amd64.deb alt-python36-tools_3.6.15-14_amd64.deb