Package "libpython3.10-stdlib"
| Name: | libpython3.10-stdlib |
| Description: | Interactive high-level object-oriented language (standard library, version 3.10) |
| Latest version: | 3.10.12-1~22.04.14 |
| Release: | jammy (22.04) |
| Level: | security |
| Repository: | main |
| Head package: | python3.10 |
Changelog
|
python3.10 (3.10.12-1~22.04.14) jammy-security; urgency=medium
* SECURITY UPDATE: Header injection in email messages where addresses are not
sanitized.
- debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash
in Lib/email/_header_value_parser.py. Add test in
Lib/test/test_email/test__header_value_parser.py.
- CVE-2025-11468
* SECURITY UPDATE: Quadratic algorithm when building excessively nested XML
documents.
- debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace
with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument
to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.
- CVE-2025-12084
* SECURITY UPDATE: OOM and denial of service when opening malicious plist
file.
- debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read
with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.
- CVE-2025-13837
* SECURITY UPDATE: Header injection in user controlled data URLs in urllib.
- debian/patches/CVE-2025-15282.patch: Add control character checks in
Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.
* SECURITY UPDATE: Command injection through user controlled commands in
imaplib.
- debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in
Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.
* SECURITY UPDATE: Command injection through user controlled commands in
poplib.
- debian/patches/CVE-2025-15367.patch: Add control character regex check
in Lib/poplib.py. Add test in Lib/test/test_poplib.py.
- CVE-2025-15367
* SECURITY UPDATE: HTTP header injection in user controlled cookie values.
- debian/patches/CVE-2026-0672.patch: Add _control_characters_re and
checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.
- CVE-2026-0672
* SECURITY UPDATE: HTTP header injection in user controlled headers and
values with newlines.
- debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in
Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and
Lib/test/test_wsgiref.py.
- CVE-2026-0865
-- Hlib Korzhynskyy <email address hidden> Mon, 26 Jan 2026 11:25:28 -0330
|
| CVE-2025-11468 |
When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be us |
| CVE-2025-12084 |
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadra |
| CVE-2025-13837 |
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues |
| CVE-2025-15282 |
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. |
| CVE-2025-15366 |
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containi |
| CVE-2025-15367 |
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containin |
| CVE-2026-0672 |
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all contro |
| CVE-2026-0865 |
User-controlled header names and values containing newlines can allow injecting HTTP headers. |
|
|
python3.10 (3.10.12-1~22.04.13) jammy-security; urgency=medium
* SECURITY UPDATE: HTTP Content-Length denial of service
- debian/patches/CVE-2025-13836.patch: Read large data in chunks with
geometric reads in Lib/http/client.py and add tests in
Lib/test/test_httplib.py
- CVE-2025-13836
-- Vyom Yadav <email address hidden> Thu, 08 Jan 2026 12:22:19 +0530
|
| CVE-2025-13836 |
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malici |
|
|
python3.10 (3.10.12-1~22.04.12) jammy-security; urgency=medium
* SECURITY UPDATE: Possible payload obfuscation
- debian/patches/CVE-2025-8291.patch: check consistency of
the zip64 end of central dir record in Lib/zipfile.py,
Lib/test/test_zipfile.py.
- CVE-2025-8291
* SECURITY UPDATE: Performance degradation
- debian/patches/CVE-2025-6075.patch: fix quadratic complexity
in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,
Lib/test/test_genericpatch.py, Lib/test/test_npath.py.
- CVE-2025-6075
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 04 Nov 2025 05:48:33 -0300
|
| CVE-2025-8291 |
The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locat |
| CVE-2025-6075 |
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. |
|
|
python3.10 (3.10.12-1~22.04.11) jammy-security; urgency=medium
* SECURITY UPDATE: Regular expression denial of service.
- debian/patches/CVE-2025-6069.patch: Improve regex parsing in
Lib/html/parser.py.
- CVE-2025-6069
* SECURITY UPDATE: Infinite loop when parsing tar archives.
- debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in
Lib/tarfile.py.
- CVE-2025-8194
-- Hlib Korzhynskyy <email address hidden> Fri, 15 Aug 2025 12:02:43 -0230
|
| CVE-2025-6069 |
The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplifie |
| CVE-2025-8194 |
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process |
|
|
python3.10 (3.10.12-1~22.04.10) jammy-security; urgency=medium
* SECURITY UPDATE: incorrect address list folding
- debian/patches/CVE-2025-1795-1.patch: don't encode list separators in
Lib/email/_header_value_parser.py,
Lib/test/test_email/test__header_value_parser.py.
- debian/patches/CVE-2025-1795-2.patch: fix AttributeError in the email
module in Lib/email/_header_value_parser.py,
Lib/test/test_email/test__header_value_parser.py.
- CVE-2025-1795
* SECURITY UPDATE: DoS via bytes.decode with unicode_escape
- debian/patches/CVE-2025-4516.patch: fix use-after-free in the
unicode-escape decoder with an error handler in
Include/cpython/bytesobject.h, Include/cpython/unicodeobject.h,
Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
Objects/bytesobject.c, Objects/unicodeobject.c,
Parser/string_parser.c.
- CVE-2025-4516
-- Marc Deslauriers <email address hidden> Tue, 27 May 2025 13:12:29 -0400
|
| CVE-2025-1795 |
During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is a |
| CVE-2025-4516 |
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding |
|